Unconstrained Delegation

Unconstrained Delegation & Printer Bug

• What it is: A configuration where a service account can impersonate any user to any service after authentication.

• How it works: When a user authenticates to a service (e.g., a web server) with unconstrained delegation, their credentials are cached on that service. This allows the service to request access to other resources on behalf of the user.

• Security Risk: If an attacker compromises a service account with unconstrained delegation, they can impersonate any user, including domain admins, to access other services and resources within the domain.

How do we trick a high priv user to authenticate to a machine with Unconstrained Delegation?

Printer Bug:

1. What it is: An attack that exploits the way Windows handles printer requests, allowing an attacker to coerce a domain controller to authenticate to a machine controlled by the attacker.

2. How it works:

   • An attacker sends a printer request to a domain controller.

   • The domain controller responds by authenticating to the attacker-controlled machine using the machine's account credentials.

3. Security Risk: When combined with unconstrained delegation, this allows the attacker to capture the domain controller’s credentials. With these credentials, they can perform actions as the domain controller, leading to full domain compromise.

Exploitation Flow:

1. Compromise a machine with unconstrained delegation:

   • The attacker identifies and compromises a service account or machine with constrained delegation enabled.

2. Trigger the Printer Bug:

   • The attacker uses the Printer Bug to force a domain controller to authenticate to their controlled machine.

3. Capture the credentials:

   • The domain controller's credentials are cached on the compromised machine due to unconstrained delegation.

4. Impersonate the domain controller:

   • With the captured credentials, the attacker can now impersonate the domain controller and perform actions across the domain.