Unconstrained delegation
More specifically, the domain controller places a copy of the user’s TGT into the service ticket. When the user presents the service ticket (TGS) to the server to access a service, the server opens the TGS and places the user’s TGT into LSASS for later use, which allows the server to impersonate the user. Obtaining that ticket could lead to domain escalation, as the ticket might belong to the machine account of the domain controller or to a high-privilege account such as a domain administrator. For a computer to authenticate to other services on behalf of users (unconstrained delegation), two conditions are required:
The account has the TRUSTED_FOR_DELEGATION flag set in its User Account Control (UAC) flags.
The user account does not have the NOT_DELEGATED flag set (by default, non-domain accounts have this flag).
Detecting
AD Module
Other interesting properties that can be enumerated are:
TrustedToAuthForDelegation
msDS-AllowedToDelegateTo
PrincipalsAllowedToDelegateToAccount
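The following audit script is an added example and is not part of the original post. It uses the ActiveDirectory (RSAT) module to check a domain for the two conditions described above: accounts whose UAC carries TRUSTED_FOR_DELEGATION, together with the delegation properties just listed so that constrained and resource-based configurations can be told apart, and members of a privileged group whose TGT remains delegatable because NOT_DELEGATED is clear and they are not in Protected Users. The group name `Domain Admins`, the function names and the output layout are this example's own choices; the UAC bit values are the documented Windows constants.

```powershell
# Added audit example (not from the original post). Requires the RSAT
# ActiveDirectory module on a domain-joined host with read access to AD.
Import-Module ActiveDirectory

# userAccountControl bit values (documented Windows constants, not page-specific)
$TRUSTED_FOR_DELEGATION = 0x80000    # condition 1: host may store forwarded TGTs
$NOT_DELEGATED          = 0x100000   # condition 2: "Account is sensitive and cannot be delegated"
$SERVER_TRUST_ACCOUNT   = 0x2000     # set on domain controller machine accounts

$delegationProps = 'TrustedForDelegation', 'TrustedToAuthForDelegation',
                   'msDS-AllowedToDelegateTo', 'PrincipalsAllowedToDelegateToAccount',
                   'userAccountControl'

function Get-UnconstrainedDelegationAccounts {
    # Computers and users whose UAC carries TRUSTED_FOR_DELEGATION. The extra
    # properties separate unconstrained delegation from constrained (KCD) and
    # resource-based (RBCD) configurations on the same object.
    $objects  = @(Get-ADComputer -Filter 'TrustedForDelegation -eq $true' -Properties $delegationProps)
    $objects += @(Get-ADUser     -Filter 'TrustedForDelegation -eq $true' -Properties $delegationProps)

    foreach ($obj in $objects) {
        [pscustomobject]@{
            Account                    = $obj.SamAccountName
            ObjectClass                = $obj.ObjectClass
            # Domain controllers are trusted for delegation by design; review everything else.
            IsDomainController         = (($obj.userAccountControl -band $SERVER_TRUST_ACCOUNT) -ne 0)
            TrustedToAuthForDelegation = [bool]$obj.TrustedToAuthForDelegation        # protocol transition
            AllowedToDelegateTo        = @($obj.'msDS-AllowedToDelegateTo') -join ';'   # KCD targets (empty = unconstrained)
            RbcdPrincipals             = @($obj.PrincipalsAllowedToDelegateToAccount) -join ';'
        }
    }
}

function Get-DelegatablePrivilegedUsers {
    # Members of a privileged group whose TGT could still be forwarded to an
    # unconstrained delegation host: NOT_DELEGATED is clear and the account is
    # not a member of Protected Users.
    param([string]$GroupName = 'Domain Admins')   # group name is this example's assumption

    $protected = @(Get-ADGroupMember -Identity 'Protected Users' -Recursive |
                   Select-Object -ExpandProperty DistinguishedName)

    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties AccountNotDelegated, userAccountControl |
        Where-Object {
            (($_.userAccountControl -band $NOT_DELEGATED) -eq 0) -and
            ($protected -notcontains $_.DistinguishedName)
        } |
        Select-Object SamAccountName, DistinguishedName, AccountNotDelegated
}

# Report: non-DC hosts trusted for unconstrained delegation, then delegatable admins.
Get-UnconstrainedDelegationAccounts |
    Where-Object { -not $_.IsDomainController -and -not $_.AllowedToDelegateTo } |
    Format-Table -AutoSize

Get-DelegatablePrivilegedUsers | Format-Table -AutoSize
```

Any non-DC account in the first table is a host whose compromise exposes every TGT forwarded to it; remove the setting with `Set-ADComputer <name> -TrustedForDelegation $false` unless the configuration is justified. Accounts in the second table can be protected with `Set-ADUser <sam> -AccountNotDelegated $true` or by membership in Protected Users, so that no TGT for them is ever forwarded in the first place.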
Powerview 3.0
Exploiting
Force authentication
There are multiple protocols which can coerce the machine account of the domain controller to authenticate to other hosts on the network, such as the printer bug (SpoolSample) and the Encrypting File System remote procedure call (EFSRPC). However, capturing the ticket of the machine account requires Rubeus to be running in monitor mode.
Execution of the printer bug will coerce the domain controller to authenticate to the workstation that is configured for unconstrained delegation.
The ticket granting ticket (TGT) of the domain controller machine account will be received and captured by Rubeus.
The ticket will be in base64 format and therefore cannot be used directly. However, it can be converted from a PowerShell console and its contents written to a file with the .kirbi extension.
Using Pass the Ticket within Mimikatz, the current user account will obtain high-privilege rights on the domain controller. This can be verified by using the DCSync technique to dump the NTLM hash of the domain admin account and obtaining command execution on the domain controller via pass the hash.