📓
Red Team Notes 2.0
  • Introduction
  • Red Team
  • Red Team Techniques
    • Initial Access
      • T1659: Content Injection
      • T1190: Exploit Public-Facing Applications
        • Rejetto HTTP File Server (HFS) 2.3
      • T1133: External Remote Services
        • SMB/Windows Admin Shares
        • RDP Service
      • T1566: Phishing
        • Phishing: Spearphishing via Service
        • Phishing: Spearphishing Link
          • Links: Social Engineering Toolkit
          • Links: Binaries
          • Links: HTA Files
        • Phishing: Spearphishing Attachment
          • Attachments: LNK Files
          • Attachments: SCR Files
          • Attachments: Dynamic Data Exchange
          • Attachments: Macros
          • Attachments: Macros - Linux
          • Attachments: Scripting Files
          • Attachments: Desktop Files
      • T1195: Supply Chain Compromise
        • Compromise Hardware Supply Chain
        • Compromise Software Supply Chain
        • Compromise Software Dependencies and Development Tools
      • T1078: Valid Accounts
        • Local Accounts
        • Domain Accounts
        • Default Accounts
      • T1199: Trusted Relationship
    • Execution
      • T1047:Windows Management Instrumentation
      • T1204: User Execution
        • Malicious File
        • Malicious Link
      • T1569: Service Execution
      • T1053: Scheduled Tasks/Job
        • Shared Modules
        • Scheduled Task
        • At (Windows)
      • T1106: Native API
      • T1559: Inter-Process Communication
        • Dynamic Data Exchange
        • Component Object Model
      • T1203: Exploitation for Client Execution
        • Common Third-Party Applications
        • Office Applications
      • T1059: Command and Scripting Interpreter
        • Network Device CLI
        • JavaScript/JScript
        • Python
        • Visual Basic
        • Unix Shell
        • Windows Command Shell
        • PowerShell
        • AutoHotKey & AutoIT
        • Deploy Container
        • Native API - Linux
    • Persistence
      • T1574: Hijack Execution Flow
        • Service File permissions Weakness
        • Path Interception by Unquoted Path
        • Path Interception by Search Order Hijacking
        • Path Interception by PATH Environment Variable
        • Executable Installer File Permissions Weakness
        • DLL Side-Loading
        • DLL Search Order Hijacking
        • Dynamic Linker Hijacking
      • T1133:External Remote Services
        • SMB/Windows Admin Shares
        • RDP Service
      • T1546:Event Triggered Execution
        • Component Object Model Hijacking
        • PowerShell Profile
        • Application Shimming
        • Accessibility Features
        • Netsh Helper DLL
        • Screensaver
        • Default File Association
        • Unix Shell Configuration Modification
        • Trap
        • Installer Packages
      • T1543:Create or Modify System Process
        • Windows Services
        • Systemd Service
      • T1136: Create Account
        • Domain Account
        • Local Account
      • T1554:Compromise Client Software Binary
      • T1547:Boot or Logon AutoStart Execution
        • Shortcut Modification
        • Winlogon Helper DLL
        • Time Providers
        • Registry Run Keys / Startup Folder
      • T1037: Boot or Logon Initialization Scripts
        • RC Scripts
      • T1197: BITS Jobs
      • T1053: Scheduled Tasks/Job
        • Shared Modules
        • Scheduled Task
        • At (Windows)
        • Cron
        • Systemd Timers
      • T1098: Account Manipulation
        • SSH Authorized Keys
      • T1556: Modify Authentication Process
        • Pluggable Authentication Modules
      • T1653: Power Settingss
      • T1505: Server Software Component
        • WebShell
    • Privilege Escalation
      • T1546:Event Triggered Execution
        • PowerShell Profile
        • Component Object Model Hijacking
        • Application Shimming
        • Accessibility Features
        • Screensaver
        • Default File Association
      • T1612: Build Image on Host
      • T1574: Hijack Execution Flow
        • Service File permissions Weakness
        • Path Interception by Unquoted Path
        • Path Interception by Search Order Hijacking
        • Path Interception by PATH Environment Variable
        • Executable Installer File Permissions Weakness
        • DLL Side-Loading
        • DLL Search Order Hijacking
      • T1543:Create or Modify System Process
        • Windows Services
      • T1547:Boot or Logon AutoStart Execution
        • Winlogon Helper DLL
        • Shortcut Modification
        • Time Providers
        • Registry Run Keys / Startup Folder
      • T1134: Access Token Manipulation
        • Parent PID Spoofing
        • Make and Impersonate Token
        • Create Process with Token
        • Token Impersonation/Theft
      • T1548: Abuse Elevation Control Mechanism
        • Bypass User Account Control
        • Setuid and Setgid
        • Sudo and Sudo Caching
      • T1611: Escape to Host
    • Defense Evasion
      • T1497: Virtualization/Sandbox Evasion
        • Time Based Evasion
        • User Activity Based Checks
        • System Checks
      • T1550: Use Alternate Authentication Material
        • Pass the Ticket
        • Pass the Hash
      • T1127: Trusted Developer Utilities Proxy Execution
        • MSBuild
      • T1221: Template Injection
      • T1553: Subvert Trust Controls
        • SIP and Trust Provider Hijacking
        • Code Signing
      • T1216: Signed Script Proxy Execution
      • T1218: Signed Binary Proxy Execution
        • Compiled HTML File
        • Control Panel
        • CMSTP
        • InstallUtil
        • MSHTA
        • MSIEXEC
        • ODBCCONF
        • Regsvcs/Regasm
        • Regsvr32
        • Rundll32
        • Verclsid
      • T1055: Process Injection
        • Dynamic-Link Library Injection
        • Portable Execution Injection
        • Thread Execution Hijacking
        • Asynchronous Procedure Call
        • Thread Local Storage
        • Extra Window Memory Injection
        • Process Hollowing
        • Process Doppelganging
      • T0127: Obfuscated Files or Information
        • Binary Padding
        • Software Packing
        • Steganography
        • Compile After Delivery
        • Indicator Removal from Tools
      • T1036: Masquerading
        • Invalid Code Signature
        • Right-to-Left-Override
        • Rename System Utilities
        • Masquerade Task or Service
        • Match Legitimate Name or location
      • T1202: Indirect Command Execution
      • T1562: Impair Defenses
        • Disable or Modify Tools
        • Disable Windows Event Logging
        • Impair Command History Logging
        • Disable or Modify System Firewall
        • Disable or Modify Linux Audit System
        • Indicator Blocking
      • T1070: Indicator Removal on Host
        • Clear Windows Event Logs
        • Clear Command History
        • File Deletion
        • Network Share Connection Removal
        • TimeStomping
      • T1574: Hijack Execution Flow
        • Path Interception by Unquoted Path
        • Service File permissions Weakness
        • Path Interception by Search Order Hijacking
        • Path Interception by PATH Environment Variable
        • Executable Installer File Permissions Weakness
        • DLL Side-Loading
        • DLL Search Order Hijacking
      • T1564: Hide Artifacts
        • VBA Stomping
        • Run Virtual Instance
        • NTFS File Attributes
        • Hidden Window
        • Hidden File System
        • Hidden Users
        • Ignore Process Interrupts
        • File/Path Exclusions
        • Hidden Files and Directories
      • T1222: File Directory Permissions Modification
        • Linux and Mac File and Directory Permissions Modification
        • Windows File and Directory Permissions Modification
      • T1480: Execution Guardrails
        • Environmental Keying Linux
        • Environmental Keying
      • T1197: BITS Jobs
      • T1134: Access Token Manipulation
        • Parent PID Spoofing
        • Make and Impersonate Token
        • Create Process with Token
        • Token Impersonation/Theft
      • T1548: Abuse Elevation Control Mechanism
        • Bypass User Account Control
      • De-obfuscate/Decode Files or Information
    • Credential Access
      • T1552: Unsecured Credentials
        • Group Policy Preferences
        • Private Keys
        • Credentials in Registry
        • Credentials in Files
      • T1558: Steal or Forge Kerberos Tickets
        • AS-REP Roasting
        • Kerberoasting
        • Silver Ticket
        • Golden Ticket
      • T1003: OS Credential Dumping
        • DCSync
        • Cached Domain Credentials
        • LSA Secrets
        • NTDS
        • Security Account Manager
        • LSASS Memory
      • T1040: Network Sniffing
      • T1556: Modify Authentication Process
        • Password Filter DLL
        • Domain Controller Authentication
      • T1557: Man-in-the-Middle
        • Arp Cache Poisoning
        • LLMNR/NBT-NS Poisoning and SMB Relay
      • T1056: Input Capture
        • Web Portal Capture
        • GUI Input Capture
        • Keylogging
      • T1187: Forced Authentication
      • T1555: Credentials from Password Stores
        • Credentials from Web Browsers
      • T1110: Brute Force
        • Credential Stuffing
        • Password Spraying
        • Password Cracking
        • Password Guessing
    • Discovery
      • T1124: System Time Discovery
      • T1007: System Service Disvcovery
      • T1033: System Owner/User Directory
      • T1049: System Network Connections Discovery
      • T1016: System Network Configuration Discovery
      • T1082: System Information Discovery
      • T1518: Software Discovery
        • Security Software Discovery
      • T1018: Remote System Discovery
      • T1012: Query Registry
      • T1057: Process Discovery
      • T1069: Permissions Groups Discovery
        • Local Groups
        • Domain Groups
      • T1120: Peripheral Device Discovery
      • T1201: Password Policy Discovery
      • T1040: Network Sniffing
      • T1135: Network Share Discovery
      • T1046: Network Servie Scanning
      • T1083: File and Directory Discovery
      • T1486: Domain Trust Discovery
      • T1217: Browser Bookmark Discovery
      • T1010: Application Window Discovery
      • T1087: Account Discovery
        • Domain Account
        • Local Account
    • Lateral Movement
      • T1080: Taint Shared Content
      • T1072: Software Deployment Tools
      • T1021: Remote Services
        • Windows Remote Management
        • VNC
        • Distributed Component Object Model
        • SMB/Windows Admin Shares
        • Remote Desktop Protocol
      • T1563: Remote Service Session Hijacking
        • RDP Hijacking
      • T1570: Lateral Tool Transfer
      • T1534: Internal Spearphishing
      • T1210: Exploitation of Remote Services
      • T1550 Use Alternate Authentication Material
        • Pass the Ticket
        • Pass the Hash
  • Active Directory
    • Active Directory
      • Lightweight Directory Access Protocol
      • Kerberos
      • Forest, Tress and Domains
    • Active Directory Attacks
      • Kerberoasting
      • Unconstrained Delegation
      • Constrained Delegation
      • DCSync
      • Golden Tickets
      • Silver Tickets
      • Skeleton Keys
      • Active Directory Certificate Services
      • NTLMRelay
      • AS-REP Roasting
  • Red Team Infrastructure
    • RED TEAM INFRASTRUCTURE
    • Domain Name and Categorization
    • Reconnaissance
      • Passive
      • Active
    • Weaponization
      • Macros
      • HTA
      • ZIP
      • ISO
    • Delivery
      • Gophish
      • EvilGinx
      • PwnDrop
  • Situational Awareness
    • Covenant and C#
    • Empire and PowerShell
  • Credential Dumping
    • Mimikatz
    • Lsass Dumping
    • SharpChromium
  • Persistence
    • Userland Persistence
    • Elevated Persistence
  • Defense Evasion
    • Disable or Modify Tools
    • Obfuscating Files
  • Privilege Escalation
    • PowerUp
    • PrivescCheck
  • Lateral Movement
    • RDP
    • PowerShell Remoting
  • Files
    • Red Team Guide
Powered by GitBook
On this page

Was this helpful?

  1. Active Directory
  2. Active Directory Attacks

Unconstrained Delegation

PreviousKerberoastingNextConstrained Delegation

Last updated 2 years ago

Was this helpful?

When a user accesses a server with unconstrained delegation enabled, the user sends their TGT to the server. The server can then impersonate the user by using their user's TGT to authenticate to other services in the network.

But what is delegation? Delegation is a feature in Active Directory that allows a user or a computer to impersonate another account. Microsoft had to provide a simple mechanism to support scenarios where a user authenticates to a Web Server via Kerberos and needs to update records on a back-end database server on behalf of the user. This is typically referred to as the "Kerberos double-hop issue" and requires delegation.

What the risk?

Once you turn on unconstrained delegation to a computer, any time an account connects to that computer for any reason, their ticket (TGT) is stored in memory so it can be used later by the computer for impersonation. Let's say you enable this option on a computer you have administrative access to and then get a Domain Admin user to access the computer over the Common Internet File System (CIFS) by accessing a shared folder. Without unconstrained delegation on, only the ticket-granting server (TGS) would be stored in memory on your compromised machine. This ticket gives access only to the CIFS service on your machine so you can't use it to move laterally. However, with unconstrained delegation enabled, when the privileged user connects to your machine, their TGT will be stored in memory, which can be replayed to move laterally and compromise a domain controller.

TL;DR

As we mentioned before what is the risk to having Unconstrained Delegation, is that anytime an account connects to the compromised computer for any reason, their ticket (TGT)is stored in memory so it can be used later by the computer for impersonation.

Attack

First to setup this attack path this needs to be done from the DC, we right click on the PC name and "Trust this computer for delegation to any service (Kerberos only)" option checked.

Now it's time to search for the machine that has the Unconstrained Delegation available for it. We find this with utilizing PowerView

Get-NetComputer -Unconstrained

Now let's say our goal is to reach Desktop-Alpha and we have no permissions to access the machine.

Administrator Privileges from here

Now we will need to elevate our privileges on the host machine to start capturing tickets once that is done we have to wait for a user that has access to Desktop-Alpha and we can use the ticket to access the target machine (For the sake of Demo I will have a user access a folder on Desktop-Charlie)

We run Rubeus in monitor mode, I used an interval of 10 seconds after this I managed to capture the ticket.

Successfully done this I will save the ticket then pass it onto my current session.

Rubeus ptt /ticket:<TICKET BASE64>

Then we try and list the C$ share on the machine and we are successful

We are aware this user is a Local Administrator to the Machine so we can also grab a shell. Will create a process for this and inject our ticket to this PID so we are allowed to do Network Actions

Rubeus createnetonly /program:C:\Windows\System32\cmd.exe

Then we will inject the ticket in the newly created process take a note in the LUID

Rubeus ptt /luid:0x302756 /ticket:<TICKET BASE64>

Now Impersonate the Process

With this we can use PSEXEC to gain a Shell on the remote machine

And we get a new Grunt on the Target Machine as SYSTEM (PSEXEC does this since it’s a service and these run with the highest privileges)

whoami, hostname

Now that we understand unconstrained delegation this is not the only user we can impersonate on this machine I used this sample since the user was a LOCAL Administrator on the target machine, usually when using this attack we are trying to impersonate Domain Admins but the truth is we can use any user that helps us reach our goal.