
kerberos-double-hop

The Kerberos double-hop problem arises when we try to use Kerberos authentication across two hops. It comes down to how Kerberos tickets are granted for specific resources: when we authenticate with Kerberos, we receive a ticket that permits access to the requested resource only. By contrast, when we authenticate with a password, the NTLM hash is stored in our session. The intermediate hop/server cannot forward the user's credentials on to a second server without special configuration.

When authenticating with WinRM over two or more connections, the user's password is never cached as part of the login (we won't see the credentials in memory).

Method 1: Create a credential object (after connecting to the remote host with domain credentials)

We can create a PSCredential object to pass our credentials again on each query (works from a non-domain-joined host).

Import-Module .\PowerView.ps1

Set up a credential object

In the evil-winrm session:

$SecPassword = ConvertTo-SecureString '!qazXSW@' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('INLANEFREIGHT\backupadm', $SecPassword)

Query SPN accounts, passing the credential object explicitly:

Get-DomainUser -SPN -Credential $Cred | Select-Object samaccountname
klist   # check the cached tickets in this session

If we RDP to the same host instead and check the tickets with klist from CMD, the necessary tickets are already cached, so the double-hop problem does not apply there.

Method 2: PSSession configuration

First establish a WinRM session on the remote host.

From that session we cannot directly interact with the DC using PowerView (this is the double hop).

Register a PowerShell session configuration that runs as the domain user.

Restart WinRM (in the current session) so the new configuration is loaded.

Reconnect with Enter-PSSession, selecting the registered configuration by name.

Register-PSSessionConfiguration cannot be used from evil-winrm, as we won't get the credentials popup. Setting up a PSCredential object first and passing it with -RunAsCredential $Cred does not help either: this method requires GUI access and a proper PowerShell console.
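The full Method 2 sequence as an added example, not taken from the original notes. It assumes an elevated PowerShell console reached over RDP on the first-hop host; the configuration name backupadmsess, the host name DEV01 and the PowerView path C:\Tools\PowerView.ps1 are placeholders, while the account INLANEFREIGHT\backupadm comes from the notes above. Passing the user name as a string to -RunAsCredential is what triggers the credentials popup mentioned above.

```powershell
# Added example: register a RunAs session configuration so that commands
# executed through it get a full logon (and a cached TGT) for the domain user.
# Assumed: elevated PowerShell console via RDP on DEV01, names below are placeholders.

# 1. Register the endpoint. A string user name prompts for the password (GUI popup),
#    which is why this cannot be driven from an evil-winrm shell.
Register-PSSessionConfiguration -Name 'backupadmsess' `
    -RunAsCredential 'INLANEFREIGHT\backupadm' -Force

# 2. Restart WinRM so the new endpoint is loaded.
Restart-Service WinRM

# 3. Reconnect, explicitly selecting the named configuration (prompts for the password again).
$Session = New-PSSession -ComputerName 'DEV01' `
    -Credential 'INLANEFREIGHT\backupadm' -ConfigurationName 'backupadmsess'

# 4. Verify: inside the RunAs endpoint klist now shows a krbtgt ticket for backupadm,
#    and the second hop to the DC works without passing -Credential on every call.
Invoke-Command -Session $Session -ScriptBlock {
    klist
    Import-Module 'C:\Tools\PowerView.ps1'     # assumed path
    Get-DomainUser -SPN | Select-Object samaccountname
}

# 5. Clean up: remove the endpoint afterwards so the RunAs credential is not left
#    configured on the host, then reload WinRM once more.
Remove-PSSession $Session
Unregister-PSSessionConfiguration -Name 'backupadmsess' -Force
Restart-Service WinRM
```

Step 5 matters for defenders as well as testers: a lingering RunAs endpoint lets anyone allowed to connect to it run commands as that domain account, so session configurations should be audited (Get-PSSessionConfiguration) and removed when no longer needed.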
