DCDumlu
DCDumlu is a tool that conducts enumeration and applies some persistence techniques on Active Directory.
The following scenarios can be conducted when the ACL permissions on the target objects allow it. These approaches make AS-REP roasting, Kerberoasting and Kerberos delegation attacks possible, for ACL abuse and persistence purposes.
Modification:
Set the Distinguished Name and Service Principal Name attributes of the target object after the setSpn option is selected. Then check whether http/whatever has been added to the servicePrincipalName attribute or not.
Exploitation:
If the TGS response is cracked with GetUserSPNs.py and john (or whatever cracker you are using), the password of the target user will be obtained.
impacket
python3 GetUserSPNs.py -request -dc-ip 192.168.1.253 kandemir.local/unsafe.inline
Modification:
Select the addAsRepRoasting option and specify the Distinguished Name of the target object. Using GetNPUsers.py we can list the affected users and get their TGTs in John The Ripper format for cracking.
Exploitation:
impacket
python3 GetNPUsers.py -request -dc-ip 192.168.1.253 kandemir.local/unsafe.inline
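Both modifications above leave a durable trace in the directory: setSpn adds a value to servicePrincipalName on a user object, and addAsRepRoasting sets the DONT_REQ_PREAUTH bit in userAccountControl. The following audit script is an added example written for this page, not part of DCDumlu; it runs over constructed sample records shaped like LDAP search results (attribute names are the real AD names, the account values are made up) and reports enabled user accounts that are Kerberoastable or AS-REP roastable, plus a baseline diff that surfaces exactly the kind of change these options make.

```python
"""Audit AD account records for the two roasting conditions that the setSpn and
addAsRepRoasting modifications create. Sample records below are constructed."""

# Documented userAccountControl bit values.
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_REQUIRE_PREAUTH = 0x400000

# Constructed sample records (not real directory data).
SAMPLE_ACCOUNTS = [
    {   # user that received an SPN through setSpn: Kerberoastable
        "distinguishedName": "CN=unsafe.inline,CN=Users,DC=kandemir,DC=local",
        "sAMAccountName": "unsafe.inline",
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "servicePrincipalName": ["http/whatever"],
        "userAccountControl": 0x200,
    },
    {   # user with DONT_REQ_PREAUTH set through addAsRepRoasting
        "distinguishedName": "CN=test user,CN=Users,DC=kandemir,DC=local",
        "sAMAccountName": "test.user",
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "servicePrincipalName": [],
        "userAccountControl": 0x200 | UF_DONT_REQUIRE_PREAUTH,
    },
    {   # disabled account with an SPN: no TGS can be obtained, so not reported
        "distinguishedName": "CN=svc-old,CN=Users,DC=kandemir,DC=local",
        "sAMAccountName": "svc-old",
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "servicePrincipalName": ["MSSQLSvc/old.kandemir.local:1433"],
        "userAccountControl": 0x200 | UF_ACCOUNTDISABLE,
    },
    {   # computer account: SPNs are normal here and the password is random
        "distinguishedName": "CN=SEC560STUDENT,CN=Computers,DC=kandemir,DC=local",
        "sAMAccountName": "SEC560STUDENT$",
        "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
        "servicePrincipalName": ["HOST/sec560student.kandemir.local"],
        "userAccountControl": 0x1000,
    },
]


def is_user_account(record):
    """Computer objects also carry objectClass 'user'; exclude them explicitly."""
    classes = record.get("objectClass", [])
    return "user" in classes and "computer" not in classes


def audit_roastable(records):
    """Return (sAMAccountName, condition, detail) for every enabled user account
    that is Kerberoastable (has an SPN) or AS-REP roastable (no pre-auth)."""
    findings = []
    for rec in records:
        uac = rec.get("userAccountControl", 0)
        if not is_user_account(rec) or uac & UF_ACCOUNTDISABLE:
            continue
        name = rec["sAMAccountName"]
        spns = rec.get("servicePrincipalName", [])
        if spns:
            findings.append((name, "kerberoastable", ",".join(spns)))
        if uac & UF_DONT_REQUIRE_PREAUTH:
            findings.append((name, "asrep_roastable",
                             "userAccountControl has DONT_REQ_PREAUTH"))
    return findings


def new_findings(baseline, current):
    """Findings present in the current snapshot but absent from an earlier
    baseline: this is how a persistence modification shows up in a periodic audit."""
    return sorted(set(audit_roastable(current)) - set(audit_roastable(baseline)))


if __name__ == "__main__":
    for finding in audit_roastable(SAMPLE_ACCOUNTS):
        print(*finding)
```

In a real environment the records would come from an LDAP query for user objects with servicePrincipalName=* or userAccountControl:1.2.840.113556.1.4.803:=4194304; the functions above take plain dictionaries so they can be run against any export.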
Modification:
First, if you do not know the Distinguished Name of the target computers, use the searchHost option. For example, the DN attribute value of the sec560student computer is obtained by typing sec. Using the addUnconstrained option, "Trust this computer for delegation to any service (Kerberos only)" can be set under Delegation.
Exploitation:
After this modification, the following links might be useful when you want to conduct an unconstrained Kerberos delegation attack.
Getting TGT of Administrator User
Modification:
The addConstrained option can be used to modify a user account for the constrained Kerberos delegation attack. For example, the cn=test user,cn=Users,dc=kandemir,dc=local user account can be delegated to access the HOST service of a Domain Controller (another computer account could be selected too).
Exploitation:
Modification:
The addConstrained option can also be used to modify a computer account on which access with local administrator privilege (high mandatory level) has been obtained, for the constrained Kerberos delegation attack. For example, the CN=SEC560STUDENT,CN=Computers,DC=kandemir,DC=local computer account can be delegated to access the HOST service of a Domain Controller (another computer account could be selected too).
Exploitation:
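The three delegation scenarios above (addUnconstrained on a computer, addConstrained on a user, addConstrained on a computer) each write a specific attribute: unconstrained delegation sets the TRUSTED_FOR_DELEGATION bit in userAccountControl, and constrained delegation populates msDS-AllowedToDelegateTo with the target SPNs. The script below is an added example for this page, not part of DCDumlu; it audits constructed sample records (real attribute names, made-up values, and a made-up list of domain-controller hosts) and rates a constrained entry higher when its targets point at a Domain Controller, which is the case the text describes.

```python
"""Audit AD records for the delegation settings that addUnconstrained and
addConstrained create. All sample data below is constructed."""

# Documented userAccountControl bit values.
UF_ACCOUNTDISABLE = 0x0002
UF_TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "use any authentication protocol"

# Constructed: hosts that are domain controllers in this sample domain.
DOMAIN_CONTROLLERS = {"dc01.kandemir.local"}

SAMPLE_OBJECTS = [
    {   # a DC: unconstrained delegation is expected there, not reported
        "distinguishedName": "CN=DC01,OU=Domain Controllers,DC=kandemir,DC=local",
        "sAMAccountName": "DC01$",
        "userAccountControl": 0x2000 | UF_TRUSTED_FOR_DELEGATION,
        "msDS-AllowedToDelegateTo": [],
    },
    {   # workstation modified with addUnconstrained
        "distinguishedName": "CN=SEC560STUDENT,CN=Computers,DC=kandemir,DC=local",
        "sAMAccountName": "SEC560STUDENT$",
        "userAccountControl": 0x1000 | UF_TRUSTED_FOR_DELEGATION,
        "msDS-AllowedToDelegateTo": [],
    },
    {   # user modified with addConstrained to the HOST service of the DC
        "distinguishedName": "CN=test user,CN=Users,DC=kandemir,DC=local",
        "sAMAccountName": "test.user",
        "userAccountControl": 0x200,
        "msDS-AllowedToDelegateTo": ["HOST/dc01.kandemir.local", "HOST/dc01"],
    },
    {   # service account constrained to a non-DC host, with protocol transition
        "distinguishedName": "CN=svc-web,CN=Users,DC=kandemir,DC=local",
        "sAMAccountName": "svc-web",
        "userAccountControl": 0x200 | UF_TRUSTED_TO_AUTH_FOR_DELEGATION,
        "msDS-AllowedToDelegateTo": ["HTTP/web01.kandemir.local"],
    },
]


def spn_host(spn):
    """'HOST/dc01.kandemir.local:1433' -> 'dc01.kandemir.local'."""
    if "/" not in spn:
        return ""
    return spn.split("/", 1)[1].split(":", 1)[0].lower()


def audit_delegation(records, domain_controllers=DOMAIN_CONTROLLERS):
    """Return (sAMAccountName, kind, severity, detail) for every enabled object
    with unconstrained delegation on a non-DC or with constrained delegation."""
    dc_short = {d.split(".")[0].lower() for d in domain_controllers}
    findings = []
    for rec in records:
        uac = rec.get("userAccountControl", 0)
        if uac & UF_ACCOUNTDISABLE:
            continue
        name = rec["sAMAccountName"]
        is_dc = "OU=DOMAIN CONTROLLERS" in rec["distinguishedName"].upper()
        if uac & UF_TRUSTED_FOR_DELEGATION and not is_dc:
            findings.append((name, "unconstrained", "high",
                             "TRUSTED_FOR_DELEGATION set on a non-DC"))
        targets = rec.get("msDS-AllowedToDelegateTo", [])
        if targets:
            dc_targets = sorted(t for t in targets
                                if spn_host(t).split(".")[0] in dc_short)
            if dc_targets:
                severity, detail = "high", "delegates to DC: " + ",".join(dc_targets)
            else:
                severity, detail = "medium", "delegates to: " + ",".join(targets)
            if uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION:
                detail += " (protocol transition enabled)"
            findings.append((name, "constrained", severity, detail))
    return findings


if __name__ == "__main__":
    for finding in audit_delegation(SAMPLE_OBJECTS):
        print(*finding)
```

The DC membership test keys on the Domain Controllers OU; an environment that keeps DC objects elsewhere should instead derive the set from the primaryGroupID of Domain Controllers (516) or from an explicit inventory.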
# Author: Metin Yunus Kandemir