Kerberos Constrained Delegation
If you have compromised a user account or a computer (machine account) that has kerberos constrained delegation enabled, it's possible to impersonate any domain user (including administrator) and authenticate to a service that the user account is trusted to delegate to.
User Account
Prerequisites
Hunting for user accounts that have kerberos constrained delegation enabled:
In the below screenshot, the user spot
is allowed to delegate or in other words, impersonate any user and authenticate to a file system service (CIFS) on a domain controller DC01.
User has to have an attribute TRUSTED_TO_AUTH_FOR_DELEGATION
in order for it to be able to authenticate to the remote service.
TRUSTED_TO_AUTH_FOR_DELEGATION - (Windows 2000/Windows Server 2003) The account is enabled for delegation. This is a security-sensitive setting. Accounts that have this option enabled should be tightly controlled. This setting lets a service that runs under the account assume a client's identity and authenticate as that user to other remote servers on the network.
Attribute msds-allowedtodelegateto
identifies the SPNs of services the user spot
is trusted to delegate to (impersonate other domain users) and authenticate to - in this case, it's saying that the user spot is allowed to authenticate to CIFS service on DC01 on behalf of any other domain user:
The msds-allowedtodelegate
attribute in AD is defined here:
The TRUSTED_TO_AUTH_FOR_DELEGATION
attribute in AD is defined here:
Execution
Assume we've compromised the user spot
who has the constrained delegation set as described earlier. Let's check that currently we cannot access the file system of the DC01 before we impersonate a domain admin user:
Let's now request a delegation TGT for the user spot:
Using rubeus, we can now request TGS for administrator@offense.local
, who will be allowed to authenticate to CIFS/dc01.offense.local
:
We've got the impersonated TGS tickets for administrator account:
Which as we can see are now in memory of the current logon session:
If we now attempt accessing the file system of the DC01 from the user's spot terminal, we can confirm we've successfully impersonated the domain administrator account that can authenticate to the CIFS service on the domain controller DC01:
Note that in this case we requested a TGS for the CIFS service, but we could also request additional TGS tickets with rubeus's
switch for: HTTP (WinRM), LDAP (DCSync), HOST (PsExec shell), MSSQLSvc (DB admin rights)./altservice
Computer Account
If you have compromised a machine account or in other words you have a SYSTEM level privileges on a machine that is configured with constrained delegation, you can assume any identity in the AD domain and authenticate to services that the compromised machine is trusted to delegate to.
In this lab, a workstation WS02 is trusted to delegate to DC01 for CIFS and LDAP services and I am going to exploit the CIFS services this time:
Using powerview, we can find target computers like so:
Let's check that we're currently running as SYSTEM and can't access the C$ on our domain controller DC01:
Let's now impersonate administrator@offense.local and try again:
References
Last updated