Introduction
Post Windows 2000, Microsoft
introduced an option where users could authenticate to one system via Kerberos
and work with another system. This was made possible via delegation option.
Unconstrained delegation is achieved via TGT forwarding technique which is what
we’ll talk about in this article.
Kerberos Delegation
Kerberos Delegation
enables a service to impersonate a computer or user in order to engage with a
second service using the user's privileges and permissions.
The classic
illustration of why delegating is necessary, for instance when a user
authenticates to a web server using Kerberos or other protocols, and the server
wishes to interact with a SQL backend or file server.
Type of Kerberos Delegation:
·
Unconstrained
delegation
·
Constrained
delegation
·
RBCD (Resource Based
Constrained Delegation)
Service Principal Name
A unique name (identifier) of a
service instance. SPNs are used by Kerberos authentication to associate a
service instance with a service logon account. This allows a client application
to request that the service authenticate an account even if the client does not
have account name.
Unconstrained Delegation
The feature debut initially in
Windows Server 2000 but it is still there for backwards compatibility.
Basically, if a user requests a service ticket for a service on a server set
with unconstrained delegation, that server will extract user’s TGT and cache it
in its memory for later use. Which means, server can pretend to be that user to
any resource on the domain.
On a computer account, an admin
can set the following property for unconstrained delegation.
·
AD Users and
Computers -> Computers -> Trust this computer for delegation to any
service.
Key features of unconstrained
delegation are:
·
Usually, the
privilege is given to computers running services like IIS, MSSQL because these
computers usually require some back-end connectivity to other resources.
·
When given Delegation
rights, these computers ask for a user’s TGT and store them in their cached
memory.
·
With this TGT, they
can access back-end resource on behalf of the authenticated user.
·
Catch is that these
systems can also request access to any resource on the domain using this TGT!
An attacker may Abuse Unconstrained
Delegation by requesting TGS for any domain services (SPN) using user delegated
TGT.
TGT extraction via Unconstrained
Delegation
It is obvious that we need to run
our attack on the machine that has delegation enabled. So we are assuming the
attacker has compromised one such machine. Assumption 1: Attacker compromised
DC1$ system running IIS on Kerberos authentication.
·
Assumption 2: Attacker
has access to a domain joined system (Here, powershell window running on that
system)
·
User: Administrator
Now, in real life scenario you
might not have direct access to DC system for simplicity we have installed IIS
on DC and using that only so that you get the gist.
Moving on with our extraction, we
need to learn the systems that have unconstrained delegation enabled. This can
be done by using PowerShell and AD module.
Get-ADComputer
-Filter {TrustedForDelegation -eq $true} -Properties trustedfordelegation,serviceprincipalname,description
The same can also be achieved by
using the powerview script which is part of the PowerSploit framework created
for offensive security using PowerShell. You can find it here.
Once an AD system is compromised,
you can install and use powerview.
Import-Module
.\powerview.ps1
Get-NetComputer
-Unconstrained
Now, on the target system we need
to run Rubeus in monitor mode on the dc1 system. After that, whenever a user
connects/authenticates to dc1$ Rubeus will dump TGT of the user.
rubeus.exe monitor
/monitorinterval:10 /targetuser:dc1$ /nowrap
Now, let’s wait for genuine users
to connect to dc1$ running IIS service. For simplicity, let’s do that manually
using the IWR module.
Invoke-WebRequest
http://dc1.offense.local -UseDefaultCredentials -UseBasicParsing
As you can see, Rubeus has now
captured a new ticket granting ticket (TGT) from the user IGNITE\Administrator.
Now, you can use this TGT to
request access to any resource by requesting a TGS to that resource. You can
use Rubeus asktgs for that purpose. Follow detailed Rubeus guide here for more.
Conclusion
The article demonstrated a
delegation technique called Unconstrained Delegation because as the name
suggests, there are no restrictions upon how the system that has delegation
rights use a user’s authentication information. The security loopholes made
Microsoft introduce Constrained Delegation. You’ll read more about that in the
next article. Hope you liked the article. Thanks for reading.
References: https://www.harmj0y.net/blog/activedirectory/
0 comments:
Post a Comment