UnPAC The Hash

The UnPAC The Hash attack relies on two things that I first have to define: the PAC and PKINIT.

  • In the Kerberos authentication protocol, a user's Kerberos tickets can carry a Privilege Attribute Certificate (PAC) that describes the user's security groups and privileges.

  • Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) is a Kerberos extension that allows certificate-based authentication instead of password-based pre-authentication.

The PAC can also contain the NTLM hash of the authenticating user, which lets clients fall back to NTLM authentication when the target server doesn't support Kerberos.

When a Ticket Granting Ticket (TGT) is obtained using PKINIT, the Key Distribution Center (KDC) returns a session key together with a TGT whose PAC includes the NTLM password hash of the authenticating user.

Using that TGT in a combined User-to-User (U2U) and S4U2Self request yields a Kerberos Service Ticket (ST) whose PAC can be decrypted with the session key obtained earlier.

Once the PAC is decrypted, the NTLM hash can be extracted from it.
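As an added example (not part of the original page), the Python below looks at the flow above from the defender's side: it correlates constructed Windows security events to flag a 4768 PKINIT TGT request (Pre-Authentication Type 16 with certificate fields) followed within a short window by a 4769 in which the same account requests a service ticket to itself, which is what the U2U/S4U2Self step looks like. The event dictionaries, the correlation window and the self-target heuristic are assumptions modeled on the 4768/4769 event fields, not taken from the page.

```python
# Added example: correlate constructed 4768/4769 records to flag the UnPAC-the-hash
# sequence (PKINIT TGT, then a U2U/S4U2Self service ticket for the account itself).
# Field names mirror the Windows event XML; the records and the rule are assumptions.
from datetime import datetime, timedelta

PA_PK_AS_REQ = "16"            # Pre-Authentication Type used by PKINIT (PA-PK-AS-REQ)
WINDOW = timedelta(minutes=5)  # assumed correlation window; tune for your environment

def norm(name: str) -> str:
    """Lower-case and strip a realm or domain prefix/suffix so that
    'alice@CORP.LOCAL', 'CORP\\alice' and 'alice' all compare equal."""
    return name.split("@")[0].split("\\")[-1].lower()

def find_unpac_sequences(events):
    """Return (account, tgt_time, st_time) for every PKINIT TGT request that is
    followed, within WINDOW, by a service-ticket request from the same account
    whose ServiceName is that account itself (the self-targeted S4U2Self step)."""
    pkinit_tgts = {}  # account -> time of its most recent PKINIT 4768
    hits = []
    for ev in sorted(events, key=lambda e: e["time"]):
        acct = norm(ev["TargetUserName"])
        if ev["id"] == 4768 and ev.get("PreAuthType") == PA_PK_AS_REQ and ev.get("CertThumbprint"):
            pkinit_tgts[acct] = ev["time"]
        elif ev["id"] == 4769 and norm(ev["ServiceName"]) == acct:
            tgt_time = pkinit_tgts.get(acct)
            if tgt_time is not None and ev["time"] - tgt_time <= WINDOW:
                hits.append((acct, tgt_time, ev["time"]))
    return hits

# Constructed sample: alice authenticates with a certificate and then requests a
# service ticket to herself; bob does ordinary password-based Kerberos to a file server.
T0 = datetime(2024, 1, 1, 9, 0, 0)
SAMPLE_EVENTS = [
    {"id": 4768, "time": T0, "TargetUserName": "alice@CORP.LOCAL",
     "PreAuthType": "16", "CertThumbprint": "<placeholder-thumbprint>"},
    {"id": 4769, "time": T0 + timedelta(seconds=40),
     "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "alice"},
    {"id": 4768, "time": T0, "TargetUserName": "bob@CORP.LOCAL",
     "PreAuthType": "2", "CertThumbprint": ""},
    {"id": 4769, "time": T0 + timedelta(seconds=10),
     "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "cifs/fileserver.corp.local"},
]

if __name__ == "__main__":
    for acct, tgt, st in find_unpac_sequences(SAMPLE_EVENTS):
        print(f"possible UnPAC-the-hash: {acct} PKINIT TGT at {tgt}, self-targeted ST at {st}")
```

A PKINIT 4768 on its own is normal for smart-card logon; it is the follow-up self-targeted 4769 from the same account that makes the pair worth a look.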
