GitBook: [master] 2 pages modified
This commit is contained in:
parent
377b9602b3
commit
99e313bb17
@ -118,6 +118,10 @@ ls \\victim.domain.local\C$
|
||||
|
||||
![](../../.gitbook/assets/b4.png)
|
||||
|
||||
### Abuse different service tickets
|
||||
|
||||
Lear about the [**available service tickets here**](silver-ticket.md#available-services).
|
||||
|
||||
## Kerberos Errors
|
||||
|
||||
* **`KDC_ERR_ETYPE_NOTSUPP`**: This means that kerberos is configured to not use DES or RC4 and you are supplying just the RC4 hash. Supply to Rubeus at least the AES256 hash \(or just supply it the rc4, aes128 and aes256 hashes\). Example: `[Rubeus.Program]::MainString("s4u /user:FAKECOMPUTER /aes256:CC648CF0F809EE1AA25C52E963AC0487E87AC32B1F71ACC5304C73BF566268DA /aes128:5FC3D06ED6E8EA2C9BB9CC301EA37AD4 /rc4:EF266C6B963C0BB683941032008AD47F /impersonateuser:Administrator /msdsspn:CIFS/M3DC.M3C.LOCAL /ptt".split())`
|
||||
|
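Review bot: The added link line under "### Abuse different service tickets" has a typo: "Lear about" should read "Learn about". The target `silver-ticket.md#available-services` depends on the "## Available Services" heading that this same commit adds to the other file, so the anchor will break silently if that heading is later renamed; worth keeping the two in sync.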
@ -42,3 +42,69 @@ Silver ticket events ID \(more stealth than golden ticket\):
|
||||
|
||||
\*\*\*\*[**More information about Silver Tickets in ired.team**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/kerberos-silver-tickets)\*\*\*\*
|
||||
|
||||
## Available Services
|
||||
|
||||
<table>
|
||||
<thead>
|
||||
<tr>
|
||||
<th style="text-align:left">Service Type</th>
|
||||
<th style="text-align:left">Service Silver Tickets</th>
|
||||
</tr>
|
||||
</thead>
|
||||
<tbody>
|
||||
<tr>
|
||||
<td style="text-align:left">WMI</td>
|
||||
<td style="text-align:left">
|
||||
<p>HOST</p>
|
||||
<p>RPCSS</p>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td style="text-align:left">PowerShell Remoting</td>
|
||||
<td style="text-align:left">
|
||||
<p>HOST</p>
|
||||
<p>HTTP</p>
|
||||
<p>Depending on OS also:</p>
|
||||
<p>WSMAN</p>
|
||||
<p>RPCSS</p>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td style="text-align:left">WinRM</td>
|
||||
<td style="text-align:left">
|
||||
<p>HOST</p>
|
||||
<p>HTTP</p>
|
||||
<p>In some occasions you can just ask for: WINRM</p>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td style="text-align:left">Scheduled Tasks</td>
|
||||
<td style="text-align:left">HOST</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td style="text-align:left">Windows File Share, also psexec</td>
|
||||
<td style="text-align:left">CIFS</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td style="text-align:left">LDAP operations, included DCSync</td>
|
||||
<td style="text-align:left">LDAP</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td style="text-align:left">Windows Remote Server Administration Tools</td>
|
||||
<td style="text-align:left">
|
||||
<p>RPCSS</p>
|
||||
<p>LDAP</p>
|
||||
<p>CIFS</p>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td style="text-align:left">Golden Tickets</td>
|
||||
<td style="text-align:left">krbtgt</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
Using **Rubeus** you may **ask for all** these tickets using the parameter:
|
||||
|
||||
* `/altservice:host,RPCSS,http,wsman,cifs,ldap,krbtgt,winrm`
|
||||
|
||||
|
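Review bot: The last table row, "Golden Tickets" with `krbtgt`, sits under the column header "Service Silver Tickets", so the table gives no hint that this row is a different case from the per-service rows above it; a short sentence under the table, or moving that row out of the table, would make the distinction explicit. Two cells also need wording fixes: "LDAP operations, included DCSync" should be "including DCSync", and "In some occasions" should be "On some occasions". The `/altservice:` list mixes case (`host`, `http` next to `RPCSS`) while the table uses upper case throughout; using one form makes the list easy to check against the table.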