Useful Hacking with Paula Januszkiewicz Part 2 – Kerberos

Welcome to the Useful Hacking Series, in this series of 20 Episodes our world-renowned penetration tester/international speaker will share with you the top useful tips used during her security audits. The goal in this series is only to be a major supporting tool in everyday administrative tasks, but to also to encourage experimentation in creating your own solutions and having fun with technology using the tools we present.   We call the series the “Hacking” for the good guys. Enjoy!

 

Episode 2: How to steal Kerberos Tickets?

Hi Security Enthusiasts! Today is the time to play a little bit with Kerberos tickets. Actually, we’re stealing them! Within our Episodes we will be discussing passwords several times, but this time let’s raise the bar a bit. First of all, I would like to discuss the problem of a bad habit with Domain Administrators or other domain privileged accounts who are logged into the user’s workstation. When there is a RDP session used DO NOT forget to log off properly, this is a common mistake when you close the session rather than logging off. In such cases your credentials remain in the memory of the user’s workstation. Users who have a Debug Privilege (effectively being a member of the local Administrators group) are able to grab your password from memory in clear text. This magical space where passwords live is called: LSA Secrets, unfortunately it’s no longer a secret. The proper security practice is when you don’t even use a domain privileged account to log on a user’s workstation and always remember to log off properly after performing the administrative tasks using RDP. The world would be a beautiful place if this problem was over, so let’s have a little fun, but not in a production environment, okay?

 

Scenario 1: Access to the services.

Imagine the situation where domain user: Administrator@cqure.tec enters a share from the Workstation1 that is member of the domain. He goes to the share \\server\share\:

 

The user spends a while opening several shared files. Then the user completely logs off and then another user logs in while being a member of the local Administrators group. He then tries to access the same share:

 

It is predictable since this is a different user. If we check for the assigned Kerberos tickets, the user also receives nothing:

 

But of course what happens is that Kerberos tickets of the previous user remains in the operating system’s memory and you can grab them by using mimikatz (download from: http://blog.gentilkiwi.com/mimikatz and run in the elevated console):

 

After assigning the Debug Privilege it is time to export the Kerberos tickets of the previous user to the file:

 

Kerberos tickets are exported to files in the Mimikatz folder:

Selected .kirbi file can be imported to LSASS memory for the current user’s session. This can be done for example by passing the name of the CIFS ticket as the parameter for the Kerberos::ptt, in the following way:

 

Now it’s time to verify the share access, you can do this by opening up a separate console. Make sure the console is running in a member of the local Administrators group context (in my case it’s Paula):

TRATADAMDAM! Verify if you have the appropriate ticket:

 

As you see the local user (Paula) has been assigned the Kerberos ticket of the Administrator from the domain CQURE.

Remember that when you have the ticket for one service, this is the only one that will be working as it requires a separate TGS (Ticket Granting Service), so browsing the shares on the other servers will not work unless you assign another TGT (Ticket Granting Ticket).

 

To be able to browse other server’s shares and, in general, act as another user you need to assign to yourself the following ticket, I suggest you do this on your own using the krbtgt ticket and just browse \\server2\share:

 

Scenario 2:  The Golden Ticket to the Wonka Chocolate factory

 

[Warning]: Do this only in a test environment!

The way to get the Golden Tickets the NTLM hash of the password for the krbtgt account. To grab it you can use mimikatz as well. With this technique, you can access any resource in the domain. You first need to get the following information:

  • Domain name
  • Domain’s SID
  • Username that you would like to impersonate
  • krbtgt user’s NTLM hash (details later in the text)

 

In order to grab the NTLM hash you need to be able to access the Domain Controller, which for the attacker may be the end of activities. The steps below are to show you what is possible and present the potential problem when someone has a few privileges. The goal to achieve the user’s token that is the privileged used. First step is to get the Domain’s SID, you can use PsGetsid.exe from the Sysinternals tools:

 

Now it is time to get the krbtgt’s account SID. This is not the easiest thing to do, but let’s dig into it! The following commands need to run on the domain controller, but not the one in the production environment! It may happen that server will reboot automatically because of the LSASS injection. If it reboots automatically you need to find another way to grab hashes for the krbtgt account (try wce, gsecdump, esedbextract + dsusers.py etc.)

 

mimikatz # lsadump::samrpc /patch
insideDomain : CQURE

[…]

RID  : 000001f6 (502)
User : krbtgt
LM   :
NTLM : 6aa0233756172c24df5e9797117d118b

 

In order to grab the hash, you can alternatively have a look at my TechEd session where you will find the presentation on how to grab hashes differently. In case a domain controller reboots this will for sure allow you to still extract the hash information: http://channel9.msdn.com/Events/TechEd/Europe/2013/ATC-B301 – starting in 32:00 minute. At the end, you should be able to read the hash of the krbtgt account:

 

If you have a hash you can generate the tickets for the chosen accounts:

 

This means that finally we can enjoy the:

Of course you need to sign in using the keberos:ptt command like we did before. In the current mimikatz folder you will find the file cqure.tec.kirbi that you can use to generate your own keys. If you share this file with someone, this person will act as a chosen user (Administrator) for the next 10 years.

 

After that you will see that ticket is valid for a bit longer than usual and it allows us to use all the domain services with high privileges:

 

The same situation may happen if Administrators shares the memory dump with someone. You can download procdump from here: http://technet.microsoft.com/en-us/sysinternals/dd996900.aspx

 

procdump /ma lsass.exe

mimikatz # sekurlsa::minidump lsass_140224_153946.dmp

mimikatz # sekurlsa::tickets /export

 

 

In the “Episode 3: How to sniff HTTPS – the ultimate guide to sniff logon credentials” you will read how to sniff HTTPS for the multiple user sessions without injecting certificates! Should I explain where do we use https?

 

Stay Cqure!

About the Author

Paula Januszkiewicz

Owner, CQURE, IT Security Auditor and Penetration Tester, Enterprise Security MVP, Microsoft Certified
Trainer (MCT) and Microsoft Security Trusted Advisor

Paula is an accomplished IT security specialist and industry-recognized speaker. She owns CQURE, a company focused on security-related issues and projects, and has conducted hundreds of IT security audits and penetration tests, including ones for governmental organizations. Often rated as the number one speaker, she has spoken at many well-known conferences including TechEd North America, TechEd Europe, TechEd Middle East, RSA, TechDays and CyberCrime.

Her distinct specialization is Microsoft security solutions in which she holds multiple Microsoft certifications, in addition to being familiar with and possessing certifications in other related technologies. Paula is passionate about sharing her knowledge with others.

Paula has authored a book on Threat Management Gateway 2010 and is currently working on her next book. Every year, she travels to over 200 locations taking on more opportunities to perform penetration tests and consulting with customers on how to secure their infrastructures.

Leave a Reply

Your email address will not be published. Required fields are marked *

UA-65015606-2