GitBook: [master] 109 pages and 17 assets modified

post-exploitation/windows/ad/kerberos-attacks.md

@@ -4,27 +4,27 @@
 
 ### How it works
 
-![](../../../.gitbook/assets/imagen%20%284%29.png)
+![](../../../.gitbook/assets/imagen%20%2810%29.png)
 
 ### Step 1
 
-![](../../../.gitbook/assets/imagen%20%285%29.png)
+![](../../../.gitbook/assets/imagen%20%2811%29.png)
 
 ### Step 2
 
-![](../../../.gitbook/assets/imagen%20%286%29.png)
+![](../../../.gitbook/assets/imagen%20%2813%29.png)
 
 ### Step 3
 
-![](../../../.gitbook/assets/imagen%20%288%29.png)
+![](../../../.gitbook/assets/imagen%20%2818%29.png)
 
 ### Step 4
 
-![](../../../.gitbook/assets/imagen%20%287%29.png)
+![](../../../.gitbook/assets/imagen%20%2815%29.png)
 
 ### Step 5
 
-![](../../../.gitbook/assets/imagen%20%283%29.png)
+![](../../../.gitbook/assets/imagen%20%288%29.png)
 
 ## Bruteforcing
 
@@ -78,6 +78,11 @@ With [Rubeus](https://github.com/GhostPack/Rubeus):
 ```text
 # check ASREPRoast for all users in current domain
 .\Rubeus.exe asreproast  /format:<AS_REP_responses_format [hashcat | john]> /outfile:<output_hashes_file>
+
+# Powerview
+Get-DomainUser -PreauthNotRequired
+
+# https://github.com/HarmJ0y/ASREPRoast
 ```
 
 Cracking with dictionary of passwords:
@@ -377,3 +382,44 @@ python -c 'import hashlib,binascii; print binascii.hexlify(hashlib.new("md4", "<
 > * Any process belonging to the same user can perform the same actions in Kerberos, regardless of whether it is a service or not.
 > * Unable to delegate if  NotDelegated \(or ADS\_UF\_NOT\_DELEGATED\) flag is set in the User-Account-Control attribute of the user account or user in Protected Users group.
 
+### Unconstrained delegation
+
+1. _User1_ requests a TGS for _ServiceZ_, of _UserZ_.
+2. The KDC checks if _UserZ_ has the _TrustedForDelegation_ flag set \(Yes\).
+3. The KDC includes a TGT of _User1_ inside the TGS for _ServiceZ_.
+4. _ServiceZ_ receives the TGS with the TGT of _User1_ included and stores it for later use.
+
+![](../../../.gitbook/assets/imagen%20%2819%29.png)
+
+### Contrained delegation and RBCD \(Resource Based Constrained Delegation\)
+
+Delegation is constrained to only some whitelisted third-party services.
+
+* S4U2Proxy Contrained
+
+![](../../../.gitbook/assets/imagen%20%285%29.png)
+
+* S4U2Proxy RBCD
+
+![](../../../.gitbook/assets/imagen%20%284%29.png)
+
+* S4U2Proxy Service Name Change
+
+![](../../../.gitbook/assets/imagen%20%2817%29.png)
+
+* S4U2Self
+
+![](../../../.gitbook/assets/imagen%20%283%29.png)
+
+* S4U2Self & S4U2Proxy combined Contrained
+
+![](../../../.gitbook/assets/imagen%20%286%29.png)
+
+* S4U2Self & S4U2Proxy combined RBCD
+
+![](../../../.gitbook/assets/imagen%20%289%29.png)
+
+* RBCD attack
+
+![](../../../.gitbook/assets/imagen%20%2816%29.png)
+