Ctrlk
For the complete documentation index, see llms.txt. This page is also available as Markdown.

Kerberos Constrained Delegation

If you have compromised a user account or a computer (machine account) that has kerberos constrained delegation enabled, it's possible to impersonate any domain user (including administrator) and authenticate to a service that the user account is trusted to delegate to.

User Account

Prerequisites

Hunting for user accounts that have kerberos constrained delegation enabled:

attacker@target
Get-NetUser -TrustedToAuth

In the below screenshot, the user spot is allowed to delegate or in other words, impersonate any user and authenticate to a file system service (CIFS) on a domain controller DC01.

User has to have an attribute TRUSTED_TO_AUTH_FOR_DELEGATION in order for it to be able to authenticate to the remote service.

TRUSTED_TO_AUTH_FOR_DELEGATION - (Windows 2000/Windows Server 2003) The account is enabled for delegation. This is a security-sensitive setting. Accounts that have this option enabled should be tightly controlled. This setting lets a service that runs under the account assume a client's identity and authenticate as that user to other remote servers on the network.

https://support.microsoft.com/en-gb/help/305144/how-to-use-useraccountcontrol-to-manipulate-user-account-properties

Attribute msds-allowedtodelegateto identifies the SPNs of services the user spot is trusted to delegate to (impersonate other domain users) and authenticate to - in this case, it's saying that the user spot is allowed to authenticate to CIFS service on DC01 on behalf of any other domain user:

The msds-allowedtodelegate attribute in AD is defined here:

The TRUSTED_TO_AUTH_FOR_DELEGATION attribute in AD is defined here:

Execution

Assume we've compromised the user spot who has the constrained delegation set as described earlier. Let's check that currently we cannot access the file system of the DC01 before we impersonate a domain admin user:

Let's now request a delegation TGT for the user spot:

Using rubeus, we can now request TGS for administrator@offense.local, who will be allowed to authenticate to CIFS/dc01.offense.local:

We've got the impersonated TGS tickets for administrator account:

Which as we can see are now in memory of the current logon session:

If we now attempt accessing the file system of the DC01 from the user's spot terminal, we can confirm we've successfully impersonated the domain administrator account that can authenticate to the CIFS service on the domain controller DC01:

Note that in this case we requested a TGS for the CIFS service, but we could also request additional TGS tickets with rubeus's /altservice switch for: HTTP (WinRM), LDAP (DCSync), HOST (PsExec shell), MSSQLSvc (DB admin rights).

Computer Account

If you have compromised a machine account or in other words you have a SYSTEM level privileges on a machine that is configured with constrained delegation, you can assume any identity in the AD domain and authenticate to services that the compromised machine is trusted to delegate to.

In this lab, a workstation WS02 is trusted to delegate to DC01 for CIFS and LDAP services and I am going to exploit the CIFS services this time:

Using powerview, we can find target computers like so:

Let's check that we're currently running as SYSTEM and can't access the C$ on our domain controller DC01:

Let's now impersonate administrator@offense.local and try again:

References

https://www.harmj0y.net/blog/activedirectory/s4u2pwnage/www.harmj0y.net
https://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/www.harmj0y.net
LogoDelegation tab in ADUC not available until a SPN is setMicrosoftLearn
LogoKDC_ERR_BADOPTION when attempting constrained delegationMicrosoftLearn
LogoUserAccountControl property flags - Windows ServerMicrosoftLearn
PreviousKerberos Unconstrained DelegationNextKerberos Resource-based Constrained Delegation: Computer Object Takeover

Last updated