The "over" in overpass-the-hash refers to taking the pass-the-hash technique one step further to acquire a valid Kerberos ticket. Typically, with pass-the-hash you use an NT hash from a compromised user account to directly authenticate to remote services as that user, either by injecting it into the memory of the current Windows user or by providing the hash directly to client applications which accept it (e.g.

With overpass-the-hash you can leverage that NT hash twice over to now request a full Kerberos TGT or service ticket from the KDC on behalf of that compromised user. This technique also opens up the pass-the-ticket attack vector, where now that forged but valid (before expiration) TGT/ST can be exported and re-injected for future use and bypass communication with the KDC. Because they are closely linked, overpass-the-hash and pass-the-ticket are often used interchangeably.

I agree that many of the top search result blog posts do not clearly explain the unique mechanism of OPTH. For a more direct explanation, check out the "Abusing Kerberos" whitepaper by the Mimikatz developers. Also check out the detection exercise linked in the blog you referenced.

Pass-the-hash relies on interacting directly with the DC in order to generate a TGT or TGS ticket, as one example. Pass-the-hash is equivalent to going through the authentication process with the DC, but using the hash directly. The result of this process is that LSASS process memory now contains a DC-certified TGT or TGS, generated by the DC. Overpass-the-hash is a direct write operation of a forged TGT or TGS directly into LSASS process memory for the currently logged-in user, bypassing authenticating to or interacting directly with the DC. The key here is that the end result is a TGT or TGS written to LSASS process memory of the currently logged-in user, without ever having had any direct interaction with the DC. And since that TGT is signed by the "krbtgt" user account hash, or the TGS is signed by the machine_account or service_account hash of the target service, it is considered valid by the DC when it goes to validate the TGT or TGS. This is because those are the only sensitive pieces of information needed to validate either one.
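The answers above mention a detection exercise without spelling one out, so here is an added example (my own code, not from either answer or from the Mimikatz authors) of the classic triage heuristic for overpass-the-hash on the domain controller side. It assumes that a TGT requested with a key derived from the NT hash is negotiated with RC4-HMAC (TicketEncryptionType 0x17 in Windows Security event 4768), while accounts and clients in the domain normally negotiate AES (0x11 or 0x12). The 4768 field names are the real event schema; the key=value lines, account names and addresses are constructed sample data, and the "downgrade" criterion (an account that has an AES baseline elsewhere suddenly requesting RC4) is an assumed triage rule, not a proof of compromise, since RC4 also appears legitimately for accounts or clients that lack AES keys.

```python
"""Triage of Windows Security event 4768 (TGT request) for RC4 downgrade.

Added example, not from the original answers. Assumption: the domain's
accounts normally negotiate AES (0x11/0x12), so a successful TGT request
with RC4-HMAC (0x17) for an account that otherwise uses AES is anomalous.
The sample events below are constructed, not real telemetry.
"""
import re
from collections import Counter, defaultdict

RC4_ETYPE = "0x17"             # RC4-HMAC: the etype an NT-hash-derived key yields
AES_ETYPES = {"0x11", "0x12"}  # AES128 / AES256 CTS-HMAC-SHA1-96

# Constructed sample of flattened 4768 events (field names follow the real
# event schema; values are made up for this example).
SAMPLE_4768 = """\
EventID=4768 TargetUserName=alice TargetDomainName=CORP IpAddress=10.0.0.21 TicketEncryptionType=0x12 Status=0x0
EventID=4768 TargetUserName=svc_sql TargetDomainName=CORP IpAddress=10.0.0.40 TicketEncryptionType=0x12 Status=0x0
EventID=4768 TargetUserName=alice TargetDomainName=CORP IpAddress=10.0.0.77 TicketEncryptionType=0x17 Status=0x0
EventID=4768 TargetUserName=WS01$ TargetDomainName=CORP IpAddress=10.0.0.21 TicketEncryptionType=0x12 Status=0x0
EventID=4768 TargetUserName=bob TargetDomainName=CORP IpAddress=10.0.0.77 TicketEncryptionType=0x17 Status=0x0
EventID=4768 TargetUserName=bob TargetDomainName=CORP IpAddress=10.0.0.33 TicketEncryptionType=0x17 Status=0x18
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_events(text):
    """Parse 'key=value ...' lines into dicts, keeping only 4768 events."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = dict(FIELD_RE.findall(line))
        if ev.get("EventID") == "4768":
            events.append(ev)
    return events


def rc4_tgt_requests(events):
    """Successful (Status 0x0) TGT requests that negotiated RC4-HMAC."""
    return [ev for ev in events
            if ev.get("TicketEncryptionType") == RC4_ETYPE
            and ev.get("Status") == "0x0"]


def aes_baseline(events):
    """Accounts that have obtained at least one TGT with AES (the assumed norm)."""
    seen = defaultdict(set)
    for ev in events:
        if ev.get("Status") == "0x0":
            seen[ev["TargetUserName"]].add(ev.get("TicketEncryptionType", ""))
    return {acct for acct, etypes in seen.items() if etypes & AES_ETYPES}


def downgrade_findings(events):
    """RC4 TGT requests for accounts that elsewhere use AES: the strongest signal."""
    baseline = aes_baseline(events)
    return [ev for ev in rc4_tgt_requests(events)
            if ev["TargetUserName"] in baseline]


def rc4_sources(events):
    """Count successful RC4 TGT requests per client address to find the host to look at."""
    return Counter(ev["IpAddress"] for ev in rc4_tgt_requests(events))


def analyse(text):
    """Summarise the sample into account and source lists an analyst would triage."""
    events = parse_events(text)
    return {
        "rc4_accounts": sorted({ev["TargetUserName"] for ev in rc4_tgt_requests(events)}),
        "downgraded_accounts": sorted({ev["TargetUserName"] for ev in downgrade_findings(events)}),
        "rc4_sources": dict(rc4_sources(events)),
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_4768))
```

On the constructed sample, alice is the account to look at first: she normally gets AES tickets but obtained an RC4 one from 10.0.0.77, and that same host produced the only other RC4 success (bob). bob's failed request from 10.0.0.33 (Status 0x18, pre-authentication failure) is ignored because it never produced a ticket. In a real environment the next step is correlating the flagged source with logon events on that host, since the overpass-the-hash answer above notes the technique relies on the KDC issuing a real ticket from the hash-derived key, which is exactly what 4768 records.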