When you are logged into a computer, logging off is essential to your security.  In fact, if you simply close a session instead of logging off, it can lead to serious breaches in security.

That’s why our next tutorial is on stealing Kerberos Tickets.  Understanding this process can help you to protect your own information.

Accessing Files within a Domain

When a user completely logs off of their station, their information is inaccessible to all other users. However, if the Kerberos tickets remain in memory, they can be grabbed and used to access the previous user's files.

To grab the Kerberos tickets, you will need to download mimikatz, which is available here.

Accessing Kerberos Tickets

Using mimikatz, you should assign the debug privilege and export the Kerberos tickets.  The Kerberos tickets will be exported to the mimikatz folder as files.  When you select a particular Kerberos ticket, you can import it into LSASS memory.

To verify the access, you can open another console that is running in the same domain.

Verification

From here, when you import the saved Kerberos ticket into the new console, it will be able to browse the shared files of the original user on the primary console.

To browse additional shared folders, you will need to simply select a different Kerberos ticket from the primary console.

Getting the Golden Ticket

To gain a Golden Ticket, you must use mimikatz again, and it will grant you access to the entire domain.  To start, you should know the domain name, the domain SID, the username to impersonate, and the NTLM hash.

First, run the following commands:

mimikatz # lsadump::samrpc /patch
insideDomain : CQURE

[…]

RID  : 000001f6 (502)
User : krbtgt
LM   :
NTLM : 6aa0233756172c24df5e9797117d118b

Once you have the hash, you can create the Golden Ticket, use the kerberos::ptt command, and find the cqure.tec.kirbi file in the mimikatz folder.

From here, simply verify your access and create the keys you need!
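As an added, defender-side example (not part of the original tutorial), the heuristic below runs over constructed domain-controller event records. A Golden Ticket is minted from the krbtgt hash without the KDC ever issuing it, so the DC sees service-ticket requests (event 4769) for that account with no preceding TGT request (event 4768) from the same client, and a ticket forged from an NTLM hash, as above, is RC4-encrypted (etype 0x17). The field names and the sample events are assumptions.

```python
"""Flag TGS requests that look like they came from a forged (Golden) TGT."""
from datetime import datetime, timedelta

# Constructed sample events, shaped like the fields a 4768/4769 record carries.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:00", "id": 4768, "account": "alice",
     "client": "10.0.0.5", "etype": "0x12"},
    {"time": "2024-05-01T09:00:02", "id": 4769, "account": "alice",
     "client": "10.0.0.5", "service": "cifs/fs01", "etype": "0x12"},
    # No 4768 for this account/client and RC4 encryption: looks forged.
    {"time": "2024-05-01T09:05:00", "id": 4769, "account": "administrator",
     "client": "10.0.0.9", "service": "cifs/fs01", "etype": "0x17"},
]

# Default "Maximum lifetime for user ticket" policy is 10 hours; a legitimate
# TGT older than that must have been renewed (a 4769 for the krbtgt service).
LOOKBACK = timedelta(hours=10)


def find_suspicious_tgs(events, lookback=LOOKBACK, flag_rc4=True):
    """Return (account, client, service, reasons) for each suspicious 4769."""
    last_tgt = {}  # (account, client) -> time the DC last issued/renewed a TGT
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        key = (ev["account"].lower(), ev["client"])
        if ev["id"] == 4768:
            last_tgt[key] = ts
            continue
        if ev["id"] != 4769:
            continue
        if ev.get("service", "").lower().startswith("krbtgt"):
            last_tgt[key] = ts  # TGT renewal, counts as a KDC-issued TGT
            continue
        reasons = []
        issued = last_tgt.get(key)
        if issued is None or ts - issued > lookback:
            reasons.append("no TGT request (4768) from this account/client in window")
        if flag_rc4 and ev.get("etype") == "0x17":
            reasons.append("RC4 (0x17) ticket encryption")
        if reasons:
            findings.append((ev["account"], ev["client"], ev.get("service"), reasons))
    return findings
```

The 4768 lives on whichever DC issued the TGT, so in a multi-DC domain the events must be collected from all DCs before this correlation is meaningful, and any TGT issued before the log window will show up as a false positive.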
