Hash - Pass The Key
Pass The Key allows attackers to gain access to systems by using a valid session key instead of the user's password or NTLM hash. This technique is related to other credential-based attacks like Pass The Hash (PTH) and Pass The Ticket (PTT) but specifically uses session keys to authenticate.
Kerberos pre-authentication requires the requesting user to provide a secret key derived from their password; that key may use one of several encryption algorithms, such as DES, RC4, AES128 or AES256.
- RC4: ARCFOUR-HMAC-MD5 (23). In this format the key is the NTLM hash; see the Pass The Hash page to use it directly, and the Over Pass The Hash page to request a TGT from it.
- DES: DES3-CBC-SHA1 (16). Should no longer be used; it has been deprecated since 2018 (RFC 8429).
- AES128: AES128-CTS-HMAC-SHA1-96 (17). Both AES encryption types can be used with the Impacket and Rubeus tools.
- AES256: AES256-CTS-HMAC-SHA1-96 (18).
In the past there were more encryption types; several of them have since been deprecated.
| enctype | weak? | krb5 | Windows |
|---|---|---|---|
| des-cbc-crc | weak | <1.18 | >=2000 |
| des-cbc-md4 | weak | <1.18 | ? |
| des-cbc-md5 | weak | <1.18 | >=2000 |
| des3-cbc-sha1 | | >=1.1 | none |
| arcfour-hmac | | >=1.3 | >=2000 |
| arcfour-hmac-exp | weak | >=1.3 | >=2000 |
| aes128-cts-hmac-sha1-96 | | >=1.3 | >=Vista |
| aes256-cts-hmac-sha1-96 | | >=1.3 | >=Vista |
| aes128-cts-hmac-sha256-128 | | >=1.15 | none |
| aes256-cts-hmac-sha384-192 | | >=1.15 | none |
| camellia128-cts-cmac | | >=1.9 | none |
| camellia256-cts-cmac | | >=1.9 | none |
Microsoft Windows releases Windows 7 and later disable single-DES enctypes by default.
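As an added, defender-side example that is not part of the original page: the enctype numbers listed above are what a domain controller records in security event 4768 (TGT request) in its TicketEncryptionType field, so a TGT issued under an RC4 or DES key for an account that normally receives AES tickets is a practical detection for Pass The Key and Over Pass The Hash. The script below parses a constructed set of 4768/4769 events (the flattened key=value layout is assumed for this example, not a Windows export format) and flags weak or downgraded enctypes, rating a downgrade from AES to RC4 higher than an account that has only ever used RC4.

```python
"""Added example (not from the original page): flag Kerberos TGT requests that
used a weak or downgraded encryption type.  Windows logs a TGT request as
security event 4768 with a TicketEncryptionType field; RC4 (0x17) for an
account that otherwise gets AES tickets is the classic Pass The Key /
Over Pass The Hash indicator.  The event lines and their field layout are
constructed for this example."""
import re

# Enctype numbers from the page's list and table (same numbers as the RFC 3961
# registry; Windows reports them in hex).  Value: (name, weak or deprecated).
ENCTYPES = {
    0x01: ("des-cbc-crc", True),
    0x03: ("des-cbc-md5", True),
    0x10: ("des3-cbc-sha1", True),           # deprecated by RFC 8429
    0x11: ("aes128-cts-hmac-sha1-96", False),
    0x12: ("aes256-cts-hmac-sha1-96", False),
    0x17: ("arcfour-hmac", True),            # RC4; key is the NTLM hash, deprecated by RFC 8429
    0x18: ("arcfour-hmac-exp", True),
}

# Constructed sample: 4768 (TGT) and 4769 (service ticket) events flattened to
# key=value pairs by a hypothetical log forwarder.  Real events carry more fields.
SAMPLE_EVENTS = """\
EventID=4768 TargetUserName=alice TargetDomainName=CORP IpAddress=10.0.1.20 TicketEncryptionType=0x12 Status=0x0
EventID=4768 TargetUserName=alice TargetDomainName=CORP IpAddress=10.0.9.77 TicketEncryptionType=0x17 Status=0x0
EventID=4768 TargetUserName=svc_backup TargetDomainName=CORP IpAddress=10.0.1.5 TicketEncryptionType=0x12 Status=0x0
EventID=4768 TargetUserName=bob TargetDomainName=CORP IpAddress=10.0.1.21 TicketEncryptionType=0x17 Status=0x0
EventID=4768 TargetUserName=bob TargetDomainName=CORP IpAddress=10.0.1.21 TicketEncryptionType=0x17 Status=0x0
EventID=4769 TargetUserName=alice TargetDomainName=CORP IpAddress=10.0.1.20 TicketEncryptionType=0x17 Status=0x0
EventID=4768 TargetUserName=legacy$ TargetDomainName=CORP IpAddress=10.0.2.9 TicketEncryptionType=0x03 Status=0x0
EventID=4768 TargetUserName=carol TargetDomainName=CORP IpAddress=10.0.1.30 TicketEncryptionType=0x17 Status=0x18
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_events(text):
    """Turn each non-empty line into a dict of its key=value fields."""
    return [dict(KV_RE.findall(line)) for line in text.splitlines() if line.strip()]


def enctype_info(code):
    """Name and weakness flag for an enctype number; unknown types count as weak."""
    return ENCTYPES.get(code, ("unknown(%d)" % code, True))


def find_weak_tgt_requests(events):
    """Return one finding per successful TGT request (EventID 4768, Status 0x0)
    that used a weak enctype.  Severity is 'high' when the same account was
    already seen obtaining an AES TGT earlier in the stream (an encryption
    downgrade), 'medium' otherwise (the client may simply be legacy).
    Failed requests (non-zero Status) and service-ticket events are ignored."""
    findings = []
    aes_accounts = set()
    for ev in events:
        if ev.get("EventID") != "4768" or ev.get("Status") != "0x0":
            continue
        code = int(ev["TicketEncryptionType"], 16)
        user = ev["TargetUserName"]
        name, weak = enctype_info(code)
        if not weak:
            aes_accounts.add(user)   # establishes the account's AES baseline
            continue
        findings.append({
            "user": user,
            "client_ip": ev.get("IpAddress", "?"),
            "enctype": name,
            "severity": "high" if user in aes_accounts else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in find_weak_tgt_requests(parse_events(SAMPLE_EVENTS)):
        print("{severity:6} {user:12} {client_ip:12} {enctype}".format(**f))
```

On the constructed sample, alice's RC4 TGT from a new address after an AES TGT is rated high, bob's and the legacy computer account's weak requests are rated medium, and carol's failed pre-authentication is skipped. In a real deployment the AES baseline would come from a longer history than a single stream, and the medium findings are the list to work through when disabling RC4 on accounts.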
Either use the AES key to generate a ticket with ticketer, or request a new TGT using the getTGT.py script from Impacket.