Domain Escalation: Unconstrained Delegation – Hacking Articles

Introduction

Post-Windows 2000, Microsoft introduced an option where users could authenticate to one system via Kerberos and work with another system. This was made possible via the delegation option. Unconstrained delegation is achieved via TGT forwarding technique which is what we’ll talk about in this article.

Kerberos Delegation

Kerberos Delegation enables a service to impersonate a computer or user in order to engage with a second service using the user’s privileges and permissions.

The classic illustration of why delegating is necessary, for instance when a user authenticates to a web server using Kerberos or other protocols, and the server wishes to interact with a SQL backend or file server.

Type of Kerberos Delegation:

  • Unconstrained delegation
  • Constrained delegation
  • RBCD (Resource-Based Constrained Delegation)

Service Principal Name

A unique name (identifier) of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. This allows a client application to request that the service authenticate an account even if the client does not have an account name.

Unconstrained Delegation

The feature debuted initially in Windows Server 2000 but it is still there for backwards compatibility. Basically, if a user requests a service ticket for a service on a server set with unconstrained delegation, that server will extract the user’s TGT and cache it in its memory for later use. This means the server can pretend to be that user to any resource on the domain.

On a computer account, an admin can set the following property for unconstrained delegation.

  • AD Users and Computers -> Computers -> Trust this computer for delegation to any service.

Key features of the unconstrained delegation are:

  • Usually, the privilege is given to computers running services like IIS, and MSSQL because these computers usually require some back-end connectivity to other resources.
  • When given Delegation rights, these computers ask for a user’s TGT and store them in their cached memory.
  • With this TGT, they can access back-end resources on behalf of the authenticated user.
  • Catch is that these systems can also request access to any resource on the domain using this TGT!

An attacker may Abuse Unconstrained Delegation by requesting TGS for any domain services (SPN) using user delegated TGT.

TGT extraction via Unconstrained Delegation

It is obvious that we need to run our attack on the machine that has delegation enabled. So we are assuming the attacker has compromised one such machine. Assumption 1: Attacker compromised DC1$ system running IIS on Kerberos authentication.

  • Assumption 2: Attacker has access to a domain-joined system (Here, powershell window running on that system)

Now, in real-life scenario, you might not have direct access to the DC system for simplicity we have installed IIS on DC and using that only so that you get the gist.

Moving on with our extraction, we need to learn the systems that have unconstrained delegation enabled. This can be done by using PowerShell and AD module.

Get-ADComputer -Filter {TrustedForDelegation -eq $true} -Properties trustedfordelegation,serviceprincipalname,description

The same can also be achieved by using the powerview script which is part of the PowerSploit framework created for offensive security using PowerShell. You can find it here.

Once an AD system is compromised, you can install and use powerview.

Import-Module .\powerview.ps1
Get-NetComputer -Unconstrained

Now, on the target system we need to run Rubeus in monitor mode on the dc1 system. After that, whenever a user connects/authenticates to dc1$ Rubeus will dump TGT of the user.

rubeus.exe monitor /monitorinterval:10 /targetuser:dc1$ /nowrap

Now, let’s wait for genuine users to connect to dc1$ running IIS service. For simplicity, let’s do that manually using the IWR module.

Invoke-WebRequest http://dc1.offense.local -UseDefaultCredentials -UseBasicParsing

As you can see, Rubeus has now captured a new ticket granting ticket (TGT) from the user IGNITE\Administrator.

Now, you can use this TGT to request access to any resource by requesting a TGS to that resource. You can use Rubeus asktgs for that purpose. Follow the detailed Rubeus guide here for more.

Conclusion

The article demonstrated a delegation technique called Unconstrained Delegation because as the name suggests, there are no restrictions upon how the system that has delegation rights use a user’s authentication information. The security loopholes made Microsoft introduce Constrained Delegation. You’ll read more about that in the next article. Hope you liked the article. Thanks for reading.

References: https://www.harmj0y.net/blog/activedirectory/

Author: Harshit Rajpal is an InfoSec researcher and left and right brain thinker. Contact here

Start a discussion …