1
00:00:01,370 --> 00:00:05,690
Welcome to the last attack for the Active Directory section.

2
00:00:05,690 --> 00:00:09,900
This makes me happy and sad, because we're going to have to leave it here.

3
00:00:10,040 --> 00:00:13,100
So golden ticket is going to be the attack.

4
00:00:13,100 --> 00:00:18,170
We're actually going to use a golden ticket attack and, surprise, a pass the ticket attack as well.

5
00:00:18,170 --> 00:00:20,300
We'll talk about both of those.

6
00:00:20,300 --> 00:00:23,450
So what is a golden ticket, and why do we care?

7
00:00:23,450 --> 00:00:28,340
Well, in the last video you saw me dump the krbtgt account, right?

8
00:00:28,820 --> 00:00:29,420
What is that?

9
00:00:29,420 --> 00:00:35,060
That's the Kerberos ticket granting ticket account, the account that allows us to generate

10
00:00:35,090 --> 00:00:36,170
tickets.

11
00:00:36,170 --> 00:00:42,260
Well, what if we have the hash of that account? Then guess who gets to generate Kerberos ticket granting

12
00:00:42,260 --> 00:00:43,220
tickets.

13
00:00:43,310 --> 00:00:46,950
We do. So with a Kerberos ticket granting ticket,

14
00:00:47,030 --> 00:00:54,970
we can request access to any resource or system on the domain using the ticket granting service.

15
00:00:55,040 --> 00:00:55,680
OK.

16
00:00:55,700 --> 00:01:01,670
So what does that mean in layman's terms? That means when we have a golden ticket, we have complete access

17
00:01:01,670 --> 00:01:03,550
to the entire domain.

18
00:01:03,800 --> 00:01:05,910
All the machines, we can gain shells on them.

19
00:01:05,930 --> 00:01:09,660
We can get all the files, all the folders, etc.

20
00:01:09,860 --> 00:01:12,730
So this is such a cool attack here.

21
00:01:12,800 --> 00:01:15,080
So we're going to go ahead and try to pull this off.

22
00:01:15,110 --> 00:01:24,860
Let's go ahead and do mimikatz.exe, and I'm going to show you the technique that I use when I do

23
00:01:24,860 --> 00:01:25,520
this.

24
00:01:25,520 --> 00:01:36,300
So go ahead and do your privilege::debug as always, and from here, instead of doing the lsadump::lsa /patch,

25
00:01:36,930 --> 00:01:42,170
we're just going to say /inject like this, and we're going to pull down the actual user we want.

26
00:01:42,180 --> 00:01:47,250
That way we don't pull down all the users; we're just gonna pull down one user. So I'm pulling down by

27
00:01:47,250 --> 00:01:51,240
name, /name:krbtgt, the krbtgt account.

28
00:01:51,240 --> 00:01:54,060
Go ahead and hit enter, and when you do this,

29
00:01:54,060 --> 00:02:00,690
go ahead and open up a Notepad as well. So open up a Notepad, and we're gonna go ahead and scroll up.

30
00:02:00,750 --> 00:02:02,610
We need a few things.

31
00:02:02,760 --> 00:02:06,060
We need the SID of the domain.

32
00:02:06,060 --> 00:02:14,000
So go ahead and copy that and paste that in here, and you need the NTLM hash of the Kerberos

33
00:02:14,010 --> 00:02:18,830
ticket granting ticket account, so go ahead and copy that, paste that in here as well.

34
00:02:19,940 --> 00:02:22,040
The rest, you should be good to go.

35
00:02:22,040 --> 00:02:24,890
We're going to be able to generate our ticket based off of this.

36
00:02:25,400 --> 00:02:29,140
So what we're going to do is, we're gonna do something along the lines of this.

37
00:02:29,150 --> 00:02:38,160
So we're going to say kerberos, if it'll type, kerberos::golden, like that.

38
00:02:38,420 --> 00:02:43,350
The user here, I always like to put administrator.

39
00:02:43,460 --> 00:02:44,390
You don't have to.

40
00:02:44,390 --> 00:02:48,980
You could put fakeuser, fakeuser123, whatever you want.

41
00:02:48,980 --> 00:02:49,700
Here it doesn't matter.

42
00:02:49,700 --> 00:02:52,960
I can type it, but it doesn't have to be a real user.

43
00:02:53,150 --> 00:02:58,200
The domain does have to be real, so the domain here is marvel.local.

44
00:02:58,550 --> 00:03:01,210
And then we need the SID of the domain.

45
00:03:02,000 --> 00:03:03,320
So let's go ahead and grab that

46
00:03:06,350 --> 00:03:08,380
and paste it here.

47
00:03:08,420 --> 00:03:13,820
We also need the Kerberos ticket granting ticket account, so krbtgt.

48
00:03:14,330 --> 00:03:20,340
Go ahead and grab that hash that we copied, or right-click there,

49
00:03:20,340 --> 00:03:24,770
paste that, and then we're going to supply the ID.

50
00:03:24,780 --> 00:03:28,370
So /id:500 here.

51
00:03:30,090 --> 00:03:30,990
It didn't work.

52
00:03:30,990 --> 00:03:31,430
Sorry.

53
00:03:31,440 --> 00:03:32,970
The copy-paste messed up.

54
00:03:32,970 --> 00:03:41,640
We'll do /id:500, and that just stands for your RID. So if you're familiar, the ID is

55
00:03:41,640 --> 00:03:44,570
the admin account of 500.

56
00:03:44,640 --> 00:03:50,370
So we're going to use /id:500, and the last thing we're gonna do is we're going to say

57
00:03:50,460 --> 00:03:51,350
/ptt.

58
00:03:51,360 --> 00:03:52,080
Just like that.

59
00:03:52,110 --> 00:03:53,610
So what does that stand for?

60
00:03:53,700 --> 00:03:54,450
That stands for

61
00:03:54,440 --> 00:03:56,080
pass the ticket.

62
00:03:56,160 --> 00:04:01,690
So we're going to generate a golden ticket here, and then we're going to use pass the ticket. We're going

63
00:04:01,690 --> 00:04:05,430
to pass that ticket along to our next session.

64
00:04:05,430 --> 00:04:05,670
Right?

65
00:04:05,670 --> 00:04:13,020
Or the current session, and we're going to utilize that ticket to open up a command prompt, and that command

66
00:04:13,020 --> 00:04:16,930
prompt is going to be able to access any computer we want.

67
00:04:17,340 --> 00:04:17,760
OK.

68
00:04:17,850 --> 00:04:18,980
So let's go ahead and do this.

69
00:04:18,990 --> 00:04:21,200
We're going to pass the ticket, generate this.

70
00:04:21,210 --> 00:04:27,060
Go ahead, hit enter, and you see it says pass the ticket.

71
00:04:27,080 --> 00:04:27,650
OK.

72
00:04:27,650 --> 00:04:32,480
And it says golden ticket for administrator of marvel.local successfully submitted for current

73
00:04:32,570 --> 00:04:33,430
session.

74
00:04:33,530 --> 00:04:34,940
Current session.

75
00:04:34,940 --> 00:04:37,180
So let's go ahead and do something like this.

76
00:04:37,190 --> 00:04:40,310
misc::cmd.

77
00:04:43,220 --> 00:04:43,550
OK.

78
00:04:43,560 --> 00:04:48,900
Now we've got this command prompt up, and we're utilizing the session and the golden ticket we just created.

79
00:04:49,380 --> 00:04:52,220
Now let's try to say something like dir.

80
00:04:52,410 --> 00:04:56,900
And we can utilize something like, we could try THEPUNISHER.

81
00:04:56,910 --> 00:05:02,960
Let's see if it takes with the name resolution here, \\THEPUNISHER\c$, and look at that.

82
00:05:02,960 --> 00:05:08,060
We just did a directory of THEPUNISHER from our machine.

83
00:05:08,120 --> 00:05:09,290
We could take this further.

84
00:05:09,320 --> 00:05:10,070
OK.

85
00:05:10,220 --> 00:05:13,550
If we have PsExec downloaded to this machine.

86
00:05:13,620 --> 00:05:14,880
PsExec.

87
00:05:14,990 --> 00:05:19,400
Remember, this is a tool used for Windows, like this.

88
00:05:19,430 --> 00:05:19,640
Right?

89
00:05:19,640 --> 00:05:21,670
We can access computers with PsExec.

90
00:05:21,670 --> 00:05:28,130
That was the whole intent of PsExec being created, so we can download the Windows tool of PsExec

91
00:05:28,640 --> 00:05:32,390
and gain access to this machine if we want to.

92
00:05:32,390 --> 00:05:36,940
So that's going to be my challenge to you, if you want to have some more fun with this.

93
00:05:37,070 --> 00:05:42,360
Take this a step further and go out, go download PsExec.

94
00:05:42,410 --> 00:05:48,080
So again, all you're going to look for is PsExec.exe, and that is a Windows tool, so you should be

95
00:05:48,080 --> 00:05:56,690
able to find it on the Windows site, download it, and then run PsExec.exe and run it against this

96
00:05:56,810 --> 00:06:02,710
computer, run it in something like this against THEPUNISHER, and then run it against cmd.exe,

97
00:06:02,730 --> 00:06:04,000
just like that.

98
00:06:04,010 --> 00:06:04,700
And guess what?

99
00:06:04,700 --> 00:06:07,030
You're gonna get a shell on this machine.

100
00:06:07,070 --> 00:06:08,810
This is an awesome attack.

101
00:06:08,810 --> 00:06:12,200
You have complete control. On top of this,

102
00:06:12,260 --> 00:06:16,380
you can think of a golden ticket as persistence.

103
00:06:16,430 --> 00:06:23,650
Once you own the domain controller, yes, you can go add in a username and you can create your own account.

104
00:06:23,660 --> 00:06:25,390
Make them a domain admin.

105
00:06:25,490 --> 00:06:27,590
A lot of places will pick up on that.

106
00:06:27,680 --> 00:06:31,860
Not everybody is picking up on the golden ticket quite yet.

107
00:06:31,880 --> 00:06:36,000
And if you want to get stealthier, look into what a silver ticket is.

108
00:06:36,020 --> 00:06:38,020
That's starting to be the way to go,

109
00:06:38,020 --> 00:06:41,180
now that golden tickets are starting to get picked up a little bit.

110
00:06:41,210 --> 00:06:45,410
So what we're gonna do is end this here.

111
00:06:45,440 --> 00:06:46,690
That's my challenge to you.

112
00:06:46,700 --> 00:06:47,750
Go out, download

113
00:06:47,780 --> 00:06:48,800
PsExec.

114
00:06:48,800 --> 00:06:50,090
Play around with it.

115
00:06:50,120 --> 00:06:54,930
Make this your own, go out there and look at more mimikatz commands.

116
00:06:54,980 --> 00:06:59,020
Learn all the different little tools and techniques. You have the lab built for it.

117
00:06:59,030 --> 00:07:01,010
Everything is ready to roll.

118
00:07:01,010 --> 00:07:06,070
So I'm going to cover in the next video some good resources for you to study.

119
00:07:06,080 --> 00:07:09,770
We'll talk a little bit about certifications and what's out there.

120
00:07:09,770 --> 00:07:13,920
And then we're gonna go ahead and move on and get out of Active Directory pentesting.

121
00:07:13,940 --> 00:07:17,360
It has been a fun ride, so I'll catch you over in the next video.