CAPEC-645: Use of Captured Tickets (Pass The Ticket)

Description

An adversary uses stolen Kerberos tickets to access systems/resources that leverage the Kerberos authentication protocol. The Kerberos authentication protocol centers around a ticketing system which is used to request/grant access to services and to then access the requested services. An adversary can obtain any one of these tickets (e.g. Service Ticket, Ticket Granting Ticket, Silver Ticket, or Golden Ticket) to authenticate to a system/resource without needing the account's credentials. Depending on the ticket obtained, the adversary may be able to access a particular resource or generate TGTs for any account within an Active Directory Domain.

Extended Description

When authenticating via LM or NTLM, an authenticating account's plaintext credentials are not required by the protocols for successful authentication. Instead, the hashed credentials are used to determine if an authentication attempt is valid. If an adversary can obtain an account's hashed credentials, the hash values can then be passed to a system or service to authenticate, without needing to brute-force the hashes to obtain their cleartext values. Successful Pass The Hash attacks result in the adversary fully authenticating as the targeted account, which can further allow the adversary to laterally move within the network, impersonate a legitimate user, and/or download/install malware to systems within the domain. This technique can be performed against any operating system that leverages the LM or NTLM protocols even if the operating system is not Windows-based, since these systems/accounts may still authenticate to a Windows domain.

Severity :

High

Possibility :

Low

Type :

Detailed

Relationships with other CAPECs

This table shows the other attack patterns and high level categories that are related to this attack pattern.

CAPEC-151: Identity Spoofing Identity Spoofing CAPEC-652: Use of Known Kerberos Credentials Use of Known Kerberos Credentials

Prerequisites

This table shows the other attack patterns and high level categories that are related to this attack pattern.

The adversary needs physical access to the victim system.
The use of a third-party credential harvesting tool.

Skills required

This table shows the other attack patterns and high level categories that are related to this attack pattern.

Low Determine if Kerberos authentication is used on the server.
High The adversary uses a third-party tool to obtain the necessary tickets to execute the attack.

Taxonomy mappings

Mappings to ATT&CK, OWASP and other frameworks.

ATTACK | Use Alternate Authentication Material:Pass The Ticket

Related CWE

A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful.

CWE-294: Authentication Bypass by Capture-replay

CWE-308: Use of Single-factor Authentication

CWE-522: Insufficiently Protected Credentials

Visit http://capec.mitre.org/ for more details.