Mastering Post-Exploitation: Pass-the-Hash & Pass-the-Ticket
In the realm of penetration testing and cybersecurity, post-exploitation is a critical phase. Once initial access is gained, the objective shifts to maintaining persistence, escalating privileges, and moving laterally across the compromised network. Two highly effective techniques for lateral movement, particularly in Windows environments, are Pass-the-Hash (PtH) and Pass-the-Ticket (PtT).
Understanding Pass-the-Hash (PtH)
Pass-the-Hash is a technique that allows an attacker to authenticate to a remote system using the NTLM hash of a user's password rather than the plaintext password itself. This works because NTLM challenge-response authentication, which Windows services and protocols such as SMB and WinRM accept, uses the NT hash as the key: the hash, not the password, is the effective credential. If an attacker obtains a user's NTLM hash (e.g., through memory dumping or credential harvesting), they can use it to impersonate that user on other machines without ever cracking the hash into a plaintext password.
Understanding Pass-the-Ticket (PtT)
Pass-the-Ticket is a more advanced technique that leverages Kerberos tickets. Kerberos is the default authentication protocol for Windows domains. When a user logs in, they receive a Ticket-Granting Ticket (TGT). This TGT can then be used to request service tickets for various resources on the network. Pass-the-Ticket involves stealing a user's TGT (often from memory using tools like Mimikatz) and then using it to request service tickets for other services, allowing the attacker to impersonate the user without needing their password or hash.
Comparison: Pass-the-Hash vs. Pass-the-Ticket
Feature | Pass-the-Hash (PtH) | Pass-the-Ticket (PtT)
---|---|---
Authentication Protocol | NTLM | Kerberos
Credential Used | NTLM Hash | Ticket-Granting Ticket (TGT)
Primary Use Case | Lateral movement via SMB, WinRM | Broader lateral movement, access to more services
Complexity | Relatively simpler | More complex, requires understanding Kerberos
Detection | Can be detected by NTLM logging and anomaly detection | Can be detected by Kerberos logging and anomaly detection
Tools | Mimikatz, Impacket (psexec.py, smbexec.py) | Mimikatz, Rubeus, Kerberoasting tools
Defensive Strategies
Defending against these techniques involves a multi-layered approach. Key strategies include:
- Credential Protection: Implement strong password policies, multi-factor authentication (MFA), and avoid storing credentials in plaintext. Regularly audit privileged accounts.
- Least Privilege: Ensure users and services only have the permissions they absolutely need. This limits the impact of compromised credentials.
- Network Segmentation: Divide the network into smaller, isolated segments to prevent attackers from moving freely.
- Logging and Monitoring: Enable detailed logging for authentication events (NTLM and Kerberos) and actively monitor for suspicious activity, such as unusual login patterns or access to sensitive resources.
- Endpoint Security: Deploy endpoint detection and response (EDR) solutions that can detect credential dumping and suspicious process activity.
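The logging and monitoring strategy above is easiest to reason about with concrete rules. The following script is an added example, not part of the original article or of any tool it names: it runs two heuristics over constructed Windows Security events. The first flags the NTLM fan-out pattern behind Pass-the-Hash (one account, one source IP, network logons of type 3 with the NTLM package to several hosts in a short window, from event 4624 on the target hosts). The second flags Pass-the-Ticket indicators from domain controller logs: a service-ticket request (event 4769) for which the DC never issued a TGT (event 4768) to that account from that IP within the ticket lifetime, and an RC4 ticket (etype 0x17) in a domain assumed to use AES. The field names, thresholds and the assumption that all DC logs are centralised and that the client IP seen by the DC matches the one seen by the target host are the author's assumptions for this example.

```python
"""Toy detection pass for Pass-the-Hash and Pass-the-Ticket indicators.

Constructed Windows Security events (IDs 4624, 4768, 4769) are modelled as
dicts; field names loosely mirror the event XML but all data is made up.
"""
from collections import defaultdict

# --- constructed sample events (not real telemetry) -----------------------
# ts is seconds since an arbitrary epoch; src is the client IP as the DC or
# target host recorded it.
SAMPLE_EVENTS = [
    # Normal Kerberos session: TGT issued (4768), then a service ticket (4769), AES.
    {"ts": 100, "id": 4768, "account": "alice", "src": "10.0.0.5", "etype": 0x12},
    {"ts": 160, "id": 4769, "account": "alice", "src": "10.0.0.5", "etype": 0x12, "service": "cifs/fs01"},
    # Alice logs on over the network with Kerberos to one host: benign.
    {"ts": 170, "id": 4624, "account": "alice", "src": "10.0.0.5", "host": "fs01", "logon_type": 3, "auth_pkg": "Kerberos"},
    # svc_backup authenticates with NTLM to four hosts in two minutes from one
    # workstation: the fan-out pattern typical of hash-based lateral movement.
    {"ts": 500, "id": 4624, "account": "svc_backup", "src": "10.0.0.77", "host": "ws01", "logon_type": 3, "auth_pkg": "NTLM"},
    {"ts": 530, "id": 4624, "account": "svc_backup", "src": "10.0.0.77", "host": "ws02", "logon_type": 3, "auth_pkg": "NTLM"},
    {"ts": 560, "id": 4624, "account": "svc_backup", "src": "10.0.0.77", "host": "fs01", "logon_type": 3, "auth_pkg": "NTLM"},
    {"ts": 610, "id": 4624, "account": "svc_backup", "src": "10.0.0.77", "host": "dc01", "logon_type": 3, "auth_pkg": "NTLM"},
    # The same workstation requests a service ticket for bob with RC4, and the DC
    # logged no TGT issuance (4768) for bob from that IP: consistent with an
    # injected (passed) ticket.
    {"ts": 900, "id": 4769, "account": "bob", "src": "10.0.0.77", "etype": 0x17, "service": "cifs/dc01"},
]

RC4_HMAC = 0x17  # Kerberos etype 23; AES etypes are 0x11 and 0x12


def detect_pth(events, window=300, min_hosts=3):
    """Flag (account, src) pairs that NTLM-authenticate (network logon, type 3)
    to at least `min_hosts` distinct hosts within `window` seconds."""
    by_pair = defaultdict(list)
    for e in events:
        if e["id"] == 4624 and e.get("logon_type") == 3 and e.get("auth_pkg") == "NTLM":
            by_pair[(e["account"], e["src"])].append(e)
    alerts = []
    for (account, src), evs in by_pair.items():
        evs.sort(key=lambda ev: ev["ts"])
        lo = 0
        # sliding window over the time-sorted logons for this pair
        for hi in range(len(evs)):
            while evs[hi]["ts"] - evs[lo]["ts"] > window:
                lo += 1
            hosts = {ev["host"] for ev in evs[lo:hi + 1]}
            if len(hosts) >= min_hosts:
                alerts.append({"rule": "ntlm_fanout", "account": account,
                               "src": src, "hosts": sorted(hosts)})
                break  # one alert per pair is enough
    return alerts


def detect_ptt(events, tgt_lifetime=36000):
    """Flag 4769 service-ticket requests with no 4768 TGT issuance to the same
    account from the same IP within `tgt_lifetime` seconds (default 10 h), and
    separately note RC4 tickets where AES is expected."""
    tgts = defaultdict(list)  # (account, src) -> timestamps of 4768 events
    for e in events:
        if e["id"] == 4768:
            tgts[(e["account"], e["src"])].append(e["ts"])
    alerts = []
    for e in events:
        if e["id"] != 4769:
            continue
        key = (e["account"], e["src"])
        recent = [t for t in tgts[key] if 0 <= e["ts"] - t <= tgt_lifetime]
        reasons = []
        if not recent:
            reasons.append("tgs_without_tgt")
        if e.get("etype") == RC4_HMAC:
            reasons.append("rc4_ticket")
        if reasons:
            alerts.append({"rule": reasons, "account": e["account"],
                           "src": e["src"], "service": e["service"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_pth(SAMPLE_EVENTS) + detect_ptt(SAMPLE_EVENTS):
        print(alert)
```

On the constructed data the NTLM rule fires once for svc_backup from 10.0.0.77 and the Kerberos rule fires once for bob, with both reasons attached. In production both heuristics need tuning: scanners, backup agents and jump hosts legitimately fan out over NTLM, and the "TGS without TGT" rule only holds when every domain controller's 4768 events reach the same store and the TGT lifetime used matches the domain policy; RC4 tickets are a strong signal only once AES-only Kerberos has actually been enforced.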
Practical Application for OSCP
For the OSCP certification, understanding and being able to practically apply Pass-the-Hash and Pass-the-Ticket is crucial. You will encounter scenarios where you gain initial access to a low-privilege user and need to move laterally to compromise higher-privilege accounts or critical systems. Mastering these techniques will significantly increase your chances of success in the exam lab.
Remember, the goal of these techniques is to leverage existing credentials or their derivatives to move laterally. Focus on understanding how authentication works in Windows environments to truly grasp their power.
Learning Resources
- A comprehensive explanation of Pass-the-Hash, its mechanics, and common tools used for its execution.
- Official Mimikatz documentation detailing its capabilities for Kerberos attacks, including Pass-the-Ticket.
- Impacket is a collection of Python classes for working with network protocols, essential for many post-exploitation techniques including PtH.
- Microsoft's official documentation explaining the Kerberos authentication protocol, fundamental to understanding Pass-the-Ticket.
- While not directly on PtH/PtT, the OSCP exam guide often implicitly covers these topics as core post-exploitation skills. This link points to a general guide that would lead to relevant exam preparation materials.
- Rubeus is a C# toolset for raw Kerberos interaction and abuse, crucial for Pass-the-Ticket operations.
- A blog post from SANS Institute discussing Pass-the-Hash attacks and their implications for Active Directory security.
- A video tutorial demonstrating and explaining the Pass-the-Ticket attack in a practical lab environment.
- Microsoft's official specification for the NTLM authentication protocol, providing deep technical details.
- MITRE ATT&CK framework entry for Lateral Movement, which includes Pass-the-Hash and Pass-the-Ticket as sub-techniques.