Sunday, December 22, 2024
HomeInformation SecurityAttacking Kerberos Unconstrained Delegation | by Nairuz Abulhul | R3d Buck3T

Attacking Kerberos Unconstrained Delegation | by Nairuz Abulhul | R3d Buck3T


Belief this consumer/laptop for delegation to any service

Credit to marcoventuriniautieri

Delegation is the act of giving somebody authority or duty to do one thing on behalf of another person. An analogous idea is utilized within the Lively Listing surroundings; delegation permits an account with the delegate property to impersonate one other account to entry sources inside the community.

There are three (3) recognized kinds of delegations allowed with Kerberos: Unconstrained, Constrained, and Useful resource-based constrained delegations. For this publish, we are going to concentrate on abusing the primary sort — Unconstrained delegation. We’ll study to abuse it throughout a pentest engagement to carry out a privilege escalation to the next degree consumer such because the area admin😈.

The assault demonstration steps might be on the Pentester Academy Lively Listing Lab by Nikhil Mittal related to the CRTP course.

📝KEY CONCEPTS

  • Unconstrained Delegation Overview
  • Evaluation Circulation
  • Assault Necessities
  • Escalation Vectors
  • Used Instruments
  • Demonstration Steps
  • Mitigation
  • References

Unconstrained delegation permits a consumer or laptop with the choice “Belief This consumer/laptop for delegation to any service” enabled to impersonate ANY consumer authenticates to it and request entry to ANY service.

The consumer can entry the service, whether or not hosted on the authenticated server or hosted on one other server on the identical or a distinct area.

Determine 1 — exhibits the configuration of Unconstrained Delegation for a pc
Determine 2 — exhibits the configuration of Unconstrained Delegation for a consumer

To grasp it higher, let’s take an instance of a consumer authenticating to an internet server and desires to request knowledge from different servers like SQL, Utility, or Mail that aren’t hosted on that net server; they’re hosted on totally different servers as within the case under.

With out delegation, the webserver can’t present the requested info from different providers because it doesn’t have permission to speak to those providers instantly.

Determine 3— exhibits the delegation possibility is disabled on the internet server

Nevertheless, if the delegation is enabled, the online server can impersonate the authenticated consumer (common consumer or service account) and fetch the requested info on behalf of the consumer as if it was the consumer themselves accessing the service instantly.

Determine 4 — exhibits the delegation possibility is enabled on the internet server

Impression

Suppose we compromise a service account with administrator privileges via an assault like Kerberoasting, and that account is related to a pc with the “Unconstrained Delegation” function enabled. On this case, we are able to dump the TGT tickets of all accounts authenticated to the webserver, impersonate any consumer we would like, and ask the Kerberos area controller (KDC) for any service tickets we want to entry.

The large and dangerous a part of that sort of delegation is that if the area admin have been one of many customers authenticated to the server, we might be capable to impersonate the DA with their TGT ticket and entry any useful resource on the community with area admin privileges 🎲

Let’s bounce into the delegation move with the Kerberos Authentication:

1- A consumer authenticates to the KDC (Kerberos Area Controller) by sending an encrypted request with their credentials. The KDC verifies their id, and sends the consumer a TGT ticket.

2- The consumer receives the TGT ticket and sends it again to the KDC, requesting a service ticket for a particular service, let’s say an internet service. The KDC checks the TGT validity and sends again the service ticket (TGS) for the requested service.

3- At this level, the consumer can use the service ticket (TGS) to entry the requested net service. Nevertheless, if the requested service just like the net service in our instance must entry one other service like SQL, the consumer should acquire a Forwardable TGT ticket to cross it to the online service together with the TGS ticket.

Determine 5 — exhibits the consumer sending the forwardable TGT and TGS to the online server

5- The net server caches the consumer’s Forwardable TGT domestically and makes use of it to request a TGS ticket from the KDC to entry the SQL service on behalf of the consumer.

Determine 6 — exhibits the online server impersonates the consumer with the forwardable TGT and ask for a SQL TGS

6- The KDC verifies the offered TGT and offers the webserver with the SQL TGS to entry the SQL server because the consumer.

Determine 7— exhibits the online server accesses the SQL server with the SQL TGS

◼️ Determine The Delegated Host

We are able to use the PoweView script from PowerSploit or the AD module to find out if the delegation possibility is enabled by inspecting the Trusted delegation property worth set as True.

For the PowerView, use the Get-NetComputer -UnConstrained command.

Determine 8 — exhibits the PowerView command for returning unconstrained delegation accounts

And for the AD Module, use the Get-ADComputer cmdlet and filter for the TrustedForDelegation property.

Get-ADComputer -Filter {TrustedForDelegation -eq $true} -Properties trustedfordelegation,serviceprincipalname,description

As we see within the under instance, the command returned 2 (two) computer systems the area controller (DCORP-DC) and the app server (DCORP-APPSRV).

Determine 9 — exhibits the AD module returned the computer systems which have TrustedForDelegation property set as True

◼️ Entry The Recognized Server

This step assumes that you’ve entry to the delegated machine as an admin. In my entry, I compromised the machine through the use of the appadmin hash obtained whereas dumping the hashes on one other machine. I then used overpass the hash to entry the dcorp-appsrv server because the appadmin consumer.

Determine 10 — exhibits overpass the hash with the appadmin account
Determine 11 — exhibits we have now PS remoting session on the dcorp-appsrv machine as appadmin

◼️ Export All TGT Tickets

Since we’re the native admin on the delegated machine, I uploaded the Invoke-Mimkatz script with PS Remoting (the machine has WinRM Service open), and dumped all the cached TGT tickets.

▪️ Create PS session

$session = New-PSSession -Pc ComputerNAEM

Copy the Invoke-Mimikatz file to the distant machine. You have to to bypass AMSI to make use of it.

sET-ItEM ( ‘V’+’aR’ + ‘IA’ + ‘blE:1q2’ + ‘uZx’ ) ( [TYpE]( “{1}{0}”-F’F’,’rE’ ) ) ; ( GeT-VariaBle ( “1Q2U” +”zX” ) -VaL ).”A`ss`Embly”.”GET`TY`Pe”(( “{6}{3}{1}{4}{2}{0}{5}” -f’Util’,’A’,’Amsi’,’.Administration.’,’utomation.’,’s’,’System’ ) ).”g`etf`iElD”( ( “{0}{2}{1}” -f’amsi’,’d’,’InitFaile’ ),( “{2}{4}{0}{1}{3}” -f ‘Stat’,’i’,’NonPubli’,’c’,’c,’ )).”sE`T`VaLUE”( ${n`ULl},${t`RuE} )
Determine 12– exhibits coping the Mimikatz script to the distant dcorp-appsrv machine

▪️ Import the script and export all of the cached tickets.

Import-Module .Invoke-Mimikatz.ps1Invoke-Mimikatz –Command '"sekurlsa::tickets /export"'
Determine 13 —exhibits exporting all the cached TGT tickets

As we see under, we have been capable of get the area admin TGT as a result of the DA logged into the dcorp-appsrv machine, and for the reason that delegated machine caches all of the TGTs, we might dump the ticket.

Determine 14 — exhibits the Administrator TGT ticket

◼️ Impersonate Excessive Privileged Consumer

Now that we have now the TGT ticket for the area admin, we are able to use Invoke-Mimikatz or Rubeus to request service tickets from the KDC to any service with DA privileges.

For our case, I used Mimikatz to impersonate the administrator.

Invoke-Mimikatz -Command ‘“kerberos::ptt Ticket.kirbi”’
Determine 15 -shows impersonating the administrator with Mimikatz

As seen under, the KDC accepted the TGT ticket from us and was capable of request an HTTP service ticket to run PowerShell remotely with the Invoke-Command cmdlet.

📌 PS Remoting makes use of HTTP because the protocol for transmitting instructions and outputs.

Determine 16 — exhibits the KDC returns a TGS for HTTP service

We are able to use Invoke-command and confirm that we’re certainly logged into the area controller 😈

Invoke-Command -ScriptBlock{whoami;hostname} -computername dcorp-dc
Determine 17— exhibits that we’re logged into the area controller as area admin
RELATED ARTICLES

LEAVE A REPLY

Please enter your comment!
Please enter your name here

- Advertisment -
Google search engine

Most Popular

Recent Comments