UNSAFE-INLINE
Search…
UNSAFE-INLINE
ABOUT US
UNSAFE
INLINE
Asena
Suyla
dcFinder v1.0
DCDumlupınar
0DAY
Thecus N4800Eco Nas Server Control Panel Comand Injection
ManageEngine ADSelfService Plus 6.1 CSV Injection (CVE-2021-33256)
Openlitespeed Web Server 1.7.8 - Privilege Escalation (CVE-2021-26758)
KLOG Server (Authenticated) Command Injection (CVE-2021-3317)
Cokpit version 234 - Server Side Request Forgery (CVE-2020-35850)
KLOG Server Unauthenticated Command Injection (CVE-2020-35729)
Pearson Vue - VUEApplicationWrapper Unquoted Service Path (CVE-2020-36154)
Intel(r) Management and Security Application 5.2 - UNS Unquoted Service Path
BRAdmin Professional 3.75 - Unquoted Service Path
Powered By GitBook
DCDumlupınar
Describing for DCDumlupınar that aims to conduct enumeration and persistence on the Active Directory

Attack Approaches

Following scenarios can be conducted according to ACL permissions. So you can use these approaches which can make possible asreproasting, kerberoasting and kerberos delegation attacks for abusing ACL and persistence purposes.

1. Set SPN attribute to User account to obtain password conducting Kerberoasting attack

Modification:
Set Distinguished Name and Service Principal Name attributes of the target object after setSpn option is selected.
Let's check it whether http/whatever is added to servicePrincipalName attribute or not.
Exploitation:
If TGS response is cracked with GetUserSPNs.py and john (or whatever you are using), password of the target user will be obtained.
impacket
1
python3 GetUserSPNs.py -request -dc-ip 192.168.1.253 kandemir.local/unsafe.inline
Copied!

2. Set user option as do not require Kerberos preauthentication for As-Rep Roasting attack

Modification:
Select addAsRepRoasting option and specify Distinguished Name of target object.
Using GetNPUsers.py we can list and get TGTs in the John The Ripper format for cracking.
Exploitation:
impacket
1
python3 GetNPUsers.py -request -dc-ip 192.168.1.253 kandemir.local/unsafe.inline
Copied!

3. Modify a computer account for Unconstrained Kerberos Delegation Attack

Modification:
Firstly, if you don't know the Distinguished Name of target computers, use searchHost option. So that DN attribute value of sec560student computer is obtained by typing sec.
Using addUnconstrained option , Trust this computer for delegation to any service (Kerberos only) can be set for Delegation.
Exploitation:
After this modification , following links might be useful when you want to conduct unconstrained kerberos delegation attack.
Active Directory Security Risk #101: Kerberos Unconstrained Delegation (or How Compromise of a Single Server Can Compromise the Domain)
Active Directory Security
Getting TGT of Administrator User

4. Modify a user account for Constrained Kerberos Delegation Attack

Modification:
addConstrained option can be used to modify user account for the constrained Kerberos delegation attack. For example, cn=test user,cn=Users,dc=kandemir,dc=local user account can be delegated to access HOST service of a Domain Controller (another computer account could be selected too).
Exploitation:
S4U2Pwnage - harmj0y
harmj0y

5. Modify a computer account for Constrained Kerberos Delegation Attack

Modification:
addConstrained option can be used to modify a computer account that has been obtained access with local administrator privilege (high mandatory level) for the constrained Kerberos delegation attack. For example, CN=SEC560STUDENT,CN=Computers,DC=kandemir,DC=local computer account can be delegated to access HOST service of a Domain Controller (another computer account could be selected too).
Exploitation:
S4U2Pwnage - harmj0y
harmj0y
Previous
dcFinder v1.0
Next - 0DAY
Thecus N4800Eco Nas Server Control Panel Comand Injection
Last modified 2mo ago
Copy link
Contents
Attack Approaches