search
Infiltr8ForumGitHub
githubEdit

UnPAC the hash

hashtag
Theory

When using PKINIT to obtain a TGT (Ticket Granting Ticket), the KDC (Key Distribution Center) includes in the ticket a PAC_CREDENTIAL_INFO structure containing the NTLM keys (i.e. LM and NT hashes) of the authenticating user. This feature allows users to switch to NTLM authentications when remote servers don't support Kerberos, while still relying on an asymmetric Kerberos pre-authentication verification mechanism (i.e. PKINIT).

The NTLM keys will then be recoverable after a TGS-REQ through U2U which is a Service Ticket request made to the KDC where the user asks to authenticate to itself (User-to-User authenticationarrow-up-right).

The following protocol diagram demonstrates how UnPAC-the-hash works. It allows attackers that know a user's private key, or attackers able to conduct a Shadow Credentials attacks, to recover the user's LM and NT hashes.

hashtag
Practice

From UNIX-like systems, this attack can be conducted with PKINITtoolsarrow-up-right (Python).

The first step consists in obtaining a TGT by validating a PKINIT pre-authentication first.

Once the TGT is obtained, and the session key extracted (printed by gettgtpkinit.py), the getnthash.py script can be used to recover the NT hash.

The NT hash can be used for pass-the-hash, silver ticket, or Kerberos delegations abuse.

hashtag
Resources

Shadow Credentials: Abusing Key Trust Account Mapping for Account TakeoverShenanigans Labschevron-right
LogoSSTIC2014 » Présentation » Secrets d'authentification épisode II : Kerberos contre-attaque - Aurélien Bordeswww.sstic.orgchevron-right

Last updated