Persistence
Kerberos Working
AS-REQ: The client requests a TGT from the authentication server, sending a timestamp encrypted with its key along with the request.
AS-REP: The authentication server checks that the client is known and, if so, returns an encrypted TGT as confirmation (the TGT is encrypted with the password hash of the krbtgt account).
TGS-REQ: The client sends the encrypted TGT along with an SPN (alex\MYSQLcomputer$@domain.local) to the ticket granting server as proof that it is a known client and wants to access a service (identified by the SPN).
TGS-REP: The ticket granting server verifies the TGT and returns a service ticket for that service. The service ticket is encrypted with the NTLM hash of the service account, so it can be harvested and cracked offline (known as a Kerberoasting attack). Note that the TGS does not check whether the client is allowed to access the requested service.
AP-REQ: Now that the client has the ST, it sends the ST to that service requesting access.
AP-REP: The service decrypts the ST, verifies whether the client is allowed to access it, and grants or denies access.
Golden Ticket
In the second step (AS-REP) the TGT sent to the client is proof that this client/service/computer exists on the domain and is legitimate, and that TGT is encrypted with the hash of the krbtgt account. If we have the hash of the krbtgt account we can forge a TGT ourselves, which means we can create our own TGT impersonating any client (e.g. a Domain Admin), service or computer. After creating the golden ticket we can use PsExec64 to gain access to that computer.
First extract the AES key of the krbtgt account on the DC using mimikatz, SafetyKatz or any other variant.
Alternatively, use the DCSync feature to get the same AES keys with DA privileges or as a user with replication rights.
After getting the AES key for krbtgt, run the following on any machine that has connectivity with the DC. From that machine, later use winrs to reach the DC. /ptt injects the ticket into the current PowerShell process; /ticket can be used instead to save it to a file for later use.
You can get the SID of the domain using PowerView itself.
Silver Ticket
A golden ticket provides access to any machine, while a silver ticket provides access to a particular service on the particular machine for which it was created. A silver ticket means forging our own service ticket: since the service ticket is signed and encrypted with the hash of the service account (the machine account, in this case DCORP-DC$, since the service runs on the machine), if we get the hash of the machine account on which that particular service is running we can forge our own service ticket and access that service on that machine later. So if we have administrative access on any machine
Note
Services such as HTTP (PowerShell remoting), CIFS, RPCSS, LDAP and WMI all use the machine account as their service account, e.g. dcorp-dc$, dcorp-adminsrv$, dcorp-student$.
Using the hash of the Domain Controller computer account, the command below provides access to the file system on the DC.
There are various ways of achieving command execution using silver tickets. Creating a silver ticket for the HOST SPN allows us to schedule a task on the target:
Note: when extracting AES keys for a machine account you may find multiple AES keys for the same account; always use the last one. The SID S-1-5-18 is the local SYSTEM account.
Diamond Ticket
A diamond ticket is created by decrypting a valid TGT, making changes to it and re-encrypting it with the AES key of the krbtgt account. Note: the golden ticket is a TGT forging attack, while the diamond ticket is a TGT modification attack, which makes it more OPSEC safe. Here too, if we have the hash of the krbtgt account we can modify a TGT and create our own, impersonating any client (e.g. a Domain Admin or the student user), service or computer.
Since the ticket is created for cmd.exe, access is gained using winrs.
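As an added defender-side example (not part of these notes), the Python below correlates the DC's 4768/4769 ticket events with Kerberos logons on hosts to surface the gaps that the golden and silver tickets described above leave behind: a golden ticket yields service tickets without a preceding TGT request, a silver ticket yields a host logon without any service ticket issued by the DC. The events are constructed samples and the field names are simplified assumptions.

```python
"""Correlate Kerberos events to spot forged tickets (added example, not from the notes)."""
from collections import defaultdict

# Constructed sample events, not real logs. 4768 (TGT issued) and 4769 (service ticket
# issued) are logged on the DC; 4624 is the logon on the target host, where the
# AuthenticationPackageName field (here "pkg") reads "Kerberos" for Kerberos logons.
EVENTS = [
    {"id": 4768, "user": "student1"},
    {"id": 4769, "user": "student1", "service": "DCORP-DC$"},
    {"id": 4624, "user": "student1", "host": "DCORP-DC", "pkg": "Kerberos"},
    # Golden ticket: the DC issued a service ticket although it never issued a TGT.
    {"id": 4769, "user": "Administrator", "service": "DCORP-DC$"},
    {"id": 4624, "user": "Administrator", "host": "DCORP-DC", "pkg": "Kerberos"},
    # Silver ticket: the host accepted a Kerberos logon for which the DC issued no ticket.
    {"id": 4624, "user": "Administrator", "host": "DCORP-ADMINSRV", "pkg": "Kerberos"},
]


def find_forged_tickets(events):
    """Return {"golden": [(user, service)], "silver": [(user, host)]} of suspicious pairs.

    A diamond ticket starts from a legitimately issued TGT, so it passes this check;
    catching it needs inspection of the ticket contents (e.g. PAC group membership),
    which these events do not carry. In production also window by time, since cached
    tickets are reused across logons and 4768 may predate the 4769 by hours.
    """
    tgt_users = {e["user"] for e in events if e["id"] == 4768}
    st_issued = defaultdict(set)  # user -> service accounts the DC ticketed for them
    for e in events:
        if e["id"] == 4769:
            st_issued[e["user"]].add(e["service"].upper())

    # Service ticket issued for a user the DC never gave a TGT: forged TGT (golden).
    golden = sorted({(u, s) for u, svcs in st_issued.items() if u not in tgt_users for s in svcs})
    # Kerberos logon on a host whose machine account never appeared in a 4769: forged ST (silver).
    silver = sorted(
        {(e["user"], e["host"]) for e in events
         if e["id"] == 4624 and e["pkg"] == "Kerberos"
         and f'{e["host"].upper()}$' not in st_issued.get(e["user"], set())}
    )
    return {"golden": golden, "silver": silver}


if __name__ == "__main__":
    for kind, hits in find_forged_tickets(EVENTS).items():
        for user, target in hits:
            print(f"possible {kind} ticket: {user} -> {target}")
```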
Skeleton Key
It is an attack where a domain controller (the lsass process) is patched so that it allows access as any user with a single password. Below, the password would be mimikatz on the domain controller of choice.
Now it is possible to access any machine with a valid username and the password "mimikatz".
DSRM (Directory Services Restore Mode)
There is a local administrator on every Domain Controller named Administrator whose password is the DSRM password. The DSRM password, also known as the SafeMode password, is needed when a server is promoted to a domain controller, and it is rarely changed. After altering the configuration on the DC it is possible to pass the NTLM hash of this user to access the DC.
Then on DC
Then, pass the hash
AdminSDHolder
AdminSDHolder is a security mechanism in AD whose primary purpose is to ensure that high-privilege accounts, such as members of built-in administrative groups like Domain Admins, Enterprise Admins, Schema Admins, Backup Operators, Server Operators, Print Operators and Replicator, remain secure and are not inadvertently granted excessive permissions or tampered with. For example, for persistence, if an attacker modifies the Domain Admins group to give the student user full control, the Security Descriptor Propagator (SDPROP) runs every hour, compares the ACL of the protected groups and their members with the ACL of AdminSDHolder, and overwrites any differences on the object ACL, so the changes made by the attacker would not survive beyond an hour. With DA privileges (Full Control/Write permissions) on the AdminSDHolder object, it can be used as a backdoor/persistence mechanism by adding a user with Full Control (or other interesting permissions) to the AdminSDHolder object. Within 60 minutes (when SDPROP runs), the user will be added with Full Control to the ACL of groups like Domain Admins without actually being a member of them.
Add FullControl permissions for a user to AdminSDHolder using PowerView as DA:
Abusing FullControl using PowerView
Grant a user the reset-password right on AdminSDHolder
Invoke the SDPropagator manually
Abuse the reset-password right using PowerView
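Because SDPROP copies the AdminSDHolder ACL onto every protected group and member, the ACL of that one object is the thing to watch. The following Python is an added example, not from these notes or from PowerView: it audits a list of ACEs (constructed here in the shape PowerView's Get-DomainObjectAcl -ResolveGUIDs output would have) and flags any control-capable right, including the FullControl and reset-password grants described above, held by a principal outside an assumed baseline.

```python
"""Audit the AdminSDHolder ACL for non-default control rights (added example, not from the notes)."""

# Rights that let a trustee take over the protected objects SDPROP copies this ACL to.
CONTROL_RIGHTS = {"GenericAll", "GenericWrite", "WriteDacl", "WriteOwner", "WriteProperty"}
# Extended rights worth flagging: "all extended rights" and User-Force-Change-Password.
ALL_RIGHTS_GUID = "00000000-0000-0000-0000-000000000000"
FORCE_CHANGE_PASSWORD_GUID = "00299570-246d-11d0-a768-00aa006e0529"
# Assumed baseline of principals expected to hold control rights on AdminSDHolder in this
# domain; build yours from a known-good export, not from a live (possibly backdoored) DC.
EXPECTED_CONTROL_TRUSTEES = {
    "NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators",
    "DOLLARCORP\\Domain Admins", "DOLLARCORP\\Enterprise Admins",
}

# Constructed ACEs (not a real export): two legitimate control entries, two harmless read /
# change-password entries, and two backdoor entries granted to student1.
ACES = [
    {"IdentityReference": "NT AUTHORITY\\SYSTEM", "ActiveDirectoryRights": "GenericAll", "ObjectType": ALL_RIGHTS_GUID},
    {"IdentityReference": "DOLLARCORP\\Domain Admins", "ActiveDirectoryRights": "GenericAll", "ObjectType": ALL_RIGHTS_GUID},
    {"IdentityReference": "NT AUTHORITY\\Authenticated Users", "ActiveDirectoryRights": "ReadProperty, GenericExecute", "ObjectType": ALL_RIGHTS_GUID},
    {"IdentityReference": "Everyone", "ActiveDirectoryRights": "ExtendedRight", "ObjectType": "ab721a53-1e2f-11d0-9819-00aa0040529b"},
    {"IdentityReference": "DOLLARCORP\\student1", "ActiveDirectoryRights": "GenericAll", "ObjectType": ALL_RIGHTS_GUID},
    {"IdentityReference": "DOLLARCORP\\student1", "ActiveDirectoryRights": "ExtendedRight", "ObjectType": FORCE_CHANGE_PASSWORD_GUID},
]


def is_control_ace(ace):
    """True if the ACE grants a right that allows taking over the object."""
    rights = {r.strip() for r in ace["ActiveDirectoryRights"].split(",")}
    if rights & CONTROL_RIGHTS:
        return True
    # User-Change-Password (ab721a53-...) needs the old password and is harmless here;
    # User-Force-Change-Password or an unscoped ExtendedRight is a reset-password backdoor.
    return "ExtendedRight" in rights and ace["ObjectType"].lower() in (ALL_RIGHTS_GUID, FORCE_CHANGE_PASSWORD_GUID)


def audit_adminsdholder(aces, expected=EXPECTED_CONTROL_TRUSTEES):
    """Return (trustee, rights) for every control-capable ACE held by an unexpected trustee."""
    return [(a["IdentityReference"], a["ActiveDirectoryRights"]) for a in aces
            if is_control_ace(a) and a["IdentityReference"] not in expected]


if __name__ == "__main__":
    for trustee, rights in audit_adminsdholder(ACES):
        print(f"unexpected control right on AdminSDHolder: {trustee} has {rights}")
```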
Rights abuse
With Domain Admin privileges we can modify the ACL of the domain root to give the student1 user the ability to perform DCSync by granting it replication rights.
Adding DCSync rights for the student1 user using PowerView
Persistence using ACLs - Security Descriptors
With DA privileges it is possible to make changes to ACLs, i.e. modify the owner, primary group and DACL (read, write, execute, delete, full control) of multiple remote access methods to allow access to non-admin users.
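A user holding the replication rights described above shows up when they are exercised: each DCSync pull is logged on the DC as Event ID 4662 on the domainDNS object with the replication control-access GUIDs in the Properties field. The Python below is an added example (not from these notes): it parses constructed 4662 messages, assumes a baseline of legitimate replicators (the DC machine account), and flags anyone else requesting DS-Replication-Get-Changes rights.

```python
"""Flag DCSync-style replication requests in Event ID 4662 records (added example, not from the notes)."""
import re

# Control-access-right GUIDs DCSync needs on the domain object: DS-Replication-Get-Changes,
# DS-Replication-Get-Changes-All and DS-Replication-Get-Changes-In-Filtered-Set.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
    "89e95b76-444d-4c62-991a-0facbeda640c",
}
# Assumed set of principals that legitimately replicate in this domain (DC machine accounts;
# add a directory-sync service account here if you run one).
EXPECTED_REPLICATORS = {"DCORP-DC$"}
GUID_RE = re.compile(r"\{([0-9a-f-]{36})\}", re.I)
FIELD_RE = re.compile(r"^\s*(Account Name|Object Type|Access Mask):\s*(\S+)", re.M)


def msg(account, obj_type, mask, props):
    """Build a constructed 4662 message text trimmed to the fields the check uses."""
    return (f"Subject:\n\tAccount Name:\t{account}\nObject:\n\tObject Type:\t{obj_type}\n"
            f"Access Request Information:\n\tAccess Mask:\t{mask}\n\tProperties:\tControl Access\n"
            + "".join(f"\t\t{{{g}}}\n" for g in props))

# Constructed samples: normal DC replication, student1 pulling with DCSync, student1 reading a user.
SAMPLE_4662 = [
    msg("DCORP-DC$", "domainDNS", "0x100", ["1131f6ad-9c07-11d1-f79f-00c04fc2dcd2", "19195a5b-6da0-11d0-afd3-00c04fd930c9"]),
    msg("student1", "domainDNS", "0x100", ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]),
    msg("student1", "user", "0x10", ["bf967a86-0de6-11d0-a285-00aa003049e2"]),
]


def parse_4662(message):
    fields = dict(FIELD_RE.findall(message))
    return {"account": fields.get("Account Name", ""), "object_type": fields.get("Object Type", ""),
            "access_mask": int(fields.get("Access Mask", "0"), 16),
            "guids": {g.lower() for g in GUID_RE.findall(message)}}


def find_dcsync(messages, expected=EXPECTED_REPLICATORS):
    """Return (account, matched replication GUIDs) for replication requests by unexpected accounts."""
    hits = []
    for m in messages:
        ev = parse_4662(m)
        matched = ev["guids"] & REPLICATION_GUIDS
        # 0x100 = CONTROL_ACCESS; DCSync requests it on the domain head (domainDNS) object.
        if matched and ev["access_mask"] & 0x100 and ev["object_type"] == "domainDNS" \
                and ev["account"].upper() not in expected:
            hits.append((ev["account"], sorted(matched)))
    return hits
```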
Using RACE tool
On local machine for student1:
On remote machine for student1 without explicit credentials:
On remote machine with explicit credentials. Only root\cimv2 and nested namespaces:
On remote machine remove permissions:
Persistence using ACLs - Remote Registry
Using RACE
As student1, retrieve machine account hash:
Retrieve local account hash:
Retrieve domain cached credentials: