More sAMAccountName Impersonation
Posted on Sat 11 December 2021 in Active Directory
So in my excitement to put out the previous post I forgot something and since then I've thought of another attack path that may come in useful for some people.
For these examples I'm using the internal.user account in the internal.zeroday.lab domain, as shown below:
This is just a generic low privileged user.
Trusts
I did reply to my tweet afterwards, but I thought it'd be best to explain a little more that this works across trusts.
As mentioned in a previous post I did, creating machine accounts across trusts is not only possible but can be incredibly useful. This is another example of that.
A forest trust is configured between the internal.zeroday.lab and external.zeroday.lab forests:
A new machine account (named NewComputer) is created across this trust on the external.zeroday.lab domain:
The SPNs can be cleared from this newly created account:
It's best to get the distinguishedname of the machine account for changing the name:
Lastly, the name can be changed to the same as the domain controller minus the '$':
At this point the attack is exactly the same as the initial example I gave in the original post, ie. request a TGT for EDC1, rename machine account back, perform S4U2self.
User Account
Another example of exploitation involved user account control. 2 more prerequisites are required to perform the attack using a user account, The GenericAll privilege over the user account and access to the account credential. Any user account can be used to perform the attack.
There are several potential ways of obtaining the user account password when you have GenericAll over it, including tageted Kerberoasting from Will Schroeder, Shadow Credentials by Elad Shamir, just resetting the user password and probably more I'm forgetting right now. Point is, I'm not going to go into all of the potential ways you might do this, I'm just going to assume the password has been obtained.
So the user I'm running as (internal.user) has GenericAll over the target user (new.user):
Changing the samaccountname to that of the DC minus the '$' is also possible using PowerView:
The attack from this point is exactly the same as in the original post, I'm not going to duplicate all of that here, you can try it for yourself if you want. Interestingly on patched servers you can rename a user account this way with GenericAll over it, but the S4U2self part fails with KDC_ERR_TGT_REVOKED
error due to the new Requestor PAC_INFO_BUFFER being included within the TGT's PAC.
EDIT: Charlie BROMBERG suggested GenericAll isn't actually required and this works with GenericWrite or even WriteProperty on sAMAccountName for changing the samaccountname, but it is important to remember that the ability to request a TGT for this account is required too, so the higher the privileges, the more likely you are to be able to do this.
Conclusion
It is very important that all domain controllers throughout the whole enterprise is patched against these issues due to the impact of exploitation and the ease with which it can be performed.
While more limited, it may still be possible in situations where a machine account cannot be created/controlled or renaming of machine account fails.