Delegations
Theory
Kerberos delegations allow services to access other services on behalf of domain users.
Types of delegation
The Kerberos authentication protocol features delegation capabilities described as follows. There are three types of Kerberos delegations:
Unconstrained delegations (KUD): a service can impersonate users on any other service.
Constrained delegations (KCD): a service can impersonate users on a set of services.
Resource-based constrained delegations (RBCD): a set of services can impersonate users on a service.
Extensions
Kerberos delegations can be abused by attackers to obtain access to valuable assets and sometimes even escalate to domain admin privileges. Constrained delegation and RBCD rely on Kerberos extensions called Service-for-User (S4U).
S4U2self and S4U2proxy are specified in Microsoft's Kerberos protocol extensions documentation (MS-SFU); understanding them is required to follow some of the delegation abuses below.
Simply put, Service for User to Self (S4U2self) allows a service to obtain a Service Ticket to itself on behalf of another user (called the "principal"). Service for User to Proxy (S4U2proxy) allows a service to obtain a Service Ticket to a different service on behalf of a user.
Some of the following parts show how to obtain modified or crafted Kerberos tickets. Once obtained, these tickets can be used with Pass-the-Ticket.
Practice
Recon
From UNIX-like systems, Impacket's findDelegation (Python) script can be used to find unconstrained, constrained (with or without protocol transition) and RBCD delegations.
findDelegation.py "DOMAIN"/"USER":"PASSWORD"
At the time of writing (13th October 2021), a Pull Request is pending to feature a -user filter to list delegations for a specific account.
findDelegation.py -user "account" "DOMAIN"/"USER":"PASSWORD"
From Windows systems, BloodHound can be used to identify unconstrained and constrained delegation.
The following queries can be used to audit delegations.
// Unconstrained Delegation
MATCH (c {unconstraineddelegation:true}) return c
// Constrained Delegation (with Protocol Transition)
MATCH (c) WHERE NOT c.allowedtodelegate IS NULL AND c.trustedtoauth=true return c
// Constrained Delegation (without Protocol Transition)
MATCH (c) WHERE NOT c.allowedtodelegate IS NULL AND c.trustedtoauth=false return c
// Resource-Based Constrained Delegation
MATCH p=(u)-[:AllowedToAct]->(c) RETURN p
The PowerShell Active Directory module also has a cmdlet that can be used to find delegation settings for a specific account.
Get-ADComputer "Account" -Properties TrustedForDelegation, TrustedToAuthForDelegation, msDS-AllowedToDelegateTo, PrincipalsAllowedToDelegateToAccount
The returned properties map to the delegation types as follows.
TrustedForDelegation: Unconstrained Delegation
TrustedToAuthForDelegation: Constrained Delegation with Protocol Transition
AllowedToDelegateTo: Constrained Delegation, with the list of services the account is allowed to delegate to
PrincipalsAllowedToDelegateToAccount (i.e. the msDS-AllowedToActOnBehalfOfOtherIdentity attribute): RBCD, with the list of services that can delegate to the account
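As an added example (not code from The Hacker Recipes, Impacket or BloodHound), the following Python applies the same classification that the BloodHound queries and the Get-ADComputer property table above express, but over LDAP-style account records so it can be run against an export offline. The account records are constructed sample data, and the example assumes that msDS-AllowedToActOnBehalfOfOtherIdentity (a security descriptor in the directory) has already been resolved to the account names it grants, as PrincipalsAllowedToDelegateToAccount presents it. Domain controllers are unconstrained by default, so the example marks that case separately rather than treating it like any other unconstrained host.

```python
# Added example, not code from The Hacker Recipes, Impacket or BloodHound:
# classify accounts into the delegation types above from the LDAP attributes
# the Get-ADComputer properties map to. All account records below are
# constructed sample data.

# userAccountControl flag values (documented Windows constants)
WORKSTATION_TRUST_ACCOUNT = 0x00001000
SERVER_TRUST_ACCOUNT = 0x00002000            # set on domain controllers
TRUSTED_FOR_DELEGATION = 0x00080000          # TrustedForDelegation: KUD
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000  # TrustedToAuthForDelegation: protocol transition


def classify_delegation(account):
    """Return a list of (type, description, related principals) for one account.

    `account` mirrors what an LDAP search returns; the assumed keys are
    'sAMAccountName', 'userAccountControl' (int), 'msDS-AllowedToDelegateTo'
    (list of SPNs) and 'msDS-AllowedToActOnBehalfOfOtherIdentity' (a security
    descriptor in the directory, assumed here to be already resolved to the
    account names it grants, as PrincipalsAllowedToDelegateToAccount shows).
    """
    uac = account.get("userAccountControl", 0)
    targets = account.get("msDS-AllowedToDelegateTo") or []
    rbcd_principals = account.get("msDS-AllowedToActOnBehalfOfOtherIdentity") or []
    findings = []

    if uac & TRUSTED_FOR_DELEGATION:
        # Domain controllers are unconstrained by default; any other host is the real finding.
        if uac & SERVER_TRUST_ACCOUNT:
            desc = "unconstrained delegation (default for domain controllers)"
        else:
            desc = "unconstrained delegation"
        findings.append(("KUD", desc, []))

    if targets:
        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            desc = "constrained delegation with protocol transition"
        else:
            desc = "constrained delegation without protocol transition"
        findings.append(("KCD", desc, sorted(targets)))
    elif uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        # Flag set but no target list: protocol transition enabled with nothing to delegate to.
        findings.append(("KCD", "protocol transition enabled but msDS-AllowedToDelegateTo is empty", []))

    if rbcd_principals:
        findings.append(("RBCD", "resource-based constrained delegation", sorted(rbcd_principals)))

    return findings


def audit(accounts):
    """Map account name -> findings, omitting accounts with no delegation configured."""
    report = {}
    for account in accounts:
        findings = classify_delegation(account)
        if findings:
            report[account["sAMAccountName"]] = findings
    return report


# Constructed sample directory objects (names and SPNs are made up)
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "DC01$",
     "userAccountControl": SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "WEB01$",
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["cifs/file01.lab.local", "cifs/FILE01"]},
    {"sAMAccountName": "APP02$",
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT,
     "msDS-AllowedToDelegateTo": ["http/api01.lab.local"]},
    {"sAMAccountName": "FILE01$",
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT,
     "msDS-AllowedToActOnBehalfOfOtherIdentity": ["WEB01$"]},
    {"sAMAccountName": "WS01$",
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_ACCOUNTS).items():
        for kind, desc, principals in findings:
            print(f"{name}: [{kind}] {desc} {principals or ''}")
```

Running the block prints one line per finding; in the sample data WS01$ produces nothing, DC01$ is reported as the expected unconstrained case, and FILE01$ shows up under RBCD because WEB01$ is allowed to act on its behalf, which is the same relationship the AllowedToAct edge in the BloodHound query represents.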
Abuse
(KUD) Unconstrained

