In my previous post on resource-based constrained delegation (RBCD), I created a tool called Get-RBCD-Threaded to enumerate AD environments for possible RBCD attack paths. Get-RBCD-Threaded worked by finding AD users, groups, and computer objects that had either GenericAll, GenericWrite, or WriteOwner privileges on another computer object. These permissions would allows you to modify the ms-DS-Allowed-To-Act-On-Behalf-Of-Other-Identity…
All posts in Active Directory Attacks
Resource Based Constrained Delegation
Earlier this year on a internal penetration test for my employer, I was stuck on Active Directory (AD) escalation. I had gotten a foothold in the environment by cracking a user’s hashed credentials that I had captured through DHCPv6 spoofing. However, the user didn’t belong to any privileged groups and didn’t have local admin privileges…
Constrained Delegation
In previous posts, I have discussed how to setup an AD lab in AWS, attack AD using Kerberoast, and attacking AD with Unconstrained Delegation. In this post I am going to discuss another attack I built into my lab Constrained Delegation. This will all be done through Covenant C2, which I discussed how to setup…
Unconstrained Delegation
One of the weaknesses that I configured in my lab environment was “Unconstrained Delegation.” Systems in an Active Directory (AD) environment can be configured for unconstrained delegation. This means that a system can “delegate”, or impersonate users that authenticate to it. Normally, when a user authenticates to a service running on a system, the user…
Kerberoasting
This post will demonstrate how to perform a “Kerberoasting” attack in an Active Directory (AD) environment. In a previous post, I detailed how to create an AD lab in AWS and how to configure a user with a Service Principal Name (SPN) that will allow for the Kerberoasting attack. Background Information Kerberoasting is an attack…