Playing with Microsoft Unconstrained Delegation Permissions

Why should you remove Kerberos unconstrained delegation?

In simple terms, unconstrained delegation lets a service impersonate the user who authenticated to it against any other service in the domain. For example, suppose an in-house web application runs on an IIS server whose computer account is configured for unconstrained delegation, the site uses Windows (Kerberos) authentication, and a domain admin browses the application from a domain-joined workstation. What could be wrong with browsing an application hosted on a server with unconstrained delegation enabled? The domain admin's forwardable TGT (ticket granting ticket) is sent along with the service ticket and cached in the IIS server's LSASS process. Anyone with local admin on that server can extract the TGT and replay it as the domain admin. Worst case? The attacker uses that domain admin session to dump the KRBTGT account hash from a domain controller, forges golden tickets (and, with service account hashes, silver tickets), and uses them to access, pivot and persist in the network.

Sean Metcalf has a brilliant description of unconstrained delegation (How Compromise of a Single Server Can Compromise the Domain). Link here.

Link by Harmj0y on better weaponizing constrained delegation abuse.

fileshare.cryptolab.local properties showing delegation enabled.

Attack Scenario:

Assume you have compromised a file server that has unconstrained delegation enabled and hosts an SMB share that users access remotely.

Lab setup:

fileshare.cryptolab.local 192.168.1.21 (file server with unconstrained delegation; Windows Server 2012 R2 hosting the SMB share)

primary.cryptolab.local 192.168.1.18 (primary domain controller)

secondary.cryptolab.local 192.168.1.19 (secondary domain controller)

windows10.cryptolab.local 192.168.1.22 (Windows 10 client used to access the smbservice share with domain administrator credentials)

Figure 2: Configuring the SMB share on fileshare.cryptolab.local.

The C:\smbservice folder is shared from the file share server.

Figure 3: The smbservice folder shared.

The file share server's computer account is configured with "Trust this computer for delegation to any service (Kerberos only)", i.e. unconstrained delegation.

Figure 4: File share server properties set to trust this computer for delegation to any service (this is, of course, very bad).

Accessing the share from the Windows 10 Enterprise client with domain admin (DA) privileges.

Figure 5: Because the server is trusted for unconstrained delegation, the client sends the DA's forwardable TGT along with the CIFS service ticket (TGS), and LSASS (Local Security Authority Subsystem Service) on the file server caches that TGT. The DA TGT now sits in memory waiting for an attacker to extract it and create a new valid session.

klist on fileshare.cryptolab.local shows that I am currently logged in as servicedeskuser, who is only a local administrator on the server (not a domain admin).

Figure 6: klist shows a valid Kerberos session for servicedeskuser (not a domain admin yet).

servicedeskuser has local admin access, so Mimikatz can extract every Kerberos ticket cached in LSASS (privilege::debug, then sekurlsa::tickets /export).

Among the exported tickets is one with Client Name: Administrator whose service is krbtgt, i.e. the domain admin's TGT. Under normal Kerberos the file server would only ever hold the Administrator's CIFS service ticket (TGS); receiving the full TGT is the expected behavior of unconstrained delegation, and that TGT can be used to impersonate the Administrator against any service.

Figure 7: Domain admin Kerberos session (TGT) cached on the file share server.

Pass the Ticket (PtT) using the extracted Administrator (DA) TGT.

Figure 8: The Kerberos ticket is re-injected into memory (valid domain admin session).

Run klist to validate that the ticket was injected successfully.

Figure 9: Cached ticket with domain admin privileges.

Listing the C:\ directory on the domain controller using the injected TGT.

Figure 10: Authentication to the domain controller with the TGT.

Why stop here when you have a domain admin Kerberos session that stays valid for 8 hours (the default maximum TGT lifetime in a domain is 10 hours, and the ticket is renewable for up to 7 days)?

Extracting the KRBTGT hash: my previous OWASP Red Team talk walks step by step through extracting the Kerberos master key (the krbtgt account hash) and creating golden/silver tickets. (Link to OWASP PowerPoint)

Armed with the KRBTGT hash (dumped from the domain controller using the domain admin session), we go ahead and create a golden ticket that grants access to the domain controllers, the file share server and the fully patched Windows 10 Enterprise client alike. Patch level is irrelevant here: a ticket forged with the krbtgt key is cryptographically valid.

Figure 11: Golden ticket created for the user fakeadmin (fakeadmin.ccache).

Shell on the primary domain controller as fakeadmin (golden ticket).

Figure 12: wmiexec.py run with the -k and -no-pass flags so it authenticates with the fakeadmin.ccache ticket (via KRB5CCNAME) instead of a password.

Mitigation:

  • Avoid delegation altogether if your environment can work without it.
  • Where delegation is required, use constrained delegation (ideally resource-based) scoped to the specific services needed, never "any service".
  • Mark privileged accounts as "Account is sensitive and cannot be delegated" and add them to the Protected Users group, so their TGTs are never forwarded, even to a server that is trusted for delegation.
  • Give service accounts long, complex passwords (or use group Managed Service Accounts) so their service tickets cannot be cracked offline.
  • Audit users and computers with delegation enabled regularly; only domain controllers should be trusted for unconstrained delegation.
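The following PowerShell script is an added example and not code from the original post. It implements the audit and remediation steps above for the lab domain: it finds every account carrying the same "trust this computer for delegation to any service" setting shown in Figure 4, lists constrained delegation as well, reports Domain Admins whose TGTs can still be forwarded, and, when `$Remediate` is set, clears the flag on fileshare and protects those admins. It assumes the RSAT ActiveDirectory module and an account with rights to read and modify the objects; the domain and host names come from the post, while the `$Remediate` switch and the report layout are my own.

```powershell
# Added example (not from the original post). Audits Kerberos delegation
# settings and, if $Remediate is $true, removes unconstrained delegation from
# the file server and hardens Domain Admins. Assumes the RSAT ActiveDirectory
# module and rights to read/modify the objects (run as a domain admin).
param(
    [string]$FileServer = 'fileshare',   # computer account from the post (sAMAccountName fileshare$)
    [bool]$Remediate    = $false         # dry run unless explicitly set
)
Import-Module ActiveDirectory

# userAccountControl bits (MS-SAMR / MS-ADTS)
$TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained: "Trust this computer for delegation to any service"
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained with protocol transition ("use any authentication protocol")
$NOT_DELEGATED                  = 0x100000   # "Account is sensitive and cannot be delegated"

# LDAP matching rule 1.2.840.113556.1.4.803 is a bitwise AND, so this filter
# returns every user or computer object with the unconstrained bit set.
$uacBitFilter  = "(userAccountControl:1.2.840.113556.1.4.803:=$TRUSTED_FOR_DELEGATION)"
$unconstrained = Get-ADObject -LDAPFilter "(&(|(objectClass=user)(objectClass=computer))$uacBitFilter)" `
                              -Properties userAccountControl, servicePrincipalName, primaryGroupID

"=== Unconstrained delegation ==="
foreach ($obj in $unconstrained) {
    # Writable DCs (primaryGroupID 516, Domain Controllers) legitimately carry this bit;
    # anything else is exactly the Figure 4 misconfiguration.
    $isDC    = ($obj.primaryGroupID -eq 516)
    $finding = if ($isDC) { 'expected (domain controller)' } else { 'REMOVE: unconstrained delegation' }
    [pscustomobject]@{
        Name    = $obj.Name
        Class   = $obj.ObjectClass
        SPNs    = ($obj.servicePrincipalName -join ';')
        Finding = $finding
    }
}

"=== Constrained delegation (msDS-AllowedToDelegateTo) ==="
Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' -Properties 'msDS-AllowedToDelegateTo', userAccountControl |
    ForEach-Object {
        [pscustomobject]@{
            Name               = $_.Name
            AllowedTo          = ($_.'msDS-AllowedToDelegateTo' -join ';')
            # $true means the service may impersonate any user without ever seeing their ticket
            ProtocolTransition = (($_.userAccountControl -band $TRUSTED_TO_AUTH_FOR_DELEGATION) -ne 0)
        }
    }

"=== Domain Admins whose TGT can still be forwarded ==="
$das = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
       Where-Object objectClass -eq 'user' |
       Get-ADUser -Properties userAccountControl, memberOf
# Exposed if neither the NOT_DELEGATED bit is set nor the account is in Protected Users.
$exposed = $das | Where-Object {
    (($_.userAccountControl -band $NOT_DELEGATED) -eq 0) -and
    (-not ($_.memberOf -match '^CN=Protected Users,'))
}
$exposed | Select-Object SamAccountName, DistinguishedName

if ($Remediate) {
    # Clear "trust this computer for delegation to any service" on the file server.
    Get-ADComputer -Identity $FileServer | Set-ADAccountControl -TrustedForDelegation $false

    foreach ($da in $exposed) {
        Set-ADAccountControl -Identity $da -AccountNotDelegated $true
        # Protected Users also blocks NTLM, RC4/DES and long-lived tickets for the
        # member, so test on one account before rolling out to every admin.
        Add-ADGroupMember -Identity 'Protected Users' -Members $da
    }
}
```

Run it once without arguments to get the report; in a healthy domain the only objects under "Unconstrained delegation" should be the domain controllers, and the Domain Admins section should be empty. Re-run with `-Remediate $true` to apply the changes, then repeat the Figure 5 test: with the DA in Protected Users, the client no longer forwards a TGT to fileshare even while the server is still trusted for delegation, and the Mimikatz export in Figure 7 yields only the CIFS service ticket.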