
Comments (8)

gentilkiwi commented on September 26, 2024

Amazing :)
It already existed with /restrictedAdmin, a ticket without keys (without SSO).
A flag may exist to indicate it's remote :)

Do you have a dump on the client side, and at the same time on the server side?

Cheers

from mimikatz.

goldfinger2 commented on September 26, 2024

No, currently not, but we can make it at the end of this week.

Jürgen


gentilkiwi commented on September 26, 2024

Thank you Jürgen!
It can be easier if @microsoft can buy me a Surface Book :P


goldfinger2 commented on September 26, 2024

Salut Benjamin,
here are your dumps.
We made a connection from the source with active Credential Guard (lsass-source-rdp-cg) with mstsc /remoteGuard to the target (lsass-target-rg).
Executing mimikatz on the target with sekurlsa::tickets we get a crash.
We used sadmin with P@ssw0rd!

lsass-target-rgc.zip
lsass-source-rdp-cg.zip


gentilkiwi commented on September 26, 2024

Hello Jürgen :)

Thank you, I'll take a look 👍
Was the user in the "Protected Users" group too?


goldfinger2 commented on September 26, 2024

Yes, he is in the Protected Users group, too.

Jürgen


goldfinger2 commented on September 26, 2024

Salut Benjamin,
I forgot to attach the user information.
We used claims, too. Maybe they can be counterfeited soon and easily by the mimikatz golden ticket creation. ;-)
By the way, is there a mimikatz command to list the Kerberos PAC field authorization information directly?

Juergen

whoami /all
USER INFORMATION
----------------
User Name      SID                                         
============== =============================================
company\sadmin S-1-5-21-504569365-2122958605-3922303804-1609

GROUP INFORMATION
-----------------
Group Name                                     Type             SID                                          Attributes                                                    
============================================== ================ ============================================ ===============================================================
Everyone                                       Well-known group S-1-1-0                                      Mandatory group, Enabled by default, Enabled group            
BUILTIN\Users                                  Alias            S-1-5-32-545                                 Mandatory group, Enabled by default, Enabled group            
BUILTIN\Administrators                         Alias            S-1-5-32-544                                 Mandatory group, Enabled by default, Enabled group, Group owner
NT AUTHORITY\INTERACTIVE                       Well-known group S-1-5-4                                      Mandatory group, Enabled by default, Enabled group            
CONSOLE LOGON                                  Well-known group S-1-2-1                                      Mandatory group, Enabled by default, Enabled group            
NT AUTHORITY\Authenticated Users               Well-known group S-1-5-11                                     Mandatory group, Enabled by default, Enabled group            
NT AUTHORITY\This Organization                 Well-known group S-1-5-15                                     Mandatory group, Enabled by default, Enabled group            
LOCAL                                          Well-known group S-1-2-0                                      Mandatory group, Enabled by default, Enabled group            
COMPANY\Group Policy Creator Owners            Group            S-1-5-21-504569365-2122958605-3922303804-520 Mandatory group, Enabled by default, Enabled group            
COMPANY\Domain Admins                          Group            S-1-5-21-504569365-2122958605-3922303804-512 Mandatory group, Enabled by default, Enabled group            
COMPANY\Protected Users                        Group            S-1-5-21-504569365-2122958605-3922303804-525 Mandatory group, Enabled by default, Enabled group            
COMPANY\Schema Admins                          Group            S-1-5-21-504569365-2122958605-3922303804-518 Mandatory group, Enabled by default, Enabled group            
COMPANY\Enterprise Admins                      Group            S-1-5-21-504569365-2122958605-3922303804-519 Mandatory group, Enabled by default, Enabled group            
NT AUTHORITY\Claims Valid                      Well-known group S-1-5-21-0-0-0-497                           Mandatory group, Enabled by default, Enabled group            
Authentication authority asserted identity     Well-known group S-1-18-1                                     Mandatory group, Enabled by default, Enabled group            
COMPANY\Denied RODC Password Replication Group Alias            S-1-5-21-504569365-2122958605-3922303804-572 Mandatory group, Enabled by default, Enabled group, Local Group
Mandatory Label\High Mandatory Level           Label            S-1-16-12288                                                                                               

PRIVILEGES INFORMATION
----------------------
Privilege Name                            Description                                                        State  
========================================= ================================================================== ========
SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Disabled
SeSecurityPrivilege                       Manage auditing and security log                                   Disabled
SeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Disabled
SeLoadDriverPrivilege                     Load and unload device drivers                                     Disabled
SeSystemProfilePrivilege                  Profile system performance                                         Disabled
SeSystemtimePrivilege                     Change the system time                                             Disabled
SeProfileSingleProcessPrivilege           Profile single process                                             Disabled
SeIncreaseBasePriorityPrivilege           Increase scheduling priority                                       Disabled
SeCreatePagefilePrivilege                 Create a pagefile                                                  Disabled
SeBackupPrivilege                         Back up files and directories                                      Disabled
SeRestorePrivilege                        Restore files and directories                                      Disabled
SeShutdownPrivilege                       Shut down the system                                               Disabled
SeDebugPrivilege                          Debug programs                                                     Disabled
SeSystemEnvironmentPrivilege              Modify firmware environment values                                 Disabled
SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled
SeRemoteShutdownPrivilege                 Force shutdown from a remote system                                Disabled
SeUndockPrivilege                         Remove computer from docking station                               Disabled
SeManageVolumePrivilege                   Perform volume maintenance tasks                                   Disabled
SeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled
SeCreateGlobalPrivilege                   Create global objects                                              Enabled
SeIncreaseWorkingSetPrivilege             Increase a process working set                                     Disabled
SeTimeZonePrivilege                       Change the time zone                                               Disabled
SeCreateSymbolicLinkPrivilege             Create symbolic links                                              Disabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Disabled

USER CLAIMS INFORMATION
-----------------------
Claim Name           Claim ID                    Flags Type   Values                 
==================== =========================== ===== ====== ========================
"AuthenticationSilo" ad://ext/AuthenticationSilo       String "Restricted_Admin_Logon"

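The `whoami /all` listing above is the evidence that the test account was hardened the way the thread discusses: it is a member of Protected Users, its token carries the Claims Valid SID, and it holds an AuthenticationSilo claim. The script below is an added example (not mimikatz code and not written by either participant) that parses the column-aligned tables `whoami /all` prints and reports those three signals, so a defender can audit an admin account before trusting it for Remote Credential Guard sessions. The SAMPLE text is a constructed excerpt modelled on the posted output (same SIDs); the column widths are read from each table's `====` separator line rather than hard-coded.

```python
"""Audit hardening signals from `whoami /all` output (added example, not mimikatz code)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed fixture: a trimmed copy of the whoami /all output posted in the thread.
SAMPLE = r"""USER INFORMATION
----------------
User Name      SID
============== =============================================
company\sadmin S-1-5-21-504569365-2122958605-3922303804-1609

GROUP INFORMATION
-----------------
Group Name                                     Type             SID                                          Attributes
============================================== ================ ============================================ ===============================================================
Everyone                                       Well-known group S-1-1-0                                      Mandatory group, Enabled by default, Enabled group
COMPANY\Domain Admins                          Group            S-1-5-21-504569365-2122958605-3922303804-512 Mandatory group, Enabled by default, Enabled group
COMPANY\Protected Users                        Group            S-1-5-21-504569365-2122958605-3922303804-525 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Claims Valid                      Well-known group S-1-5-21-0-0-0-497                           Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level           Label            S-1-16-12288

USER CLAIMS INFORMATION
-----------------------
Claim Name           Claim ID                    Flags Type   Values
==================== =========================== ===== ====== ========================
"AuthenticationSilo" ad://ext/AuthenticationSilo       String "Restricted_Admin_Logon"
"""

PROTECTED_USERS_RID = "525"            # well-known domain-relative RID of Protected Users
CLAIMS_VALID_SID = "S-1-5-21-0-0-0-497"  # SID added to tokens whose PAC carried valid claims


def _column_spans(sep_line: str) -> List[Tuple[int, Optional[int]]]:
    """Turn a '==== ==== ====' separator line into (start, end) slice bounds."""
    spans: List[Tuple[int, Optional[int]]] = [(m.start(), m.end()) for m in re.finditer(r"=+", sep_line)]
    # The last column runs to the end of the row so long values are never cut.
    spans[-1] = (spans[-1][0], None)
    return spans


def parse_whoami(text: str) -> Dict[str, List[Dict[str, str]]]:
    """Return {section title: [row dicts]} for every table in `whoami /all` output."""
    sections: Dict[str, List[Dict[str, str]]] = {}
    lines = text.splitlines()
    i = 0
    while i + 3 < len(lines):
        underline = lines[i + 1]
        # A section title is followed by a dashed underline, a header row and a '=' separator.
        if lines[i].strip() and underline and set(underline) == {"-"}:
            spans = _column_spans(lines[i + 3])
            names = [lines[i + 2][s:e].strip() for s, e in spans]
            rows: List[Dict[str, str]] = []
            j = i + 4
            while j < len(lines) and lines[j].strip():
                rows.append({n: lines[j][s:e].strip() for n, (s, e) in zip(names, spans)})
                j += 1
            sections[lines[i].strip()] = rows
            i = j
        else:
            i += 1
    return sections


def _rid(sid: str) -> str:
    """Last sub-authority of a SID, e.g. '525' for a Protected Users SID."""
    return sid.rsplit("-", 1)[-1]


def audit(text: str) -> Dict[str, object]:
    """Summarise the hardening signals a defender wants to see on an admin account."""
    sections = parse_whoami(text)
    groups = sections.get("GROUP INFORMATION", [])
    sids = {g["SID"] for g in groups}
    claims = {c["Claim Name"].strip('"'): c["Values"].strip('"')
              for c in sections.get("USER CLAIMS INFORMATION", [])}
    return {
        "user": sections["USER INFORMATION"][0]["User Name"],
        # Protected Users is matched by RID so the check is independent of display language.
        "protected_users": any(s.startswith("S-1-5-21-") and _rid(s) == PROTECTED_USERS_RID for s in sids),
        "claims_valid": CLAIMS_VALID_SID in sids,
        "authentication_silo": claims.get("AuthenticationSilo"),
        "groups": sorted(g["Group Name"] for g in groups if g["Type"] == "Group"),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(f"{key}: {value}")
```

Run against live output with `whoami /all > out.txt` and `audit(open("out.txt").read())`; an account that is not in Protected Users or lacks the Claims Valid SID is one that the silo policy never applied to, regardless of what the RDP client was told.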

gentilkiwi commented on September 26, 2024

I don't know a lot about claims for the moment.
I've embedded some tools in mimikatz to decrypt tickets & for PAC interpretation... but cannot make it all automated because of ASN.1 interpretation: https://social.msdn.microsoft.com/Forums/vstudio/en-US/b237c77e-614b-4c77-b9d7-9773eefb2698/berinit-and-asn1-sequence

You can enable "allowtgtsessionkey", export the TGT by API and send me the ticket + AES krbtgt. I can take a look.
Do not hesitate to use mail if the information is sensitive.
