Added -self, -altservice and -u2u to getST for S4U2self abuse, S4U2self+u2u, and service substitution #1202
Conversation
Previous searchFilter resulted in a list of accounts missing vulnerable users
If `-self` (== no S4U2Proxy) is set, the `-spn` is now optional. If SPN is set, the S4U2Self request is made for that SPN. Otherwise, the SPN is set to the requesting user.
This PR can now be used alongside other tools for sAMAccountName spoofing attacks 👍
Removing searchfilter for DCs to allow RBCD and Unconstrained to be shown
# Conflicts: # examples/Get-GPPPassword.py
# Conflicts: # impacket/examples/ntlmrelayx/attacks/ldapattack.py
# Conflicts: # examples/ticketer.py # impacket/krb5/pac.py
# Conflicts: # impacket/smbserver.py
[getST.py] adding -u2u support in combination to -self for SPN-less RBCD
Adding -self and -altservice to getST for S4U2self abuse and service substitution
-self, -altservice and -u2u to getST for S4U2self abuse, S4U2self+u2u, and service substitution
Fix parameter merge
@ShutdownRepo Hi! Do you think this could be revamped in the context of the current version?
I think I messed up somewhere, as this PR changes 26 files, and this wasn't intended. Everything else should be ignored, I will fix this PR accordingly.
I think I fixed the PR but it seems there are now conflicts on two files that are not changed, why...
Yeah, those conflicts related to this branch might be because those files (ticketer.py, pac.py) got super outdated.
I have no preference on this matter, feel free to split the PR if you prefer it that way 😉
Ah! Forgot about them, well done.
@anadrianmanrique done, but the ticketer.py and pac.py still seem to be modified for some reason. Don't know how to fix that.
@ShutdownRepo ok, I've been testing the changes, so far everything looks ok. I would need you to resolve the conflicts in ticketer.py in your branch, in order to be able to merge this PR. Because of #1411, ticketer.py should be rebased to the latest version. Also ticketer.py and pac.py should be removed from the PR. Thanks
Either that, or create a new PR with the getST.py changes (we will link it to this one later). Whichever works best for you.
Now merged in #1691. Thanks!
My previous PR #1183 allowed getST to accept a custom ticket for S4U2Proxy and basically run S4U2Proxy without S4U2Self.

This edit allows running S4U2Self only, with the `-self` flag, without having S4U2Proxy engaged right after. This allows researchers to conduct S4U2Self separately, but also allows for privilege escalation: https://exploit.ph/revisiting-delegate-2-thyself.html, https://cyberstoph.org/posts/2021/06/abusing-kerberos-s4u2self-for-local-privilege-escalation/

When running getST with the `-self` flag, the `-spn` becomes optional. In this case, the target principal is set to the user running getST. But when `-spn` is set, the S4U2Self request is attempted for that SPN, sometimes allowing lateral movement between services of the same account.

On a side note, what was previously possible in one step can now be run in two commands. Nothing new here, it's already possible with Rubeus, but now Impacket's getST can do it.

Oh, also I changed the header from python to python3.