However, there are advanced monitoring tools that could detect possible PTH attacks, both at the domain and local level. (Since PTH authentication is done using local administrators, access logs are not recorded in a domain controller, they stay on the computer, so a Blue Team would have to analyze the local logs of internal computers, or implement a SIEM to obtain all this information that is not being stored in the domain controllers).<\/p>\n\n\n\n
There are numerous articles on how to detect PTH or indications that can be observed in the access logs of the respective computers that suggest that this attack is being carried out.<\/p>\n\n\n\n
For this reason, we present in this post a slightly stealthier technique than PTH, called Pass the ticket.<\/p>\n\n\n\n
The Kerberos authentication flow is a bit complicated to explain in a nutshell (I don’t fully understand it yet enough to write confidently about it), but for this scenario, we’ll keep things simple.<\/p>\n\n\n\n
When a user authenticates through Kerberos, as a result, he gets a Ticket, either a service ticket or a “ticket granting ticket (TGT)”, this ticket could be considered as an identity document, which can be used in the internal domain to access certain resources without the need to authenticate with username and password.<\/p>\n\n\n\n
If an attacker gains control of one of these tickets, he can use it to impersonate the affected user and access internal domain resources as if he were the owner of the ticket.<\/p>\n\n\n\n
Scenario 1 – Pass the ticket<\/h2>\n\n\n\n
In order to configure the vulnerable environment, the only thing we need to do is login into a host with multiple users, in my case, on the host “TECNOLOGIA01”.<\/p>\n\n\n\n We can use the “impacket suite” to perform the attack, leveraging an existing script that automates the credential harvesting process.<\/p>\n\n\n\n As it was mentioned in previous posts, the domain authentication information is stored in memory, specifically within the “LSASS” process, so if we dump the process, we can obtain this information.<\/p>\n\n\n\n For this task, we can use multiple methods, to mention a few:<\/p>\n\n\n\n The script I mentioned before is called autoProc.py<\/strong>.<\/p>\n\n\n\n Link: https:\/\/gist.github.com\/knavesec\/0bf192d600ee15f214560ad6280df556<\/p>\n\n\n\n It’s recommended to edit the script, to set the correct path where the tool will look for the procdump binary.<\/p>\n\n\n\n This script will authenticate to the host through “wmiexec”, it’ll upload the “procdump” binary, execute it, downloads and deletes the output from the victim host and processes it using “pypykatz”.<\/p>\n\n\n\n Since we have administrative access on the “TECNOLOGIA01” host, we can execute “autoProc” to obtain the lsass dump from the host.<\/p>\n\n\n\n In this case, Windows defender is preventing the dump, so we’ll proceed to disable it remotely, as we did so on previous posts.<\/p>\n\n\n\n PS C:\\Windows\\System32> Set-MPPreference -disableRealTimeMonitoring $true<\/strong><\/p>\n\n\n\n Once the antivirus is disabled, we successfully obtain the required information.<\/p>\n\n\n\n This time, by specifying the “-k” flag on “pypykatz”, we’ll be able to extract the existing Kerberos tickets.<\/p>\n\n\n\n Listing the extracted tickets.<\/p>\n\n\n\n We can observe that there are many service tickets, as well as TGT tickets for two users, Service_BD<\/strong> and Administrator<\/strong>, which we can use to impersonate these users.<\/p>\n\n\n\n Since we extracted these tickets straight from a dump file, we need to convert the kerberos tickets from .kirbi to .ccache, we can do that by using the tool “kirby2ccache”, then we set up an environment variable named “KRB5CCNAME” pointing towards our new .ccache ticket and we execute “klist”, confirming the ticket is being recognized.<\/p>\n\n\n\n We try to spawn a semi-interactive shell through “wmiexec” on the domain controller using the extracted ticket.<\/p>\n\n\n\n By using the parameter “-k”, the tool will use the active kerberos ticket instead of a password, we should also use the parameter “-no-pass” to prevent any errors in the kerberos authentication procedure.<\/p>\n\n\n\n The ticket works and we get a valid session on the domain controller, giving us full control over it without the need to obtain the password or NTLM hash of the domain admin.<\/p>\n\n\n\n Since we have a valid domain admin kerberos ticket, we’ll use it to create a golden ticket and ensure persistence, which will give us access as a domain admin for a default time of 10 years, assuming the ticket wasn’t detected.<\/p>\n\n\n\n To forge these tickets, we need the following bits of information.<\/p>\n\n\n\n Using impacket-secretsdump<\/strong>, we can obtain the KRBTGT<\/strong> user NTLM hash.<\/p>\n\n\n\n The “-just-dc-user” <\/strong>parameter will allow us to extract a single user hash from the NTDS.dit database.<\/p>\n\n\n\n KRBTGT<\/strong>: 7f9b6cfb……bf1<\/p>\n\n\n\n To extract the domain SID, we can also use impacket suite, in this case, “lookupsid”.<\/p>\n\n\n\n To obtain this information, we can use any valid user within the domain, even low privileged ones.<\/p>\n\n\n\n Domain SID: S-1-5-21…..13415<\/p>\n\n\n\n For the FQDN, we can spawn a remote session on the Domain Controller and query the operating system through WMIC.<\/p>\n\n\n\n FQDN: jsec.local<\/p>\n\n\n\n Now we can forge our golden ticket using impacket suite, “ticketer”.<\/p>\n\n\n\n impacket-ticketer -nthash HASH-KRBTGT -domain-sid SID -domain FQDN USER<\/p>\n\n\n\n We’ll create a ticket for the domain user ‘DC01$’ and save it as “DC01$.ccache<\/strong>“.<\/p>\n\n\n\n We export the ticket with “export KRB5CCNAME=’.\/DC01$.ccache'” and dump the NTDS.dit database once again.<\/p>\n\n\n\n We get all of the domain users NTLM hashes, confirming the validity of our ticket.<\/p>\n\n\n\n It’s important to note that we don’t even need to impersonate a valid domain user, we can create the ticket for a non-existing user and we’ll still have Domain Admin privileges, because of the way the ticket is forged.<\/p>\n\n\n\n We generated a new ticket for the user “goldenticket<\/strong>“, which doesn’t exist in the current domain, but the access is still granted.<\/p>\n\n\n\n These are some of the known Kerberos attacks, mainly for lateral movement and persistence.<\/p>\n\n\n\n In future posts, we’ll explore slightly more complicated scenarios (Constrained delegation, Domain Admin to Enterprise Admin, etc.).<\/p>\n","protected":false},"excerpt":{"rendered":" In this entry, we continue with some known attacks on Active Directory environments using Kerberos, mainly lateral movement and persistence. One of the oldest and most known ways of lateral movement is Pass the hash, where we use a user’s NTLM hash to gain access to resources or computers where Continue Reading<\/i><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[22],"tags":[28,30],"class_list":["post-393","post","type-post","status-publish","format-standard","hentry","category-p-rt-en","tag-english","tag-rt"],"_links":{"self":[{"href":"https:\/\/jsec-rt.com\/index.php\/wp-json\/wp\/v2\/posts\/393","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jsec-rt.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jsec-rt.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jsec-rt.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jsec-rt.com\/index.php\/wp-json\/wp\/v2\/comments?post=393"}],"version-history":[{"count":1,"href":"https:\/\/jsec-rt.com\/index.php\/wp-json\/wp\/v2\/posts\/393\/revisions"}],"predecessor-version":[{"id":421,"href":"https:\/\/jsec-rt.com\/index.php\/wp-json\/wp\/v2\/posts\/393\/revisions\/421"}],"wp:attachment":[{"href":"https:\/\/jsec-rt.com\/index.php\/wp-json\/wp\/v2\/media?parent=393"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jsec-rt.com\/index.php\/wp-json\/wp\/v2\/categories?post=393"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jsec-rt.com\/index.php\/wp-json\/wp\/v2\/tags?post=393"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}![\"\"](\"https:\/\/jsec-rt.com\/wp-content\/uploads\/2022\/06\/image-19-1024x692.png\")
<\/figure>\n\n\n\nExploitation<\/h2>\n\n\n\n
\n
![\"\"](\"https:\/\/jsec-rt.com\/wp-content\/uploads\/2022\/06\/image-20.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/jsec-rt.com\/wp-content\/uploads\/2022\/06\/image-21.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/jsec-rt.com\/wp-content\/uploads\/2022\/06\/image-26.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/jsec-rt.com\/wp-content\/uploads\/2022\/06\/image-27.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/jsec-rt.com\/wp-content\/uploads\/2022\/06\/image-28.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/jsec-rt.com\/wp-content\/uploads\/2022\/06\/image-29.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/jsec-rt.com\/wp-content\/uploads\/2022\/06\/image-30-1024x229.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/jsec-rt.com\/wp-content\/uploads\/2022\/06\/image-31.png\")
<\/figure>\n\n\n\nPERSISTENCE – GOLDEN TICKET<\/h2>\n\n\n\n
\n
![\"\"](\"https:\/\/jsec-rt.com\/wp-content\/uploads\/2022\/06\/image-34.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/jsec-rt.com\/wp-content\/uploads\/2022\/06\/image-35.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/jsec-rt.com\/wp-content\/uploads\/2022\/06\/image-36.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/jsec-rt.com\/wp-content\/uploads\/2022\/06\/image-37-1024x238.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/jsec-rt.com\/wp-content\/uploads\/2022\/06\/image-38-1024x702.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/jsec-rt.com\/wp-content\/uploads\/2022\/06\/image-39-1024x691.png\")
<\/figure>\n\n\n\n