Sunday, March 27, 2016

Learning about Mimikatz, SkeletonKey, Dumping NTDS.dit and Kerberos with Metasploit - Pass The Ticket (Golden Ticket)

As we continue this journey of learning about Mimikatz, SkeletonKey, Dumping NTDS.dit and Kerberos with Metasploit, the objective of this post is for me to learn a bit more about Passing The Ticket (Golden Ticket) using mimikatz.

A golden ticket is a forged Kerberos TGT. The KDC encrypts and signs every TGT it issues with the key of the krbtgt account, so anyone holding that key can mint a TGT for any principal name, with any group memberships written into its PAC, and the domain controllers will accept it. The user named in the ticket does not even need to exist in Active Directory (a DC only looks the account up once a TGT is more than 20 minutes old, so a freshly forged ticket for a non-existent user still works). So this was obviously interesting to me.


First up, let's load up mimikatz and ensure we are good to go.


Let's look at the secrets we recovered for the "krbtgt" account in the earlier posts. Its key is what the KDC uses to protect every TGT, so it is the only secret a golden ticket needs.

Looks like we have a few choices: mimikatz's kerberos::golden accepts the krbtgt secret as an NTLM/RC4 hash (/rc4, also spelled /krbtgt), an AES128 key (/aes128) or an AES256 key (/aes256). Let's use the AES256 key. Strictly it is a key derived from the account password rather than a hash, and the choice matters: a TGT forged with the AES256 key carries etype 18, the same as the TGTs an up-to-date domain issues, whereas a TGT encrypted with RC4 (etype 23) on an AES-capable domain is one of the classic golden ticket indicators.

Good stuff, it looks like we were able to create a ticket for the user EvilUser.

Additionally, we have assigned this user to the Domain Admins, Domain Users, Cert Publishers, Enterprise Admins and Schema Admins groups. Now that is a lot of privileges this EvilUser has. Note that these memberships exist only in the PAC we wrote into the forged ticket; nothing in Active Directory was changed, and the group RIDs do not have to correspond to groups the user actually belongs to, or to a user that exists at all.

Time to verify that the ticket was created successfully. Without /ptt, kerberos::golden does not inject anything; it writes the ticket to a .kirbi file (ticket.kirbi by default) in the current directory.


Good stuff! We are now on our way to passing the ticket.


But before we pass the ticket, let's see if any Kerberos tickets already exist in this logon session (kerberos::list in mimikatz).

Looks like we have none.

So let's make sure there is one: pass the .kirbi file into the current session (kerberos::ptt).






Looks good! Let's see what mimikatz says about this ticket.



Well, I guess a lot was said by mimikatz. Let's see what the native Windows tool klist.exe says.

It says much the same thing. Looks like progress was made creating the golden ticket. One caveat: both listings only prove that the forged TGT is sitting in the client's ticket cache. Neither asks a domain controller anything, so the real test of a golden ticket is to use it, for example by requesting a service ticket (touching a share on the DC with the forged identity) and seeing whether the KDC honours the TGT.
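The .kirbi file that kerberos::golden writes (and that klist and mimikatz are summarising above) is a DER-encoded KRB-CRED, which is what the dumpasn1 link in the references decodes. The ticket's realm, service name and encryption type sit in the clear in that structure; only the enc-part, which holds the user name, the PAC with its group RIDs and the validity times, is encrypted with the krbtgt key. The script below is an added example, not code from the post or from mimikatz: it walks that cleartext envelope with a small DER reader and flags the things a defender would check on a ticket pulled from a host, in particular an RC4-encrypted TGT. The realm LAB.LOCAL and the tickets it builds are constructed for the example with dummy cipher bytes; they are not tickets from the lab in this series.

```python
"""Inspect the cleartext envelope of a Kerberos .kirbi (KRB-CRED) file.

A .kirbi is a DER-encoded KRB-CRED (RFC 4120, 5.8.1).  The Ticket inside it
carries tkt-vno, realm, sname and the etype/kvno of its enc-part in the clear;
only enc-part.cipher (user, PAC groups, times) is encrypted with the krbtgt key.
Standard library only.  The tickets built here are CONSTRUCTED samples with
dummy cipher bytes, not tickets from a real domain.
"""

ETYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
               23: "rc4-hmac"}

# ---- minimal DER encoder, used only to build the constructed samples ----
def _len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body

def ctx(n, body):      # context-specific constructed tag [n]
    return tlv(0xA0 | n, body)

def app(n, body):      # [APPLICATION n], constructed
    return tlv(0x60 | n, body)

def integer(v):        # DER INTEGER, two's complement
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def gstring(s):        # GeneralString
    return tlv(0x1B, s.encode("ascii"))

def seq(*parts):
    return tlv(0x30, b"".join(parts))

def encrypted_data(etype, kvno, cipher):
    return seq(ctx(0, integer(etype)), ctx(1, integer(kvno)),
               ctx(2, tlv(0x04, cipher)))

def build_kirbi(realm, etype, kvno, cipher):
    """Constructed KRB-CRED holding one TGT (sname krbtgt/realm)."""
    sname = seq(ctx(0, integer(2)),                       # NT-SRV-INST
                ctx(1, seq(gstring("krbtgt"), gstring(realm))))
    ticket = app(1, seq(ctx(0, integer(5)), ctx(1, gstring(realm)), ctx(2, sname),
                        ctx(3, encrypted_data(etype, kvno, cipher))))
    # KRB-CRED enc-part with etype 0 (EncKrbCredPart stored unencrypted); its
    # body is a placeholder here because this example does not parse it.
    cred_part = seq(ctx(0, integer(0)), ctx(2, tlv(0x04, b"\x00")))
    return app(22, seq(ctx(0, integer(5)), ctx(1, integer(22)),
                       ctx(2, seq(ticket)), ctx(3, cred_part)))

# ---- DER walker ----
def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                 # long-form length
        n, pos = length & 0x7F, pos + (length & 0x7F)
        length = int.from_bytes(buf[pos - n:pos], "big")
    return tag, buf[pos:pos + length], pos + length

def children(body):
    """Elements of a constructed value as a list of (tag, value)."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def field(elems, n):
    """The single element wrapped in context tag [n], or None if absent."""
    for tag, val in elems:
        if tag == 0xA0 | n:
            return children(val)[0]
    return None

def to_int(tv):
    return int.from_bytes(tv[1], "big", signed=True)

def parse_ticket(ticket_tv):
    tag, body = ticket_tv
    if tag != 0x61:                                   # [APPLICATION 1] Ticket
        raise ValueError("not a Ticket")
    f = children(children(body)[0][1])                # fields of the inner SEQUENCE
    sname = children(field(f, 2)[1])
    enc = children(field(f, 3)[1])
    kvno = field(enc, 1)
    return {"tkt_vno": to_int(field(f, 0)),
            "realm": field(f, 1)[1].decode("ascii"),
            "sname": [v.decode("ascii") for _, v in children(field(sname, 1)[1])],
            "etype": to_int(field(enc, 0)),
            "kvno": to_int(kvno) if kvno else None,
            "cipher_len": len(field(enc, 2)[1])}

def parse_kirbi(data):
    """Return the parsed Ticket structures inside a KRB-CRED blob."""
    tag, body, _ = read_tlv(data, 0)
    if tag != 0x76:                                   # [APPLICATION 22] KRB-CRED
        raise ValueError("not a KRB-CRED")
    cred = children(children(body)[0][1])
    if to_int(field(cred, 1)) != 22:
        raise ValueError("msg-type is not KRB-CRED")
    return [parse_ticket(t) for t in children(field(cred, 2)[1])]

def assess(t, expected_realm):
    """Findings a defender would raise about a TGT pulled from a host."""
    findings = []
    if t["sname"] != ["krbtgt", t["realm"]]:
        findings.append("sname is not krbtgt/<realm>: not a TGT")
    if t["realm"] != expected_realm:
        findings.append(f"realm {t['realm']!r} does not match {expected_realm!r}")
    if t["etype"] == 23:
        findings.append("TGT encrypted with rc4-hmac; on a domain whose DCs "
                        "issue AES TGTs this is a classic golden-ticket tell")
    elif t["etype"] not in ETYPE_NAMES:
        findings.append(f"unknown etype {t['etype']}")
    return findings

if __name__ == "__main__":
    for etype in (18, 23):                            # AES256 as in the post, then RC4
        t = parse_kirbi(build_kirbi("LAB.LOCAL", etype, 2, b"\x00" * 48))[0]
        print(f"{'/'.join(t['sname'])} etype={t['etype']} "
              f"({ETYPE_NAMES.get(t['etype'], '?')}) kvno={t['kvno']} "
              f"cipher={t['cipher_len']} bytes ->", assess(t, "LAB.LOCAL") or "no findings")
```

Run it as-is to see the AES256 sample pass and the RC4 sample get flagged; to inspect a real export, replace the constructed blob with `open("ticket.kirbi", "rb").read()`. The point of the exercise is that the etype and realm are verifiable without the krbtgt key, while the user name and the inflated group list from the post live behind the cipher and can only be read by a DC (or by someone who also holds the key).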

I wanted to do some additional validation on this. However, I did not have an x64 machine to test. So this is it for now. I'm confident that this works based on the additional research I've seen other people have done.


See you in the next post, where we start to look at the logs.




References:
http://www.slideshare.net/gentilkiwi/abusing-microsoft-kerberos-sorry-you-guys-dont-get-it
http://www.emvlab.org/dumpasn1/upload/
https://support.microsoft.com/en-us/kb/243330
https://adsecurity.org/?p=1515
http://dfir-blog.com/2015/12/13/protecting-windows-networks-kerberos-attacks/
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/Using_Kerberos.html



Posts in this series:
Learning about Mimikatz, SkeletonKey, Dumping NTDS.dit and Kerberos with Metasploit - Lab Setup
Learning about Mimikatz, SkeletonKey, Dumping NTDS.dit and Kerberos with Metasploit - Dumping the AD database
Learning about Mimikatz, SkeletonKey, Dumping NTDS.dit and Kerberos with Metasploit - Mimikatz
Learning about Mimikatz, SkeletonKey, Dumping NTDS.dit and Kerberos with Metasploit - Exporting Certificates
Learning about Mimikatz, SkeletonKey, Dumping NTDS.dit and Kerberos with Metasploit - Pass The Ticket (Golden Ticket)
Learning about Mimikatz, SkeletonKey, Dumping NTDS.dit and Kerberos with Metasploit - Skeleton Key
Learning about Mimikatz, SkeletonKey, Dumping NTDS.dit and Kerberos with Metasploit - Log Analysis
Learning about Mimikatz, SkeletonKey, Dumping NTDS.dit and Kerberos with Metasploit - Volatility Memory Analysis
