DCDumlu

Describing for DCDumlu that aims to conduct enumeration and some persistence techniques on the Active Directory
GitHub - passtheticket/DCDumlu: enumeration and persistence on the Active Directory
GitHub
 Persistence Approaches
Following scenarios can be conducted according to ACL permissions. So you can use these approaches which can make possible asreproasting, kerberoasting and kerberos delegation attacks for abusing ACL and persistence purposes.
1. Set SPN attribute to User account for conducting Kerberoasting attack
Modification:
Set Distinguished Name and Service Principal Name attributes of the target object after setSpn option is selected.
Let's check it whether http/whatever is added to servicePrincipalName attribute or not.
Exploitation:
If TGS response is cracked with GetUserSPNs.py and john (or whatever you are using), password of the target user will be obtained. 
impacket
python3 GetUserSPNs.py -request -dc-ip 192.168.1.253 kandemir.local/unsafe.inline
2. Set user option as do not require Kerberos preauthentication for As-Rep Roasting attack
Modification:
Select addAsRepRoasting option and specify Distinguished Name of target object.
Using GetNPUsers.py we can list and get TGTs in the John The Ripper format for cracking.
Exploitation:
impacket
python3 GetNPUsers.py -request -dc-ip 192.168.1.253 kandemir.local/unsafe.inline
3. Modify a computer account for Unconstrained Kerberos Delegation Attack
Modification:
 Firstly, if you don't know the Distinguished Name of target computers, use searchHost option. So that DN attribute value of sec560student computer is obtained by typing sec.
Using addUnconstrained option ,  Trust this computer for delegation to any service (Kerberos only) can be set for Delegation.
Exploitation:
After this modification , following links might be useful when you want to conduct unconstrained kerberos delegation attack.
Kerberos Unconstrained Delegation
Red Teaming Experiments
Active Directory Security Risk #101: Kerberos Unconstrained Delegation (or How Compromise of a Single Server Can Compromise the Domain)
Active Directory Security
Getting TGT of Administrator User
4. Modify a user account for Constrained Kerberos Delegation Attack
Modification:
 addConstrained option can be used to modify user account for the constrained Kerberos delegation attack. For example, cn=test user,cn=Users,dc=kandemir,dc=local user account can be delegated to access HOST service of a Domain Controller (another computer account could be selected too).
Exploitation:
Kerberos Constrained Delegation
Red Teaming Experiments
S4U2Pwnage - harmj0y
harmj0y
5. Modify a computer account for Constrained Kerberos Delegation Attack
Modification:
addConstrained option can be used to modify a computer account that has been obtained access with local administrator privilege (high mandatory level) for the constrained Kerberos delegation attack. For example, CN=SEC560STUDENT,CN=Computers,DC=kandemir,DC=local computer account can be delegated to access HOST service of a Domain Controller (another computer account could be selected too).
Exploitation:
Kerberos Constrained Delegation
Red Teaming Experiments
S4U2Pwnage - harmj0y
harmj0y
# Author: Metin Yunus Kandemir
dcFinder
Next - 0DAY
Multiple ManageEngine Applications Critical Information Disclosure Vulnerability
Last modified 29d ago