search
The Hacker's Notes
githubEdit

Kerberos Unconstrained Delegation

This lab explores a security impact of unrestricted kerberos delegation enabled on a domain computer.

Overview

  • Unrestricted kerberos delegation is a privilege that can be assigned to a domain computer or a user;

  • Usually, this privilege is given to computers (in this lab, it is assigned to a computer IIS01) running services like IIS, MSSQL, etc.;

  • Those services usually require access to some back-end database (or some other server), so it can read/modify the database on the authenticated user's behalf;

  • When a user authenticates to a computer that has unrestricted kerberos delegation privilege turned on, authenticated user's TGT ticket gets saved to that computer's memory;

  • The reason TGTs get cached in memory is so the computer (with delegation rights) can impersonate the authenticated user as and when required for accessing any other services on that user's behalf.

Essentially this looks like so: User --- authenticates to ---> IIS server ---> authenticates on behalf of the user ---> DB server

Any user authentication (i.e CIFS) to the computer with unconstrained delegation enabled on it will cache that user's TGT in memory, which can later be dumped and reused by an adversary.

Setup

Let's give one of our domain computers/our victim computer IIS01 unrestricted kerberos delegation privilege:

To confirm/find computers on a domain that have unrestricted kerberos delegation property set:

We can see our victim computer IIS01 with TrustedForDelegation field set to $true — we are good to attack:

Execution

1

hashtag
Inspect IIS01 memory for Kerberos tickets

On the computer IIS01 with kerberos delegation rights, run mimikatz to list tickets:

Example output:

Note: At this point we do not have a TGT for offense\administrator.

2

hashtag
Trigger authentication from a privileged user

From DC01 (as offense\administrator) send an HTTP request to IIS01 so the privileged user's TGT is cached on IIS01:

You should see an HTTP 200 OK response:

3

hashtag
Re-inspect IIS01 memory for the new TGT

Check IIS01 again for kerberos tickets:

You should now see a TGT for offense\administrator in IIS01 memory:

This indicates the domain has effectively been compromised.

4

hashtag
Export Kerberos tickets from IIS01

Export all kerberos tickets from IIS01 memory so the administrator TGT can be reused:

Example UI:

5

hashtag
Validate current session and import the TGT (Pass-the-Ticket)

Before importing, you can attempt a PSRemoting to DC01 from IIS01 to confirm you currently lack DA rights.

Import the dumped offense\administrator TGT into the current session on IIS01:

After importing, check available tickets and connect to DC01 (C$ or PSSession). The session should now contain a krbtgt for offense\administrator and enable access with Domain Admin privileges:

Reminder

Note that successful authentication to ANY service on the IIS01 will cache the authenticated user's TGT. Below is an example of a user offense\delegate accessing a share on IIS01 — the TGT gets cached:

Mitigation

Some of the available mitigations:

  • Disable kerberos delegation where possible.

  • Be cautious of whom you give privilege "Enable computer and user accounts to be trusted for delegation" — these are users who can enable unrestricted kerberos delegation.

  • Enable "Account is sensitive and cannot be delegated" for high privileged accounts.

References

Privacy

This site uses cookies to deliver its service and to analyze traffic. By browsing this site, you accept the privacy policy: https://policies.google.com/privacy?hl=en-US

PreviousKerberoasting: Requesting RC4 Encrypted TGS when AES is EnabledNextKerberos Constrained Delegation

Last updated