Kerberos Constrained Delegation
If you have compromised a user account or a computer (machine account) that has Kerberos constrained delegation enabled, it is possible to impersonate any domain user (including the administrator) and authenticate to any service that the compromised account is trusted to delegate to.
Hunting for user accounts that have Kerberos constrained delegation enabled:
In the screenshot below, the user spot is allowed to delegate, or in other words, impersonate any user and authenticate to the file system service (CIFS) on the domain controller DC01.
msDS-AllowedToDelegateTo identifies the SPNs of the services that the user spot is trusted to delegate to (impersonate other domain users) and authenticate to. In this case it says that the user spot is allowed to authenticate to the CIFS service on DC01 on behalf of any other domain user:
The msDS-AllowedToDelegateTo attribute in AD is defined here:
The TRUSTED_TO_AUTH_FOR_DELEGATION userAccountControl flag in AD is defined here:
Assume we have compromised the user spot, who has constrained delegation set as described earlier. Let's first check that we currently cannot access the file system of DC01, before we impersonate a domain admin user:
Let's now request a delegation TGT for the user spot:
# ticket is the base64 ticket we get with `rubeus's tgtdeleg`
We now have the impersonated TGS tickets for the administrator account:
Which, as we can see, are now in the memory of the current logon session:
If we now attempt to access the file system of DC01 from user spot's terminal, we can confirm that we have successfully impersonated the domain administrator account, which can authenticate to the CIFS service on the domain controller DC01:
Note that in this case we requested a TGS for the CIFS service, but we could also request additional TGS tickets with Rubeus's /altservice switch for: HTTP (WinRM), LDAP (DCSync), HOST (PsExec shell), MSSQLSvc (DB admin rights).
If you have compromised a machine account, or in other words, have SYSTEM-level privileges on a machine that is configured with constrained delegation, you can assume any identity in the AD domain and authenticate to the services that the compromised machine is trusted to delegate to.
In this lab, the workstation WS02 is trusted to delegate to DC01 for the CIFS and LDAP services, and I am going to exploit the CIFS service this time:
Using powerview, we can find target computers like so:
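The same enumeration the page does with PowerView can be done from the defender's side with the RSAT ActiveDirectory module. The following audit script is an added example, not code from the original post: it lists every user and computer account carrying msDS-AllowedToDelegateTo, flags the ones that also have TRUSTED_TO_AUTH_FOR_DELEGATION set (the protocol-transition case that lets the account obtain tickets for any user), and highlights targets on a domain controller such as the cifs/DC01 entry in this lab. The function name and the DC name pattern are assumptions for this example.

```powershell
# Added audit example (not from the original post). Assumes the RSAT
# ActiveDirectory module is available and the caller can read the domain.
Import-Module ActiveDirectory

# userAccountControl bit TRUSTED_TO_AUTH_FOR_DELEGATION (protocol transition):
# with this set, the account can get a service ticket for ANY user (S4U2Self)
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000
# userAccountControl bit TRUSTED_FOR_DELEGATION (unconstrained delegation)
$TRUSTED_FOR_DELEGATION = 0x80000

function Get-ConstrainedDelegationAccounts {
    # Any object with msDS-AllowedToDelegateTo populated has constrained
    # delegation configured, whether it is a user or a computer account.
    Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' `
        -Properties sAMAccountName, objectClass, userAccountControl, 'msDS-AllowedToDelegateTo' |
    ForEach-Object {
        $uac = [int]($_.userAccountControl)
        [pscustomobject]@{
            Account            = $_.sAMAccountName
            Type               = $_.objectClass
            ProtocolTransition = (($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION) -ne 0)
            Unconstrained      = (($uac -band $TRUSTED_FOR_DELEGATION) -ne 0)
            DelegatesTo        = @($_.'msDS-AllowedToDelegateTo')
        }
    }
}

# Assumed naming pattern for this lab's domain controllers (DC01, DC02, ...).
$dcSpnPattern = '^[a-z]+/dc\d+'

foreach ($acct in Get-ConstrainedDelegationAccounts) {
    # SPNs on a domain controller are the highest-risk delegation targets:
    # cifs gives file access, ldap allows DCSync, host gives a shell.
    $dcTargets = @($acct.DelegatesTo | Where-Object { $_ -match $dcSpnPattern })
    $severity = if ($acct.ProtocolTransition -and $dcTargets.Count -gt 0) { 'HIGH' }
                elseif ($acct.ProtocolTransition) { 'MEDIUM' }
                else { 'LOW' }
    # Remediation for HIGH: remove the DC SPNs from msDS-AllowedToDelegateTo or
    # clear TRUSTED_TO_AUTH_FOR_DELEGATION, and put privileged users in the
    # Protected Users group (or mark them "sensitive and cannot be delegated").
    "{0,-6} {1,-8} {2,-20} transition={3,-5} unconstrained={4,-5} -> {5}" -f `
        $severity, $acct.Type, $acct.Account, $acct.ProtocolTransition,
        $acct.Unconstrained, ($acct.DelegatesTo -join ', ')
}
```

In the lab described on this page, spot (user) and WS02 (computer) would both show up as HIGH because their delegation targets point at DC01.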
Let's check that we are currently running as SYSTEM and cannot access the C$ share on our domain controller DC01:
# load the System.IdentityModel assembly
[Reflection.Assembly]::LoadWithPartialName('System.IdentityModel') | out-null
# the single-argument WindowsIdentity constructor makes the OS perform an S4U2Self logon for the named user, which is what lets a machine account with constrained delegation obtain a token for that identity
$idToImpersonate = New-Object System.Security.Principal.WindowsIdentity @('administrator')
# show which identity the current thread is running as (expected: NT AUTHORITY\SYSTEM before impersonating)
[System.Security.Principal.WindowsIdentity]::GetCurrent() | select name