Unconstrained Delegation

When a user accesses a server with unconstrained delegation enabled, the user sends their TGT to the server. The server can then impersonate the user by using their user's TGT to authenticate to other services in the network.

But what is delegation? Delegation is a feature in Active Directory that allows a user or a computer to impersonate another account. Microsoft had to provide a simple mechanism to support scenarios where a user authenticates to a Web Server via Kerberos and needs to update records on a back-end database server on behalf of the user. This is typically referred to as the "Kerberos double-hop issue" and requires delegation.

What the risk?

Once you turn on unconstrained delegation to a computer, any time an account connects to that computer for any reason, their ticket (TGT) is stored in memory so it can be used later by the computer for impersonation. Let's say you enable this option on a computer you have administrative access to and then get a Domain Admin user to access the computer over the Common Internet File System (CIFS) by accessing a shared folder. Without unconstrained delegation on, only the ticket-granting server (TGS) would be stored in memory on your compromised machine. This ticket gives access only to the CIFS service on your machine so you can't use it to move laterally. However, with unconstrained delegation enabled, when the privileged user connects to your machine, their TGT will be stored in memory, which can be replayed to move laterally and compromise a domain controller.

TL;DR

As we mentioned before what is the risk to having Unconstrained Delegation, is that anytime an account connects to the compromised computer for any reason, their ticket (TGT)is stored in memory so it can be used later by the computer for impersonation.

Attack

First to setup this attack path this needs to be done from the DC, we right click on the PC name and "Trust this computer for delegation to any service (Kerberos only)" option checked.

Now it's time to search for the machine that has the Unconstrained Delegation available for it. We find this with utilizing PowerView

Get-NetComputer -Unconstrained

Now let's say our goal is to reach Desktop-Alpha and we have no permissions to access the machine.

Administrator Privileges from here

Now we will need to elevate our privileges on the host machine to start capturing tickets once that is done we have to wait for a user that has access to Desktop-Alpha and we can use the ticket to access the target machine (For the sake of Demo I will have a user access a folder on Desktop-Charlie)

We run Rubeus in monitor mode, I used an interval of 10 seconds after this I managed to capture the ticket.

Successfully done this I will save the ticket then pass it onto my current session.

Rubeus ptt /ticket:<TICKET BASE64>

Then we try and list the C$ share on the machine and we are successful

We are aware this user is a Local Administrator to the Machine so we can also grab a shell. Will create a process for this and inject our ticket to this PID so we are allowed to do Network Actions

Rubeus createnetonly /program:C:\Windows\System32\cmd.exe

Then we will inject the ticket in the newly created process take a note in the LUID

Rubeus ptt /luid:0x302756 /ticket:<TICKET BASE64>

Now Impersonate the Process

With this we can use PSEXEC to gain a Shell on the remote machine

And we get a new Grunt on the Target Machine as SYSTEM (PSEXEC does this since it’s a service and these run with the highest privileges)

whoami, hostname

Now that we understand unconstrained delegation this is not the only user we can impersonate on this machine I used this sample since the user was a LOCAL Administrator on the target machine, usually when using this attack we are trying to impersonate Domain Admins but the truth is we can use any user that helps us reach our goal.