maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity
hacktricks/src/windows-hardening/active-directory-methodology/acl-persistence-abuse/BadSuccessor.md

70 lines
4.8 KiB
Markdown
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Abusing Active Directory ACLs/ACEs
{{#include ../../../banners/hacktricks-training.md}}
## Overview
Delegated Managed Service Accounts(**dMSAs**) are a brandnew AD principal type introduced with **Windows Server2025**. They are designed to replace legacy service accounts by allowing a oneclick “migration” that automatically copies the old accounts ServicePrincipalNames (SPNs), group memberships, delegation settings, and even cryptographic keys into the new dMSA, giving applications a seamless cutover and eliminating Kerberoasting risk.
Akamai researchers found that a single attribute — **`msDSManagedAccountPrecededByLink`** — tells the KDC which legacy account a dMSA “succeeds”. If an attacker can write that attribute (and toggle **`msDSDelegatedMSAState` 2**), the KDC will happily build a PAC that **inherits every SID of the chosen victim**, effectively allowing the dMSA to impersonate any user, including Domain Admins.
## What exactly is a dMSA?
* Built on top of **gMSA** technology but stored as the new AD class **`msDSDelegatedManagedServiceAccount`**.
* Supports an **optin migration**: calling `StartADServiceAccountMigration` links the dMSA to the legacy account, grants the legacy account write access to `msDSGroupMSAMembership`, and flips `msDSDelegatedMSAState`=1.
* After `CompleteADServiceAccountMigration`, the superseded account is disabled and the dMSA becomes fully functional; any host that previously used the legacy account is automatically authorised to pull the dMSAs password.
* During authentication, the KDC embeds a **KERBSUPERSEDEDBYUSER** hint so Windows 11/24H2 clients transparently retry with the dMSA.
## Requirements to attack
1. **At least one WindowsServer2025 DC** so that the dMSA LDAP class and KDC logic exist.
2. **Any objectcreation or attributewrite rights on an OU** (any OU) e.g. `Create msDSDelegatedManagedServiceAccount` or simply **Create All Child Objects**. Akamai found 91% of realworld tenants grant such “benign” OU permissions to nonadmins.
3. Ability to run tooling (PowerShell/Rubeus) from any domainjoined host to request Kerberos tickets.
*No control over the victim user is required; the attack never touches the target account directly.*
## Stepbystep: BadSuccessor*privilege escalation
1. **Locate or create a dMSA you control**
```bash
NewADServiceAccount Attacker_dMSA `
DNSHostName ad.lab `
Path "OU=temp,DC=lab,DC=local"
```
Because you created the object inside an OU you can write to, you automatically own all its attributes .
2. **Simulate a “completed migration” in two LDAP writes**:
- Set `msDSManagedAccountPrecededByLink = DN` of any victim (e.g. `CN=Administrator,CN=Users,DC=lab,DC=local`).
- Set `msDSDelegatedMSAState = 2` (migrationcompleted).
Tools like **SetADComputer, ldapmodify**, or even **ADSI Edit** work; no domainadmin rights are needed.
3. **Request a TGT for the dMSA** — Rubeus supports the `/dmsa` flag:
```bash
Rubeus.exe asktgs /targetuser:attacker_dmsa$ /service:krbtgt/aka.test /dmsa /opsec /nowrap /ptt /ticket:<Machine TGT>
```
The returned PAC now contains the SID 500 (Administrator) plus Domain Admins/Enterprise Admins groups.
## Gather all the users passwords
During legitimate migrations the KDC must let the new dMSA decrypt **tickets issued to the old account before cutover**. To avoid breaking live sessions it places both currentkeys and previouskeys inside a new ASN.1 blob called **`KERBDMSAKEYPACKAGE`**.
Because our fake migration claims the dMSA succeeds the victim, the KDC dutifully copies the victims RC4HMAC key into the **previouskeys** list even if the dMSA never had a “previous” password. That RC4 key is unsalted, so it is effectively the victims NT hash, giving the attacker **offline cracking or “passthehash”** capability.
Therefore, masslinking thousands of users lets an attacker dump hashes “at scale,” turning **BadSuccessor into both a privilegeescalation and credentialcompromise primitive**.
## Tools
- [https://github.com/akamai/BadSuccessor](https://github.com/akamai/BadSuccessor)
- [https://github.com/logangoins/SharpSuccessor](https://github.com/logangoins/SharpSuccessor)
- [https://github.com/LuemmelSec/Pentest-Tools-Collection/blob/main/tools/ActiveDirectory/BadSuccessor.ps1](https://github.com/LuemmelSec/Pentest-Tools-Collection/blob/main/tools/ActiveDirectory/BadSuccessor.ps1)
## References
- [https://www.akamai.com/blog/security-research/abusing-dmsa-for-privilege-escalation-in-active-directory](https://www.akamai.com/blog/security-research/abusing-dmsa-for-privilege-escalation-in-active-directory)
{{#include ../../../banners/hacktricks-training.md}}
Reference in New Issue View Git Blame Copy Permalink