Charlie Bromberg « Shutdown » Profile picture
Apr 22, 2021 25 tweets 5 min read Read on X
(infosec thread) one of my latest tweets was followed by some questions in my DMs. So let's answer those here and remind some concepts😈

I'll talk about pass-the-hash, pass-the-ticket, pass-the-key, overpass-the-hash, pass-the-cache, silver and golden tickets 👇
Pass-the-Hash (1/4) : NTLM (LM, LMv2, NTLM or NTLMv2 depending on the version) is an authentication protocol used by Windows and AD-DS. Users have passwords, which are stored in a hashed format (LM or NT hash depending on the security settings and version).
Pass-the-Hash (2/4) : when authenticating to a remote service, the password hash is used to compute a ChallengeResponse. The LM hash is used for the LM version of the protocol while the NT hash is used for LMv2, NTLM and NTLMv2.
Pass-the-Hash (3/4) : since the password hash is used as-is, the knowledge of the password isn't required to authenticate. Only the knowledge of the LM or NT hash is needed. Using one of those hashes to authenticate is called "Pass-the-Hash"
Pass-the-Hash (4/4) : you have further questions, read thehacker.recipes/active-directo… and thehacker.recipes/active-directo…. Still have questions? You can DM or comment
Pass-the-Ticket (1/3) : Kerberos is another authentication protocol. It works with tickets and can only work for domain users (while NTLM can be used to authenticate a local user to a remote service). This one is pretty straight forward.
Pass-the-Ticket (2/3) : when attackers find Kerberos tickets that are not expired, they can use them to authenticate to remote services. That is called Pass-the-Ticket.
Pass-the-Ticket (3/3) : want to learn more about this? Read thehacker.recipes/active-directo…
Pass-the-Cache (1/1) : it's the same thing. Instead of using tickets from, or found on, Windows machines, this technique is about using tickets from, or found on, UNIX-like systems, but the principle is the same.
Pass-the-Key (1/3) : when requesting Kerberos tickets, knowledge of a shared key is needed. 4 types of keys exist : DES, RC4, AES-128 and AES-256.
Pass-the-Key (2/3) : when an attacker knows one of those keys, if the corresponding type is accepted by the KDC (Key Distribution Center, a service usually hosted on the Domain Controller), tickets can be obtained, hence allowing for Kerberos authentication to remote services.
Overpass-the-Hash (1/3) : this is the exact same thing as Pass-the-Key. The subtle difference is that RC4 Kerberos keys are actually the NT hashes of the users. And god knows how easier it is to come accross NT hashes than DES or AES Kerberos keys.
Overpass-the-Hash (2/3) : this technique is the equivalent of Pass-the-Hash, but for Kerberos. Attackers can use a user's NT hash to obtain Kerberos tickets and authenticate, without requiring the knowledge of the password.
Pass-the-Key (3/3) and Overpass-the-Hash (3/3) : want to learn more about this? Read thehacker.recipes/active-directo…
Silver Ticket (1/5) : Kerberos tickets embed a set of information that the remote service unpack and read to decide if the requesting user can have access or not. This decision is not up to the Domain Controller.
Silver Ticket (2/5) : These information are stored in a PAC (Privilege Authentication Certificate). In order to prevent users from modifying the PAC, and to allow the remote service to decrypt it, the PAC is encrypted with the remote service account's Kerberos key.
Silver Ticket (3/5) : When the RC4 etype is not disabled, the sevice account's RC4 key (NT hash) can then be used by an attacker to modify the PAC and create a Kerberos service ticket giving full access to the service.
Silver Ticket (4/5) : Nota Bene: computer accounts NT hashes could then be used to obtain admin access to computers.
Golden Ticket (1/6) : Kerberos service tickets are used to authenticate to remote services. A service ticket (TGS) can be obtained from the KDC when supplying an initial ticket (TGT). The PAC included in service tickets (TGSs) are just a copy-paste of the one included in the TGT.
Golden Ticket (2/6) : The PAC included in needs to be trusted and shouldn't be edited by anyone except the Kerberos service ticket (krbtgt). So the PAC is encrypted with the krbtgt account's Kerberos key.
Golden Ticket (3/6) : an attacker knowing a krbtgt account's key can then forge a TGT with an arbitrary PAC saying he's a Domain Admin for example. The PAC will be passed to the TGS and the attacker will have admin access to everything.
Golden Ticket (4/6) : however, this technique requires knowledge of the krbtgt key, which can usually only be obtained with a DCSync of when decrypting the NTDS.dit info. And this can only be done with Domain Admin rights or with admin access to a Domain Controller
Golden Ticket (5/6) : this technique is more of a persistence technique rather than a lateral movement/privilege escalation one.
Silver Ticket (5/5) and Golden Ticket (6/6) : want to learn more about forged ticket? Read thehacker.recipes/active-directo…
[end of thread] did I make mistakes? Do you have questions? do you want to add something? Comments and DMs are more than welcome 🤗

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Charlie Bromberg « Shutdown »

Charlie Bromberg « Shutdown » Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @_nwodtuhs

Jul 3, 2022
So apparently Microsoft ninja-patched two things lately in KB5014692 (06/14/2022)
1. ShadowCoerce (auth coercion abusing MS-FSRVP)
2. Self-RBCD trick to bypass limitations of Kerberos Constrained Delegation without Protocol Transition
Identified this with @Geiseric4 and @mkolsek
That being said, the second scenario may be something they unintentionally broke, who knows. MS bulletin says KB patched CVE-2022-30154 but nothing on coercion/self-rbcd 🤷‍♂️
Any insight @tiraniddo @_dirkjan @SteveSyfuhs (we need to know 👀)
Read 4 tweets
Apr 30, 2022
✨After 8 months of hard work with @Dramelac_ , now's the time ⏰ Exegol, a community-driven and fully-featured hacking environment, updates to v4.0

An opportunity to show you why you should probably drop your current pentesting env and get started with Exegol (10min read)
Exegol uses Docker. There are Exegol images that can be used to deploy Exegol containers.
This first concept allows its users to easily deploy environments that are separated from the host, that could be dedicated for some engagements tools, etc.
While we, as pentesters, help companies secure their infrastructure, our community itself has a lot of room for improvement when it comes to our tools and our practices 🤔 Having a unique, solid, environment for each client/engagement is a starter. Exegol allows that.
Read 23 tweets
Feb 8, 2022
Here is one of my latest paths to Domain Admin 😈 it took ~2h30 (I was relying on network traffic that was not so present at the beginning)

This path was a bit long and involved NTLM, Kerberos, network protocols, credential dump, etc 👁️👅👁️

[12 steps detailed below 🧵]
1. LLMNR, NBT-NS and mDNS spoofing combined with WPAD spoofing to redirect some network traffic using @PythonResponder's Responder

➡️ LLMNR, NBT-BS mDNS: thehacker.recipes/ad/movement/mi…

➡️ WPAD spoofing: thehacker.recipes/ad/movement/mi…
2. DHCPv6 spoofing combined with DNS spoofing to redirect more traffic 😈 using @_dirkjan's mitm6

➡️ DHCPv6 spoofing: thehacker.recipes/ad/movement/mi…

➡️ DNS spoofing: thehacker.recipes/ad/movement/mi…
Read 21 tweets
Dec 10, 2021
[thread 🧵] lets all welcome the new kid in town 😈
✨ Kerberos sAMAccountName spoofing ✨ from regular user to domain admin, because Microsoft didn't care enough about it's $$$

thehacker.recipes/ad/movement/ke…
** CVE-2021-42278 - Name impersonation
Before patch, there was no validation process to make sure computer accounts names end with an "$"
** CVE-2021-42287 - KDC bamboozling
Before patch, there was a weird behavior on the KDC. When requesting a service ticket, if the KDC wasn't able to find the user behind the TGT, it would make another lookup, but this time with an "$" at the end of the name
Read 10 tweets
Nov 17, 2021
🥇 new personal record for Domain Admin today 🥳

DA in ~150 seconds (≈ 3 guns per square seconds in 🇺🇸 units)

Last record was 23 minutes 😨
(not bragging here, the maturity was reaaaally low and path to DA really easy, but still what a blast I had! Just wanted to share the fun here 🤗)
Okay so here was the path

1. Authentication coercion with an MS-EFSR abuse (PetitPotam) against a Domain Controller
thehacker.recipes/ad/movement/mi…
Read 6 tweets
Nov 16, 2021
Latest paths to DA 😈
- Kerberoast of a domain admin
- AD CS insecure configuration (ESC6)
- AD CS insecure web endpoints (ESC8)

[more info below ⬇️ ]
AD CS insecure CA configuration (User Specified SAN) thehacker.recipes/ad/movement/ad…
Read 4 tweets

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

:(