Commit a71ad73

Merge pull request #45 from WADComs/abduls-dev-branch
fixed merge issue
2 parents 0f86444 + 5a1843f commit a71ad73

1 file changed

+33
-0
lines changed

@@ -0,0 +1,33 @@
1+
---
2+
description: |
3+
Having imported the pwsh AD module referenced in the project, we can begin to use it to enumerate for potential points of exploit
4+
one of the prime being kerberos delegation attacks. The following 4 line commands will enumerate the entire AD forest for RBCD, Constrained and Unconstrained delegation attacks.
5+
Note that we will also factor in protocol trainsiton as those change the attack vector slightly. See references below
6+
7+
command: |
8+
# 1. Unconstrained (turned on for all Domain controllers by default)
9+
(Get-ADForest).Domains | % { Get-ADComputer -Filter {TrustedForDelegation -eq $true} -Server $_ | select Name,DNSHostName; Get-ADUser -Filter {TrustedForDelegation -eq $true} -Server $_ | select Name,SamAccountName }
10+
11+
12+
# 2. Constrained (with protocol transition check)
13+
(Get-ADForest).Domains | % { Get-ADComputer -Filter {msDS-AllowedToDelegateTo -like "*"} -Properties msDS-AllowedToDelegateTo,TrustedToAuthForDelegation -Server $_ | select Name,TrustedToAuthForDelegation,msDS-AllowedToDelegateTo; Get-ADUser -Filter {msDS-AllowedToDelegateTo -like "*"} -Properties msDS-AllowedToDelegateTo,TrustedToAuthForDelegation -Server $_ | select Name,TrustedToAuthForDelegation,msDS-AllowedToDelegateTo }
14+
15+
# 3. RBCD (which object is already configured)
16+
(Get-ADForest).Domains | % { Get-ADComputer -Filter * -Properties msDS-AllowedToActOnBehalfOfOtherIdentity -Server $_ | ? {$_."msDS-AllowedToActOnBehalfOfOtherIdentity"} | select Name,DNSHostName }
17+
18+
# 4. RBCD (which object can configure it - write access)
19+
(Get-ADForest).Domains | % { Get-ADComputer -Filter * -Properties nTSecurityDescriptor -Server $_ | ? {$_.nTSecurityDescriptor.Access | ? {$_.ActiveDirectoryRights -match "GenericWrite|WriteProperty" -and $_.IdentityReference -notmatch "SYSTEM|Domain Admins"}} | select Name }
20+
21+
items:
22+
- PowerShell
23+
OS:
24+
- Windows
25+
attack_types:
26+
- Enumeration
27+
references:
28+
- https://redfoxsec.com/blog/attacking-kerberos-delegation/
29+
- https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
30+
- https://dirkjanm.io/krbrelayx-unconstrained-delegation-abuse-toolkit/
31+
- https://github.com/samratashok/ADModule
32+
33+
---
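
Review bot: In command 4 (file line 19) the rights filter `-match "GenericWrite|WriteProperty"` never matches ACEs that grant `GenericAll`, `WriteDacl` or `WriteOwner`, so principals holding those rights on a computer object are missing from the output, while the `WriteProperty` branch matches any property-scoped ACE because `ObjectType` is not compared against msDS-AllowedToActOnBehalfOfOtherIdentity. The exclusion `-notmatch "SYSTEM|Domain Admins"` is a substring match on two names only, so every other identity with write access stays in the results and the listing will be noisy for anyone auditing it. Suggest widening the rights pattern, adding an `ObjectType` test, and stating in the description that the output is a starting point for review, not a definitive list. Minor: "trainsiton" in the description (file line 5) should read "transition".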
