UNSAFE-INLINE
DCDumlupınar
A description of DCDumlupınar, which aims to conduct enumeration and persistence on Active Directory.

Attack Approaches

The following scenarios can be carried out depending on the ACL permissions available. These approaches abuse ACLs to make AS-REP roasting, Kerberoasting and Kerberos delegation attacks possible, and can also be used for persistence.

1. Set the SPN attribute on a user account to obtain its password with a Kerberoasting attack

Modification:
After selecting the setSpn option, set the Distinguished Name and Service Principal Name attributes of the target object.
Then check whether http/whatever has been added to the servicePrincipalName attribute.
Exploitation:
If the TGS response requested with GetUserSPNs.py is cracked with john (or whatever you are using), the password of the target user is obtained.
impacket:

    python3 GetUserSPNs.py -request -dc-ip 192.168.1.253 kandemir.local/unsafe.inline

2. Set the user option "Do not require Kerberos preauthentication" for an AS-REP Roasting attack

Modification:
Select the addAsRepRoasting option and specify the Distinguished Name of the target object.
Using GetNPUsers.py, we can list and get TGTs in the John the Ripper format for cracking.
Exploitation:
impacket:

    python3 GetNPUsers.py -request -dc-ip 192.168.1.253 kandemir.local/unsafe.inline

3. Modify a computer account for an Unconstrained Kerberos Delegation attack

Modification:
First, if you don't know the Distinguished Name of the target computer, use the searchHost option. For example, typing sec returns the DN attribute value of the sec560student computer.
Using the addUnconstrained option, "Trust this computer for delegation to any service (Kerberos only)" can be set for delegation.
Exploitation:
After this modification, the following links might be useful when you want to conduct an unconstrained Kerberos delegation attack.
Active Directory Security Risk #101: Kerberos Unconstrained Delegation (or How Compromise of a Single Server Can Compromise the Domain) - Active Directory Security
Getting TGT of Administrator User

4. Modify a user account for a Constrained Kerberos Delegation attack

Modification:
The addConstrained option can be used to modify a user account for the constrained Kerberos delegation attack. For example, the user account cn=test user,cn=Users,dc=kandemir,dc=local can be delegated to access the HOST service of a Domain Controller (another computer account could be selected too).
Exploitation:
S4U2Pwnage - harmj0y

5. Modify a computer account for a Constrained Kerberos Delegation attack

Modification:
The addConstrained option can be used to modify a computer account on which access with local administrator privilege (high mandatory level) has been obtained, for the constrained Kerberos delegation attack. For example, the computer account CN=SEC560STUDENT,CN=Computers,DC=kandemir,DC=local can be delegated to access the HOST service of a Domain Controller (another computer account could be selected too).
Exploitation:
S4U2Pwnage - harmj0y
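
Added audit example (not part of DCDumlupınar or of the original page): a Python check that flags the attribute states the five modifications above leave on a directory object. It assumes the entries were already read from LDAP into dictionaries and that the tool's options change the standard attributes servicePrincipalName, userAccountControl and msDS-AllowedToDelegateTo; the sample objects, their attribute values and the DC01 name are constructed.

```python
# UAC bit values are the documented userAccountControl flags.
DONT_REQ_PREAUTH = 0x400000                 # no Kerberos pre-authentication
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition (S4U2Self)
SERVER_TRUST_ACCOUNT = 0x2000               # domain controller account

def audit_entry(entry):
    """Return sorted findings for one directory object (dict of attributes)."""
    classes = {c.lower() for c in entry.get("objectClass", [])}
    uac = int(entry.get("userAccountControl", 0))
    findings = []
    # Scenario 1: an SPN on a non-computer account makes it Kerberoastable.
    if "computer" not in classes and entry.get("servicePrincipalName"):
        findings.append("user-with-spn")
    # Scenario 2: pre-authentication disabled allows AS-REP roasting.
    if uac & DONT_REQ_PREAUTH:
        findings.append("preauth-disabled")
    # Scenario 3: unconstrained delegation is expected on DCs only.
    if (uac & TRUSTED_FOR_DELEGATION) and not (uac & SERVER_TRUST_ACCOUNT):
        findings.append("unconstrained-delegation")
    # Scenarios 4 and 5: delegation targets on a user or computer account.
    if entry.get("msDS-AllowedToDelegateTo"):
        findings.append("constrained-delegation")
    if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        findings.append("protocol-transition")
    return sorted(findings)

def audit(entries):
    """Map DN -> findings, leaving out objects with nothing to report."""
    return {e["dn"]: f for e in entries if (f := audit_entry(e))}

# Constructed sample objects; attribute values and DC01 are hypothetical.
USER = ["top", "person", "organizationalPerson", "user"]
SAMPLE = [
    {"dn": "cn=test user,cn=Users,dc=kandemir,dc=local", "objectClass": USER,
     "userAccountControl": 0x200 | DONT_REQ_PREAUTH,
     "servicePrincipalName": ["http/whatever"],
     "msDS-AllowedToDelegateTo": ["HOST/DC01.kandemir.local"]},
    {"dn": "CN=SEC560STUDENT,CN=Computers,DC=kandemir,DC=local",
     "objectClass": USER + ["computer"],
     "userAccountControl": 0x1000 | TRUSTED_FOR_DELEGATION,
     "servicePrincipalName": ["HOST/SEC560STUDENT"]},
    {"dn": "CN=DC01,OU=Domain Controllers,DC=kandemir,DC=local",
     "objectClass": USER + ["computer"],
     "userAccountControl": SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION},
    {"dn": "cn=clean user,cn=Users,dc=kandemir,dc=local", "objectClass": USER,
     "userAccountControl": 0x200},
]

if __name__ == "__main__":
    for dn, findings in audit(SAMPLE).items():
        print(dn, "->", ", ".join(findings))
```

Comparing the report against a known-good baseline separates legitimate service accounts and delegation settings from changes made through ACL abuse.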