Big Picture
In this scenario you are on a pen test for a company that uses Windows Active Directory and Kerberos to store their resources. Let’s say that you’ve gotten into a windows computer. This could be a workstation or server command line interface that you were able to log in with a user’s basic credentials that doesn’t have any elevated privileges. How would you be able to mover laterally across the network to different workstations, domain controllers, and accounts? How would you be able to get plaintext passwords or Kerberos authentication tokens for more access and to find more vulnerabilities on your client’s network devices? Well what I discovered is that sometimes you don’t even need the plaintext passwords and that you can gain access with just the Hash. Here are some post-exploitation techniques to abuse Active Directory and Kerberos to gained additional access and move laterally across a network.
Pass the Hash
Recall that hashing a password is a one-way operation. We can’t reverse a hash like we can decrypt and encrypted set of data. Pass the Hash is an exploit that takes advantage of a fundamental characteristic of the New Technology Lan Manager. NTLM is a Microsoft legacy authentication protocol that uses a challenge-response mechanism to verify credentials without transmitting them over a network. It utilizes MD4 Hashes that are sent instead of plaintext credentials, making the process susceptible Hash, Replay, and Brute force attacks. When you try to authenticate with NTLM, Windows hashes your password and uses that to encrypt a server provided challenge. The server compares the response against it’s own calculated challenge and if they match, you are authenticated. This means you can get authenticated with just the hash. Although NTLM is largely replaced by Kerberos in modern AD environments it is still often used in backend environments.
Windows PTH Tools
Mimikatz is a powerful tool to extract hashes and Kerberos tickets from the Windows LSASS process memory. Recall that LSASS is a critical Windows process that’s responsible for managing security and all authentication on a Windows device. It is very popular and is used by tons of pen tester and attackers even though most modern EDR’s can detect it quite easily. Mimikatz has a Sekurlsa tool that pulls these hashes and can even pull plaintext passwords if WDigest is enabled. Here is an example of a command you would run after starting Mimikatz: sekurlsa::pth /user:administrator /domain:CORP /rc4:8846f7eaee8fb117ad06bdd830b7586c /run:powershell.exe
This command spawns a new PowerShell window running as the administrator user, authenticated with their NTLM hash. The /rc4 parameter specifies the NT hash (NTLM uses RC4 for legacy compatibility). You get an interactive shell impersonating the target user without knowing their password, perfect for exploring the network as that user.
Invoke the Hash is a PowerShell toolkit for executing pass-the-hash, pass-the-ticket, and SMB relay attacks without needing Mimikatz on a disk (rarely will target machines will have Mimikatz installed). It allows you to remotely authenticate to Windows systems using NTLM hashes via SMB, WMI, or SMBExec without triggering anti-virus or EDR’s configured to look out for tools like Mimikatz. Invoke-SMBExec -Target 10.10.10.50 -Username administrator -Hash 8846f7eaee8fb117ad06bdd830b7586c -Command "whoami"
This command remotely executes “whoami” on the target machine without spawning local processes. This is very beneficial to stealth and operating in constricted environments.
Linux PtH Tools
Impacket is a python library of network protocol tools that implements other protocols like SMB, MSRPC, LDAP, and Kerberos. Since it’s python, it will work on Linux machines. One tool, PsExec.y, will take a username, target machine, NTLM hash, and a port to attempt to spawn a remote SYSTEM shell. Running this command on a Kali machine would look something like this:
psexec.py CORP/administrator@10.10.10.50 -hashes aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c
NetExec is a little like Impacket but more in-depth and offers addition attacks like credential and hash spraying plus share enumeration and other lateral movement techniques. NetExec will take your usernames and hashes and automatically attempt to authenticate across multiple protocols and ports and report back. If it happens to authenticate it can execute commands, dump credentials, and preform other post-exploitation techniques.
netexec smb 10.10.10.50 -u administrator -H 8846f7eaee8fb117ad06bdd830b7586c
NetExec reports whether the hash grants access and indicates if you have admin rights by outputting “Pwn3d!” (classic). Perfect for quickly testing a harvested hash against many systems.
Evil-WinRM is a PowerShell remoting tool that provides an interactive shell on Windows systems through the Windows Remote Management service (typically on port 5985/6). It is particulary helpful if you get credentials of user’s in the “Remote Management User’s” group. Commands like the one below should give you a full PowerShell session when SMB is blocked but WinRM is open on those ports and you have the right NTLM hash.
evil-winrm -i 10.10.10.50 -u administrator -H 8846f7eaee8fb117ad06bdd830b7586c
It’s important to note that local accounts often face User Account Control (UAC) restrictions meaning they can’t remotely authenticate with admin rights unless the LocalAccountTokeFilterPolicy registry key is correctly enabled. This, however, is bypassed with domain accounts that have admin rights to do so. This means domain credentials are extremely valuable for lateral movement.
Pass-the-Ticket and Abusing Kerberos
The PtT exploit attacks Kerberos which is Active Directory’s perferred authentication protocol. Instead of using password hashes, this attacks steals Kerberos tickets (cryptographically signed tokens that prove you identity). When you authenticate to AD, you receive a Ticket Granting Ticket (TGT) that you’ll use to request a Ticket Granting Service (TGS) for specific services like file shares or databases. These are all stored in LSASS memory and can be extracted and reused. You can harvest these tickets as .kirbi files using Mimikatz’s sekurlsa::tickets /export which will dump all the tickets from LSASS memory does does require admin privileges.
Rubeus is a C# tool created by SpecterOps team that is a more robust alternative to Mimikatz. Rubeus provides a more modern alternative with it’s Rubeus.exe dump /nowrap method that doesn’t require admin and outputs in Base64 encoding. Sometimes you don’t have tickets but you do have password hashes or Kerberos keys. A Pass-the-Key attack will convert these hashes and keys into valid TGT tickets.
The first step when you are on a Windows system would be to extract the keys using sekurlsa::ekeys to reveal AES256/168 and RC4 keys.
Once obtained, you can now structure a request to the TGT using Mimikatz and the NTLM hash we got (stole lol):sekurlsa::pth /domain:corp.local /user:administrator /ntlm:8846f7eaee8fb117ad06bdd830b7586c
You always want to prefer to do this with the most modern (AES256) hashes available because a downgrade in their version could potentially trigger a “encryption downgrade” event in some security monitoring tools.
Now that you have requested (and hopefully gotten) these tickets you can import them into your current session using Rubeus (You can also import base64 tickets with Mimikatz):Rubeus.exe ptt /ticket:ticket.kirbi
You always want to use the klist command to see if they imported correctly and if so you can now gain access to resources that ticket grants without re-authenticating!
PowerShell Remoting with PtT
If you want to gain remote access with PowerShell then you need to first get admin permissions, membership in the Remote Management Users group, or explicit PS Remoting permissions. If you are able to get a ticket using some of the methods above, you can use Rebues’s creatnetonly modifier to launch a separate process with logon type 9 and the provided ticket. You can then request separate tickets from the new PowerShell window that will isolate that ticket-session from your main session.
Pass-the-Ticket from Linux
If you are on a Linux system that is joined to Active Directory and uses Kerberos for authentication, then your system will be storing tickets different than on a Windows machine. Linux-Kerberos integration involves a domain-joined Linux machine that uses System Security Services Daemon(SSSD) or Winbind for Active Directory integration. You can type realm list in a Linux terminal to check if a system is domain joined. You can also use ps and grep commands to look for any “windbind” and “sssd” processes running.
The Kerberos tickets are stored in two formats, ccache and keytab files. Ccache(Credential Cache) are located at /tmp/krb5cc_* and contain active Kerberos tickets for current user sessions and expire when a user logs out. The KRB5CCNAME variable points to this location. Keytab files contain Kerberos principals with encrypted keys for authentication without the need of a password. They’re stored at /etc/krb5.keytab or another potentially custom path. Scripts and service accounts use these for automated authentication and unlike ccache files, they don’t expire.
Attacking with keytab files
You can use the find command to look for keytab files across the system, but remember to use 2>/dev/null to cast all your non-important output into the void if you’re listing. You can also use klist -k -t /opt/<user>.keytab to look for any cronjobs that may use them.
The kinit command in is used for managing Kerberos interactions and obtaining tickets. If you were able to find any keytabs you can run a command with the user, domain, and .keytab file to impersonate the user, then use python’s keytabextract module to extract the hashes reveal them in NTLM AES256 format:
smbclient //dc01/<target user> -k -c ls
python3 keytabextract.py /opt/<target user>.keytab
Additionally if you are able to escalate to root, you can access all user’s caches tickets in the /tmp./krb5cc* file and look for high value Domain Admin ccaches’s to export and then use to access domain resources:cp /tmp/<stolen ticket>
export KRB5CCNAME=/root/<stolen ticket>
klist
smbclient //<target domain>/C$ -k -c ls -no-pass
Sometimes you are going to be attacking from a system that is not domain-joined. You can circumvent this by using proxy chains with a tool called Chisel. This works by first setting up the correct name resolution in /etc/hosts, configuring the proxy chains, and then establishing a SOCKS tunnel through a compromised system. Impacket’s wimexec can be used with a proxychains call to attempt Kerberos authentication on a system that is not connected to the rest of the domain.
Certificate-Based Attacks in AD
Active Directory Certificate Services (AD CD) issues X.509 certificates to users and devices within a domain, PKINIT is a Kerberos extension that allows authentication using those certificates instead of credentials. In some cases these certificates automatically approve 2FA requirements that would normally be required when otherwise logging in with credentials. ESC8 attacks listen in on NTLM relay messages against web enrollment endpoints to try and find valid certificates.
The attack begins by setting up ntlmrelayx to target the certificate enrollment endpoint at /certsrv/certfnsh.asp, specifying the KerberosAuthentication template and enabling ADCS and SMB2 support. Once the relay is listening, you force a target machine (like a Domain Controller) to authenticate to your attacking machine using techniques like the printer bug coercion attack. When the DC authenticates to the relay, ntlmrelayx forwards that authentication to the AD Certificate Server and requests a certificate on behalf of the DC’s machine account, resulting in a .pfx certificate file.
With this certificate in hand, you can use gettgtpkinit.py to request a valid Kerberos TGT for the DC machine account (this just means a new account that is part of the target Domain). This TGT is stored in a credential cache file that you can then export using the KRB5CCNAME environment variable. Since you’re now authenticated as the Domain Controller itself, you can perform DCSync attacks using secretsdump to extract password hashes for any account in the domain, including the Administrator. This represents complete domain compromise achieved through an NTLM relay attack chain.
Shadow Credentials attacks exploit the msDS-KeyCredentialLink attribute by adding your own public key to a target account. Using pywhisker, you add a key credential link to the victim’s account, which generates a .pfx certificate that the domain trusts for authenticating as that user. You then use gettgtpkinit.py with this certificate to request a TGT for the victim account, store it in a credential cache, and authenticate to domain services like WinRM without ever needing the victim’s actual password.
The power of certificate-based attacks lies in their ability to bypass traditional security controls. Certificates often skip password policies, avoid triggering password change requirements, and circumvent MFA protections. This makes them exceptional for both initial compromise and long-term persistence, as certificates can remain valid even after password resets and provide stealthy authentication that may evade detection mechanisms focused on password-based authentication patterns.
Thanks for reading this far
From a defender’s perspective all of these attacks are not that difficult to fend off. Setting alerts for encryption downgrades (when RC4 instead of NTLM hash is used), unusual Kerberos patterns (like ticket’s requested from unknown IPs), certificate enrollment spikes (from non-standard templates indicating ESC8 abuse), and LDAP modifications to key credential files.
Pass-the-Hash, Pass-the-Ticket, and Certificate-based attacks represent the evolution of credential abuse in Active Directory. Understanding these techniques is essential whether you’re testing security or defending networks. Each method has specific use cases: PtH for NTLM environments and quick lateral movement, PtT for Kerberos domains with longer-lived access, and certificate attacks for bypassing modern defenses like MFA. Practicing these techniques is broadening and fun, I encourage you to do so in your own home labs and test environments. Remember they’re detectable, skilled blue teams watch for the indicators and so should you when testing these attacks. Always operate within authorized scope and use these methods responsibly to improve security instead of selfish exploitations.
-ZSC