Active Directory

This section mean you have an access to computer that connected to AD. This mean we assume breach on that computer.

Enumerate Juicy Info

Harvest tickets from Linux

Check type and location of tickets:

grep default_ccache_name /etc/krb5.conf

If none return, default is FILE:/tmp/krb5cc_%{uid}.

In case of file tickets, you can copy-paste (if you have permissions) for use them.

In case of being KEYRING tickets, you can use tickey to get them:

# To dump current user tickets, if root, try to dump them all by injecting in other user processes
# to inject, copy tickey in a reachable folder by all users
cp tickey /tmp/tickey
/tmp/tickey -i

Harvest tickets from Windows

With Mimikatz:

mimikatz # sekurlsa::tickets /export

With Rubeus in Powershell:

reference:

https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a

krb5.keytab

extract with this -> https://github.com/sosdave/KeyTabExtract/blob/master/keytabextract.py

if you found the krb5cc_* file, just export it to env variable KRB5CCNAME then check with klist

PowerView

Import module

The Domain Users

The Domain Groups

The Shared Folder

Note: Default shared folder:

Net Computer

Mimikatz

note: must run as administrator

PreviousPost ExploitNextKerberos

Last updated