
Commit 239d27c

Merge pull request #1702 from HackTricks-wiki/research_update_src_windows-hardening_active-directory-methodology_kerberos-double-hop-problem_20251221_082654
Research Update Enhanced src/windows-hardening/active-direct...
2 parents fb8554a + 7734ff4 commit 239d27c

File tree

1 file changed

+32
-4
lines changed


src/windows-hardening/active-directory-methodology/kerberos-double-hop-problem.md

Lines changed: 32 additions & 4 deletions
@@ -35,6 +35,20 @@ Invoke-Command -ComputerName bizintel -Credential ta\redsuit -ScriptBlock {
3535
}
3636
```
3737

38+
### Remote Credential Guard (RCG)
39+
40+
**Remote Credential Guard** keeps the user's TGT on the originating workstation while still allowing the RDP session to request new Kerberos service tickets on the next hop. Enable **Computer Configuration > Administrative Templates > System > Credentials Delegation > Restrict delegation of credentials to remote servers** and select **Require Remote Credential Guard**, then connect with `mstsc.exe /remoteGuard /v:server1` instead of falling back to CredSSP.
41+
42+
Microsoft broke RCG for multi-hop access on Windows 11 22H2+ until the **April 2024 cumulative updates** (KB5036896/KB5036899/KB5036894). Patch the client and intermediary server or the second hop will still fail. Quick hotfix check:
43+
44+
```powershell
45+
("KB5036896","KB5036899","KB5036894") | ForEach-Object {
46+
Get-HotFix -Id $_ -ErrorAction SilentlyContinue
47+
}
48+
```
49+
50+
With those builds installed, the RDP hop can satisfy downstream Kerberos challenges without exposing reusable secrets on the first server.
51+
3852
## Workarounds
3953

4054
### Invoke Command
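Review bot: The OS claim and the KB list in this hunk contradict each other: the paragraph says RCG was broken on Windows 11 22H2+ until KB5036896/KB5036899/KB5036894, but the only reference added for it (the support.microsoft.com link in the last hunk) is titled "KB5036896 (OS Build 17763.5696)", which is the Windows Server 2019 / Windows 10 1809 branch, not Windows 11 22H2. Either cite the April 2024 package for the Windows 11 branch actually being discussed or drop the version-specific claim. The `Get-HotFix -Id` loop is also not a usable check: a host that went straight to a later cumulative update (which carries the same fix) never installed those package IDs and prints nothing, and an unpatched host prints nothing too, so there is no pass/fail either way. Compare the installed build and UBR (`CurrentBuild`/`UBR` under `HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion`) against the fixed build for that branch instead. Two smaller points: RCG also has to be allowed on the remote host (the Restricted Admin/RCG `DisableRestrictedAdmin` LSA setting), which the how-to leaves out, and a `###` section that is itself a workaround is placed above `## Workarounds` rather than inside it alongside the others.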
@@ -57,7 +71,7 @@ A solution to bypass the double hop problem involves using `Register-PSSessionCo
5771
```bash
5872
Register-PSSessionConfiguration -Name doublehopsess -RunAsCredential domain_name\username
5973
Restart-Service WinRM
60-
Enter-PSSession -ConfigurationName doublehopsess -ComputerName <pc_name> -Credential domain_name\username
74+
Enter-PSSession -ConfigurationName doublehopsess -ComputerName TARGET_PC -Credential domain_name\username
6175
klist
6276
```
6377
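Review bot: The fence for this block is still tagged `bash` although every line is PowerShell (`Register-PSSessionConfiguration`, `Restart-Service`, `Enter-PSSession`, `klist`); retag it `powershell` so the page's fences describe their contents. The rename to `TARGET_PC` is fine but now mixes placeholder styles with `domain_name\username` on the same line; pick one convention. It would also help to state where each line runs: `Register-PSSessionConfiguration` and `Restart-Service WinRM` on the first-hop server (the session configuration lives on the host that later reaches hop #2), and `Enter-PSSession` from the operator's machine, since typed in one place the sequence does not exercise a second hop at all.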

@@ -94,15 +108,29 @@ To resolve `Connection reset` errors, permissions might need to be updated to al
94108
icacls.exe "C:\Users\redsuit\Documents\ssh\OpenSSH-Win64" /grant Everyone:RX /T
95109
```
96110

111+
### LSA Whisperer CacheLogon (Advanced)
112+
113+
**LSA Whisperer** (2024) exposes the `msv1_0!CacheLogon` package call so you can seed an existing *network logon* with a known NT hash instead of creating a fresh session with `LogonUser`. By injecting the hash into the logon session that WinRM/PowerShell already opened on hop #1, that host can authenticate to hop #2 without storing explicit credentials or generating extra 4624 events.
114+
115+
1. Get code execution inside LSASS (either disable/abuse PPL or run on a lab VM you control).
116+
2. Enumerate logon sessions (e.g. `lsa.exe sessions`) and capture the LUID corresponding to your remoting context.
117+
3. Pre-compute the NT hash and feed it to `CacheLogon`, then clear it when done.
118+
119+
```powershell
120+
lsa.exe cachelogon --session 0x3e4 --domain ta --username redsuit --nthash a7c5480e8c1ef0ffec54e99275e6e0f7
121+
lsa.exe cacheclear --session 0x3e4
122+
```
123+
124+
After the cache seed, rerun `Invoke-Command`/`New-PSSession` from hop #1: LSASS will reuse the injected hash to satisfy Kerberos/NTLM challenges for the second hop, neatly bypassing the double hop constraint. The trade-off is heavier telemetry (code execution in LSASS) so keep it for high-friction environments where CredSSP/RCG are disallowed.
125+
97126
## References
98127

99128
- [https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/understanding-kerberos-double-hop/ba-p/395463?lightbox-message-images-395463=102145i720503211E78AC20](https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/understanding-kerberos-double-hop/ba-p/395463?lightbox-message-images-395463=102145i720503211E78AC20)
100129
- [https://posts.slayerlabs.com/double-hop/](https://posts.slayerlabs.com/double-hop/)
101130
- [https://learn.microsoft.com/en-gb/archive/blogs/sergey_babkins_blog/another-solution-to-multi-hop-powershell-remoting](https://learn.microsoft.com/en-gb/archive/blogs/sergey_babkins_blog/another-solution-to-multi-hop-powershell-remoting)
102131
- [https://4sysops.com/archives/solve-the-powershell-multi-hop-problem-without-using-credssp/](https://4sysops.com/archives/solve-the-powershell-multi-hop-problem-without-using-credssp/)
132+
- [https://support.microsoft.com/en-au/topic/april-9-2024-kb5036896-os-build-17763-5696-efb580f1-2ce4-4695-b76c-d2068a00fb92](https://support.microsoft.com/en-au/topic/april-9-2024-kb5036896-os-build-17763-5696-efb580f1-2ce4-4695-b76c-d2068a00fb92)
133+
- [https://specterops.io/blog/2024/04/17/lsa-whisperer/](https://specterops.io/blog/2024/04/17/lsa-whisperer/)
103134

104135

105136
{{#include ../../banners/hacktricks-training.md}}
106-
107-
108-
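Review bot: Step 1 misdescribes the tool: LSA Whisperer, as the cited SpecterOps post presents it, is an ordinary client that sends package messages (here msv1_0's CacheLogon) through the LSA API from its own process; it does not need code execution inside LSASS or a PPL bypass, although privileged messages like this one typically require SeTcbPrivilege (run as SYSTEM). Step 1 and the closing "code execution in LSASS" telemetry remark should be rewritten around TCB/SYSTEM rather than LSASS injection. Three further points: seeding msv1_0 with an NT hash gives the session NTLM credentials, so "satisfy Kerberos/NTLM challenges" overstates it, since a Kerberos-only second hop needs a key or TGT held by the Kerberos package, which this call does not provide; "without generating extra 4624 events" holds only on hop #1, because hop #2 still logs the network logon it receives; and the `lsa.exe cachelogon --session ... --nthash ...` / `cacheclear` invocation should be verified against the tool's own help output before it ships as copy-paste, as the referenced post is the only source cited for it.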
