πŸ““
πŸ““
πŸ““
πŸ““
Red Team Notes
Search…
πŸ““
πŸ““
πŸ““
πŸ““
Red Team Notes
Introduction
Red Team Notes 2.0
Red Team
Initial Access
Execution
Persistence
Privesc
Defense Evasion
Credential Access
Discovery
Lateral Movement
Collection
Command and Control
Exfiltration
Impact
Active Directory
Introduction
Enumeration
Attacks
Unconstrained Delegation
Constrained Delegation
DCSync
Kerberoasting
Silver Tickets
Golden Tickets
Detection
Detection
Initial Access
Execution
Resources & References
References & Resources
Powered By GitBook
Unconstrained Delegation
As we mentioned before what is the risk to having Unconstrained Delegation, is that anytime an account connects to the compromised computer for any reason, their ticket (TGT) is stored in memory so it can be used later by the computer for impersonation.
How does this look like, well let's setup an account for this.
Right-Click on the proper Computer Name and move to the Delgation Tab. And click apply to finish the setup.
From the Domain Controller we can query for the Unconstrained Computers.
Active Directory Module
From here a Administrator user on the Compromised machine is needed
But when we compromise a Domain user we can use PowerView to find the Unconstrained computer with a syntax
1
Get-NetComputer -Unconstrained
Copied!
1
Get-NetComputer -Unconstrained -FullData |ConvertFrom-UACValue
Copied!
The next step in our attack to listen for a connection on a Domain User (in this case the Domain Admin). All the Domain Admin needs to do here is authenticate to our compromised workstation. Even just listing the directory is enough for us to capture a ticket. And we can use mimikatz to extract the ticket from our session with the compromised Admin.
With mimikatz we can see the tickets saved. In the current session. Currently as another Domain User (Kevin)
And with kevin I can dump the tickets once gaining higher access and finally we can use this ticket until it expires by using mimikatz "Pass the Ticket" method.
And just to verify I will list the C directory of the Domain Controller. Currently as the user Kevin but the Domain Admins Ticket
We can enumerate the DC directories, as we can see this gives us no limits on who we want to impersonate as this attack is just a waiting game because we need a user to authenticate to our compromised machine, just a matter of time for automated scripts, there are numerous way's to approach this situation, such as Covenant just a few syntax, Rubeus and SpoolCheck that is able to "force" an authentication to our machine using the "Printer Bug", and also using the impacket tool set.
https://www.riccardoancarani.it/exploiting-unconstrained-delegation/
www.riccardoancarani.it
Active Directory Security Risk #101: Kerberos Unconstrained Delegation (or How Compromise of a Single Server Can Compromise the Domain)
Active Directory Security
β€œRelaying” Kerberos - Having fun with unconstrained delegation
dirkjanm.io
​
Active Directory - Previous
Attacks
Next
Constrained Delegation
Last modified 2yr ago
Copy link