# Diamond Ticket

{% hint style="success" %}
Learn & practice AWS Hacking: [**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)

Support HackTricks

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %}

## Diamond Ticket

**Like a golden ticket**, a diamond ticket is a **TGT that can be used to access any service as any user**. A golden ticket is forged entirely offline, encrypted with the krbtgt hash of that domain, and then passed into a logon session for use. Because domain controllers do not keep track of the TGTs they have legitimately issued, they will happily accept any TGT that is encrypted with their own krbtgt hash.

There are two common techniques for detecting the use of golden tickets:

* Look for TGS-REQs that have no corresponding AS-REQ.
* Look for TGTs with silly values, such as Mimikatz's default 10-year lifetime.

A **diamond ticket** is made by **modifying the fields of a legitimate TGT that was issued by a DC**. This is achieved by **requesting a TGT**, **decrypting** it with the domain's krbtgt hash, **modifying** the desired fields of the ticket, and then **re-encrypting** it. This **overcomes** the two shortcomings of a golden ticket described above because:

* The TGS-REQ will have a preceding AS-REQ.
* The TGT was issued by a DC, so it carries all the correct details from the domain's Kerberos policy. Even though these can be forged accurately in a golden ticket, doing so is more complex and open to mistakes.

```bash
# Get user RID
powershell Get-DomainUser -Identity <username> -Properties objectsid

.\Rubeus.exe diamond /tgtdeleg /ticketuser:<username> /ticketuserid:<RID of username> /groups:512 /krbkey:<krbtgt AES256 key>

# /tgtdeleg uses the Kerberos GSS-API to obtain a usable TGT for the user without needing to know their password, NTLM/AES hash, or elevation on the host.
# /ticketuser is the username of the principal to impersonate.
# /ticketuserid is the domain RID of that principal.
# /groups are the desired group RIDs (512 being Domain Admins).
# /krbkey is the krbtgt AES256 hash.
```
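The two golden-ticket heuristics above, written out as detection logic over sample records, as an added example that is not part of the original page. It assumes Windows Security log events 4768 (TGT requested, i.e. the AS-REQ) and 4769 (service ticket requested, i.e. the TGS-REQ) collected centrally, ticket start/end times taken from a host-side ticket listing, and the Active Directory default maximum user ticket lifetime of 10 hours; the event and ticket records are constructed, and the function names are the example's own. The `carol` records show the case the text describes: a ticket built from a legitimately issued TGT passes both checks.

```python
from datetime import datetime, timedelta

# Assumption: the monitored domain uses the AD default "Maximum lifetime for
# user ticket" of 10 hours.
MAX_TGT_LIFETIME = timedelta(hours=10)

# Constructed sample records mimicking Windows Security log fields
# (4768 = TGT requested / AS-REQ, 4769 = service ticket requested / TGS-REQ).
# 4769 reports TargetUserName as user@REALM, 4768 as the bare account name.
EVENTS = [
    {"EventID": 4768, "Time": "2024-05-01T08:00:00", "TargetUserName": "alice", "IpAddress": "10.0.0.5"},
    {"EventID": 4769, "Time": "2024-05-01T08:00:02", "TargetUserName": "alice@CORP.LOCAL", "IpAddress": "10.0.0.5"},
    # bob: a TGS-REQ with no AS-REQ beforehand, the classic golden-ticket pattern.
    {"EventID": 4769, "Time": "2024-05-01T09:15:00", "TargetUserName": "bob@CORP.LOCAL", "IpAddress": "10.0.0.9"},
    # carol: an AS-REQ exists, so the later TGS-REQ passes this check. A diamond
    # ticket derived from carol's real TGT produces exactly this pattern.
    {"EventID": 4768, "Time": "2024-05-01T10:00:00", "TargetUserName": "carol", "IpAddress": "10.0.0.7"},
    {"EventID": 4769, "Time": "2024-05-01T10:00:30", "TargetUserName": "carol@CORP.LOCAL", "IpAddress": "10.0.0.7"},
]

# Constructed sample TGTs as they would appear in a host-side ticket listing.
TICKETS = [
    {"User": "alice", "Start": "2024-05-01T08:00:00", "End": "2024-05-01T18:00:00"},
    {"User": "bob",   "Start": "2024-05-01T09:00:00", "End": "2034-04-29T09:00:00"},  # roughly 10 years
    {"User": "carol", "Start": "2024-05-01T10:00:00", "End": "2024-05-01T20:00:00"},
]


def _ts(value):
    return datetime.fromisoformat(value)


def _account(name):
    # Normalise "user@REALM" (4769) and "user" (4768) to the same key.
    return name.split("@")[0].lower()


def tgs_without_as(events, window=MAX_TGT_LIFETIME):
    """Heuristic 1: return (user, ip, time) for every 4769 that is not preceded,
    within `window`, by a 4768 for the same account from the same client IP."""
    last_as = {}
    findings = []
    for ev in sorted(events, key=lambda e: _ts(e["Time"])):
        key = (_account(ev["TargetUserName"]), ev["IpAddress"])
        when = _ts(ev["Time"])
        if ev["EventID"] == 4768:
            last_as[key] = when
        elif ev["EventID"] == 4769:
            seen = last_as.get(key)
            if seen is None or when - seen > window:
                findings.append((key[0], key[1], ev["Time"]))
    return findings


def oversized_tgts(tickets, max_lifetime=MAX_TGT_LIFETIME):
    """Heuristic 2: return users whose TGT lifetime exceeds the domain policy."""
    return [t["User"] for t in tickets if _ts(t["End"]) - _ts(t["Start"]) > max_lifetime]


if __name__ == "__main__":
    for user, ip, when in tgs_without_as(EVENTS):
        print(f"TGS-REQ without AS-REQ: {user} from {ip} at {when}")
    for user in oversized_tgts(TICKETS):
        print(f"TGT lifetime exceeds policy: {user}")
```

Two caveats for a real deployment: the AS-REQ and TGS-REQ of one logon may be handled by different domain controllers, so the correlation only works over logs from every DC, and a TGT renewed through a TGS-REQ (event 4770) legitimately outlives the original AS-REQ by up to the renewable lifetime, so renewals should extend `window` rather than be flagged. Neither heuristic catches the `carol` pattern, which is precisely why the text says a diamond ticket overcomes them.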