{"id":983,"date":"2015-09-17T14:25:18","date_gmt":"2015-09-17T11:25:18","guid":{"rendered":"https:\/\/furkansandal.com\/post-exploitation3-golden-ticket-ile-etki-alanina-surekli-ve-yetkili-erisim\/"},"modified":"2015-09-17T14:25:18","modified_gmt":"2015-09-17T11:25:18","slug":"post-exploitation3-golden-ticket-ile-etki-alanina-surekli-ve-yetkili-erisim","status":"publish","type":"post","link":"https:\/\/furkansandal.com\/post-exploitation3-golden-ticket-ile-etki-alanina-surekli-ve-yetkili-erisim\/","title":{"rendered":"[Post Exploitation]#3 Golden Ticket ile Etki Alan\u0131na S\u00fcrekli ve Yetkili Eri\u015fim"},"content":{"rendered":"<div id=\"post-body-4581289949238736937\" itemprop=\"description articleBody\" readability=\"130.852066116\">\n<div style=\"text-align: justify;\" readability=\"10\">\n<a href=\"https:\/\/i0.wp.com\/furkansandal.com\/wp-content\/uploads\/2015\/09\/abusing-microsoft-kerberos.jpg?ssl=1\" imageanchor=\"1\" style=\"clear: right; float: right; margin-bottom: 1em; margin-left: 1em;\"><img loading=\"lazy\" decoding=\"async\" border=\"0\" src=\"https:\/\/i0.wp.com\/furkansandal.com\/wp-content\/uploads\/2015\/09\/abusing-microsoft-kerberos.jpg?resize=200%2C138&#038;ssl=1\" height=\"138\" width=\"200\" data-recalc-dims=\"1\" \/><\/a>Kurum i\u00e7ine yap\u0131lan sald\u0131r\u0131larda veya s\u0131zma testlerinde Domain Admin yetkisini elde eden bir sald\u0131rgan etki alan\u0131ndaki (neredeyse) her bilgisayar\u0131 ele ge\u00e7irmi\u015f olur denebilir. E\u011fer g\u00fcven (trust) ili\u015fkisi varsa bu durumda di\u011fer etki alanlar\u0131 da tehlike alt\u0131na girebilir. Bunun haricinde y\u00f6netim kolayl\u0131\u011f\u0131 olmas\u0131 a\u00e7\u0131s\u0131ndan sald\u0131r\u0131ya u\u011frayan etki alan\u0131na dahil edilmi\u015f kritik sistemler de tehlikeye maruz kalabilir. Bu sebeplerle etki alan\u0131 y\u00f6netici hesaplar\u0131n\u0131n korunmas\u0131 kurumlar i\u00e7in olduk\u00e7a \u00f6nemlidir.<\/div>\n<p>\nS\u0131zma testlerinde veya sald\u0131r\u0131larda etki alan\u0131 y\u00f6netici haklar\u0131 temel olarak 2 \u015fekilde elde edilir:<\/p>\n<ol>\n<li style=\"text-align: justify;\">Kurum a\u011f\u0131nda etki alan\u0131 y\u00f6neticisinin jetonu (token) ele ge\u00e7irilebilir. Bir kullan\u0131c\u0131n\u0131n jetonunun ele ge\u00e7irilmesi ile ilgili \u00f6rnek bir durum i\u00e7in <a href=\"http:\/\/ertugrulbasaranoglu.blogspot.com.tr\/2013\/10\/ipucu-domainde-yetkili-kullancnn.html\">bak\u0131n\u0131z<\/a>. Etki alan\u0131 y\u00f6neticisinin jetonunu elde eden sald\u0131rgan jeton i\u00e7erisindeki biletin (ticket) s\u00fcresi boyunca -bilet yenileme olay\u0131 ihmal edilmektedir-  istedi\u011fi i\u015flemi ger\u00e7ekle\u015ftirebilir.<\/li>\n<li style=\"text-align: justify;\">Benzer \u015fekilde etki alan\u0131 y\u00f6neticisinin parolas\u0131n\u0131 elde eden sald\u0131rgan, parola de\u011fi\u015fmedi\u011fi s\u00fcrece bu kullan\u0131c\u0131 hesab\u0131na ait parola ile istedi\u011fi i\u015flemi ger\u00e7ekle\u015ftirebilir. \u00d6rne\u011fin, kendisine \u00f6zel bir kullan\u0131c\u0131 olu\u015fturup o kullan\u0131c\u0131y\u0131 etki alan\u0131 y\u00f6neticisi yapabilir.<\/li>\n<\/ol>\n<div style=\"text-align: justify;\" readability=\"14\">\n<a href=\"https:\/\/i0.wp.com\/furkansandal.com\/wp-content\/uploads\/2015\/09\/2276877.jpg?ssl=1\" imageanchor=\"1\" style=\"clear: left; float: left; margin-bottom: 1em; margin-right: 1em;\"><img loading=\"lazy\" decoding=\"async\" border=\"0\" src=\"https:\/\/i0.wp.com\/furkansandal.com\/wp-content\/uploads\/2015\/09\/2276877.jpg?resize=200%2C198&#038;ssl=1\" height=\"198\" width=\"200\" data-recalc-dims=\"1\" \/><\/a>Yukar\u0131da belirtilen 2 y\u00f6ntemin s\u00fcreklili\u011fi, yukar\u0131da belirtildi\u011fi gibi, uzun olmayabilir. \u00d6rne\u011fin parola de\u011fi\u015ftirildi\u011fi zaman art\u0131k etki alan\u0131nda s\u00f6z sahibi olunamayacakt\u0131r. Bunun \u00f6n\u00fcne ge\u00e7mek i\u00e7in alt\u0131n bilet (<b>Golden Ticket<\/b>) ad\u0131 verilen yetkili bir kimlik bilgisi ile kurban etki alan\u0131na eri\u015fim her zaman sa\u011flanabilir.\u00a0<\/div>\n<p>\nBu yaz\u0131da etki alan\u0131 y\u00f6neticilik yetkisinin y\u0131llar sonra bile kullan\u0131labilmesine imkan sa\u011flayan bir y\u00f6ntem incelenecektir.<\/p>\n<p>\nYaz\u0131da DC rol\u00fcne sahip\u00a0bir\u00a0Windows Server 2008 R2 sunucu ve bu etki alan\u0131ndaki (sirket.local) Windows 7 bir istemci kullan\u0131lacakt\u0131r.<\/p>\n<p>\nYaz\u0131 5 ad\u0131mdan olu\u015fmaktad\u0131r:<\/p>\n<ol>\n<li style=\"text-align: justify;\">KDC, KRBTGT, TGT gibi konular hakk\u0131nda \u00f6n bilgilendirme<\/li>\n<li style=\"text-align: justify;\">DC makinesine meterpreter oturumu elde edilmesi ve bir tak\u0131m bilgiler toplanmas\u0131<\/li>\n<li style=\"text-align: justify;\">DC \u00fczerinde alt\u0131n bilet (Golden Ticket) olu\u015fturulmas\u0131<\/li>\n<li style=\"text-align: justify;\">Standart bir kullan\u0131c\u0131n\u0131n haklar\u0131yla ele ge\u00e7irilmi\u015f olan bir istemci bilgisayar\u0131nda Golden Ticket ile etki alan\u0131 y\u00f6netici haklar\u0131n\u0131n yeniden ele ge\u00e7irilmesi<\/li>\n<li style=\"text-align: justify;\">Al\u0131nabilecek \u00f6nlemler\u00a0<\/li>\n<\/ol>\n<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_55 counter-hierarchy ez-toc-counter ez-toc-grey ez-toc-container-direction\">\n<div class=\"ez-toc-title-container\">\n<p class=\"ez-toc-title \" >Table of Contents<\/p>\n<span class=\"ez-toc-title-toggle\"><a href=\"#\" class=\"ez-toc-pull-right ez-toc-btn ez-toc-btn-xs ez-toc-btn-default ez-toc-toggle\" aria-label=\"Toggle Table of Content\" role=\"button\"><label for=\"item-662d31ce03940\" ><span class=\"\"><span style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #999;color:#999\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #999;color:#999\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewBox=\"0 0 24 24\" version=\"1.2\" baseProfile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/label><input aria-label=\"Toggle\" aria-label=\"item-662d31ce03940\"  type=\"checkbox\" id=\"item-662d31ce03940\"><\/a><\/span><\/div>\n<nav><ul class='ez-toc-list ez-toc-list-level-1 ' ><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/furkansandal.com\/post-exploitation3-golden-ticket-ile-etki-alanina-surekli-ve-yetkili-erisim\/#1_Genel_Kavramlar\" title=\"\n1) Genel Kavramlar\">\n1) Genel Kavramlar<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/furkansandal.com\/post-exploitation3-golden-ticket-ile-etki-alanina-surekli-ve-yetkili-erisim\/#2_DC_Uzerinde_Gerekli_Bilgilerin_Toplanmasi\" title=\"\n2) DC \u00dczerinde Gerekli Bilgilerin Toplanmas\u0131\">\n2) DC \u00dczerinde Gerekli Bilgilerin Toplanmas\u0131<\/a><ul class='ez-toc-list-level-4'><li class='ez-toc-heading-level-4'><ul class='ez-toc-list-level-4'><li class='ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/furkansandal.com\/post-exploitation3-golden-ticket-ile-etki-alanina-surekli-ve-yetkili-erisim\/#systeminfo_findstr_Domain\" title=\"\nsysteminfo | findstr Domain:\">\nsysteminfo | findstr Domain:<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"https:\/\/furkansandal.com\/post-exploitation3-golden-ticket-ile-etki-alanina-surekli-ve-yetkili-erisim\/#net_user_domain_wmic_useraccount_get_sid_name\" title=\"\nnet user \/domain wmic useraccount get sid, name\">\nnet user \/domain wmic useraccount get sid, name<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-5\" href=\"https:\/\/furkansandal.com\/post-exploitation3-golden-ticket-ile-etki-alanina-surekli-ve-yetkili-erisim\/#whoami_user_%E2%80%93%3E_Etki_alani_kullanicisina_atlandiginda_PsGetsidexe_sirketlocal_%E2%80%93%3E_PsGetSid_araci_indirilmelidir\" title=\"\nwhoami \/user &#8211;&gt; Etki alan\u0131 kullan\u0131c\u0131s\u0131na atland\u0131\u011f\u0131nda PsGetsid.exe sirket.local &#8211;&gt; PsGetSid arac\u0131 indirilmelidir.\">\nwhoami \/user &#8211;&gt; Etki alan\u0131 kullan\u0131c\u0131s\u0131na atland\u0131\u011f\u0131nda PsGetsid.exe sirket.local &#8211;&gt; PsGetSid arac\u0131 indirilmelidir.<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-6\" href=\"https:\/\/furkansandal.com\/post-exploitation3-golden-ticket-ile-etki-alanina-surekli-ve-yetkili-erisim\/#hashdump\" title=\"\nhashdump\">\nhashdump<\/a><\/li><\/ul><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-7\" href=\"https:\/\/furkansandal.com\/post-exploitation3-golden-ticket-ile-etki-alanina-surekli-ve-yetkili-erisim\/#3_Golden_Ticket%E2%80%99in_Olusturulmasi\" title=\"\n3) Golden Ticket&#8217;\u0131n Olu\u015fturulmas\u0131\">\n3) Golden Ticket&#8217;\u0131n Olu\u015fturulmas\u0131<\/a><ul class='ez-toc-list-level-4'><li class='ez-toc-heading-level-4'><ul class='ez-toc-list-level-4'><li class='ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-8\" href=\"https:\/\/furkansandal.com\/post-exploitation3-golden-ticket-ile-etki-alanina-surekli-ve-yetkili-erisim\/#load_kiwi\" title=\"\nload kiwi\">\nload kiwi<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-9\" href=\"https:\/\/furkansandal.com\/post-exploitation3-golden-ticket-ile-etki-alanina-surekli-ve-yetkili-erisim\/#golden_ticket_create_-d_sirketlocal_-g_500_502_512_-k_e97cff82951e431e3ee148fef54a528d_-s_S-1-5-21-2894599646-2825042678-4174893972_-u_YeniKullanici_-t_rootGolden_YeniKullanicikrbtgt\" title=\"\ngolden_ticket_create -d sirket.local -g 500, 502, 512 -k e97cff82951e431e3ee148fef54a528d   -s S-1-5-21-2894599646-2825042678-4174893972 -u YeniKullanici -t \/root\/Golden_YeniKullanici.krbtgt\">\ngolden_ticket_create -d sirket.local -g 500, 502, 512 -k e97cff82951e431e3ee148fef54a528d   -s S-1-5-21-2894599646-2825042678-4174893972 -u YeniKullanici -t \/root\/Golden_YeniKullanici.krbtgt<\/a><\/li><\/ul><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-10\" href=\"https:\/\/furkansandal.com\/post-exploitation3-golden-ticket-ile-etki-alanina-surekli-ve-yetkili-erisim\/#4_Golden_Ticket%E2%80%99in_Kullanilmasi\" title=\"\n4) Golden Ticket&#8217;\u0131n Kullan\u0131lmas\u0131\">\n4) Golden Ticket&#8217;\u0131n Kullan\u0131lmas\u0131<\/a><ul class='ez-toc-list-level-4'><li class='ez-toc-heading-level-4'><ul class='ez-toc-list-level-4'><li class='ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-11\" href=\"https:\/\/furkansandal.com\/post-exploitation3-golden-ticket-ile-etki-alanina-surekli-ve-yetkili-erisim\/#net_use_SRV1C\" title=\"\nnet use \\SRV1C$\">\nnet use \\SRV1C$<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-12\" href=\"https:\/\/furkansandal.com\/post-exploitation3-golden-ticket-ile-etki-alanina-surekli-ve-yetkili-erisim\/#load_kiwi-2\" title=\"\nload kiwi\">\nload kiwi<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-13\" href=\"https:\/\/furkansandal.com\/post-exploitation3-golden-ticket-ile-etki-alanina-surekli-ve-yetkili-erisim\/#kerberos_ticket_list\" title=\"\nkerberos_ticket_list\">\nkerberos_ticket_list<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-14\" href=\"https:\/\/furkansandal.com\/post-exploitation3-golden-ticket-ile-etki-alanina-surekli-ve-yetkili-erisim\/#kerberos_ticket_purge_kerberos_ticket_use_rootGolden_YeniKullanicikrbtgt_kerberos_ticket_list\" title=\"\nkerberos_ticket_purge kerberos_ticket_use \/root\/Golden_YeniKullanici.krbtgt kerberos_ticket_list \">\nkerberos_ticket_purge kerberos_ticket_use \/root\/Golden_YeniKullanici.krbtgt kerberos_ticket_list <\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-15\" href=\"https:\/\/furkansandal.com\/post-exploitation3-golden-ticket-ile-etki-alanina-surekli-ve-yetkili-erisim\/#net_use_SRV1C_dir_SRV1C\" title=\"\nnet use \\SRV1C$ dir \\SRV1C$\">\nnet use \\SRV1C$ dir \\SRV1C$<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-16\" href=\"https:\/\/furkansandal.com\/post-exploitation3-golden-ticket-ile-etki-alanina-surekli-ve-yetkili-erisim\/#net_user_domain_net_group_%E2%80%9CDomain_Admins%E2%80%9D_domain\" title=\"\nnet user \/domain net group &#8220;Domain Admins&#8221; \/domain\">\nnet user \/domain net group &#8220;Domain Admins&#8221; \/domain<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-17\" href=\"https:\/\/furkansandal.com\/post-exploitation3-golden-ticket-ile-etki-alanina-surekli-ve-yetkili-erisim\/#net_user_%E2%80%9CYine_Ben%E2%80%9D_Aa123456_add_domain_net_group_%E2%80%9CDomain_Admins%E2%80%9D_%E2%80%9CYine_Ben%E2%80%9D_add_domain\" title=\"\nnet user &#8220;Yine Ben&#8221; Aa123456 \/add \/domain net group &#8220;Domain Admins&#8221; &#8220;Yine Ben&#8221; \/add \/domain\">\nnet user &#8220;Yine Ben&#8221; Aa123456 \/add \/domain net group &#8220;Domain Admins&#8221; &#8220;Yine Ben&#8221; \/add \/domain<\/a><\/li><\/ul><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-18\" href=\"https:\/\/furkansandal.com\/post-exploitation3-golden-ticket-ile-etki-alanina-surekli-ve-yetkili-erisim\/#5_Onlemler\" title=\"\n5) \u00d6nlemler\">\n5) \u00d6nlemler<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-19\" href=\"https:\/\/furkansandal.com\/post-exploitation3-golden-ticket-ile-etki-alanina-surekli-ve-yetkili-erisim\/#Kaynaklar\" title=\"\nKaynaklar\">\nKaynaklar<\/a><\/li><\/ul><\/nav><\/div>\n<h2><span class=\"ez-toc-section\" id=\"1_Genel_Kavramlar\"><\/span>\n1) Genel Kavramlar<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Bir etki alan\u0131 olu\u015fturuldu\u011funda KRBTGT ad\u0131nda bir kullan\u0131c\u0131 olu\u015fur. E\u011fer ortamda \u00e7ok fazla RODC varsa, birden fazla krbtgt hesab\u0131 da (sonuna birer ID eklenmi\u015f \u015fekilde) bulunabilir.<\/p>\n<p>Etki alan\u0131ndaki krbtgt hesab\u0131 ile ilgili ayr\u0131nt\u0131l\u0131 bilgi i\u00e7in <b><span style=\"font-family: Courier New, Courier, monospace;\">net<\/span><\/b> arac\u0131 kullan\u0131labilir.<\/p>\n<div readability=\"27.8684759916\">\n<\/p>\n<div class=\"separator\" style=\"clear: both; text-align: center;\">\n<a href=\"https:\/\/i0.wp.com\/furkansandal.com\/wp-content\/uploads\/2015\/09\/06.jpg?ssl=1\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img loading=\"lazy\" decoding=\"async\" border=\"0\" src=\"https:\/\/i0.wp.com\/furkansandal.com\/wp-content\/uploads\/2015\/09\/06.jpg?resize=400%2C320&#038;ssl=1\" height=\"320\" width=\"400\" data-recalc-dims=\"1\" \/><\/a><\/div>\n<blockquote class=\"tr_bq\"><p>\n<span style=\"color: #990000;\"><b>Not:<\/b> Bu kullan\u0131c\u0131 hesab\u0131n\u0131n pasif oldu\u011fu dikkat \u00e7ekmektedir.<\/span><\/p><\/blockquote>\n<p>\nMicrosoft etki alan\u0131 ortam\u0131nda kimlik do\u011frulama temel Kerberos protokol\u00fc \u00fczerine kurulmu\u015ftur. Kerberos kimlik do\u011frulamas\u0131 a\u015fa\u011f\u0131daki gibi tan\u0131t\u0131labilir:<\/p>\n<p><\/p>\n<div class=\"separator\" style=\"clear: both; text-align: center;\">\n<a href=\"https:\/\/i0.wp.com\/furkansandal.com\/wp-content\/uploads\/2015\/09\/00.jpg?ssl=1\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img loading=\"lazy\" decoding=\"async\" border=\"0\" src=\"https:\/\/i0.wp.com\/furkansandal.com\/wp-content\/uploads\/2015\/09\/00.jpg?resize=400%2C263&#038;ssl=1\" height=\"263\" width=\"400\" data-recalc-dims=\"1\" \/><\/a><\/div>\n<p>\nYukar\u0131daki ekran g\u00f6r\u00fcnt\u00fcs\u00fcnde, 2. ad\u0131mda, istemci TGT almak istedi\u011finde, sunucu bu talebi KRBTGT hesab\u0131n\u0131n NT \u00f6zeti ile \u015fifreler. Bu sebeple KRBTGT kullan\u0131c\u0131s\u0131n\u0131n NT \u00f6zeti ele ge\u00e7irildi\u011finde TGT olu\u015fturulabilir. Bu yaz\u0131da belirtilecek olan Meterpreter&#8217;daki &#8220;Kiwi&#8221; eklentisinin olu\u015fturdu\u011fu Golden Ticket da yakla\u015f\u0131k olarak bu \u015fekildedir.<\/p>\n<blockquote class=\"tr_bq\" style=\"text-align: justify;\"><p>\n<span style=\"color: #990000;\"><b>Not:<\/b> KRBTGT hesab\u0131n\u0131n parola \u00f6zeti kullan\u0131ld\u0131\u011f\u0131 i\u00e7in -bu hesap pasif olmas\u0131na ra\u011fmen- kimlik do\u011frulama i\u015flemleri ba\u015far\u0131l\u0131 bir \u015fekilde ger\u00e7ekle\u015ftirilebilir.<\/span><\/p><\/blockquote>\n<p>\n\u0130stemci, TGT ile etki alan\u0131ndaki bir servise direk olarak ba\u011flant\u0131 sa\u011flayamaz. \u00c7\u00fcnk\u00fc KRBTGT hesab\u0131n\u0131n parolas\u0131na ait NT \u00f6zeti sadece DC \u00fczerinde bulunmaktad\u0131r ve bu nesneyi istemci de\u015fifre edemez. \u0130stemci, bir hizmet almak istedi\u011fi zaman, elindeki TGT&#8217;yi KDC&#8217;ye g\u00f6nderir, daha sonra da istenilen servise (yetkisi dahilinde) eri\u015fim sa\u011flayabilir. \u00d6zetlemek gerekirse, servis bileti istenirken TGT bileti ilgili kullan\u0131c\u0131y\u0131 betimler \/ tan\u0131t\u0131r ( representation of user identity). B\u00f6ylece kullan\u0131c\u0131ya ait parolaya gerek duyulmadan mevcut TGT ile arzu edilen servise y\u00f6nelik bilet al\u0131n\u0131r ve ilgili servisten hizmet al\u0131nabilir. Varsay\u0131lan olarak bir TGT 10 saat i\u00e7in ge\u00e7erlidir ve 7 g\u00fcn boyunca otomatik olarak g\u00fcncellenir. Bir kullan\u0131c\u0131ya ait biletler i\u00e7in Windows <b><span style=\"font-family: Courier New, Courier, monospace;\">klist<\/span><\/b>\u00a0komut sat\u0131r\u0131 arac\u0131 kullan\u0131labilir.<\/p>\n<div class=\"separator\" style=\"clear: both; text-align: center;\">\n<a href=\"https:\/\/i0.wp.com\/furkansandal.com\/wp-content\/uploads\/2015\/09\/klist.jpg?ssl=1\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img loading=\"lazy\" decoding=\"async\" border=\"0\" src=\"https:\/\/i0.wp.com\/furkansandal.com\/wp-content\/uploads\/2015\/09\/klist.jpg?resize=611%2C640&#038;ssl=1\" height=\"640\" width=\"611\" data-recalc-dims=\"1\" \/><\/a><\/div>\n<blockquote class=\"tr_bq\"><p>\n<span style=\"color: #990000;\">Kerberos kimlik do\u011frulama ile ilgili ayr\u0131nt\u0131l\u0131 bilgi i\u00e7in <b><a href=\"http:\/\/ertugrulbasaranoglu.blogspot.com.tr\/2013\/01\/notlar-kerberos.html\" target=\"_blank\">bak\u0131n\u0131z<\/a><\/b>.<\/span><\/p><\/blockquote>\n<h2><span class=\"ez-toc-section\" id=\"2_DC_Uzerinde_Gerekli_Bilgilerin_Toplanmasi\"><\/span>\n2) DC \u00dczerinde Gerekli Bilgilerin Toplanmas\u0131<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Golden Ticket olu\u015fturmak i\u00e7in a\u015fa\u011f\u0131daki bilgilere ihtiya\u00e7 duyulur:<\/p>\n<ul>\n<li>Etki alan\u0131 ad\u0131<\/li>\n<li>Etki alan\u0131na ait SID de\u011feri<\/li>\n<li>Etki alan\u0131ndaki krbtgt kullan\u0131c\u0131s\u0131na ait NTLM hash de\u011feri<\/li>\n<\/ul>\n<\/div>\n<div readability=\"30\">\n<p>\nBu bilgilerden krbtgt kullan\u0131c\u0131s\u0131na ait parolan\u0131n NTLM \u00f6zet de\u011feri etki alan\u0131ndaki bir DC \u00fczerinden elde edilebilirken, di\u011ferleri herhangi bir makine \u00fczerinden elde edilebilir. Bu yaz\u0131da ele ge\u00e7irilen bir DC \u00fczerinden t\u00fcm bilgiler elde edilecektir.<\/p>\n<p>\nS\u0131zma testi s\u0131ras\u0131nda DC \u00fczerinde oturum a\u00e7abilecek bir kullan\u0131c\u0131n\u0131n kimlik bilgileri elde edilmi\u015f olsun. Bu bilgiler kullan\u0131larak klasik\u00a0MSF psexec\u00a0mod\u00fcl\u00fc ile ba\u011flant\u0131 kurulabilir:<\/p>\n<p><\/p>\n<div class=\"separator\" style=\"clear: both; text-align: center;\">\n<a href=\"https:\/\/i0.wp.com\/furkansandal.com\/wp-content\/uploads\/2015\/09\/1442489118_01.jpg?ssl=1\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img loading=\"lazy\" decoding=\"async\" border=\"0\" src=\"https:\/\/i0.wp.com\/furkansandal.com\/wp-content\/uploads\/2015\/09\/1442489118_01.jpg?resize=640%2C371&#038;ssl=1\" height=\"371\" width=\"640\" data-recalc-dims=\"1\" \/><\/a><\/div>\n<p>\nB\u00f6ylece DC rol\u00fcne sahip makineye Meterpreter ba\u011flant\u0131s\u0131 olu\u015fur:<\/p>\n<div class=\"separator\" style=\"clear: both; text-align: center;\">\n<a href=\"https:\/\/i0.wp.com\/furkansandal.com\/wp-content\/uploads\/2015\/09\/1442489118_02.jpg?ssl=1\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img loading=\"lazy\" decoding=\"async\" border=\"0\" src=\"https:\/\/i0.wp.com\/furkansandal.com\/wp-content\/uploads\/2015\/09\/1442489118_02.jpg?resize=640%2C163&#038;ssl=1\" height=\"163\" width=\"640\" data-recalc-dims=\"1\" \/><\/a><\/div>\n<p>\nMSF Psexec mod\u00fcl\u00fcn\u00fc olu\u015ftururken etki alan\u0131 ad\u0131 olarak sirket.local verilmi\u015fti. Bunun yan\u0131nda, <span style=\"font-family: Courier New, Courier, monospace;\"><b>systeminfo<\/b><\/span> komutu ile de etki alan\u0131 ad\u0131 elde edilebilir.<\/p>\n<h4><span class=\"ez-toc-section\" id=\"systeminfo_findstr_Domain\"><\/span>\nsysteminfo | findstr Domain:<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<div class=\"separator\" style=\"clear: both; text-align: center;\">\n<a href=\"https:\/\/i0.wp.com\/furkansandal.com\/wp-content\/uploads\/2015\/09\/1442489118_03.jpg?ssl=1\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img loading=\"lazy\" decoding=\"async\" border=\"0\" src=\"https:\/\/i0.wp.com\/furkansandal.com\/wp-content\/uploads\/2015\/09\/1442489118_03.jpg?resize=400%2C71&#038;ssl=1\" height=\"71\" width=\"400\" data-recalc-dims=\"1\" \/><\/a><\/div>\n<p>\nMevcut durumda makinedeki mevcut kullan\u0131c\u0131lar a\u015fa\u011f\u0131daki gibidir:<\/p>\n<h4><span class=\"ez-toc-section\" id=\"net_user_domain_wmic_useraccount_get_sid_name\"><\/span>\nnet user \/domain<br \/>wmic useraccount get sid, name<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<div class=\"separator\" style=\"clear: both; text-align: center;\">\n<a href=\"https:\/\/i0.wp.com\/furkansandal.com\/wp-content\/uploads\/2015\/09\/1442489118_04.jpg?ssl=1\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img loading=\"lazy\" decoding=\"async\" border=\"0\" src=\"https:\/\/i0.wp.com\/furkansandal.com\/wp-content\/uploads\/2015\/09\/1442489118_04.jpg?resize=640%2C528&#038;ssl=1\" height=\"528\" width=\"640\" data-recalc-dims=\"1\" \/><\/a><\/div>\n<p>\nAyr\u0131ca wmic komutunun \u00e7\u0131kt\u0131s\u0131nda da g\u00f6r\u00fcld\u00fc\u011f\u00fc gibi, etki alan\u0131na ait SID de\u011feri &#8220;S-1-5-21-2894599646-2825042678-4174893972&#8221; olarak elde edilmi\u015ftir. SID de\u011ferini elde etmek i\u00e7in kullan\u0131labilecek di\u011fer komutlar \u015fu \u015fekildedir:<\/p>\n<h4><span class=\"ez-toc-section\" id=\"whoami_user_%E2%80%93%3E_Etki_alani_kullanicisina_atlandiginda_PsGetsidexe_sirketlocal_%E2%80%93%3E_PsGetSid_araci_indirilmelidir\"><\/span>\nwhoami \/user &#8211;&gt; Etki alan\u0131 kullan\u0131c\u0131s\u0131na atland\u0131\u011f\u0131nda<br \/>PsGetsid.exe sirket.local &#8211;&gt; PsGetSid arac\u0131 indirilmelidir.<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>Son bilgi olan krbtgt kullan\u0131c\u0131s\u0131n\u0131n parola \u00f6zeti ise, meterpreter hashdump komutu ile elde edilebilir.<\/p>\n<h4><span class=\"ez-toc-section\" id=\"hashdump\"><\/span>\nhashdump<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<\/div>\n<div readability=\"70.8711938134\">\n<div class=\"separator\" style=\"clear: both; text-align: center;\">\n<a href=\"https:\/\/i0.wp.com\/furkansandal.com\/wp-content\/uploads\/2015\/09\/1442489118_05.jpg?ssl=1\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img loading=\"lazy\" decoding=\"async\" border=\"0\" src=\"https:\/\/i0.wp.com\/furkansandal.com\/wp-content\/uploads\/2015\/09\/1442489118_05.jpg?resize=400%2C166&#038;ssl=1\" height=\"166\" width=\"400\" data-recalc-dims=\"1\" \/><\/a><\/div>\n<blockquote class=\"tr_bq\" style=\"text-align: justify;\"><p>\n<span style=\"color: #990000;\"><b>Not: <\/b>&#8220;hashdump&#8221; komutu \u00e7al\u0131\u015f\u0131rken hata al\u0131nmas\u0131 durumunda <b><a href=\"http:\/\/ertugrulbasaranoglu.blogspot.com.tr\/2013\/11\/ipucu-hashdump-hatas.html\" target=\"_blank\">ba\u011flant\u0131daki<\/a><\/b> ad\u0131mlar ger\u00e7ekle\u015ftirilebilir.<\/span><\/p><\/blockquote>\n<blockquote class=\"tr_bq\" style=\"text-align: justify;\"><p>\n<span style=\"color: #990000;\"><b>Not:<\/b> Etki alan\u0131ndaki kullan\u0131c\u0131lar\u0131n parolalar\u0131n\u0131 \u00e7evrim i\u00e7i olarak NTDS.dit ve SYSTEM dosyalar\u0131n\u0131 kullanarak elde edilmesi i\u00e7in <b><a href=\"http:\/\/ertugrulbasaranoglu.blogspot.com.tr\/2013\/07\/ipucu-etki-alanndaki-butun-kullanclarn.html\" target=\"_blank\">ba\u011flant\u0131daki<\/a><\/b> y\u00f6ntem de kullan\u0131labilir.<\/span><\/p><\/blockquote>\n<h2><span class=\"ez-toc-section\" id=\"3_Golden_Ticket%E2%80%99in_Olusturulmasi\"><\/span>\n3) Golden Ticket&#8217;\u0131n Olu\u015fturulmas\u0131<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Gerekli bilgiler elde edildikten sonra gerekli bilet olu\u015fturulabilir. Bu ama\u00e7la \u00f6ncelikle &#8220;kiwi&#8221; adl\u0131 eklenti Meterpreter&#8217;a y\u00fcklenir.<\/p>\n<h4><span class=\"ez-toc-section\" id=\"load_kiwi\"><\/span>\nload kiwi<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<div class=\"separator\" style=\"clear: both; text-align: center;\">\n<a href=\"https:\/\/i0.wp.com\/furkansandal.com\/wp-content\/uploads\/2015\/09\/07.jpg?ssl=1\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img loading=\"lazy\" decoding=\"async\" border=\"0\" src=\"https:\/\/i0.wp.com\/furkansandal.com\/wp-content\/uploads\/2015\/09\/07.jpg?resize=400%2C151&#038;ssl=1\" height=\"151\" width=\"400\" data-recalc-dims=\"1\" \/><\/a><\/div>\n<p><\/p>\n<div style=\"text-align: justify;\" readability=\"7\">\nBu eklentinin komutlar\u0131 a\u015fa\u011f\u0131daki gibidir.<\/p>\n<blockquote class=\"tr_bq\"><p>\n<span style=\"color: #990000;\">Meterpreter komut sat\u0131r\u0131nda &#8220;help&#8221; komutunun \u00e7al\u0131\u015ft\u0131r\u0131lmas\u0131 ile listelenebilir.<\/span><\/p><\/blockquote>\n<\/div>\n<div class=\"separator\" style=\"clear: both; text-align: center;\">\n<a href=\"https:\/\/i0.wp.com\/furkansandal.com\/wp-content\/uploads\/2015\/09\/08.jpg?ssl=1\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img loading=\"lazy\" decoding=\"async\" border=\"0\" src=\"https:\/\/i0.wp.com\/furkansandal.com\/wp-content\/uploads\/2015\/09\/08.jpg?resize=400%2C245&#038;ssl=1\" height=\"245\" width=\"400\" data-recalc-dims=\"1\" \/><\/a><\/div>\n<p>\nGolden Ticket olu\u015fturmak i\u00e7in <span style=\"font-family: Courier New, Courier, monospace;\"><b>golden_ticket_create<\/b><\/span> komutu kullan\u0131lacakt\u0131r. Komutun temel kullan\u0131m\u0131 a\u015fa\u011f\u0131daki gibidir:<\/p>\n<p><\/p>\n<div class=\"separator\" style=\"clear: both; text-align: center;\">\n<a href=\"https:\/\/i0.wp.com\/furkansandal.com\/wp-content\/uploads\/2015\/09\/09.jpg?ssl=1\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img loading=\"lazy\" decoding=\"async\" border=\"0\" src=\"https:\/\/i0.wp.com\/furkansandal.com\/wp-content\/uploads\/2015\/09\/09.jpg?resize=640%2C243&#038;ssl=1\" height=\"243\" width=\"640\" data-recalc-dims=\"1\" \/><\/a><\/div>\n<p>\nBu komutla &#8220;YeniKullanici&#8221; adl\u0131 bir hesap i\u00e7in RID de\u011feri 500, 502 ve 512 olacak \u015fekilde bir bilet olu\u015fturulmas\u0131 a\u015fa\u011f\u0131daki gibidir:<\/p>\n<h4><span class=\"ez-toc-section\" id=\"golden_ticket_create_-d_sirketlocal_-g_500_502_512_-k_e97cff82951e431e3ee148fef54a528d_-s_S-1-5-21-2894599646-2825042678-4174893972_-u_YeniKullanici_-t_rootGolden_YeniKullanicikrbtgt\"><\/span>\ngolden_ticket_create -d sirket.local -g 500, 502, 512 -k e97cff82951e431e3ee148fef54a528d   -s S-1-5-21-2894599646-2825042678-4174893972 -u YeniKullanici -t \/root\/Golden_YeniKullanici.krbtgt<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<div class=\"separator\" style=\"clear: both; text-align: center;\">\n<a href=\"https:\/\/i0.wp.com\/furkansandal.com\/wp-content\/uploads\/2015\/09\/10.jpg?ssl=1\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img loading=\"lazy\" decoding=\"async\" border=\"0\" src=\"https:\/\/i0.wp.com\/furkansandal.com\/wp-content\/uploads\/2015\/09\/10.jpg?resize=640%2C57&#038;ssl=1\" height=\"57\" width=\"640\" data-recalc-dims=\"1\" \/><\/a><\/div>\n<blockquote class=\"tr_bq\" style=\"text-align: justify;\"><p>\n<span style=\"color: #990000;\">Microsoft ortam\u0131nda jeton (Token\/SAT) i\u00e7erisinde de SID de\u011ferleri bulunur. Golden Ticket olu\u015fturulurken, SID de\u011feri olarak da 500 (Built-in Administrator), 502 (Krbtgt) ve 512 (Domain Admins) gibi de\u011ferler verilir. Bu yetkilere sahip olan hesaplar etki alan\u0131nda kullan\u0131c\u0131 y\u00f6netimi i\u015flemlerini ger\u00e7ekle\u015ftirebilir. \u00d6rne\u011fin Domain Admins grubuna bir hesap ekleyebilir.\u00a0<\/span><span style=\"color: #990000;\">SID hakk\u0131nda ayr\u0131nt\u0131l\u0131 bilgi i\u00e7in\u00a0<\/span><b style=\"color: #990000;\"><a href=\"https:\/\/support.microsoft.com\/kb\/243330?wa=wsignin1.0\" target=\"_blank\">bak\u0131n\u0131z<\/a><\/b><span style=\"color: #990000;\">.\u00a0<\/span><\/p><\/blockquote>\n<p>\nB\u00f6ylece, Aktif Dizin \u00fczerinde var olmayan bir kullan\u0131c\u0131 i\u00e7in bir Kerberos bileti olu\u015fturulmu\u015ftur. K\u0131sacas\u0131 Golden Ticket, bit \u00e7e\u015fit sahte KDC (Key Distribution Center) olarak davranarak ge\u00e7erli bir TGT olu\u015fturmu\u015ftur.<\/p>\n<blockquote class=\"tr_bq\" style=\"text-align: justify;\"><p>\n<span style=\"color: #990000;\"><b>Not:<\/b> Golden Ticket olu\u015fturma i\u015fleminin bir DC veya etki alan\u0131nda bir bilgisayarda ger\u00e7ekle\u015ftirilmesine gerek yoktur. Mevcut bilgiler olduktan sonra herhangi bir bilgisayarda da haz\u0131rlanabilir.<\/span><\/p><\/blockquote>\n<p>\nBu bilet herhangi bir kullan\u0131c\u0131ya (krbtgt hari\u00e7) veya herhangi bir \u015feye (etki alan\u0131na ait SID de\u011feri ve ad\u0131 hari\u00e7) ba\u011fl\u0131 olmaks\u0131z\u0131n kullan\u0131labilir. Yaz\u0131n\u0131n devam\u0131nda bunu g\u00f6rmek i\u00e7in DC&#8217;ye ba\u011flant\u0131 s\u0131ras\u0131nda kullan\u0131lan hesab\u0131n (Yonetici) parolas\u0131 de\u011fi\u015ftirilir:<\/p>\n<div class=\"separator\" style=\"clear: both; text-align: center;\">\n<a href=\"https:\/\/i0.wp.com\/furkansandal.com\/wp-content\/uploads\/2015\/09\/11.jpg?ssl=1\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img loading=\"lazy\" decoding=\"async\" border=\"0\" src=\"https:\/\/i0.wp.com\/furkansandal.com\/wp-content\/uploads\/2015\/09\/11.jpg?resize=640%2C60&#038;ssl=1\" height=\"60\" width=\"640\" data-recalc-dims=\"1\" \/><\/a><\/div>\n<h2><span class=\"ez-toc-section\" id=\"4_Golden_Ticket%E2%80%99in_Kullanilmasi\"><\/span>\n4) Golden Ticket&#8217;\u0131n Kullan\u0131lmas\u0131<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>\nGolden Ticket olu\u015fturulmadan \u00f6nce standarttan kullan\u0131c\u0131 haklar\u0131yla DC&#8217;nin C diskine uzaktan eri\u015filemiyorken, Golden Ticket kullan\u0131ld\u0131ktan sonra DC&#8217;nin C diskine girilebildi\u011fi g\u00f6r\u00fclecektir.<\/p>\n<p>\nBu ama\u00e7la \u00f6ncelikle herhangi bir bilgisayar ele ge\u00e7irilir:<\/p>\n<p><\/p>\n<div class=\"separator\" style=\"clear: both; text-align: center;\">\n<a href=\"https:\/\/i0.wp.com\/furkansandal.com\/wp-content\/uploads\/2015\/09\/12.jpg?ssl=1\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img loading=\"lazy\" decoding=\"async\" border=\"0\" src=\"https:\/\/i0.wp.com\/furkansandal.com\/wp-content\/uploads\/2015\/09\/12.jpg?resize=640%2C164&#038;ssl=1\" height=\"164\" width=\"640\" data-recalc-dims=\"1\" \/><\/a><\/div>\n<p>\nEtki alan\u0131 denetleyicileri tespit edilir.<\/p>\n<div class=\"separator\" style=\"clear: both; text-align: center;\">\n<a href=\"https:\/\/i0.wp.com\/furkansandal.com\/wp-content\/uploads\/2015\/09\/13.jpg?ssl=1\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img loading=\"lazy\" decoding=\"async\" border=\"0\" src=\"https:\/\/i0.wp.com\/furkansandal.com\/wp-content\/uploads\/2015\/09\/13.jpg?resize=640%2C208&#038;ssl=1\" height=\"208\" width=\"640\" data-recalc-dims=\"1\" \/><\/a><\/div>\n<p>\nMevcut durumda SRV1 bilgisayar\u0131n\u0131n C$ diskine eri\u015fim sa\u011flanamad\u0131\u011f\u0131 g\u00f6r\u00fclmektedir<\/p>\n<h4><span class=\"ez-toc-section\" id=\"net_use_SRV1C\"><\/span>\nnet use \\SRV1C$<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p><a href=\"https:\/\/i0.wp.com\/furkansandal.com\/wp-content\/uploads\/2015\/09\/14.jpg?ssl=1\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img loading=\"lazy\" decoding=\"async\" border=\"0\" src=\"https:\/\/i0.wp.com\/furkansandal.com\/wp-content\/uploads\/2015\/09\/14.jpg?resize=400%2C180&#038;ssl=1\" height=\"180\" width=\"400\" data-recalc-dims=\"1\" \/><\/a><\/p>\n<p>Daha sonra kiwi eklentisi y\u00fcklenir.<\/p>\n<h4><span class=\"ez-toc-section\" id=\"load_kiwi-2\"><\/span>\nload kiwi<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p><a href=\"https:\/\/i0.wp.com\/furkansandal.com\/wp-content\/uploads\/2015\/09\/15.jpg?ssl=1\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img loading=\"lazy\" decoding=\"async\" border=\"0\" src=\"https:\/\/i0.wp.com\/furkansandal.com\/wp-content\/uploads\/2015\/09\/15.jpg?resize=400%2C172&#038;ssl=1\" height=\"172\" width=\"400\" data-recalc-dims=\"1\" \/><\/a><\/p>\n<p>\nMevcut durumdaki t\u00fcm biletler a\u015fa\u011f\u0131daki gibidir. Herhangi bir kullan\u0131c\u0131n\u0131n oturum a\u00e7mad\u0131\u011f\u0131 bu bilgisayarda, sadece servislere ait biletlerin oldu\u011fu g\u00f6r\u00fclmektedir. Zorunlu olmamakla birlikte g\u00f6r\u00fcnt\u00fc kirlili\u011fi olmamas\u0131 a\u00e7\u0131s\u0131ndan t\u00fcm biletler silinecek ve sonras\u0131nda daha \u00f6nceki ba\u015fl\u0131kta DC \u00fczerinde elde edilen Golden Ticket y\u00fcklenecektir.<\/p>\n<h4><span class=\"ez-toc-section\" id=\"kerberos_ticket_list\"><\/span>\nkerberos_ticket_list<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<div class=\"separator\" style=\"clear: both; text-align: center;\">\n<a href=\"https:\/\/i0.wp.com\/furkansandal.com\/wp-content\/uploads\/2015\/09\/16.jpg?ssl=1\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img loading=\"lazy\" decoding=\"async\" border=\"0\" src=\"https:\/\/i0.wp.com\/furkansandal.com\/wp-content\/uploads\/2015\/09\/16.jpg?resize=640%2C363&#038;ssl=1\" height=\"363\" width=\"640\" data-recalc-dims=\"1\" \/><\/a><\/div>\n<p>\nB\u00f6ylece, sadece Golden Ticket taraf\u0131ndan olu\u015fturulan bilet (YeniKullanici adl\u0131 var olmayan hesaba ait bilet) RAM \u00fczerinde tutulmaktad\u0131r.<\/p>\n<h4><span class=\"ez-toc-section\" id=\"kerberos_ticket_purge_kerberos_ticket_use_rootGolden_YeniKullanicikrbtgt_kerberos_ticket_list\"><\/span>\nkerberos_ticket_purge<br \/>kerberos_ticket_use \/root\/Golden_YeniKullanici.krbtgt<br \/>kerberos_ticket_list <span class=\"ez-toc-section-end\"><\/span><\/h4>\n<div class=\"separator\" style=\"clear: both; text-align: center;\">\n<a href=\"https:\/\/i0.wp.com\/furkansandal.com\/wp-content\/uploads\/2015\/09\/17.jpg?ssl=1\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img loading=\"lazy\" decoding=\"async\" border=\"0\" src=\"https:\/\/i0.wp.com\/furkansandal.com\/wp-content\/uploads\/2015\/09\/17.jpg?resize=640%2C240&#038;ssl=1\" height=\"240\" width=\"640\" data-recalc-dims=\"1\" \/><\/a><\/div>\n<p>\nYukar\u0131daki ekran g\u00f6r\u00fcnt\u00fcs\u00fcnde de g\u00f6r\u00fcld\u00fc\u011f\u00fc gibi, olu\u015fan bu bilet 10 saat de\u011fil, 10 y\u0131l ge\u00e7erlidir. Ayr\u0131ca, bir hafta de\u011fil 20 y\u0131l s\u00fcre boyunca yenilenebilir.<\/p>\n<blockquote class=\"tr_bq\"><p>\n<span style=\"color: #990000;\"><b>Not:<\/b> Windows komut sat\u0131r\u0131 arac\u0131 olan &#8220;klist&#8221; ile de benzer bilgi elde edilebilir.<\/span><\/p><\/blockquote>\n<p>Bu durumdayken DC makinesinin (SRV1) C diskine eri\u015fim sa\u011flanabildi\u011fi g\u00f6r\u00fclmektedir.<\/p>\n<h4><span class=\"ez-toc-section\" id=\"net_use_SRV1C_dir_SRV1C\"><\/span>\nnet use \\SRV1C$<br \/>dir \\SRV1C$<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p><a href=\"https:\/\/i0.wp.com\/furkansandal.com\/wp-content\/uploads\/2015\/09\/18.jpg?ssl=1\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img loading=\"lazy\" decoding=\"async\" border=\"0\" src=\"https:\/\/i0.wp.com\/furkansandal.com\/wp-content\/uploads\/2015\/09\/18.jpg?resize=400%2C341&#038;ssl=1\" height=\"341\" width=\"400\" data-recalc-dims=\"1\" \/><\/a><\/p>\n<p>\n\u0130lk durumda etki alan\u0131ndaki kullan\u0131c\u0131lar a\u015fa\u011f\u0131daki gibidir:<\/p>\n<h4><span class=\"ez-toc-section\" id=\"net_user_domain_net_group_%E2%80%9CDomain_Admins%E2%80%9D_domain\"><\/span>\nnet user \/domain<br \/>net group &#8220;Domain Admins&#8221; \/domain<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<div class=\"separator\" style=\"clear: both; text-align: center;\">\n<a href=\"https:\/\/i0.wp.com\/furkansandal.com\/wp-content\/uploads\/2015\/09\/19.jpg?ssl=1\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img loading=\"lazy\" decoding=\"async\" border=\"0\" src=\"https:\/\/i0.wp.com\/furkansandal.com\/wp-content\/uploads\/2015\/09\/19.jpg?resize=640%2C401&#038;ssl=1\" height=\"401\" width=\"640\" data-recalc-dims=\"1\" \/><\/a><\/div>\n<p>\nElde edilen yetkilerle bir kullan\u0131c\u0131 olu\u015fturulup, Domain Admins grubuna eklenebilir:<\/p>\n<h4><span class=\"ez-toc-section\" id=\"net_user_%E2%80%9CYine_Ben%E2%80%9D_Aa123456_add_domain_net_group_%E2%80%9CDomain_Admins%E2%80%9D_%E2%80%9CYine_Ben%E2%80%9D_add_domain\"><\/span>\nnet user &#8220;Yine Ben&#8221; Aa123456 \/add \/domain<br \/>net group &#8220;Domain Admins&#8221; &#8220;Yine Ben&#8221; \/add \/domain<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<div class=\"separator\" style=\"clear: both; text-align: center;\">\n<a href=\"https:\/\/i0.wp.com\/furkansandal.com\/wp-content\/uploads\/2015\/09\/20.jpg?ssl=1\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img loading=\"lazy\" decoding=\"async\" border=\"0\" src=\"https:\/\/i0.wp.com\/furkansandal.com\/wp-content\/uploads\/2015\/09\/20.jpg?resize=400%2C252&#038;ssl=1\" height=\"252\" width=\"400\" data-recalc-dims=\"1\" \/><\/a><\/div>\n<p>\nBu yaz\u0131da MSF Kiwi eklentisi kullan\u0131larak i\u015flemler ger\u00e7ekle\u015ftirilmi\u015ftir. Bunun yan\u0131nda, Meterpreter kabu\u011fu elde edilmeden, Windows \u00fczerinde Mimikatz arac\u0131 kullan\u0131larak da ayn\u0131 i\u015flemler ger\u00e7ekle\u015ftirilebilir. Bu i\u015flemler i\u00e7in yaz\u0131n\u0131n alt\u0131ndaki &#8220;Kaynaklar&#8221; incelenebilir.<\/p>\n<blockquote class=\"tr_bq\" style=\"text-align: justify;\"><p>\n<span style=\"color: #990000;\"><b>Not:<\/b> Mevcut bilgiler varken herhangi bir bilgisayarda (etki alan\u0131na dahil olsun veya olmas\u0131n) olu\u015fturulan Golden Ticket i\u015flev g\u00f6rmektedir. Bunun yan\u0131nda etki alan\u0131na dahil olmayan bir bilgisayarda kullan\u0131lmaya \u00e7al\u0131\u015f\u0131lan Golden Ticket -olu\u015fan ticket bilgisayar \u00fczerinde g\u00f6r\u00fclmesine ra\u011fmen- i\u015flev g\u00f6stermemektedir. Bu sebeple, bilet kullan\u0131l\u0131rken, etki alan\u0131ndaki bir bilgisayar \u00fczerindeyken biletin kullan\u0131lmas\u0131 gerekmektedir.<\/span><\/p><\/blockquote>\n<h2><span class=\"ez-toc-section\" id=\"5_Onlemler\"><\/span>\n5) \u00d6nlemler<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<div style=\"text-align: justify;\" readability=\"15.7372262774\">\nEtki alan\u0131n\u0131 kurum i\u00e7in olduk\u00e7a \u00f6nemlidir. Bir sald\u0131r\u0131 olmas\u0131 durumunda etki alan\u0131ndeki kritik nesnelerin (Domain Controller makineleri, Domain Admins veya Enterprise Admins grubu \u00fcyeleri vb. gibi) g\u00fcven alt\u0131nda olmas\u0131 olduk\u00e7a \u00f6nemlidir. Etki alan\u0131n\u0131 korumaya y\u00f6nelik at\u0131lacak ad\u0131mlar i\u00e7in <b><a href=\"http:\/\/ertugrulbasaranoglu.blogspot.com.tr\/2014\/06\/etki-alan-saldrlarna-kars-temel-korunma.html\" target=\"_blank\">bak\u0131n\u0131z<\/a><\/b>. Ayr\u0131ca, ger\u00e7ekle\u015fen bir sald\u0131r\u0131 sonucunda kaybedilecek baz\u0131 bilgilerin (krbtgt hesab\u0131n\u0131n NTLM parola \u00f6zeti gibi) kurum etki alan\u0131n\u0131 s\u00fcrekli olarak tehlike alt\u0131nda bulunduraca\u011f\u0131 g\u00f6z \u00f6n\u00fcnde bulundurulmal\u0131d\u0131r.<\/div>\n<div style=\"text-align: justify;\" readability=\"6.37623762376\">\nBu yaz\u0131da bahsedilen sald\u0131r\u0131dan korunmak i\u00e7in ger\u00e7ekle\u015ftirilebilecek i\u015flemler i\u00e7in <b><a href=\"http:\/\/cert.europa.eu\/static\/WhitePapers\/CERT-EU-SWP_14_07_PassTheGolden_Ticket_v1_1.pdf\" target=\"_blank\">bak\u0131n\u0131z<\/a><\/b>.<\/div>\n<p>\n\u00d6zetlemek gerekirse,<\/p>\n<ul>\n<li style=\"text-align: justify;\">Etki alan\u0131 sald\u0131r\u0131lara kar\u015f\u0131 korunmal\u0131d\u0131r. Sald\u0131rgan etki alan\u0131nda y\u00f6netici hakk\u0131na sahip olamamal\u0131d\u0131r.<\/li>\n<li style=\"text-align: justify;\">Sald\u0131r\u0131 ger\u00e7ekle\u015fmi\u015fse, KRBTGT hasab\u0131n\u0131n parolas\u0131 <b>iki kere<\/b>\u00a0s\u0131f\u0131rlanmal\u0131d\u0131r (resetlenmelidir). Ancak bu durumda manuel olarak ba\u015flat\u0131lmas\u0131 gereken baz\u0131 servislerin ba\u015flayamamas\u0131na, ak\u0131ll\u0131 kart ile kimlik do\u011frulayan kullan\u0131c\u0131lar\u0131n yeni bilet talep ederek DC \u00fczerinde y\u00fck olu\u015fturmas\u0131na vb. sebep olabilir. Hatta baz\u0131 durumlarda kullanc\u0131lar\u0131n kimlik do\u011frulayamamas\u0131na, bilgisayarlar\u0131n etki alan\u0131ndan d\u00fc\u015fmesine de sebep olabilir.<\/li>\n<\/ul>\n<h2><span class=\"ez-toc-section\" id=\"Kaynaklar\"><\/span>\nKaynaklar<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><a href=\"http:\/\/blog.gentilkiwi.com\/securite\/mimikatz\/golden-ticket-kerberos\" target=\"_blank\">http:\/\/blog.gentilkiwi.com\/securite\/mimikatz\/golden-ticket-kerberos<\/a><br \/><a href=\"http:\/\/rycon.hu\/papers\/goldenticket.html\" target=\"_blank\">http:\/\/rycon.hu\/papers\/goldenticket.html<\/a><br \/><a href=\"https:\/\/www.christophertruncer.com\/golden-ticket-generation\/\" target=\"_blank\">https:\/\/www.christophertruncer.com\/golden-ticket-generation\/<\/a><\/div>\n<\/div>\n<p><a href=\"https:\/\/furkansandal.com\">Ana Sayfa <\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Kurum i\u00e7ine yap\u0131lan sald\u0131r\u0131larda veya s\u0131zma testlerinde Domain Admin yetkisini elde eden bir sald\u0131rgan etki alan\u0131ndaki (neredeyse) her bilgisayar\u0131 ele&#8230;<\/p>\n","protected":false},"author":1,"featured_media":984,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_mi_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","footnotes":""},"categories":[6,1,9,10,3,7,4],"tags":[103,109,76,104,105,59,22,108,102,107,101,84,86,106],"aioseo_notices":[],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/furkansandal.com\/wp-content\/uploads\/2015\/09\/abusing-microsoft-kerberos.jpg?fit=305%2C212&ssl=1","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p6BM7I-fR","amp_enabled":true,"_links":{"self":[{"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/posts\/983"}],"collection":[{"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/comments?post=983"}],"version-history":[{"count":0,"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/posts\/983\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/media\/984"}],"wp:attachment":[{"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/media?parent=983"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/categories?post=983"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/tags?post=983"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}