Active Directory Persistence
Using Credentials
- The Knowledge Consistency Checker (KCC) replicates credentials between domain controllers throughout the forest
- DC synchronisation (DCSync) is the process of syncing credentials between domain controllers; an account holding replication rights can request it and so gather credentials
- Credentials for multiple local administrators
- Service accounts with delegation permissions
- Service accounts with high AD permissions, e.g. Windows Server Update Services (WSUS) or System Center Configuration Manager (SCCM)
Usage
- Use mimikatz:
lsadump::dcsync /domain:<domain> /user:<username>
- Query the krbtgt user:
lsadump::dcsync /domain:<domain> /user:krbtgt.<domain>
- Query everything:
lsadump::dcsync /domain:<domain> /all
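From the defender's side, DCSync stands out because a replication request is audited on the domain controller as Security event 4662 carrying the replication control-access rights, and only other domain controllers should ever exercise them. The following is an added example (not from the original notes or from mimikatz) that runs that check over constructed 4662 records; the field names mirror the 4662 event schema, while the DC_ACCOUNTS set and the sample events are assumptions a real deployment would replace with directory data and a log feed.

```python
"""Spot DCSync-style replication requests in Windows Security event 4662.

Added example for these notes, not from the original page or from mimikatz.
Every event below is a constructed dict whose keys mirror the 4662 XML
fields; DC_ACCOUNTS (the legitimate replication partners) is an assumption
that a real deployment would load from the directory.
"""
from __future__ import annotations

import re
from typing import Iterable

# Well-known control-access-right GUIDs that a replication request needs.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_FILTERED = "89e95b76-444d-4c62-991a-0facbeda640c"
REPLICATION_RIGHTS = {
    DS_REPLICATION_GET_CHANGES,
    DS_REPLICATION_GET_CHANGES_ALL,
    DS_REPLICATION_GET_CHANGES_FILTERED,
}
CONTROL_ACCESS = 0x100  # AccessMask bit set when a control-access right is used

# Assumed domain controller computer accounts (legitimate KCC partners).
DC_ACCOUNTS = {"DC01$", "DC02$"}

# Constructed sample events: normal DC-to-DC replication, a replication
# request from a user account, an unrelated directory read, a non-4662 event.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC02$", "SubjectDomainName": "CORP",
     "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n"
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "SubjectDomainName": "CORP",
     "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n"
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "svc_backup", "SubjectDomainName": "CORP",
     "AccessMask": "0x20",  # ordinary read of some other schema object
     "Properties": "{bf967a86-0de6-11d0-a285-00aa003049e2}"},
    {"EventID": 4624, "SubjectUserName": "jdoe", "SubjectDomainName": "CORP"},
]

GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.IGNORECASE)


def replication_rights_in(properties: str) -> set[str]:
    """Return the replication-related GUIDs present in a 4662 Properties field."""
    return {g.lower() for g in GUID_RE.findall(properties)} & REPLICATION_RIGHTS


def detect_dcsync(events: Iterable[dict], dc_accounts: set[str]) -> list[dict]:
    """Flag 4662 events in which a non-DC principal exercised replication rights."""
    trusted = {a.upper() for a in dc_accounts}
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        try:
            mask = int(ev.get("AccessMask", "0"), 16)
        except ValueError:
            mask = 0
        if not mask & CONTROL_ACCESS:
            continue
        rights = replication_rights_in(ev.get("Properties", ""))
        if not rights:
            continue
        subject = ev.get("SubjectUserName", "")
        if subject.upper() in trusted:
            continue  # routine KCC replication between domain controllers
        alerts.append({
            "subject": f"{ev.get('SubjectDomainName', '')}\\{subject}",
            "rights": sorted(rights),
            "reason": "replication rights exercised by a non-DC account",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_dcsync(SAMPLE_EVENTS, DC_ACCOUNTS):
        print(alert)
```

Two caveats for running this against real logs: auditing of directory service access must be enabled on the domain controllers for 4662 to be written at all, and the DC allow-list must be kept in step with promotions and demotions, or a new DC will alert on every replication cycle. The accounts that hold the replication rights (shown as GUIDs on the domain object's ACL) should be reviewed periodically for the same reason: anything beyond the DCs and the intended backup or sync identities is a persistence foothold in the sense these notes describe.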
Using Tickets
- Golden Ticket: a crafted TGT
  - Needs the domain name, the domain SID and a user ID to impersonate
  - Needs the krbtgt NTLM hash to sign the ticket
  - The krbtgt hash never rotates automatically; it is only refreshed manually
  - A ticket signed with the krbtgt hash bypasses smart-card requirements
  - The TGT cannot be older than 20 minutes (after that the KDC re-validates it against the account)
  - The TGT lifetime can be set to years
  - A TGT can be signed anywhere as long as the krbtgt hash is known
- Silver Ticket: a crafted TGS
  - Signed with the key of the targeted service account on a host
  - The DC is never contacted: no TGT is requested and the KDC is not involved
  - A non-existent user can be used, combined with the SID of a local administrators group
Usage
- Get the domain SID (needed for /sid) with Get-ADDomain, then craft the ticket. Note that the command below produces a silver ticket rather than a golden one: /rc4 takes the NTLM hash of the target host's machine account and /service names the service, whereas a golden ticket is signed with the krbtgt hash
Get-ADDomain
kerberos::golden /admin:MyLittleAdministrator /domain:<domain> /id:500 /sid:<Domain SID> /target:<Hostname of server being targeted> /rc4:<NTLM Hash of machine account of target> /service:cifs /ptt
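The properties listed above are also what gives forged tickets away on the defender's side: a golden ticket is injected on the client, so the DC sees service-ticket requests (4769) for an account that never asked it for a TGT (4768); a silver ticket never touches the DC, so the only trace is a logon on the host, possibly under a name that does not exist in the directory; and both stay usable until the relevant key is changed, which for krbtgt never happens on its own. The block below is an added example (not from the original notes or from mimikatz) that applies those three checks to constructed events; KNOWN_ACCOUNTS stands in for a directory lookup, the 10-hour window mirrors the default maximum TGT lifetime, and the 180-day krbtgt age threshold is an assumed policy value.

```python
"""Heuristics for forged Kerberos tickets (golden/silver) in Security events.

Added example for these notes, not from the original page or from mimikatz.
All events are constructed dicts. KNOWN_ACCOUNTS stands in for a directory
lookup and the 10-hour window mirrors the default maximum TGT lifetime;
both are assumptions to tune per domain.

Checks:
  1. A service-ticket request (4769) from a client that never obtained a TGT
     (4768) for that account within the window.
  2. A logon or ticket event naming an account that is not in the directory.
  3. krbtgt password age, since a forged TGT stays usable until the krbtgt
     password has been changed (twice, as the previous key is still accepted).
"""
from __future__ import annotations

from datetime import datetime, timedelta

KNOWN_ACCOUNTS = {"alice", "bob", "fs01$", "krbtgt"}  # assumed directory contents
T = datetime(2024, 5, 1, 10, 0, 0)  # base time for the constructed events

# Constructed sample events (real 4769 entries carry user@REALM; see normalise()).
SAMPLE_EVENTS = [
    {"time": T, "EventID": 4768, "TargetUserName": "alice", "IpAddress": "10.0.0.5"},
    {"time": T + timedelta(seconds=2), "EventID": 4769, "TargetUserName": "alice@CORP.LOCAL",
     "IpAddress": "10.0.0.5", "ServiceName": "cifs/FS01"},
    # service ticket for an account that never asked this KDC for a TGT
    {"time": T + timedelta(minutes=5), "EventID": 4769,
     "TargetUserName": "MyLittleAdministrator@CORP.LOCAL",
     "IpAddress": "10.0.0.77", "ServiceName": "cifs/FS01"},
    # network logon on the file server with a name that is not in the directory
    {"time": T + timedelta(minutes=7), "EventID": 4624, "TargetUserName": "ghost",
     "IpAddress": "10.0.0.77", "LogonType": 3},
]


def normalise(name: str) -> str:
    """Strip a @REALM suffix and lower-case, so 4768/4769/4624 names compare equal."""
    return name.split("@", 1)[0].lower()


def tgs_without_tgt(events: list[dict], window: timedelta = timedelta(hours=10)) -> list[dict]:
    """Flag 4769 events with no 4768 for the same (account, client) inside the window."""
    tgt_seen: dict[tuple[str, str], datetime] = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["EventID"] not in (4768, 4769):
            continue
        key = (normalise(ev["TargetUserName"]), ev["IpAddress"])
        if ev["EventID"] == 4768:
            tgt_seen[key] = ev["time"]
            continue
        last = tgt_seen.get(key)
        if last is None or ev["time"] - last > window:
            alerts.append({"user": key[0], "client": key[1],
                           "service": ev.get("ServiceName"),
                           "reason": "4769 without a preceding 4768 in window"})
    return alerts


def unknown_principals(events: list[dict], directory: set[str]) -> list[dict]:
    """Return logon/ticket events whose account name is absent from the directory."""
    known = {normalise(a) for a in directory}
    return [ev for ev in events
            if ev["EventID"] in (4624, 4768, 4769)
            and normalise(ev["TargetUserName"]) not in known]


def krbtgt_rotation_overdue(pwd_last_set: datetime, now: datetime,
                            max_age_days: int = 180) -> bool:
    """True when the krbtgt password is older than the assumed policy allows."""
    return now - pwd_last_set > timedelta(days=max_age_days)


if __name__ == "__main__":
    for a in tgs_without_tgt(SAMPLE_EVENTS):
        print("forged TGT suspected:", a)
    for ev in unknown_principals(SAMPLE_EVENTS, KNOWN_ACCOUNTS):
        print("unknown principal:", ev["EventID"], ev["TargetUserName"])
    print("krbtgt rotation overdue:", krbtgt_rotation_overdue(datetime(2023, 1, 1), T))
```

Tuning matters more than the code here. The 4768 and 4769 for one client can land on different domain controllers, so the check only works over a centralised log feed; legitimate TGT renewals can be up to seven days apart from the original request under default policy, so the window has to be widened or renewals excluded; and the unknown-principal check only pays off if the directory snapshot is fresh enough that new accounts do not trip it. None of the checks replaces the actual fix for a compromised krbtgt hash, which is to change the krbtgt password twice with enough delay between the changes for replication to complete.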