Understanding Windows

Lateral Movements
ATTL4S & ElephantSe4l
Understanding Windows
Lateral Movements
ATTL4S & ElephantSe4l
Understanding Windows
User Impersonation
ATTL4S & ElephantSe4l
# ATTL4S
• Daniel López Jiménez
• Twitter: @DaniLJ94
• GitHub: @ATTL4S
• Youtube: ATTL4S

• Loves Windows and Active Directory security

• Managing Security Consultant at NCC Group
• Associate Teacher at Universidad Castilla-La Mancha (MCSI)

attl4s.github.io
# ElephantSe4l
• Manuel León
• Twitter: @ElephantSe4l
• GitHub: @ElephantSe4l

• Very curious, enjoys Windows Internals and Code Reviewing

• Experienced Programmer
• Security Consultant at NCC Group

attl4s.github.io
The aim of this presentation is understanding the art of user impersonation in Windows
systems. This knowledge will be handy when performing lateral movements and other
interesting tasks within Windows and Active Directory networks

attl4s.github.io
 Impersonation

UserA UserB
HostA

HostB UserB
Agenda
1. Windows Authentication
• Ways of authentication and main Windows authentication components

2. User Impersonation
• Playing with Windows authentication and stolen credentials

3. Moving with the SSPI

• Examples of how to move laterally through SSPI authentication

attl4s.github.io
Windows Authentication

attl4s.github.io
Ways of Authentication
• There are different ways to authenticate on a Windows system, and each has its
implications

• Authenticating with local users is not the same as authenticating with domain
users

• Likewise, authenticating to a computer physically (in person) has different

requirements than doing so through the network

attl4s.github.io
Local Authentication
• Local users are only present in a specific system
• Only the system knows about them (e.g. ComputerA\Charles)

• Two systems may have users with similar usernames and passwords
• ComputerA\Charles and ComputerB\Charles

• Records of local users are stored within the Security Account Manager (SAM)
database
• Windows verifies such records when someone tries to authenticate to the system

attl4s.github.io
Local Authentication (cont.)

1. Hey I am HostA\attl4s

2. Data is verified

3. OK! SAM
HostA\ATTL4S HostA

attl4s.github.io
Domain Authentication
• Domain users and groups are present in a specific AD domain

• All domain-joined systems (or systems from trusted domains) will know how to
handle authentication
• They will essentially delegate this task to an authentication server (Domain Controller)

• Domain user and computer records are stored within the NT Directory Services
(NTDS) database
• Domain Controllers verify such records when an identity tries to authenticate

attl4s.github.io
Domain Authentication (cont.)

1. I am Domain\ATTL4S 2. Delegate Auth

3. Data is verified

5. OK! 4. OK! NTDS

Domain\ATTL4S Domain\HostA Domain\DC01

attl4s.github.io
Physical Authentication
• When physically in front of a Windows computer, if you have a valid account, you
should be able to log in

• This applies both to local users and domain users (as long as the target system
knows about the account)

• In default configurations of Active Directory, any domain user can physically log in
into any domain computer

attl4s.github.io
Remote Authentication
• Unlike physical, remote authentications require privileges by default
• Being member of Administrators, Remote Desktop Users…

• When doing a Pentest, we are not typically going to be in a position to perform

physical authentications

• In terms of moving laterally within a network, we usually care about remote

authentications

attl4s.github.io
 * Needs Privs!

HostA\UserA HostA\UserB

* Needs Privs!

Domain\UserA Domain\UserB
Windows Authentication
• In order to understand the art of impersonating users, it is important to be
familiar with the Windows authentication mechanism

• In the following sections we will examine:

• Authentication Packages (APs) / Security Support Providers (SSPs)

• Interactive and Non-Interactive Authentications

• Logon Sessions

• Access Tokens

attl4s.github.io
Authentication Packages

attl4s.github.io
 Authentication Packages
• Authentication Packages (APs) authenticate Windows users by analysing their
logon data
• Also known as Security Support Providers (SSP)

• Different APs provide support for a variety of logon processes and authentication
protocols

• APs come in the form of DLLs, which are loaded and used by the Local Security
Authority (LSA) component

https://learn.microsoft.com/en-us/windows/win32/secauthn/authentication-packages attl4s.github.io
 Authentication Packages (cont.)
• APs present by default in Windows:

https://learn.microsoft.com/en-us/windows/win32/secauthn/ssp-packages-provided-by-microsoft attl4s.github.io
Authentication Packages (cont.)
• APs provide the logic needed for Windows to act as a client and as an
authentication server

• Client - Want to connect to a service with Windows authentication?

• Windows will transparently select the appropriate Authentication Package and leverage your
cached credentials

• Server - Your service/program supports Windows authentication?

• Windows will transparently authenticate clients with the appropriate Authentication Package and
credential database

attl4s.github.io
 Local Security Authority
• As shown in the image below, the LSA component orchestrates everything

Windows Internals, Part 1 attl4s.github.io

 SSP Interface
• Microsoft provides the Security Support Provider Interface (SSPI) to easily
integrate applications with this authentication system

https://ldapwiki.com/wiki/Security%20Support%20Provider%20Interface attl4s.github.io
 SSP Interface (cont.)

https://learn.microsoft.com/en-us/windows/win32/secauthn/authentication-functions attl4s.github.io
Successful Authentication
• When an authentication succeeds, the selected Authentication Package carries
out two important tasks:

1. Creates a new logon session within the system

2. Provides security information about the authenticated user to LSA

• LSA uses that information to create an Access Token which represents the user’s
local security context on that system

attl4s.github.io
 Creates
Logon Session
TOKEN
Physical NTLM
User SID
Remote Kerberos
Logon Session ID
Auth Auth package LSA Creates
Integrity
Groups
UserA HostA
…
Security information
Provides

attl4s.github.io
Interactive and Non-Interactive
Authentications

attl4s.github.io
 Yet Another Differentiation
• Local/domain and physical/remote were not enough
• It is also important to differentiate between interactive and non-interactive authentications!

• Microsoft differentiates these based on whether the user inputs its logon data or
not
• User specifies credentials → Interactive

• User does not specify credentials → Non-Interactive

https://learn.microsoft.com/en-us/windows/win32/secauthn/lsa-user-logon-authentication attl4s.github.io
 Interactive
• Typically (but not limited to) when you log in through Window’s auth screen
• E.g. physical authentication via Winlogon + LogonUI

• The important bit here is that user credentials are cached within the memory of
the LSA process (lsass)
• Credentials are cached and prepared for each Authentication Package

• Cached credentials allow Windows providing a Single Sign-On (SSO) experience to

users

https://learn.microsoft.com/en-us/windows/win32/secauthn/interactive-authentication attl4s.github.io
 Interactive (cont.)

https://learn.microsoft.com/en-us/windows/win32/secauthn/interactive-authentication attl4s.github.io
 Non-Interactive
• “Cached credentials allow Windows providing a Single Sign-On (SSO) experience
to users”
• Such statement makes sense when talking about non-interactive authentications

• Rather than the user moving a finger, the application in use leverages the cached
credentials on behalf of the user

• That is, non-interactive authentications are only supposed to work after an

interactive authentication
• When cached credentials are available!

https://learn.microsoft.com/en-us/windows/win32/secauthn/noninteractive-authentication attl4s.github.io
 Non-Interactive (cont.)
• How does this work? Such applications leverage the Security Support Provider
Interface (SSPI) to perform these authentications

https://learn.microsoft.com/en-us/windows/win32/secauthn/noninteractive-authentication attl4s.github.io
Non-Interactive (cont.)

attl4s.github.io
Logon Sessions

attl4s.github.io
 Logon Sessions
• Logon sessions are created on the target system after a successful authentication
• Does not matter whether it is physical/remote/domain/local/interactive/non-interactive

• The important bit here:

AP cached credentials are tied to logon sessions!

• In which situations are logon sessions going to have cached credentials?

https://docs.microsoft.com/en-us/windows/desktop/secauthn/lsa-logon-sessions attl4s.github.io
mimikatz attl4s.github.io
 Logon Sessions (cont.)
• Logon sessions will typically have cached credentials after an interactive
authentication

• On the other hand, non-interactive authentications commonly result in logon

sessions without cached credentials

• As you may have noticed (“typically, commonly”)…

• Sometimes interactive does not result in cached credentials
• Sometimes non-interactive may result in cached credentials

https://docs.microsoft.com/en-us/windows/desktop/secauthn/lsa-logon-sessions attl4s.github.io
 Logon Types
• For reference, there are different types of logon sessions (link in the footnotes)

https://learn.microsoft.com/en-us/windows-server/identity/securing-privileged-access/reference-tools-logon-types attl4s.github.io
 Example - Interactive

https://github.com/leechristensen/Random/tree/master/PowerShellScripts attl4s.github.io
 Example - Network

https://github.com/leechristensen/Random/tree/master/PowerShellScripts attl4s.github.io
Let’s move on and see what access tokens are and their purpose!

attl4s.github.io
Access Tokens

attl4s.github.io
 Creates
Logon Session
TOKEN
Physical NTLM
User SID
Remote Kerberos
Logon Session ID
Auth Auth package LSA Creates
Integrity
Groups
UserA HostA
…
Security information
Provides

attl4s.github.io
 Access Tokens
• When a logon session is created, information is returned to LSA that is used to
create an access token

• An access token is a protected object that contains the local security context of an
authenticated user

• Every access token is tied to a logon session

• Access tokens are associated to processes or threads

https://docs.microsoft.com/en-us/windows/desktop/secauthz/access-tokens attl4s.github.io
 Access Tokens (cont.)

SSPI

Process.exe Logon Session 1 Cached Credentials

Logon Session 2
…

LSA
Token

https://docs.microsoft.com/en-us/windows/desktop/secauthz/access-tokens attl4s.github.io
 What’s Inside a Token
• Access tokens contain important data about the user and its execution context:
• The user security identifier (SID)

• Groups the user is a member of

• A list of privileges

• Logon session ID

• Integrity level

• Type of the token

• …

https://learn.microsoft.com/en-us/windows/win32/secauthz/access-tokens attl4s.github.io
https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/security-principals attl4s.github.io
 Multiple Security Contexts
• Within Windows, it is possible for the same user to have different execution
contexts
• E.g. User Account Control (UAC) splits execution between medium (regular) and high integrity
(admin)

• How? Windows allows the same user to have different access tokens and logon
sessions in the same system

https://docs.microsoft.com/en-us/windows/desktop/secauthz/access-tokens attl4s.github.io
attl4s.github.io
 Purpose of Access Tokens
• Windows uses access tokens to carry out access control decisions

• Windows securable objects have a list of control rules (DACL) associated

• Processes/threads accessing such objects have an access token

• The token information is compared against the control rules of an object to

determine if access is allowed or denied

https://docs.microsoft.com/en-us/windows/desktop/secauthz/access-tokens attl4s.github.io
 Attl4s’s Process

Passwords.txt Access Token

…
Object’s Security
Descriptor Groups
S-1-5-32-544
… (Administrators)
…

DACL
Wint3r’s Process
Access Denied

ACE 1 S-1-5-21-domain-1004 (wint3r)

Read, Write, Execute Access Token

Access Allowed
…
ACE 2 S-1-5-32-544 (Administrators)

Write
User SID

S-1-5-21-domain-1004
 Token Types
• Primary Tokens (process tokens)
• Every process has a primary token associated
• When a new process is created, the default action is to inherit the primary
token of its parent

• Impersonation Tokens (thread tokens)

• Enable a thread to run with a different security context (different token) than
the parent process
• Usually used for client and server scenarios

https://docs.microsoft.com/en-us/windows/desktop/secauthz/access-tokens - https://www.exploit-db.com/papers/13054 attl4s.github.io

 Impersonation Tokens
service.exe
• A new thread is created for every client
connecting to the service
SvcAcc
• Thanks to impersonation tokens, threads
can run with the security context of clients

• This enables the service to control access

SvcAcc Goku Vegeta via ACLs
Main Thread Thread Thread

https://es.slideshare.net/heirhabarov/hunting-for-privilege-escalation-in-windows-environment attl4s.github.io
How does it work?
• Services which support Windows authentication carry out something called client
Impersonation

• When a client connects to a service of this kind:

1. Credentials are verified
2. An access token with the security context of the client is created
3. The service places a copy of that token into a new thread
4. Such thread can act on behalf of the client and is subject to the restrictions
imposed by ACLs

attl4s.github.io
 Process

Thread
Web.exe
Vegeta Access Token Impersonates

SvcAcc

Vegeta

Auth

Lists
Vegeta

ShareSupport

Web01.capsule.corp

attl4s.github.io
 Impersonation Levels
• Some services may just require limited information from their clients and not a
full impersonation

• Depending on the service and how it’s configured, impersonation tokens can
have different impersonation levels

https://docs.microsoft.com/en-us/windows/desktop/secauthz/impersonation-levels attl4s.github.io
User Impersonation

attl4s.github.io
User Impersonation
• Creating or hijacking the security context of another user to act on its behalf in
the network
• Creating a security context commonly requires credentials
• Hijacking a security context commonly requires privileges

• We will focus on leveraging the Windows components studied in previous

sections (APs, logon sessions, access tokens...)
• But we will also show alternative ways to perform user impersonation

attl4s.github.io
User Impersonation (cont.)
• The following sections will talk about impersonation via:
• Access token manipulation
• Passwords
• NT hashes
• Kerberos tickets

• Bear in mind that there exist other types of credential material and protocols, but
they will not be explained here

attl4s.github.io
 Do I have hashes / tickets?

Creates Logon
Session TOKEN
User SID
Logon Session ID
Auth Auth package LSA Creates
Integrity
Groups
UserA HostA
…
Security
Provides information

Do I have passwords?
Can I manipulate interesting tokens?
 Can I Manipulate
Interesting Tokens?

attl4s.github.io
Recap
• Starting with this – useful for the next sections!

• Recall that credentials (if any) are tied to logon sessions

• Usually the result of an interactive authentication

• If you want to use a token to access network resources, it must be associated to a

session with credentials
• Access tokens represent the local security context of an authenticated user
• Session cached credentials can be seen as the “network security context”

attl4s.github.io
 Recap (cont.)

SSPI

Process.exe Logon Session 1 Cached Credentials

Logon Session 2
…

LSA
Token

https://docs.microsoft.com/en-us/windows/desktop/secauthz/access-tokens attl4s.github.io
Access Token Manipulation
• The Windows API provides functionality to manipulate access tokens
• E.g. duplicate tokens, create a new process with an specific token… and so on

• Depending what you are trying to achieve, you may need privileges
• As a local admin or SYSTEM, you will be able to manipulate any token in the system

• As a service account, you will likely be able to escalate privileges using techniques like Hot
Potato and the like

• As a normal user, you will be able to manipulate your own stuff (more on this later)

attl4s.github.io
Common Approaches
• There are two common approaches for when you want to hijack the security
context of an existing token:

1. Token Impersonation
• Duplicate the target token and apply it to your existing process or a new one

2. Process Injection
• Inject your payload/capability into the process where the target token is living

attl4s.github.io
Token Impersonation

attl4s.github.io
 TOKEN
Process User SID
Logon Session ID
Integrity
Groups
…

Logon Session
1. Duplicate Token
TOKEN
User SID
Logon Session ID
Integrity
Groups 2. Apply to… New Process
… or
Existing Thread
Process Injection

attl4s.github.io
 Payload

1. Inject

TOKEN
User SID
Logon Session ID Logon Session
Process
Integrity
Groups
…
Do I Have Passwords?

attl4s.github.io
RunAs.exe
• If you are a Windows user, you are probably familiar with RunAs.exe

• This tool enables the creation of processes using alternate credentials

• “I am Vegeta and I want to create a process running as Bulma”

• A default execution of RunAs will verify the provided credentials via LSA
• Similar to an interactive authentication (i.e. credentials cached for all the supported APs)
• The computer must know how to handle authentication for the target user

attl4s.github.io
attl4s.github.io
 Unknown Identities
• What happens when you use credentials from an account that is not known by
the current system?
• E.g. local user from other system or domain user from an untrusted domain

FAIL

https://blog.cobaltstrike.com/2015/12/16/windows-access-tokens-and-alternate-credentials/ attl4s.github.io
 The Netonly Flag
• RunAs offers the Netonly flag to allow the scenario described in the previous slide

• This flag tells RunAs that the specified credentials are for remote access only
• Credentials are not verified by LSA (i.e. you can specify wrong ones)

• Netonly processes have therefore two different security contexts:

• Local level: the process runs with the original identity that executed RunAs
• Network level: the process runs with the new identity (via cached credentials)

https://blog.cobaltstrike.com/2015/12/16/windows-access-tokens-and-alternate-credentials/ attl4s.github.io
attl4s.github.io
 TOKEN
User SID
Original Logon Logon Session ID
Session Integrity
Groups
…
2. The current token is
duplicated, and its logon session
ID updated with the new one
TOKEN
User SID
New Logon New Logon
Session Session ID
Integrity
New Process
1. A new logon session is created with the Groups
specified credentials
…
3. The new process runs with such token
attl4s.github.io
mimikatz attl4s.github.io
 Under The Hood
• RunAs uses the Win32 API CreateProcessWithLogon function
• Creates a new process with the security context of the specified credentials

https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createprocesswithlogonw attl4s.github.io
 Under The Hood (cont.)
• The Netonly flag uses the LOGON_NETCREDENTIALS_ONLY logon option, which
creates and uses a new logon session, but with the original token

https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createprocesswithlogonw attl4s.github.io
 Forget About RunAs
• Popular frameworks like MSF have their own RunAs (without the limitations of
the original one)
• E.g. post/windows/manage/run_as

https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/manage/run_as.rb attl4s.github.io
Forget About RunAs (cont.)
Interesting approaches?
1. Execute your payload directly as an executable file
• The new session will have the desired security context

2. Create an arbitrary process and steal its token

• Your existing session will acquire the desired security context

3. Create an arbitrary process and inject your payload into it

• The new session will have the desired security context

attl4s.github.io
 BONUS: MakeToken
• CreateProcessWithLogon is nice, but LogonUser is even better
• CreateProcessWithLogon in fact uses LogonUser

https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-logonusera attl4s.github.io
 BONUS: MakeToken (cont.)
• With LogonUser we can create a new logon session/token pair without having to
create a new process

• We can choose between different logon approaches

• E.g. LOGON32_LOGON_NEW_CREDENTIALS for “Netonly”

• The resulting token can be used through functions like

ImpersonateLoggedOnUser

https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-logonusera attl4s.github.io
Notes About Token Manipulation

attl4s.github.io
Few Notes
Doing token manipulation from a high integrity administrative context is easy – you
can do plenty of things:
1. Steal any token in the system

2. Inject into any process

3. Apply a stolen token into your current context

4. Create new processes with a stolen token

attl4s.github.io
Few Notes (cont.)
The same cannot be said for a medium integrity non-administrative context

1. You can only play with your own processes (includes those from RunAs)
• E.g. stealing tokens / process injection

2. Impersonating tokens in your current process should work fine

• As long as you can access those tokens!

3. Limitations when trying to create new processes using a token

• Functions like CreateProcessAsUser or CreateProcessWithToken require privileges

attl4s.github.io
Few Notes (cont.)
• In other words, if you are impersonating tokens from an unprivileged context,
focus on inline-execution

attl4s.github.io
Do I Have Hashes?

attl4s.github.io
Stolen Hashes
• Let’s suppose we have the NT hash of a juicy user (e.g. capsule.corp\bulma_da)

• How can we use such hash to impersonate her and access all them business
critical goodiez?

attl4s.github.io
Bad News?
• Unfortunately, Windows does not provide functionality to authenticate users via
NT hashes
• There is no LogonUserWithHash or CreateProcessWithHash functions 

• If we want to use a hash along with LSA, we need to manipulate and inject stuff
into the lsass process
• This is where all logon session and cached credential information is present
• Not only requires administrative privileges, it is also quite risky!

attl4s.github.io
Do LSA. Or Do Not.
• In reality, we don’t have to rely on LSA for user impersonation
• This also applies for when you have passwords or any other cred material
• Using LSA is an option!

• We can use tools with native support for protocols like NTLM or Kerberos
• We will call this approach: “The Fuck LSA way”

• Of course, each approach has its own advantages and disadvantages

attl4s.github.io
The LSA Way

attl4s.github.io
 Mimikatz Pass-the-Hash
• We will use Mimikatz to understand an ‘LSA-based’ Pass-the-Hash technique
• ‘LSA-based’ because we can do Pass-the-Hash without LSA as well

• Mimikatz provides functionality to create a new process using an NT hash rather

than a password

• The module we need to use is ‘sekurlsa::pth’

https://github.com/gentilkiwi/mimikatz/ attl4s.github.io
 Mimikatz Pass-the-Hash (cont.)
• In order to use Mimikatz’ approach you require administrative privileges
• Specifically, SeDebugPrivilege
• We are writing data into the lsass process

• By default, Mimikatz does this for the following authentication packages:

• Msv1_0 (NTLM)
• Kerberos

https://github.com/gentilkiwi/mimikatz/ attl4s.github.io
Mimikatz Pass-the-Hash (cont.)

attl4s.github.io
 Mimikatz Steps
Runas /netonly with the hash instead of the password!!

1. New process with CreateProcessWithLogon

• LOGON_NETCREDENTIALS_ONLY

2. Identify the new logon session created

• This can be extracted from the access token belonging to the new process

3. Write credential material into the target logon session

• Requires administrative privileges

https://github.com/gentilkiwi/mimikatz/blob/master/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.c attl4s.github.io
 Mimikatz Steps (cont.)

2. Find associated logon session

Process.exe
Logon Session X Cached Credentials

1. CreateProcessWithLogon …

LSA 3. Inject data

Token

https://github.com/gentilkiwi/mimikatz/blob/master/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.c attl4s.github.io
 Mimikatz Steps (cont.)

https://github.com/gentilkiwi/mimikatz/blob/master/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.c attl4s.github.io
Mimikatz Pass-the-Hash (cont.)

attl4s.github.io
NORMAL
LSASS (msv0_1)

Patatas123 BD35111AB3B0D46129EFBDBAB06B49C4 Access

“PASS-THE-HASH”
LSASS (msv0_1)

Access

Benjamin Delpy – “Abusing Microsoft Kerberos. Sorry you guys don’t get it” – Blackhat 2014
NORMAL AS-REQ

AS-REP

LSASS (Kerberos) TGS-REQ

DC
TGS-REP
Patatas123 BD35111AB3B0D46129EFBDBAB06B49C4

HostA

“OVERPASS-THE-HASH” AS-REQ

AS-REP

LSASS (Kerberos) TGS-REQ

DC
TGS-REP
BD35111AB3B0D46129EFBDBAB06B49C4

HostA

Benjamin Delpy – “Abusing Microsoft Kerberos. Sorry you guys don’t get it” – Blackhat 2014
The Fuck LSA Way

attl4s.github.io
The Fuck LSA Way
• This approach is quite easy - just find tools with native support for the protocols
you want to use

• You don’t have to play with complex Windows components - just specify
credentials to the tool and you are fine

• Some examples are shown in the following slides for NTLM and Kerberos

attl4s.github.io
 NTLM – Invoke-the-Hash

https://github.com/Kevin-Robertson/Invoke-TheHash attl4s.github.io
 NTLM – Metasploit

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/smb/psexec.rb attl4s.github.io
 NTLM – Impacket

https://github.com/fortra/impacket attl4s.github.io
 Kerberos
• For Kerberos we are only going to see examples of
tools that can generate raw Kerberos traffic to
obtain ticket-granting-tickets (TGT) or service tickets
(ST)

• In ‘Do I Have Tickets?’ we will see how to use those

tickets to actually interact with a service

TR19: You (dis)liked mimikatz? Wait for kekeo attl4s.github.io

 Ask Kerberos (cont.)

ASK-TGT/TGS
AS-REQ
AS-REP

TGS-REQ

TGS-REP DC

Access

https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/ attl4s.github.io
 Ask Kerberos – Rubeus

https://github.com/GhostPack/Rubeus attl4s.github.io
 Ask Kerberos – Impacket

https://github.com/fortra/impacket attl4s.github.io
Do I Have Tickets?

attl4s.github.io
Kerberos Tickets
• Although Windows does not provide functionality for NT hashes, it does for
Kerberos tickets

• You can import TGTs or STs into existing logon sessions

• Importing a ticket into your current session does not require privileges
• Importing a ticket into another session does require privileges

• Like the other sections, we can also use tools that do not rely on LSA

attl4s.github.io
The LSA Way

attl4s.github.io
Pass-the-Ticket
• Let’s suppose we have obtained (or forged) a Kerberos ticket from another user,
and we want to use it

• ‘Pass-the-Ticket’ consists of importing such ticket into an attacker-controlled

logon session
• This allows acting on behalf of the victim in the network

• Watchout when importing a TGT to an existing session - the original one will be
overwritten!

attl4s.github.io
 Pass-the-Ticket (cont.)
1. Obtain (or forge) a TGT/ST
2. Import the ticket(s)!

PASS-THE-TICKET
TGS-REQ

LSASS (Kerberos) TGS-REP DC

UserB

HostA

Benjamin Delpy – “Abusing Microsoft Kerberos. Sorry you guys don’t get it” – Blackhat 2014
 Pass-the-Ticket (cont.)
1. Obtain (or forge) a TGT/ST
2. Import the ticket(s)!

PASS-THE-TICKET
TGS-REQ

LSASS (Kerberos) TGS-REP DC

Kerberos LSA API = NO ADMIN ☺

UserB

HostA

Benjamin Delpy – “Abusing Microsoft Kerberos. Sorry you guys don’t get it” – Blackhat 2014
 Interacting with APs
• If we have a look at how Mimikatz or Rubeus implement this technique, we will
spot the use of LsaCallAuthenticationPackage

https://learn.microsoft.com/en-us/windows/win32/api/ntsecapi/nf-ntsecapi-lsacallauthenticationpackage attl4s.github.io
 Interacting with APs (cont.)
• The LsaCallAuthenticationPackage function enables applications to talk to
Windows authentication packages

• This is done through ‘messages’ which follow a specific structure expected by the
target authentication package
• These messages are just a buffer of data

• In the case of Pass-the-Ticket, the type of message is KerbSubmitTicketMessage

https://learn.microsoft.com/en-us/windows/win32/api/ntsecapi/nf-ntsecapi-lsacallauthenticationpackage attl4s.github.io
https://learn.microsoft.com/en-us/windows/win32/api/ntsecapi/ne-ntsecapi-kerb_protocol_message_type attl4s.github.io
Will Burgess - How attackers abuse Access Token Manipulation attl4s.github.io
https://github.com/gentilkiwi/mimikatz/blob/master/mimikatz/modules/kerberos/kuhl_m_kerberos.c attl4s.github.io
Passing the Ticket
• Two interesting approaches for Passing the Ticket:

1. Import ticket into another session (admin) and steal token or inject into
process
• Tip: create a fresh ‘netonly’ process and import the ticket there

2. Import ticket into the current session (no admin)

• Tip: create a fresh logon type 9 and impersonate it to avoid overwriting the original TGT
(à la make_token)

attl4s.github.io
Importing into another session

attl4s.github.io
 attl4s.github.io

Importing into “current” session

The Fuck LSA Way

attl4s.github.io
Examples
• Just a few examples of tools supporting raw Kerberos traffic

• We start from the assumption that we have obtained (or forged) a TGT belonging
to the bulma_da user

• How can we use it with tools like MSF or Impacket?

attl4s.github.io
 Inspect our stolen TGT

https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/kerberos/ attl4s.github.io
 Convert kirbi ticket to ccache (MSF wants this format)

Get a service ticket for the service we want to interact with (CIFS from web01.capsule.corp)

https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/kerberos/ attl4s.github.io
 Use the service ticket to interact with the CIFS service from web01.capsule.corp

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/smb/psexec.rb attl4s.github.io
 We can also use the same ticket with other tools like Impacket’s psexec

https://github.com/fortra/impacket attl4s.github.io
Moving with the SSPI

attl4s.github.io
 Impersonation

UserA UserB
HostA

HostB UserB
From HostA to HostB
• We know how to impersonate users in Windows
• Playing with credentials, logon sessions, access tokens, LSA…
• In this final section we focus on “the LSA way”

• Now we want to move laterally to a remote system

• From HostA to HostB using UserB’s security context

• Windows provides a lot of protocols and services to execute stuff on remote

computers

attl4s.github.io
From HostA to HostB (cont.)
• Some examples:
• [MS-SCMR]: Service Control Manager Remote Protocol

• [MS-TSCH]: Task Scheduler Service Remoting Protocol

• [MS-RRP]: Windows Remote Registry Protocol

• [MS-WSMAN]: Web Services Management Protocol

• [MS-WMI]: Windows Management Instrumentation Remote Protocol

• [MS-DCOM]: Distributed Component Object Model (DCOM) Remote Protocol

attl4s.github.io
PsExec
• Let’s take the PsExec technique as an example

• With the appropriate security context and network visibility, we can create a
remote service using the SCM remote protocol

• We can use native tools like ‘sc.exe’ for that purpose

• What is of interest for us is the fact that these tools use the SSPI, and don’t tend to allow
specifying credentials as arguments

attl4s.github.io
PsExec (cont.)
Creating a remote service on DC01 with sc.exe

attl4s.github.io
 PsExec (cont.)
Starting the remote service with a BOF

https://github.com/trustedsec/CS-Remote-OPs-BOF/tree/main/Remote/sc_start attl4s.github.io
MANY THANKS!
Any Question?

Is anybody awake?