UnPAC-the-Hash Activity

Kerberos is an authentication protocol that issues tickets as cryptographic proof of identity. As an alternative to Kerberos, users can pre-authenticate with PKINIT. The Microsoft implementation of PKINIT, also referred to as PKCA, allows the usage of x.509 certificates. An attacker that pre-authenticated with PKINIT can perform the UnPAC-the-Hash technique to steal NTLM hashes of account passwords.

To steal NTLM hashes, the attacker must first acquire an x.509 certificate from AD CS and a valid ticket granting ticket (TGT) from the Kerberos Key Distribution Center (KDC) on a domain controller (DC). Next, the attacker can run an attack tool, such as Certipy or Rubeus, to send a specially designed Kerberos request (TGS_REQ) to the KDC (1). This request has an option bitmask, such as 0x40810018, that specifies a type of user-to-user authentication. The KDC responds with a ticket that contains an NTLM hash for a Service Principal Name (SPN). Specifically, the NTLM hash is inserted into the privilege attribute certificate (PAC) structure of the Kerberos ticket (2). The attacker can decrypt this ticket to steal the NTLM hash and perform additional attacks, such as pass-the-hash, to access services and devices.