Unconstrained Delegation
As we mentioned before what is the risk to having Unconstrained Delegation, is that anytime an account connects to the compromised computer for any reason, their ticket (TGT) is stored in memory so it can be used later by the computer for impersonation.
How does this look like, well let's setup an account for this.
Right-Click on the proper Computer Name and move to the Delgation Tab. And click apply to finish the setup.
From the Domain Controller we can query for the Unconstrained Computers.
Active Directory Module
From here a Administrator user on the Compromised machine is needed
But when we compromise a Domain user we can use PowerView to find the Unconstrained computer with a syntax
Get-NetComputer -Unconstrained
Get-NetComputer -Unconstrained -FullData |ConvertFrom-UACValue
The next step in our attack to listen for a connection on a Domain User (in this case the Domain Admin). All the Domain Admin needs to do here is authenticate to our compromised workstation. Even just listing the directory is enough for us to capture a ticket. And we can use mimikatz to extract the ticket from our session with the compromised Admin.
With mimikatz we can see the tickets saved. In the current session. Currently as another Domain User (Kevin)
And with kevin I can dump the tickets once gaining higher access and finally we can use this ticket until it expires by using mimikatz "Pass the Ticket" method.
And just to verify I will list the C directory of the Domain Controller. Currently as the user Kevin but the Domain Admins Ticket
We can enumerate the DC directories, as we can see this gives us no limits on who we want to impersonate as this attack is just a waiting game because we need a user to authenticate to our compromised machine, just a matter of time for automated scripts, there are numerous way's to approach this situation, such as Covenant just a few syntax, Rubeus and SpoolCheck that is able to "force" an authentication to our machine using the "Printer Bug", and also using the impacket tool set.
Active Directory Security Risk #101: Kerberos Unconstrained Delegation (or How Compromise of a Single Server Can Compromise the Domain)
Active Directory Security
โ€œRelayingโ€ Kerberos - Having fun with unconstrained delegation
Copy link