Sunday, March 27, 2016

Learning about Mimikatz, SkeletonKey, Dumping NTDS.dit and Kerberos with Metasploit - Lab Setup

This series of posts is based on my trying to get a better understanding of Mimikatz and Skeleton Key, while also getting a better understanding of Kerberos and Metasploit's new method of dumping the Active Directory database (NTDS.dit).

My lab consists of a Windows 2008 Server, a Windows 7 client and a 32-bit Kali installation.

The idea is not only to use the tools and see them in action, but also to try to identify ways in which I may be able to detect these activities based on the logs written, packet captures and memory analysis.

In order to ensure I have the necessary monitoring infrastructure in place, I will be using the "free" Splunk for log analysis, WinDump for packet capture and DumpIt to capture a memory image.

First up, let's install Splunk on my Kali system.

Now that Splunk is installed on Kali, it's time to install the Splunk Universal Forwarder on the Windows 2008 server and the Windows 7 client.

As shown below, I have not checked any of the Windows Event Log options. This is because I intend to use the Sysmon tool from the Sysinternals suite.

Now that the Splunk Universal Forwarder is installed, it's time to install the Sysmon monitoring tool.

Looks like Sysmon has been installed; let's verify that the service is in place.

Arite! Arite!! So far so good! The service is available. Now let's check to see if events are being created.

The above shows that logs are being written.

Let's now configure Splunk to forward these logs to the Kali host.

Let's now verify that these logs are actually getting to our Kali system and can be read by Splunk.
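For reference, the forwarder-side configuration that ships just the Sysmon channel to the Kali indexer looks like the following. This is an added example rather than the screenshots from the original post; the index name `sysmon` and the `KALI_IP` placeholder are assumptions, and 9997 is Splunk's default receiving port. Splunk .conf files do not support trailing comments on a setting line, so every comment sits on its own line.

```ini
# %SPLUNK_HOME%\etc\system\local\inputs.conf on the Windows 2008 server and Windows 7 client.
# Only the Sysmon channel is collected, matching the unchecked Windows Event Log options above.
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = 0
# XML rendering keeps the full Sysmon field set (Image, CommandLine, Hashes, ...) for searching.
renderXml = true
# Assumed index name; it must exist on the Kali indexer before events will be accepted.
index = sysmon

# %SPLUNK_HOME%\etc\system\local\outputs.conf on the same hosts.
[tcpout]
defaultGroup = kali_indexer

[tcpout:kali_indexer]
# Placeholder: replace KALI_IP with the address of the Kali host running the Splunk indexer.
server = KALI_IP:9997
```

On the Kali side, receiving on that port is switched on with `splunk enable listen 9997` (or under Settings > Forwarding and receiving), after which a search such as `index=sysmon` should show the events from both Windows hosts.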

Now that logs are coming into Splunk successfully, let's load WinDump on the Windows server.

As we have built out our monitoring infrastructure, it's now time to get the real work done. Let's get to the labs.
Posts in this series:
Learning about Mimikatz, SkeletonKey, Dumping NTDS.dit and Kerberos with Metasploit - Lab Setup
Learning about Mimikatz, SkeletonKey, Dumping NTDS.dit and Kerberos with Metasploit - Dumping the AD database
Learning about Mimikatz, SkeletonKey, Dumping NTDS.dit and Kerberos with Metasploit - Mimikatz
Learning about Mimikatz, SkeletonKey, Dumping NTDS.dit and Kerberos with Metasploit - Exporting Certificates
Learning about Mimikatz, SkeletonKey, Dumping NTDS.dit and Kerberos with Metasploit - Pass The Ticket (Golden Ticket)
Learning about Mimikatz, SkeletonKey, Dumping NTDS.dit and Kerberos with Metasploit - Skeleton Key
Learning about Mimikatz, SkeletonKey, Dumping NTDS.dit and Kerberos with Metasploit - Log Analysis
Learning about Mimikatz, SkeletonKey, Dumping NTDS.dit and Kerberos with Metasploit - Volatility Memory Analysis

2 comments:

  1. There are a bunch of inputs.conf files in the Splunk Universal Forwarder.
    Which one of them did you reconfigure?