This write-up is part of a series of articles on the tool Mimikatz, which is written in the programming language C. It is mostly used for extracting Kerberos tickets from memory and for generating golden tickets.
In this scenario, we will be using Mimikatz inside the client machine to find out which tickets are available on the client system.
We will use the command:
Kerberos::list
This list command will display all the tickets available on the client machine.
As you can see from the above screenshot, there are 2 tickets within our client machine. The list command provides information such as:
1. Start/End time of the ticket
2. Server name
3. Client name
4. Flags
Now that this information is available, if we want to save it for future use or reference, we use the following command:
Kerberos::list /export
This will save the above TGT tickets in the Mimikatz folder in the kirbi format.
Now that the ticket has been saved in the Mimikatz folder, we renamed it to ticket.kirbi for ease of use. Note that this is not a mandatory step.
Since we have this ticket, we will now see how it can be used later on for lateral movement by performing a pass the ticket attack.
To perform the pass the ticket attack (PTT), we will issue the following command:
Kerberos::ptt ticket.kirbi
Once the command has been executed successfully, we will issue another command, misc::cmd, which will open a command prompt session. We can see that the command prompt session has been opened as the domain user ignite\aarti.
Let's try to browse the directory of the server as the user aarti by typing the following command in the command prompt:
dir \\192.168.1.188\c$
(192.168.1.188 being the server IP address)
As you can see, we are able to view the whole directory of the server.
So, despite being a non-administrator domain account, the user aarti was able to list the C drive of the server by using the PTT attack.
Kerberos TGT
To display all TGTs (Ticket Granting Tickets), we can use the following command:
Kerberos::tgt
Kerberos ASK
This helps you to obtain a service ticket. The syntax for running this command is as follows:
Kerberos::ask /target:<spn>
where the SPN in our case is cifs/dc1.ignite.local.
To display all the service tickets, we issue the command: Kerberos::list
As we can see, we have 3 tickets listed below.
Kerberos Hash
This will dump all hashes available on the client machine.
Golden Ticket Attack (GTA)
Golden Tickets are forged Ticket-Granting Tickets (TGTs), also called authentication tickets. The basic information needed to perform this attack is:
1. Domain name: ignite.local
2. SID: S-1-5-21-1255168540-3690278322-1592948969
3. KRBTGT hash: 5cced0cb593612f08cf4a0b4f0bcb017
4. A user to impersonate: raaz
So if we have the domain name, the SID and the hash value of krbtgt, then we can go for a pass the ticket attack by generating a forged golden ticket.
So the command for performing GTA is as follows:
Kerberos::golden /user:raaz /domain:ignite.local /sid:S-1-5-21-1255168540-3690278322-1592948969 /krbtgt:5cced0cb593612f08cf4a0b4f0bcb017 /id:500 /ptt
where /id:500 is the RID of the built-in Administrator account, which gives the ticket administrator privileges.
As shown above, the command has completed successfully. Now let's launch the command prompt via Mimikatz by issuing the command: misc::cmd
Via the new command prompt, we will be able to access the server directories, same as in the previous examples.
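As an added defender-side example (not part of the original post and not Mimikatz's own code), the following Python parses a kerberos::list-style dump into the fields listed earlier (start/end time, server name, client name, flags) and flags TGTs whose lifetime exceeds the default 10-hour domain ticket policy, one common tell of a forged golden ticket injected into a session. The sample dump is constructed, and its exact layout is an assumption about the tool's output.

```python
import re
from datetime import datetime, timedelta

# Constructed sample laid out like a kerberos::list dump. Assumption: real
# output differs in detail across versions, so adjust the regexes to match.
SAMPLE_LIST_OUTPUT = """
[00000000] - 0x00000012 - aes256_hmac
   Start/End/MaxRenew: 4/8/2020 10:15:03 AM ; 4/8/2020 8:15:03 PM ; 4/15/2020 10:15:03 AM
   Server Name       : krbtgt/IGNITE.LOCAL @ IGNITE.LOCAL
   Client Name       : aarti @ IGNITE.LOCAL
   Flags 40e10000    : name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ;

[00000001] - 0x00000017 - rc4_hmac_nt
   Start/End/MaxRenew: 4/8/2020 10:20:11 AM ; 4/8/2030 10:20:11 AM ; 4/8/2030 10:20:11 AM
   Server Name       : krbtgt/ignite.local @ ignite.local
   Client Name       : raaz @ ignite.local
   Flags 40e00000    : pre_authent ; initial ; renewable ; forwardable ;
"""

TIME_FMT = "%m/%d/%Y %I:%M:%S %p"
HEADER_RE = re.compile(r"^\[(\d+)\] - 0x[0-9a-fA-F]+ - (\S+)")
FIELD_RE = re.compile(r"^\s*(Start/End/MaxRenew|Server Name|Client Name|Flags \w+)\s*:\s*(.*)$", re.M)


def parse_ticket_list(text):
    """Return one dict per ticket with the fields the list command reports."""
    tickets = []
    for block in re.split(r"\n(?=\[\d+\])", text.strip()):
        head = HEADER_RE.match(block)
        if not head:
            continue  # not a ticket header, e.g. a banner line
        t = {"index": int(head.group(1)), "etype": head.group(2)}
        for name, value in FIELD_RE.findall(block):
            if name.startswith("Start/End"):
                start, end = [s.strip() for s in value.split(";")][:2]
                t["start"] = datetime.strptime(start, TIME_FMT)
                t["end"] = datetime.strptime(end, TIME_FMT)
            elif name == "Server Name":
                t["server"] = value.strip()
            elif name == "Client Name":
                t["client"] = value.strip()
            else:  # Flags line: keep the named flags as a list
                t["flags"] = [f.strip() for f in value.split(";") if f.strip()]
        tickets.append(t)
    return tickets


def suspicious_tgts(tickets, max_hours=10):
    """Indices of TGTs (server krbtgt/...) living longer than the domain's policy allows."""
    return [t["index"] for t in tickets
            if t["server"].lower().startswith("krbtgt/")
            and t["end"] - t["start"] > timedelta(hours=max_hours)]
```

A ticket that outlives the policy maximum was not issued by the KDC under that policy, so the host, the client name it carries and the krbtgt key itself deserve investigation.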
Another method of the golden ticket attack can be performed by using the tool impacket.
Mimikatz and Rubeus generate the ticket as a .kirbi file. But if we use impacket for the golden ticket attack, it will not give you the ticket in kirbi format; it will give you the ticket in .ccache format.
So if we have the ticket in ccache format, then we can perform pass the ccache as shown below. The command is:
Kerberos::ptc administrator.ccache
Then misc::cmd will open a new command prompt via which we will be able to access the server directories, same as in our previous examples.
If we want to list all the ccache tickets that exist on the client system, then we use the following command: Kerberos::clist administrator.ccache
If we want to delete all the tickets, whether in ccache or kirbi format, we can use the following command:
Kerberos::purge