Bronze Bit

CVE-2020-17049

Theory

When abusing Kerberos delegations, S4U extensions usually come into play. One of those extensions is S4U2proxy. Constrained and Resource-Based Constrained delegations rely on that extension. A requirement to be able to use S4U2proxy is to present an additional service ticket as evidence (usually obtained through a prior S4U2self request). That ticket needs to have the forwardable flag set. There are a few reasons why that flag wouldn't be set on a ticket

In 2020, the "bronze bit" vulnerability (CVE-2020-17049) was disclosed, allowing attackers to edit a ticket and set the forwardable flag.
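The forwardable flag sits in the ticket's encrypted part alongside the other TicketFlags (RFC 4120, MSB-first bit numbering), which is why tampering with it requires the service's own key. The following decoder, added here as an example and not part of the original page or of Impacket, shows where the flag lives and checks whether a ticket would be accepted as S4U2proxy evidence; the sample byte strings are constructed, not captured from a real ticket.

```python
# Added example (not from the original page): decode Kerberos TicketFlags as
# defined in RFC 4120 section 5.3. KerberosFlags is an ASN.1 BIT STRING where
# bit 0 is the most significant bit of the first octet, so "forwardable"
# (bit 1) is mask 0x40 in the first byte.
from typing import Dict

# Bit numbers from RFC 4120 section 5.3 (TicketFlags).
TICKET_FLAGS = {
    0: "reserved",
    1: "forwardable",
    2: "forwarded",
    3: "proxiable",
    4: "proxy",
    5: "may-postdate",
    6: "postdated",
    7: "invalid",
    8: "renewable",
    9: "initial",
    10: "pre-authent",
    11: "hw-authent",
    12: "transited-policy-checked",
    13: "ok-as-delegate",
}

def decode_ticket_flags(raw: bytes) -> Dict[str, bool]:
    """Map a 4-octet TicketFlags payload to named booleans."""
    if len(raw) != 4:
        raise ValueError("TicketFlags is a 32-bit field")
    value = int.from_bytes(raw, "big")
    # Bit n (MSB-first numbering) corresponds to mask 1 << (31 - n).
    return {name: bool(value & (1 << (31 - bit))) for bit, name in TICKET_FLAGS.items()}

def usable_as_s4u2proxy_evidence(raw: bytes) -> bool:
    """S4U2proxy only accepts an evidence ticket whose forwardable flag is set
    (the flag the bronze bit technique toggles) and which is not marked invalid."""
    flags = decode_ticket_flags(raw)
    return flags["forwardable"] and not flags["invalid"]

# Constructed sample values (not from a real ticket): renewable + pre-authent
# only, as the KDC issues for an S4U2self ticket when the requesting account
# lacks protocol transition; then the same flags with forwardable also set.
SAMPLE_NOT_FORWARDABLE = bytes.fromhex("00a00000")
SAMPLE_FORWARDABLE = bytes.fromhex("40a00000")

if __name__ == "__main__":
    for label, raw in (("not forwardable", SAMPLE_NOT_FORWARDABLE),
                       ("forwardable", SAMPLE_FORWARDABLE)):
        names = [n for n, v in decode_ticket_flags(raw).items() if v]
        print(f"{label}: {names} -> evidence usable: {usable_as_s4u2proxy_evidence(raw)}")
```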

Practice

The Impacket script getST (Python) can perform all the necessary steps to edit a ticket's flags and obtain a ticket through S4U2proxy to act as another user on a target service (in this case, "Administrator" is the impersonated/delegated account, but it can be any user in the environment).

The input credentials are those of the compromised service account configured for constrained delegations.

getST.py -force-forwardable -spn $Target_SPN -impersonate Administrator -dc-ip $Domain_controller -hashes :$Controlled_service_NThash $Domain/$Controlled_service_account

The SPN (ServicePrincipalName) set will have an impact on what services will be reachable. For instance, cifs/target.domain or host/target.domain will allow most remote dumping operations (more info on adsecurity.org).
