tgtdeleg confusion
commiterrOftheYear opened this issue · comments
hi @S1ckB0y1337 , I'm trying to conduct RBCD, and really confused with this note:
In Constrain and Resource-Based Constrained Delegation if we don't have the password/hash of the account with TRUSTED_TO_AUTH_FOR_DELEGATION that we try to abuse, we can use the very nice trick "tgt::deleg" from kekeo or "tgtdeleg" from rubeus and fool Kerberos to give us a valid TGT for that account. Then we just use the ticket instead of the hash of the account to perform the attack.
suppose I have machine acc MACHINE$ which has RBCD over DC
userAccountControl : WORKSTATION_TRUST_ACCOUNT, TRUSTED_TO_AUTH_FOR_DELEGATION
msDS-AllowedToDelegateTo : cifs/DC01.domain.local
but I don't know MACHINE$'s pass/rc4, how exactly I can request TGT for it? Rubeus.exe tgtdeleg
will return TGT for my current user, and I cannot run it under machine's context since I don't know its passwd
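The attribute pair quoted above (userAccountControl with TRUSTED_TO_AUTH_FOR_DELEGATION, plus an msDS-AllowedToDelegateTo list) is exactly what a defender wants to enumerate when reviewing delegation exposure. The following audit helper is an added example, not code from the issue or from Rubeus: it decodes a numeric userAccountControl into flag names (bit values are the well-known MS-ADTS constants), converts the comma-separated form that tools print back into an integer, and reports which delegation mode an account is configured for. The Account class, the audit_delegation function and the SAMPLE accounts are assumptions made for this example; the sample data is constructed to mirror the issue's MACHINE$ entry.

```python
from dataclasses import dataclass, field
from typing import List

# userAccountControl bit values (well-known constants from MS-ADTS / MS-SAMR).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x80000: "TRUSTED_FOR_DELEGATION",            # unconstrained delegation
    0x100000: "NOT_DELEGATED",                     # "account is sensitive and cannot be delegated"
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",   # protocol transition (S4U2Self for any user)
}
NAME_TO_BIT = {name: bit for bit, name in UAC_FLAGS.items()}


def decode_uac(value: int) -> List[str]:
    """Return the flag names set in a numeric userAccountControl, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def encode_uac(text: str) -> int:
    """Turn the comma-separated flag list that AD tools print back into the integer value."""
    value = 0
    for name in text.split(","):
        name = name.strip()
        if name:
            value |= NAME_TO_BIT[name]  # raises KeyError on an unknown flag name
    return value


@dataclass
class Account:
    # Hypothetical minimal view of an AD account for this audit example.
    sam: str
    uac: int
    allowed_to_delegate_to: List[str] = field(default_factory=list)  # msDS-AllowedToDelegateTo


def audit_delegation(acct: Account) -> List[str]:
    """Describe every delegation setting on the account; an empty list means none configured."""
    flags = decode_uac(acct.uac)
    findings = []
    if "TRUSTED_FOR_DELEGATION" in flags:
        findings.append(f"{acct.sam}: unconstrained delegation enabled")
    if acct.allowed_to_delegate_to:
        # With TRUSTED_TO_AUTH_FOR_DELEGATION the account may obtain tickets for any user
        # to the listed SPNs without that user authenticating first (protocol transition).
        mode = ("with protocol transition" if "TRUSTED_TO_AUTH_FOR_DELEGATION" in flags
                else "Kerberos-only")
        findings.append(f"{acct.sam}: constrained delegation ({mode}) to "
                        f"{', '.join(acct.allowed_to_delegate_to)}")
    elif "TRUSTED_TO_AUTH_FOR_DELEGATION" in flags:
        findings.append(f"{acct.sam}: TRUSTED_TO_AUTH_FOR_DELEGATION set but "
                        "msDS-AllowedToDelegateTo is empty")
    return findings


# Constructed sample accounts; MACHINE$ mirrors the attributes quoted in the issue.
SAMPLE = [
    Account("MACHINE$",
            encode_uac("WORKSTATION_TRUST_ACCOUNT, TRUSTED_TO_AUTH_FOR_DELEGATION"),
            ["cifs/DC01.domain.local"]),
    Account("WS02$", encode_uac("WORKSTATION_TRUST_ACCOUNT")),
]

if __name__ == "__main__":
    for acct in SAMPLE:
        for line in audit_delegation(acct) or [f"{acct.sam}: no delegation configured"]:
            print(line)
```

In a real review the Account objects would be filled from an LDAP query for the attributes userAccountControl and msDS-AllowedToDelegateTo; accounts flagged "with protocol transition" are the ones whose compromise lets tickets be minted for arbitrary users to the listed services, so they deserve the tightest host hardening and monitoring.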
Hey! If let's say you have a shell or an implant as that machine$ account on a system by impersonating the NT AUTHORITY\SYSTEM user, you can then use this "tgtdeleg" trick to make Kerberos provide you with a valid TGT of the machine without needing the actual hash or password of the machine account. Essentially it uses the current running context you have to grab a valid TGT, bypassing the need to provide credentials.
I hope this helped :)
hi @S1ckB0y1337 , thank you for the explanation! unfortunately it's not my case, but at least I got exactly the use case of tgtdeleg
:)
Cheers mate!