(infosec thread) one of my latest tweets was followed by some questions in my DMs. So let's answer those here and remind some concepts😈
I'll talk about pass-the-hash, pass-the-ticket, pass-the-key, overpass-the-hash, pass-the-cache, silver and golden tickets 👇
Pass-the-Hash (1/4) : NTLM (LM, LMv2, NTLM or NTLMv2 depending on the version) is an authentication protocol used by Windows and AD-DS. Users have passwords, which are stored in a hashed format (LM or NT hash depending on the security settings and version).
Pass-the-Hash (2/4) : when authenticating to a remote service, the password hash is used to compute a ChallengeResponse. The LM hash is used for the LM version of the protocol while the NT hash is used for LMv2, NTLM and NTLMv2.
Pass-the-Hash (3/4) : since the password hash is used as-is, the knowledge of the password isn't required to authenticate. Only the knowledge of the LM or NT hash is needed. Using one of those hashes to authenticate is called "Pass-the-Hash"
Pass-the-Ticket (1/3) : Kerberos is another authentication protocol. It works with tickets and can only work for domain users (while NTLM can be used to authenticate a local user to a remote service). This one is pretty straight forward.
Pass-the-Ticket (2/3) : when attackers find Kerberos tickets that are not expired, they can use them to authenticate to remote services. That is called Pass-the-Ticket.
Pass-the-Cache (1/1) : it's the same thing. Instead of using tickets from, or found on, Windows machines, this technique is about using tickets from, or found on, UNIX-like systems, but the principle is the same.
Pass-the-Key (1/3) : when requesting Kerberos tickets, knowledge of a shared key is needed. 4 types of keys exist : DES, RC4, AES-128 and AES-256.
Pass-the-Key (2/3) : when an attacker knows one of those keys, if the corresponding type is accepted by the KDC (Key Distribution Center, a service usually hosted on the Domain Controller), tickets can be obtained, hence allowing for Kerberos authentication to remote services.
Overpass-the-Hash (1/3) : this is the exact same thing as Pass-the-Key. The subtle difference is that RC4 Kerberos keys are actually the NT hashes of the users. And god knows how easier it is to come accross NT hashes than DES or AES Kerberos keys.
Overpass-the-Hash (2/3) : this technique is the equivalent of Pass-the-Hash, but for Kerberos. Attackers can use a user's NT hash to obtain Kerberos tickets and authenticate, without requiring the knowledge of the password.
Silver Ticket (1/5) : Kerberos tickets embed a set of information that the remote service unpack and read to decide if the requesting user can have access or not. This decision is not up to the Domain Controller.
Silver Ticket (2/5) : These information are stored in a PAC (Privilege Authentication Certificate). In order to prevent users from modifying the PAC, and to allow the remote service to decrypt it, the PAC is encrypted with the remote service account's Kerberos key.
Silver Ticket (3/5) : When the RC4 etype is not disabled, the sevice account's RC4 key (NT hash) can then be used by an attacker to modify the PAC and create a Kerberos service ticket giving full access to the service.
Silver Ticket (4/5) : Nota Bene: computer accounts NT hashes could then be used to obtain admin access to computers.
Golden Ticket (1/6) : Kerberos service tickets are used to authenticate to remote services. A service ticket (TGS) can be obtained from the KDC when supplying an initial ticket (TGT). The PAC included in service tickets (TGSs) are just a copy-paste of the one included in the TGT.
Golden Ticket (2/6) : The PAC included in needs to be trusted and shouldn't be edited by anyone except the Kerberos service ticket (krbtgt). So the PAC is encrypted with the krbtgt account's Kerberos key.
Golden Ticket (3/6) : an attacker knowing a krbtgt account's key can then forge a TGT with an arbitrary PAC saying he's a Domain Admin for example. The PAC will be passed to the TGS and the attacker will have admin access to everything.
Golden Ticket (4/6) : however, this technique requires knowledge of the krbtgt key, which can usually only be obtained with a DCSync of when decrypting the NTDS.dit info. And this can only be done with Domain Admin rights or with admin access to a Domain Controller
Golden Ticket (5/6) : this technique is more of a persistence technique rather than a lateral movement/privilege escalation one.
So apparently Microsoft ninja-patched two things lately in KB5014692 (06/14/2022) 1. ShadowCoerce (auth coercion abusing MS-FSRVP) 2. Self-RBCD trick to bypass limitations of Kerberos Constrained Delegation without Protocol Transition
Identified this with @Geiseric4 and @mkolsek
That being said, the second scenario may be something they unintentionally broke, who knows. MS bulletin says KB patched CVE-2022-30154 but nothing on coercion/self-rbcd 🤷♂️
Any insight @tiraniddo@_dirkjan@SteveSyfuhs (we need to know 👀)
✨After 8 months of hard work with @Dramelac_ , now's the time ⏰ Exegol, a community-driven and fully-featured hacking environment, updates to v4.0
An opportunity to show you why you should probably drop your current pentesting env and get started with Exegol (10min read)
Exegol uses Docker. There are Exegol images that can be used to deploy Exegol containers.
This first concept allows its users to easily deploy environments that are separated from the host, that could be dedicated for some engagements tools, etc.
While we, as pentesters, help companies secure their infrastructure, our community itself has a lot of room for improvement when it comes to our tools and our practices 🤔 Having a unique, solid, environment for each client/engagement is a starter. Exegol allows that.
[thread 🧵] lets all welcome the new kid in town 😈
✨ Kerberos sAMAccountName spoofing ✨ from regular user to domain admin, because Microsoft didn't care enough about it's $$$
** CVE-2021-42278 - Name impersonation
Before patch, there was no validation process to make sure computer accounts names end with an "$"
** CVE-2021-42287 - KDC bamboozling
Before patch, there was a weird behavior on the KDC. When requesting a service ticket, if the KDC wasn't able to find the user behind the TGT, it would make another lookup, but this time with an "$" at the end of the name