Why you should remove Kerberos unconstrained delegation
In simple terms, unconstrained delegation gives a service the ability to impersonate your account to another service. For example, suppose you have an in-house custom web application running on a Windows IIS web server, the application pool is configured with unconstrained delegation, the server has Windows authentication enabled, and a domain admin browses the in-house application from his or her domain-joined workstation. You might think, so what's wrong with browsing an application that has unconstrained delegation enabled? Well... the domain admin's TGT (ticket-granting ticket) is copied into the IIS web server's LSASS memory, which means anyone with local admin on that server can extract the valid ticket-granting ticket and resubmit the domain admin's ticket. Worst-case scenario? The attacker could obtain the KRBTGT account hash from a domain controller and use that hash to create golden/silver tickets, then access, pivot and persist in the network.
Sean Metcalf's brilliant description of unconstrained delegation (How a Compromise of a Single Server Can Compromise the Domain): Link here.
Link by Harmj0y on better weaponization of constrained delegation abuse.
fileshare.cryptolab.local properties with delegation enabled.
Assume you have compromised a file server that has unconstrained delegation enabled and runs an SMB share service allowing users to access the share remotely. The lab hosts are:
- fileshare.cryptolab.local 192.168.1.21 (server with unconstrained delegation)
- primary.cryptolab.local 192.168.1.18 (primary domain controller)
- secondary.cryptolab.local 192.168.1.19 (secondary domain controller)
- windows10.cryptolab.local 192.168.1.22 (Windows 10 client used to access the smbservice share with domain administrator credentials)
The file server is a Server 2012 R2 server running the SMB share service.
Figure 2: Configuring the SMB share on fileshare.cryptolab.local.
The c:\smbservice folder is shared on the file share server.
Figure 3: The smbservice folder shared.
The file share server is configured with unconstrained delegation to any service (Kerberos only).
Figure 4: File share server properties set to "Trust this computer for delegation to any service (Kerberos only)" (this is of course very bad).
Accessing the shared folder from Windows 10 Enterprise with Domain Admin (DA) privileges.
Figure 5: Because of unconstrained delegation, the DA's TGT (not just a TGS service ticket) is copied into the file server's Local Security Authority Subsystem Service (LSASS). The DA TGT is now waiting for an attacker to extract it and create a new valid session.
klist on fileshare.cryptolab.local shows I am currently logged in as servicedeskuser, who is a local administrator only (not a domain admin).
Figure 6: klist shows a valid Kerberos session key (not a domain admin yet).
servicedeskuser has local admin access, so Mimikatz can extract all the existing Kerberos tickets (privilege::debug > sekurlsa::export tickets).
Client Name: Administrator. The Ticket Granting Ticket of a valid Kerberos session has been copied into LSASS so the server can impersonate the user to SMB services, rather than only a Ticket Granting Service (TGS) ticket; this is the expected behaviour of unconstrained delegation.
Figure 7: Domain Admin Kerberos session on the file share server.
Pass the Ticket (PtT) using the extracted Administrator (DA) ticket.
Figure 8: Kerberos ticket re-injected into memory (valid Domain Admin session).
The klist command validates that the ticket was successfully injected.
Figure 9: Cached ticket with domain admin privileges.
Listing the C:\ directory on the domain controller using the valid TGT.
Figure 10: Authentication to the domain controller with the TGT.
Why stop here when you have an 8-hour valid domain admin Kerberos session?
Armed with the KRBTGT hash obtained through domain admin access, we go ahead and create golden tickets to gain access to the domain controller, the file share server and a fully patched Windows 10 Enterprise machine.
Figure 11: Golden ticket created for the user fakeadmin (fakeadmin.ccache).
Shell on the primary domain controller as the fakeadmin user (golden ticket).
Figure 12: wmiexec with the -k and -no-pass flags set, using the fakeadmin.ccache ticket instead of password-based authentication.
- Avoid using delegation altogether if that works in your environment.
- Use constrained delegation instead of unconstrained delegation.
- Set service accounts with complex, strong passwords.
- Audit users and services with delegation enabled.
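One way to carry out the last item, an audit of every account in the domain with delegation enabled, as an added example that is not from the original post. It assumes the ActiveDirectory PowerShell module (RSAT) and a domain-joined session with read access to the directory; the host names in the comments are the lab's.

```powershell
# Added example: audit Active Directory accounts for delegation settings.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory

# userAccountControl bit TRUSTED_FOR_DELEGATION (0x80000 = 524288) marks
# unconstrained delegation. The matching rule OID below is a bitwise AND.
$uncFilter = '(userAccountControl:1.2.840.113556.1.4.803:=524288)'
$props = 'userAccountControl','msDS-AllowedToDelegateTo','servicePrincipalName'

# Domain controllers legitimately carry this bit; exclude them so the report
# highlights member servers (e.g. fileshare.cryptolab.local) and service accounts.
$dcs = @((Get-ADDomainController -Filter *).ComputerObjectDN)

$unconstrained = @(Get-ADComputer -LDAPFilter $uncFilter -Properties $props) +
                 @(Get-ADUser     -LDAPFilter $uncFilter -Properties $props)

$findings = @(foreach ($acct in $unconstrained) {
    if ($dcs -contains $acct.DistinguishedName) { continue }
    [pscustomobject]@{
        Account    = $acct.SamAccountName
        Type       = $acct.ObjectClass
        Delegation = 'Unconstrained'
        SPNs       = ($acct.servicePrincipalName -join ';')
        DN         = $acct.DistinguishedName
    }
})

# Constrained delegation: msDS-AllowedToDelegateTo lists the permitted targets.
$conFilter = '(msDS-AllowedToDelegateTo=*)'
$constrained = @(Get-ADComputer -LDAPFilter $conFilter -Properties $props) +
               @(Get-ADUser     -LDAPFilter $conFilter -Properties $props)

$findings += @(foreach ($acct in $constrained) {
    [pscustomobject]@{
        Account    = $acct.SamAccountName
        Type       = $acct.ObjectClass
        Delegation = 'Constrained -> ' + ($acct.'msDS-AllowedToDelegateTo' -join ';')
        SPNs       = ($acct.servicePrincipalName -join ';')
        DN         = $acct.DistinguishedName
    }
})

# Unconstrained rows are the ones to remove or convert to constrained delegation.
$findings | Sort-Object Delegation, Account | Format-Table -AutoSize
```

Run it periodically and diff the output against the previous run, so that a server newly set to "Trust this computer for delegation to any service" shows up before an attacker finds it.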