Kerberos Constrained Delegation
Description
Kerberos Delegation
enables an application to access resources hosted on a different server; for example, instead of giving the service account running the web server access to the database directly, we can allow the account to be delegated to the SQL server service. Once a user logs into the website, the web server service account will request access to the SQL server service on behalf of that user, allowing the user to get access to the content in the database that they’ve been provisioned to without having to assign any access to the web server service account itself.
We can configure three types of delegations in Active Directory:
Unconstrained Delegation
(most permissive/broad)Constrained Delegation
Resource-based Delegation
Knowing and understanding that any
type of delegation is a possible security risk is paramount, and we should avoid it unless necessary.
As the name suggests, unconstrained delegation
is the most permissive, allowing an account to delegate to any service. In constrained delegation
, a user account will have its properties configured to specify which service(s) they can delegate. For resource-based delegation
, the configuration is within the computer object to whom delegation occurs. In that case, the computer is configured as I trust only this/these accounts
. It is rare to see Resource-based delegation
configured by an Administrator in production environments ( threat agents often abuse it to compromise devices). However, Unconstrained
and Constrained
delegations are commonly encountered in production environments.
Attack
We will only showcase the abuse of constrained delegation
; when an account is trusted for delegation, the account sends a request to the KDC
stating, "Give me a Kerberos ticket for user YYYY because I am trusted to delegate this user to service ZZZZ", and a Kerberos ticket is generated for user YYYY (without supplying the password of user YYYY). It is also possible to delegate to another service, even if not configured in the user properties. For example, if we are trusted to delegate for LDAP
, we can perform protocol transition and be entrusted to any other service such as CIFS
or HTTP
.
To demonstrate the attack, we assume that the user web_service
is trusted for delegation and has been compromised. The password of this account is Slavi123
. To begin, we will use the Get-NetUser
function from PowerView to enumerate user accounts that are trusted for constrained delegation in the domain:
We can see that the user web_service
is configured for delegating the HTTP service to the Domain Controller DC1
. The HTTP service provides the ability to execute PowerShell Remoting
. Therefore, any threat actor gaining control over web_service
can request a Kerberos ticket for any user in Active Directory and use it to connect to DC1
over PowerShell Remoting
.
Before we request a ticket with Rubeus
(which expects a password hash instead of cleartext for the /rc4
argument used subsequently), we need to use it to convert the plaintext password Slavi123
into its NTLM
hash equivalent:
Then, we will use Rubeus
to get a ticket for the Administrator
account:
To confirm that Rubeus
injected the ticket in the current session, we can use the klist
command:
With the ticket being available, we can connect to the Domain Controller impersonating the account Administrator
:
If the last step fails (we may need to do klist purge
, obtain new tickets, and try again by rebooting the machine). We can also request tickets for multiple services with the /altservice
argument, such as LDAP
, CFIS
, time
, and host
.
Prevention
Fortunately, when designing Kerberos Delegation, Microsoft implemented several protection mechanisms; however, it did not enable them by default to any user account. There are two direct ways to prevent a ticket from being issued for a user via delegation:
Configure the property
Account is sensitive and cannot be delegated
for all privileged users.Add privileged users to the
Protected Users
group: this membership automatically applies the protection mentioned above (however, it is not recommended to useProtected Users
without first understanding its potential implications).
We should treat any account configured for delegation as extremely privileged, regardless of its actual privileges (such as being only a Domain user). Cryptographically secure passwords are a must, as we don't want Kerberoasting
giving threat agents an account with delegation privileges.
Detection
Correlating users' behavior is the best technique to detect constrained delegation
abuse. Suppose we know the location and time a user regularly uses to log in. In that case, it will be easy to alert on other (suspicious) behaviors—for example, consider the account 'Administrator' in the attack described above. If a mature organization uses Privileged Access Workstations (PAWs), they should be alert to any privileged users not authenticating from those machines, proactively monitoring events with the ID 4624
(successful logon).
In some occasions, a successful logon attempt with a delegated ticket will contain information about the ticket's issuer under the Transited Services
attribute in the events log. This attribute is normally populated if the logon resulted from an S4U
(Service For User
) logon process.
S4U is a Microsoft extension to the Kerberos protocol that allows an application service to obtain a Kerberos service ticket on behalf of a user; if we recall from the attack flow when utilizing Rubeus
, we specified this S4U
extension. Here is an example logon event by using the web service to generate a ticket for the user Administrator, which then was used to connect to the Domain Controller (precisely as the attack path above):
Q & A
1) Use the techniques shown in this section to gain access to the DC1 domain controller and submit the contents of the flag.txt file.
First, import the module and run the Get-NetUser function.
We can see that the user web_service is set up to delegate the HTTP service to the Domain Controller DC1.
Since we know the web_service user’s password is Slavi123, let’s use Rubeus to convert the plaintext password to an NTLM hash.
Then, we will use Rubeus
to get a ticket for the Administrator
account:
Now let's connect to the Domain Controller impersonating the account Administrator
Answer: C0nsTr@in3D_F1@G_Dc01!
Last updated