DCDumlu

Documentation for DCDumlu, a tool that aims to conduct enumeration and some persistence techniques on Active Directory.

Persistence Approaches

The following scenarios can be conducted depending on the ACL permissions you hold. These approaches make AS-REP roasting, Kerberoasting and Kerberos delegation attacks possible, for ACL abuse and persistence purposes.

1. Set the SPN attribute on a user account for a Kerberoasting attack

Modification:
After selecting the setSpn option, set the Distinguished Name and Service Principal Name attributes of the target object.
Then check whether http/whatever has been added to the servicePrincipalName attribute.
Exploitation:
If the TGS response requested with GetUserSPNs.py is cracked with john (or whatever you are using), the password of the target user will be obtained.
impacket
python3 GetUserSPNs.py -request -dc-ip 192.168.1.253 kandemir.local/unsafe.inline

2. Set the "Do not require Kerberos preauthentication" user option for an AS-REP Roasting attack

Modification:
Select the addAsRepRoasting option and specify the Distinguished Name of the target object.
Using GetNPUsers.py, we can list and get TGTs in John the Ripper format for cracking.
Exploitation:
impacket
python3 GetNPUsers.py -request -dc-ip 192.168.1.253 kandemir.local/unsafe.inline

3. Modify a computer account for an Unconstrained Kerberos Delegation attack

Modification:
First, if you don't know the Distinguished Name of the target computer, use the searchHost option. For example, typing sec returns the DN attribute value of the sec560student computer.
Using the addUnconstrained option, "Trust this computer for delegation to any service (Kerberos only)" can be set for delegation.
Exploitation:
After this modification, the following links might be useful when you want to conduct an unconstrained Kerberos delegation attack.
Getting TGT of Administrator User

4. Modify a user account for a Constrained Kerberos Delegation attack

Modification:
The addConstrained option can be used to modify a user account for the constrained Kerberos delegation attack. For example, the cn=test user,cn=Users,dc=kandemir,dc=local user account can be delegated to access the HOST service of a Domain Controller (another computer account could be selected too).
Exploitation:

5. Modify a computer account for a Constrained Kerberos Delegation attack

Modification:
The addConstrained option can be used to modify a computer account to which access has been obtained with local administrator privilege (high mandatory level) for the constrained Kerberos delegation attack. For example, the CN=SEC560STUDENT,CN=Computers,DC=kandemir,DC=local computer account can be delegated to access the HOST service of a Domain Controller (another computer account could be selected too).
Exploitation:
# Author: Metin Yunus Kandemir
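
Each of the five modifications above leaves a trace in the servicePrincipalName, userAccountControl or msDS-AllowedToDelegateTo attributes. The following is an added example, not part of DCDumlu or the original page, that audits exported LDAP entries for those traces. The sample records, the delegation target HOST/dc.kandemir.local, the domain controller DN and the function names are constructed for illustration.

```python
# Added example: flag the attribute changes described in scenarios 1-5.
# UAC bit values and attribute names are the standard Active Directory ones.
SERVER_TRUST_ACCOUNT = 0x2000               # set on domain controllers
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
DONT_REQ_PREAUTH = 0x400000                 # no Kerberos preauthentication
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition

def audit_entry(entry, approved_spn_accounts=()):
    """Return findings for one LDAP entry given as a dict of attributes."""
    findings = []
    uac = int(entry.get("userAccountControl", 0))
    classes = {c.lower() for c in entry.get("objectClass", [])}
    # Computer objects also carry objectClass "user", so test for "computer".
    is_user = "user" in classes and "computer" not in classes
    spns = entry.get("servicePrincipalName", [])
    approved = {a.lower() for a in approved_spn_accounts}
    if is_user and spns and entry["distinguishedName"].lower() not in approved:
        findings.append("spn-on-user: " + ", ".join(spns))
    if uac & DONT_REQ_PREAUTH:
        findings.append("preauth-disabled")
    # Domain controllers carry this bit by default; elsewhere it needs review.
    if (uac & TRUSTED_FOR_DELEGATION) and not (uac & SERVER_TRUST_ACCOUNT):
        findings.append("unconstrained-delegation")
    targets = entry.get("msDS-AllowedToDelegateTo", [])
    if targets:
        kind = "any-protocol" if uac & TRUSTED_TO_AUTH_FOR_DELEGATION else "kerberos-only"
        findings.append("constrained-delegation (%s): %s" % (kind, ", ".join(targets)))
    return findings

def audit(entries, approved_spn_accounts=()):
    """Map DN -> findings, keeping only entries with at least one finding."""
    report = {e["distinguishedName"]: audit_entry(e, approved_spn_accounts) for e in entries}
    return {dn: f for dn, f in report.items() if f}

# Constructed sample records, shaped like the result of an LDAP export.
_USER = ["top", "person", "organizationalPerson", "user"]
SAMPLE = [
    {"distinguishedName": "cn=test user,cn=Users,dc=kandemir,dc=local",
     "objectClass": _USER, "userAccountControl": 0x200 | DONT_REQ_PREAUTH,
     "servicePrincipalName": ["http/whatever"],
     "msDS-AllowedToDelegateTo": ["HOST/dc.kandemir.local"]},
    {"distinguishedName": "CN=SEC560STUDENT,CN=Computers,DC=kandemir,DC=local",
     "objectClass": _USER + ["computer"],
     "userAccountControl": 0x1000 | TRUSTED_FOR_DELEGATION,
     "servicePrincipalName": ["HOST/SEC560STUDENT"]},
    {"distinguishedName": "CN=DC,OU=Domain Controllers,DC=kandemir,DC=local",
     "objectClass": _USER + ["computer"],
     "userAccountControl": SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION},
]
```

Passing the DNs of known service accounts as approved_spn_accounts suppresses the SPN finding for them, so only newly added SPNs on ordinary user accounts are reported.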