🧵 (1/) Forged Tickets Thread

Golden 🔑 tickets are no longer in fashion, so here’s a short memo on using Diamond 💎 (@exploitph) and Sapphire (@_nwodtuhs) tickets with ticketer[.]py from #Impacket. At first let’s recap what we already know about Golden tickets ⤵️

#ad #kerberos
🧵 (2/) Golden tickets are forged privileged TGTs that’re crafted completely offline. Having got krbtgt RC4 (NT hash) or AES key, a TA can specify some params (e.g., group membership, user’s RID, ticket validity period) to create and sign a fake PAC embedded inside the TGT ⤵️
🧵 (3/) Thus, the TA can provide the forged TGT to request an ST to any resource in the domain which will contain a copy of the fake PAC signed by the target service account. Since recently, we cannot use a non-existent account name as a result of CVE-2021-42287 mitigations ⤵️
🧵 (4/) Despite Golden tickets is a very strong dominance technique, it’s quite noisy as well. This is where Diamond tickets come in handy! A TA can request a legit low-priv TGT and recalculate only the PAC field providing the krbtgt encryption key ⤵️
🧵 (5/) But this is not the limit as well! The recent Sapphire ticket technique by @_nwodtuhs allows us to mimic the PAC field as close as possible to a legitimate one eliminating the need of recalculating it from scratch ⤵️
🧵 (6/) It is achieved by requesting the target user’s PAC with S4U2self+U2U exchange during TGS-REQ(P) (PKINIT). Due to using a ready-made PAC, all the previously modifiable options don’t take affect now ⤵️
🧵 (7/) As a side-note: I’ve used this crappy script to automate keytab creation alongside with @_dirkjan’s great keytab[.]py for decrypting KRB5 traffic in Wireshark 👇🏻

ppn.snovvcrash.rocks/pentest/infras…

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with sn🥶vvcr💥sh

sn🥶vvcr💥sh Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @snovvcrash

Aug 26
🧶 (1/) Reproducing Masky Thread

So it’s a relaxing Friday evening to play with the new awesome #Masky tool by @_ZakSec. I’ll show you here how to reproduce its behavior with #CrackMapExec, #Impacket, #Sliver, #Certify and #Certipy.

Let’s go! ⤵️

#pentest #adcs
🧶 (2/) First things first, I shall enumerate AD CS environment with #CrackMapExec and qwinsta the Victim machine via newly introduced tstool[.]py from #Impacket (thx @nopernik!). For the purpose of this demo I’ll use a DA account to interact with the Victim but any LA will do 👨🏻‍💻
🧶 (3/) I shall now prepare my team server and generate an encrypted Sliver beacon to use it with DInjector 💉
Read 7 tweets
Jul 29
🧵 (1/x) Reanimating ADCSPwn thread (in a simple way) ⏬

You all know this great tool by @_batsec_, but unfortunately Microsoft broke it with one of those anti-PetitPotam patches a while ago ⏬

github.com/bats3c/ADCSPwn…

#lpe #adcs #petitpotam #webdav
🧵 (2/x) So that now the execution hangs like follows ⏬
🧵 (3/x) But guess what, there’s another super cool tool – Coercer (by @podalirius_) – which can be used to trigger the authentication with a different API that is not affected by the ad-hoc check provided in the patch ⏬
Read 5 tweets
Jul 1
[#HackStory 🧵] (1/4) Here’s a generic case of reaching a locked-down PC from a firewalled segment in AD. The background is: 172.16.66.6 (the target) can talk to 192.168.1.11 (a PWNed server) but not vice versa and to no one else in the foreseeable network 👀

#ad #pentest
(2/4) Being a DA an adversary can create an evil GPO that will coerce Immediate Scheduled Task execution on the target. The task downloads and executes a PS cradle pointing to the PWNed server. Sure, there’re fancy (py|Sharp)GPOAbuse, etc… But when it’s a pentest, who cares 😒
(3/4) Meanwhile, some v4tov4 port proxies are configured on the pivot point by the adversary via netsh 😈
Read 5 tweets
Oct 29, 2021
Yo, ho, was doing a bit of pentesting today. Inspired by @ippsec I shall give you my short story of 3 different paths to DA in 5 hours of work (hot pics are inside). Enjoy!
Path 1. DHCPv6 poisoning for initial access (thx to @_dirkjan)➡️authenticated PetitPotam to grab NTLMv1-SSP (thx to @topotam77)➡️ntlmv1-multi (thx to @Evil_Mog) + crack.sh to crack the response and get NT hash of DC➡️DCSync (thx to @SecureAuth) ImageImageImageImage
(1/2) Path 2. Scan the network to discover an MS17-010 unpatched system ➡️ Use AutoBlue-MS17-010 to perform the exploitation with an x86 shellcode ➡️ Dump LSASS via comsvcs.dll LOLBAS technique ➡️ Exfiltrate the dump with PowerShell ➡️ Parse it to get credz of a privileged user ImageImageImageImage
Read 5 tweets

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

:(