GET a TGS on behalf of another user without password
Scenario: you are Local Administrator and there is a logged User you want to Impersonate!
Chain: SeTcbPrivilege allows you to read LSA storage, extract the SESSION KEY from TGT, and forge a request asking for a TGS; You must use LUID instead of Username.
Goal: From Local Admin to Domain Admin with Kerberos TGS
Required: Local Administrator and a Domain Admin Logged (or Disconnected). In this guide the Domain Admin User is CALIPENDULA\fagiolo
-
ask to GIUDA for a shell as SYSTEM
-
GIUDA -runaslsass or
-
GIUDA -runaspid:PID (a NT AUTHORITY\SYSTEM's PID, enumerate by yourself) you need a PID running with SeTcpPrivilege, search well and try also WINLOGON's PID!
-
ask to GIUDA to show ALL Logged User's LUID
-
GIUDA -askluids
-
take the LUID that you want to impersonate and ask GIUDA to get the msdsspn that you want
-
use PSSession to log on the Domain Controller
Optionally you can ask to SAVE the TGS and pass it next or on another Machine (also on Linux, but only if USER doesn't require PREAUTH, because you have only a TGS without TGT)
- ask TGS with -save option. GIUDA'll save a file named TICKET.KIRBI so you can copy it
A very big thanks to Erwan22, he does a very powerful set of Pascal Units for AD. Thx Erwan22, you're really great!