Charlie Bromberg « Shutdown »
Oct 29, 2021, 9 tweets, 3 min read
[thread 🧵] Kerberos delegations. This meta-thread gathers three sub-threads, one for each delegation type. I’ll talk about Unconstrained, Constrained, Resource-Based Constrained (RBCD), S4U2self, S4U2proxy and abuse scenarios.
Kerberos delegations are a set of features included in the Kerberos authentication protocol. They allow services to access other services on behalf of domain users.
3 types of delegations exist
- Unconstrained: service can access any other service on behalf of any user
- Constrained: service can access a set of services on behalf of any user
- Resource-Based Constrained (RBCD): service grants that « impersonating access » to a set of services
Nota bene: « any user » is not 100% true. There are limitations that I will cover later on. But TL;DR: some users are secured and cannot be delegated. Services cannot act on their behalf.
What purpose do delegations serve? They allow services to access remote resources and limit what the service account has access to. This is nice! Users have specific access that some service accounts configured for delegation can temporarily profit from by acting on their behalf.
Now, let’s dive into the different types of delegations and how to abuse those, shall we?
Kerberos Resource-Based Constrained Delegations
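As an added example (not part of the thread, and not the author's code), here is a PowerShell audit that enumerates the three delegation types listed above as they are stored in the directory, and separately lists the accounts that delegation cannot act on behalf of (the "secured" users from the nota bene: members of Protected Users, and accounts flagged "Account is sensitive and cannot be delegated"). It assumes the RSAT ActiveDirectory module on a domain-joined host with ordinary read access; the function names Get-DelegationAudit, Convert-RbcdDescriptor and Get-DelegationProtectedAccount are my own, the cmdlets and attribute names are the real ones.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module and a
# domain-joined, authenticated session with read access to the directory.
Import-Module ActiveDirectory

# userAccountControl bits that drive delegation behaviour
$UAC_TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation
$UAC_NOT_DELEGATED                  = 0x100000   # "Account is sensitive and cannot be delegated"
$UAC_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition

function Convert-RbcdDescriptor {
    # msDS-AllowedToActOnBehalfOfOtherIdentity is a security descriptor. The AD module
    # usually surfaces it as ActiveDirectorySecurity; a raw byte[] is handled as well.
    param($Value)
    if ($null -eq $Value) { return @() }
    if ($Value -is [byte[]]) {
        $sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
        $sd.SetSecurityDescriptorBinaryForm($Value)
        $Value = $sd
    }
    # Each ACE trustee is a principal allowed to delegate TO this resource (RBCD).
    $Value.Access | ForEach-Object { $_.IdentityReference.Value }
}

function Get-DelegationAudit {
    [CmdletBinding()]
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    $props = 'userAccountControl', 'msDS-AllowedToDelegateTo',
             'msDS-AllowedToActOnBehalfOfOtherIdentity', 'primaryGroupID'
    # Any account with at least one delegation setting:
    # 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND, 524288 = 0x80000
    $filter = '(|(userAccountControl:1.2.840.113556.1.4.803:=524288)' +
              '(msDS-AllowedToDelegateTo=*)(msDS-AllowedToActOnBehalfOfOtherIdentity=*))'

    Get-ADObject -LDAPFilter $filter -SearchBase $SearchBase -Properties $props | ForEach-Object {
        $uac  = [int]$_.userAccountControl
        $isDC = ($_.primaryGroupID -eq 516)   # "Domain Controllers" primary group
        [PSCustomObject]@{
            Account            = $_.Name
            ObjectClass        = $_.ObjectClass
            # DCs are unconstrained by design; a non-DC with this bit is the finding.
            Unconstrained      = (($uac -band $UAC_TRUSTED_FOR_DELEGATION) -ne 0) -and -not $isDC
            ConstrainedTargets = @($_.'msDS-AllowedToDelegateTo')          # SPNs this account may reach
            ProtocolTransition = (($uac -band $UAC_TRUSTED_TO_AUTH_FOR_DELEGATION) -ne 0)
            RbcdAllowedFrom    = @(Convert-RbcdDescriptor $_.'msDS-AllowedToActOnBehalfOfOtherIdentity')
        }
    }
}

function Get-DelegationProtectedAccount {
    # Accounts that no delegating service can act on behalf of: members of Protected Users,
    # and accounts carrying the NOT_DELEGATED flag (1048576 = 0x100000).
    $flagged = Get-ADObject -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=1048576)' |
        ForEach-Object { [PSCustomObject]@{ Account = $_.Name; Reason = 'NOT_DELEGATED flag' } }
    $protected = Get-ADGroupMember -Identity 'Protected Users' -Recursive |
        ForEach-Object { [PSCustomObject]@{ Account = $_.Name; Reason = 'Protected Users member' } }
    @($flagged) + @($protected)
}

# Usage: list every delegation setting, then the accounts shielded from delegation.
Get-DelegationAudit | Format-List
Get-DelegationProtectedAccount | Format-Table -AutoSize
```

Read the three output columns against the three definitions above: `Unconstrained` on a non-DC is the broadest exposure (any user who authenticates to that host can be impersonated anywhere), `ConstrainedTargets` with `ProtocolTransition` set means the service can obtain tickets for users without them ever authenticating to it, and `RbcdAllowedFrom` shows which principals the resource itself has granted impersonating access to. Whatever the first list reports, the second list is the set of identities those settings do not apply to, and keeping privileged accounts in it is the mitigation the thread's nota bene hints at.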