Golden 🔑 tickets are no longer in fashion, so here’s a short memo on using Diamond 💎 (@exploitph) and Sapphire (@_nwodtuhs) tickets with ticketer[.]py from #Impacket. At first let’s recap what we already know about Golden tickets ⤵️
🧵 (2/) Golden tickets are forged privileged TGTs that’re crafted completely offline. Having got krbtgt RC4 (NT hash) or AES key, a TA can specify some params (e.g., group membership, user’s RID, ticket validity period) to create and sign a fake PAC embedded inside the TGT ⤵️
🧵 (3/) Thus, the TA can provide the forged TGT to request an ST to any resource in the domain which will contain a copy of the fake PAC signed by the target service account. Since recently, we cannot use a non-existent account name as a result of CVE-2021-42287 mitigations ⤵️
🧵 (4/) Despite Golden tickets is a very strong dominance technique, it’s quite noisy as well. This is where Diamond tickets come in handy! A TA can request a legit low-priv TGT and recalculate only the PAC field providing the krbtgt encryption key ⤵️
🧵 (5/) But this is not the limit as well! The recent Sapphire ticket technique by @_nwodtuhs allows us to mimic the PAC field as close as possible to a legitimate one eliminating the need of recalculating it from scratch ⤵️
🧵 (6/) It is achieved by requesting the target user’s PAC with S4U2self+U2U exchange during TGS-REQ(P) (PKINIT). Due to using a ready-made PAC, all the previously modifiable options don’t take affect now ⤵️
🧵 (7/) As a side-note: I’ve used this crappy script to automate keytab creation alongside with @_dirkjan’s great keytab[.]py for decrypting KRB5 traffic in Wireshark 👇🏻
🧶 (2/) First things first, I shall enumerate AD CS environment with #CrackMapExec and qwinsta the Victim machine via newly introduced tstool[.]py from #Impacket (thx @nopernik!). For the purpose of this demo I’ll use a DA account to interact with the Victim but any LA will do 👨🏻💻
🧶 (3/) I shall now prepare my team server and generate an encrypted Sliver beacon to use it with DInjector 💉
🧵 (2/x) So that now the execution hangs like follows ⏬
🧵 (3/x) But guess what, there’s another super cool tool – Coercer (by @podalirius_) – which can be used to trigger the authentication with a different API that is not affected by the ad-hoc check provided in the patch ⏬
[#HackStory 🧵] (1/4) Here’s a generic case of reaching a locked-down PC from a firewalled segment in AD. The background is: 172.16.66.6 (the target) can talk to 192.168.1.11 (a PWNed server) but not vice versa and to no one else in the foreseeable network 👀
(2/4) Being a DA an adversary can create an evil GPO that will coerce Immediate Scheduled Task execution on the target. The task downloads and executes a PS cradle pointing to the PWNed server. Sure, there’re fancy (py|Sharp)GPOAbuse, etc… But when it’s a pentest, who cares 😒
(3/4) Meanwhile, some v4tov4 port proxies are configured on the pivot point by the adversary via netsh 😈
Yo, ho, was doing a bit of pentesting today. Inspired by @ippsec I shall give you my short story of 3 different paths to DA in 5 hours of work (hot pics are inside). Enjoy!
Path 1. DHCPv6 poisoning for initial access (thx to @_dirkjan)➡️authenticated PetitPotam to grab NTLMv1-SSP (thx to @topotam77)➡️ntlmv1-multi (thx to @Evil_Mog) + crack.sh to crack the response and get NT hash of DC➡️DCSync (thx to @SecureAuth)
(1/2) Path 2. Scan the network to discover an MS17-010 unpatched system ➡️ Use AutoBlue-MS17-010 to perform the exploitation with an x86 shellcode ➡️ Dump LSASS via comsvcs.dll LOLBAS technique ➡️ Exfiltrate the dump with PowerShell ➡️ Parse it to get credz of a privileged user