Red Teaming Experiments
linkedingithub@spotheplanetpatreon
Search…
What is ired.team?
Pinned
Pentesting Cheatsheets
Active Directory & Kerberos Abuse
From Domain Admin to Enterprise Admin
Kerberoasting
Kerberos: Golden Tickets
Kerberos: Silver Tickets
AS-REP Roasting
Kerberoasting: Requesting RC4 Encrypted TGS when AES is Enabled
Kerberos Unconstrained Delegation
Kerberos Constrained Delegation
Kerberos Resource-based Constrained Delegation: Computer Object Takeover
Domain Compromise via DC Print Server and Kerberos Delegation
DCShadow - Becoming a Rogue Domain Controller
DCSync: Dump Password Hashes from Domain Controller
PowerView: Active Directory Enumeration
Abusing Active Directory ACLs/ACEs
Privileged Accounts and Token Privileges
From DnsAdmins to SYSTEM to Domain Compromise
Pass the Hash with Machine$ Accounts
BloodHound with Kali Linux: 101
Backdooring AdminSDHolder for Persistence
Active Directory Enumeration with AD Module without RSAT or Admin Privileges
Enumerating AD Object Permissions with dsacls
Active Directory Password Spraying
Active Directory Lab with Hyper-V and PowerShell
ADCS + PetitPotam NTLM Relay: Obtaining krbtgt Hash with Domain Controller Machine Certificate
From Misconfigured Certificate Template to Domain Admin
offensive security
Red Team Infrastructure
Initial Access
Code Execution
Code & Process Injection
Defense Evasion
Enumeration and Discovery
Privilege Escalation
Credential Access & Dumping
Lateral Movement
Persistence
Exfiltration
reversing, forensics & misc
Internals
Cloud
Neo4j
Dump Virtual Box Memory
AES Encryption Using Crypto++ .lib in Visual Studio C++
Reversing Password Checking Routine
Powered By GitBook
Domain Compromise via DC Print Server and Kerberos Delegation
This lab demonstrates an attack on Active Directory Domain Controller (or any other host to be fair) that involves the following steps and environmental conditions:
  • Attacker has to compromise a system that has an unrestricted kerberos delegation enabled.
  • Attacker finds a victim that runs a print server. In this lab this happened to be a Domain Controller.
  • Attacker coerces the DC to attempt authenticating to the attacker controlled host which has unrestricted kerberos delegation enabled.
    • This is done via RPC API RpcRemoteFindFirstPrinterChangeNotificationEx that allows print clients to subscribe to notifications of changes on the print server.
    • Once the API is called, the DC attempts to authenticate to the compromised host by revealing its TGT to the attacker controlled compromised system.
  • Attacker extracts DC01's TGT from the compromised system and impersonates the DC to carry a DCSync attack and dump domain member hashes.

Execution

Our environment for this lab is:
  • ws01 - attacker compromised host with kerberos delegation enabled (attacker, server)
  • dc01 - domain controller running a print service (victim, target)
We can check if a spool service is running on a remote host like so:
1
ls \\dc01\pipe\spoolss
Copied!
If the spoolss was not running, we would receive an error.
Another way to check if the spoolss is running on a remote machine is:
Now, after compiling the amazing PoC SpoolSample by @tifkin_, we execute it with two arguments target and server (DC with spoolss running on it):
1
.\SpoolSample.exe dc01 ws01
Copied!
We are shown a message that the target attemped authenticating to our compromised system, so let's check if we can retrieve DC01 TGT:
1
mimikatz # sekurlsa::tickets
Copied!
We indeed got a TGT for DC01$ computer!
With this, we can make our compromised system ws01$ appear like a Domain Controller and extract an NTLM hash for the user offense\spotless which we know has high privileges in the domain:
1
mimikatz # lsadump::dcsync /domain:offense.local /user:spotless
Copied!
The above clearly shows the attack was successful and an NTLM hash for the user spotless got retrieved - get cracking or passing it now.

Mitigation

For mitigations, see Domain Compromise via Unrestricted Kerberos Delegation mitigations section.

References

GitHub - leechristensen/SpoolSample: PoC tool to coerce Windows hosts authenticate to other machines via the MS-RPRN RPC interface. This is possible via other protocols as well.
GitHub
Domain Controller Print Server + Unconstrained Kerberos Delegation = Pwned Active Directory Forest
Active Directory Security
Dump Clear-Text Passwords for All Admins in the Domain Using Mimikatz DCSync
Active Directory Security
Previous
Kerberos Resource-based Constrained Delegation: Computer Object Takeover
Next
DCShadow - Becoming a Rogue Domain Controller
Last modified 1yr ago
Copy link
Contents
Execution
Mitigation
References