Lateral Movement Through Pass-the-Cache

Lateral movement techniques like Pass-the-Hash, Pass-the-Ticket, and Overpass-the-Hash provide attackers with ways to take stolen or compromised credentials and spread out across a network to achieve privilege escalation.  I recently found myself testing some Active Directory attacks from a Kali Linux host, and needed a way to use compromised credentials from this Linux system on my Windows boxes.  Luckily, this is something supported by Mimikatz and surprisingly easy to perform.  This technique, known as Pass-the-Cache, allows an attacker to take Kerberos credentials compromised from a Linux system and replay them on Windows systems within an Active Directory domain.  Let’s take a look at how this works and when you may find this useful in your own security testing.

Obtaining a Credential Cache (ccache) File

A credential cache file contains Kerberos credentials and is used to authenticate a user to other services without having to communicate to Active Directory each and every time.  So basically these are files on Linux that enable Kerberos authentication with Active Directory to work, much like TGT and TGS tickets stored in LSASS work on Windows. 

In my lab, I was testing different ways to generate tickets with a forged PAC and wanted to test out the MS14-068 exploit which allows you to forge the PAC of a Kerberos ticket with any user you have the password for, as long as you are targeting an unpatched domain controller running Windows Server 2008 R2 or earlier. 

Using the Python Kerberos Exploitation Kit it’s straightforward from Kali Linux to generate a Kerberos ticket with a forged PAC giving the user membership in Domain Admins, Enterprise Admins, Schema Admins, and Group Policy Creator Owners.  This can be performed against any account at all, as long as you know the password.  So this is a scary and powerful attack for privilege elevation.  By running this command I can successfully perform a forged PAC attack using PyKEK:

Python ms14-068.py –u [USERNAME] –s [USERSID] –p [USER PASSWORD] –d [DOMAIN CONTROLLER IP]

After successful completion of that, you are left with a credential cache file representing a new Kerberos TGT for the specified user with all of the new group memberships added via a forged PAC.  

Now that we have our ccache file, what can we do with it?  That is where Mimikatz comes in.

Performing a Pass-the-Cache Attack

After copying the ccache file over to my Windows system, now I am able to inject that ticket into my current session with Mimikatz and the pass-the-cache command:

Kerberos::ptc [TICKET NAME] 

You can see I now have the compromised users ticket loaded into memory, and although this user is just a regular Domain User I am able to connect to the admin share of my domain controller due to the forged PAC giving that user Domain Admin rights. 

Detecting Pass-the-Cache

To implement detections for pass-the-cache you mimic the detections we have covered for pass-the-ticket attack.  Both follow the same general technique where you load a TGT into your session that was obtained from elsewhere, and then use it to be granted TGS tickets.