Kerberos Unconstrained Delegation
This lab explores a security impact of unrestricted kerberos delegation enabled on a domain computer.
Overview
Unrestricted kerberos delegation is a privilege that can be assigned to a domain computer or a user;
Usually, this privilege is given to computers (in this lab, it is assigned to a computer IIS01) running services like IIS, MSSQL, etc.;
Those services usually require access to some back-end database (or some other server), so it can read/modify the database on the authenticated user's behalf;
When a user authenticates to a computer that has unresitricted kerberos delegation privilege turned on, authenticated user's TGT ticket gets saved to that computer's memory;
The reason TGTs get cached in memory is so the computer (with delegation rights) can impersonate the authenticated user as and when required for accessing any other services on that user's behalf.
Essentially this looks like so:
User
--- authenticates to ---> IIS server
---> authenticates on behalf of the user ---> DB server
Any user authentication (i.e CIFS) to the computer with unconstrained delegation enabled on it, will cache that user's TGT in memory, which can later be dumped and reused by an adversary.
Setup
Let's give one of our domain computers/our victim computer IIS01
unrestricted kerberos delegation privilege:
To confirm/find computers on a domain that have unrestricted kerberos delegation property set:
We can see our victim computer IIS01
with TrustedForDelegation
field set to $true
- we are good to attack:
Execution
On the computer IIS01 with kerberos delegation rights, let's do a base run of mimikatz to see what we can find in memory:
Note that we do not have a TGT for offense\administrator
(Domain Admin) just yet.
Let's now send an HTTP request to IIS01
from a DC01
host from the context of offense\administrator:
We see the request got a HTTP 200 OK
response:
Let's check the victim host IIS01
for new kerberos tickets in memory:
We can see that the IIS01 has now got a TGT for offense\administrator - this means that we have effectively compromised the entire offense.local domain. We will get back to this in a moment.
First, let's export all kerberos tickets from IIS01 memory, so we can load offense\administrator ticket TGT into the current session and assume its privileges:
..but before we proceed with pass-the-ticket
attack and become a DA, let's try PSRemoting to the DC01
from IIS01
and check currently available kerberos tickets in a current logon session - just to make sure we currently do not have DA rights:
Above screenshow shows that there are no tickets and PSSession could not be established - as expected.
Let's now proceed and import the previously dumped offense\administrator TGT into our current logon session on the IIS01
host:
Once the TGT is imported on IIS01, let's check available tickets and try connecting to the DC01
again:
As you can see from the above screengrab, the IIS01
system now contains a krbtgt
for offense\administrator, which enables this session to access DC01
C$ share and establish a PSSession with an interactive shell with Domain admin privileges.
Reminder
Note that successful authentication to ANY service on the IIS01 will cache the authenticated user's TGT. Below is an example of a user offense\delegate
accessing a share on IIS01
- the TGT gets cached:
Mitigation
Some of the available mitigations:
Disable kerberos delegation where possible
Be cautious of whom you give privilege Enable computer and user accounts to be trusted for delegation - these are users who can enable unrestricted kerberos delagation
Enable Account is sensitive and cannot be delegated for high privileged accounts
References
Last updated