GitBook: [master] 2 pages modified

CPol 2021-01-04 22:37:21 +00:00 committed by gitbook-bot
parent 377b9602b3
commit 99e313bb17
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF
2 changed files with 70 additions and 0 deletions

@ -118,6 +118,10 @@ ls \\victim.domain.local\C$
![](../../.gitbook/assets/b4.png)
### Abuse different service tickets
Lear about the [**available service tickets here**](silver-ticket.md#available-services).
## Kerberos Errors
* **`KDC_ERR_ETYPE_NOTSUPP`**: This means that kerberos is configured to not use DES or RC4 and you are supplying just the RC4 hash. Supply to Rubeus at least the AES256 hash \(or just supply it the rc4, aes128 and aes256 hashes\). Example: `[Rubeus.Program]::MainString("s4u /user:FAKECOMPUTER /aes256:CC648CF0F809EE1AA25C52E963AC0487E87AC32B1F71ACC5304C73BF566268DA /aes128:5FC3D06ED6E8EA2C9BB9CC301EA37AD4 /rc4:EF266C6B963C0BB683941032008AD47F /impersonateuser:Administrator /msdsspn:CIFS/M3DC.M3C.LOCAL /ptt".split())`
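Review bot: the new `KDC_ERR_ETYPE_NOTSUPP` bullet puts its explanation and a complete Rubeus command line into a single inline code span, with what look like literal AES256, AES128 and RC4 key values. Move the command into its own code block below the bullet and replace the three values with placeholders such as `<aes256_key>`, `<aes128_key>` and `<rc4_hash>`, so the line stays readable and nobody copies lab key material. While touching this area, the context line above the new heading reads "Lear about" and should be "Learn about".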

@ -42,3 +42,69 @@ Silver ticket events ID \(more stealth than golden ticket\):
\*\*\*\*[**More information about Silver Tickets in ired.team**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/kerberos-silver-tickets)\*\*\*\*
## Available Services
<table>
<thead>
<tr>
<th style="text-align:left">Service Type</th>
<th style="text-align:left">Service Silver Tickets</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align:left">WMI</td>
<td style="text-align:left">
<p>HOST</p>
<p>RPCSS</p>
</td>
</tr>
<tr>
<td style="text-align:left">PowerShell Remoting</td>
<td style="text-align:left">
<p>HOST</p>
<p>HTTP</p>
<p>Depending on OS also:</p>
<p>WSMAN</p>
<p>RPCSS</p>
</td>
</tr>
<tr>
<td style="text-align:left">WinRM</td>
<td style="text-align:left">
<p>HOST</p>
<p>HTTP</p>
<p>In some occasions you can just ask for: WINRM</p>
</td>
</tr>
<tr>
<td style="text-align:left">Scheduled Tasks</td>
<td style="text-align:left">HOST</td>
</tr>
<tr>
<td style="text-align:left">Windows File Share, also psexec</td>
<td style="text-align:left">CIFS</td>
</tr>
<tr>
<td style="text-align:left">LDAP operations, included DCSync</td>
<td style="text-align:left">LDAP</td>
</tr>
<tr>
<td style="text-align:left">Windows Remote Server Administration Tools</td>
<td style="text-align:left">
<p>RPCSS</p>
<p>LDAP</p>
<p>CIFS</p>
</td>
</tr>
<tr>
<td style="text-align:left">Golden Tickets</td>
<td style="text-align:left">krbtgt</td>
</tr>
</tbody>
</table>
Using **Rubeus** you may **ask for all** these tickets using the parameter:
* `/altservice:host,RPCSS,http,wsman,cifs,ldap,krbtgt,winrm`
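Review bot: the last row of the new "Available Services" table maps "Golden Tickets" to `krbtgt` under the column header "Service Silver Tickets", and `krbtgt` is then included in the `/altservice:` list, which mixes a different ticket type into a table that is otherwise about service SPNs. Either move that row out of the table or add a sentence saying why it is listed here. Smaller points in the same hunk: "Depending on OS also:" in the PowerShell Remoting row does not say which OS versions need `WSMAN` and `RPCSS`; "In some occasions" and "included DCSync" should read "On some occasions" and "including DCSync"; and the service names are upper case in the table but mixed case in the `/altservice:` example (`host`, `http` next to `RPCSS`), so pick one casing. The table is also added as raw HTML with inline `style` attributes, while the one-value rows would fit a Markdown table if the multi-value cells were joined with commas.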