Unconstrained Delegation
Unconstrained delegation allows a service to impersonate a user to any other service in the domain. When it is enabled on an account, the domain controller embeds the user's TGT in the service ticket (TGS) issued for that service. The service extracts the TGT and caches it in LSASS, where it can be reused to impersonate the user. This behavior makes unconstrained delegation highly abusable.
Delegation Process Flow:
1. A user authenticates to the Domain Controller and receives a TGT.
2. The user requests a TGS for a service (e.g., a web server).
3. The user sends both the TGT and the TGS to the service.
4. The service extracts the user's TGT and requests a new TGS to access another resource (e.g., a database server).
5. The service authenticates to the second server as the user.
Enumeration
To identify domain machines or users with unconstrained delegation enabled:
PowerView:
ActiveDirectory Module:
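Added audit example (not code from this page): using the ActiveDirectory module, list every account trusted for unconstrained delegation, separate domain controllers (trusted by design) from non-DC findings, and list Domain Admins whose TGT could still be forwarded to such a host. It assumes the RSAT ActiveDirectory module, a domain-joined session with read access, and the default group names "Domain Admins" and "Protected Users".

```powershell
# Added audit example, not code from the original page. Assumes the RSAT
# ActiveDirectory module and a domain-joined session with read access.
Import-Module ActiveDirectory

function Get-UnconstrainedDelegationAudit {
    # Domain controllers are trusted for unconstrained delegation by design,
    # so they are flagged and can be filtered out of the findings.
    $dcNames = @((Get-ADDomainController -Filter *).Name)

    # Computer accounts with TRUSTED_FOR_DELEGATION (userAccountControl 0x80000).
    Get-ADComputer -Filter { TrustedForDelegation -eq $true } `
        -Properties TrustedForDelegation, OperatingSystem, LastLogonDate |
        ForEach-Object {
            [pscustomobject]@{
                Account   = $_.SamAccountName
                Type      = 'Computer'
                IsDC      = ($_.Name -in $dcNames)
                LastLogon = $_.LastLogonDate
                Detail    = $_.OperatingSystem
            }
        }

    # User (service) accounts can carry the same flag and are often overlooked.
    Get-ADUser -Filter { TrustedForDelegation -eq $true } `
        -Properties TrustedForDelegation, ServicePrincipalName, LastLogonDate |
        ForEach-Object {
            [pscustomobject]@{
                Account   = $_.SamAccountName
                Type      = 'User'
                IsDC      = $false
                LastLogon = $_.LastLogonDate
                Detail    = ($_.ServicePrincipalName -join ';')
            }
        }
}

function Get-UnprotectedPrivilegedUsers {
    # The TGT-forwarding abuse this page describes needs a privileged TGT to be
    # delegated. Members of Protected Users, and accounts marked "sensitive and
    # cannot be delegated", never have their TGT forwarded. Report Domain Admins
    # that have neither protection.
    $protected = @((Get-ADGroupMember 'Protected Users' -Recursive).SamAccountName)
    Get-ADGroupMember 'Domain Admins' -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties AccountNotDelegated |
        Where-Object { -not $_.AccountNotDelegated -and $_.SamAccountName -notin $protected }
}

Get-UnconstrainedDelegationAudit | Where-Object { -not $_.IsDC } | Format-Table -AutoSize
Get-UnprotectedPrivilegedUsers | Select-Object SamAccountName, Enabled | Format-Table -AutoSize
```

Any non-DC account in the first table, and any account in the second, is a finding worth reviewing.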
Abusing Unconstrained Delegation
1. Compromise a server with unconstrained delegation enabled.
2. Wait for or coerce a domain admin to authenticate to it.
3. Dump cached TGTs:
4. Inject a Domain Admin's TGT:
Coercion Techniques
Certain Windows services allow any authenticated user to coerce one machine into authenticating to another. These include:
MS-RPRN | Print Spooler | Yes | 445 SMB
MS-WSP | Windows Search | No | 445 SMB
MS-DFSNM | DFS Namespace Mgmt | No | 445 SMB
Use these coercion techniques to force authentication from a DC to a controlled host.
Capturing and Reusing the TGT
On the attacker-controlled server (e.g., dcorp-appsrv), monitor for TGTs:
On the student's VM, coerce authentication using MS-RPRN:
Once the TGT is captured (Base64 encoded), inject it into memory:
Dump secrets using DCSync:
Lab
Learning Object 15