Sunday, March 27, 2016

Learning about Mimikatz, SkeletonKey, Dumping NTDS.dit and Kerberos with Metasploit - Skeleton Key

So skeleton key, like mimikatz, was something I learned about recently and was interested in. So this post is for me to understand how to use these features and hopefully log and/or detect it.
According to Dell SecureWorks, skeleton key uses a method of bypassing AD authentication when a single-factor (password) authentication mechanism is used. Basically a malicious actor can assign a "master" password to the AD domain and thus log in as any user.

So how do we test this?
We will leverage information we learned in the previous posts, specifically this one and this one.

Since most of the work was done in the previous posts, let's just go ahead and install the "skeleton key" using mimikatz.

From the mimikatz output above we see the skeleton key has been loaded.

Let's now test this by trying to connect to a network share on the DC from a Windows 7 machine. Below I use the password "Blogging1" with the username "tUser" and was able to successfully map drive "F" to the "tmp" share on the server and perform a "dir" to view the files in the directory.


Similarly below, I connect to a network share on the DC from a Windows 7 machine. In this scenario however, I use the "master" password "mimikatz" with the username "tUser" and was able to successfully map drive "F" to the "tmp" share on the server and perform a "dir" to view the files in the directory.

Both examples above clearly demonstrated that this worked as expected.


According to Dell, skeleton key does not have any type of persistence at this time; thus, by rebooting the Domain Controller, the system will no longer be affected.
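To make the behaviour above concrete, here is a small Python model I have added (it is not code from the original post or from mimikatz): a toy domain controller whose in-memory password check accepts a master password alongside each account's real one, plus a defender-side canary check. The class and function names (ToyDomainController, canary_check, walkthrough) are my own; the account "tUser"/"Blogging1" and the master password "mimikatz" come from the post.

```python
import hashlib
import hmac

class ToyDomainController:
    """Constructed model of a DC's single-factor password check (not real LSASS code)."""
    def __init__(self, accounts):
        # "On disk": one password hash per account; survives a reboot.
        self._store = {user: self._hash(pw) for user, pw in accounts.items()}
        # "In memory": the skeleton key's master hash, present only while patched.
        self._master_hash = None

    @staticmethod
    def _hash(password):
        return hashlib.sha256(password.encode("utf-8")).digest()

    def install_skeleton_key(self, master_password="mimikatz"):
        # The patch lives only in the running process, like the real thing.
        self._master_hash = self._hash(master_password)

    def reboot(self):
        # No persistence (Dell SecureWorks), so a reboot clears the patch.
        self._master_hash = None

    def authenticate(self, user, password):
        stored = self._store.get(user)
        if stored is None:
            return False
        candidate = self._hash(password)
        if hmac.compare_digest(candidate, stored):
            return True  # the user's real password still works, so nobody notices
        if self._master_hash is not None and hmac.compare_digest(candidate, self._master_hash):
            return True  # patched path: the master password works for any user
        return False

def canary_check(dc, user, real_password, master_password="mimikatz"):
    """Defender-side check: a canary account that accepts a known master password
    as well as its real password indicates the DC is probably patched."""
    real_ok = dc.authenticate(user, real_password)
    master_ok = master_password != real_password and dc.authenticate(user, master_password)
    return {"real_ok": real_ok, "master_ok": master_ok, "suspect": real_ok and master_ok}

def walkthrough():
    # Replays the post's test: before the patch, with it loaded, and after a reboot.
    dc = ToyDomainController({"tUser": "Blogging1"})
    before = canary_check(dc, "tUser", "Blogging1")
    dc.install_skeleton_key()
    during = canary_check(dc, "tUser", "Blogging1")
    dc.reboot()
    after = canary_check(dc, "tUser", "Blogging1")
    return before, during, after
```

Running walkthrough() shows the three states in order: only the real password works, then both work (the "suspect" flag trips), then only the real password works again after the reboot.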

Similar to the other posts, we will try to analyze all of this activity when we get to the Log Analysis post in this series.

Reference:

https://adsecurity.org/?p=1275
https://www.secureworks.com/research/skeleton-key-malware-analysis


Posts in this series:
Learning about Mimikatz, SkeletonKey, Dumping NTDS.dit and Kerberos with Metasploit - Lab Setup
Learning about Mimikatz, SkeletonKey, Dumping NTDS.dit and Kerberos with Metasploit - Dumping the AD database
Learning about Mimikatz, SkeletonKey, Dumping NTDS.dit and Kerberos with Metasploit - Mimikatz
Learning about Mimikatz, SkeletonKey, Dumping NTDS.dit and Kerberos with Metasploit - Exporting Certificates
Learning about Mimikatz, SkeletonKey, Dumping NTDS.dit and Kerberos with Metasploit - Pass The Ticket (Golden Ticket)
Learning about Mimikatz, SkeletonKey, Dumping NTDS.dit and Kerberos with Metasploit - Skeleton Key
Learning about Mimikatz, SkeletonKey, Dumping NTDS.dit and Kerberos with Metasploit - Log Analysis
Learning about Mimikatz, SkeletonKey, Dumping NTDS.dit and Kerberos with Metasploit - Volatility Memory Analysis
