💾
👁️
infosec stuff
infosec stuffwriteups
infosec stuff
infosec stuffwriteups
  • infosec stuff
  • Archive
    • Kerberos
  • Cheatsheet
    • Mimikatz
    • Rubeus
  • Initial Access
    • Passwords
    • Payloads
    • Recon-AssetDiscovery
  • Linux
    • Linux Enumeration
    • Command Cheatsheet
      • TAR
    • Privilege Escalation
      • Cron Jobs
      • Kernel Exploit
      • SUID
      • Sudo
      • Weak File Permission
  • Physical
    • Basics
  • Tools
    • Impacket
    • Msfvenom
    • psexec
  • Uncategorized
    • Alternate Data Stream
    • Check applocker rules/policy
    • UACme
    • Data Exfilteration
    • Port Forwarding
    • WebDAV Exploitation
    • WinRM
    • winexe
  • Windows
    • Windows Enumeration
    • Commands
      • net
      • reg
      • sc
    • Evasion
      • Query Installed Antivirus
    • Local Privilege Escalation
      • Automated Tools
      • Enterprise Application
      • Insecure GUI Apps
      • Kernel Exploitation
      • Passwords
      • Potato
      • Registry Exploits
      • Scheduled Tasks
      • Service Exploits
      • Startup Apps
      • Vulnerable Software
      • Windows Privileges
    • Persistence
      • Adding Privileged Users
      • Backdoor Files
      • Existing Services
      • Login Screen (RDP)
      • Logon Triggered
      • Scheduled Tasks
      • Services
    • Powershell
      • Cheatsheet
      • Detections & Bypass
    • System Programming
      • Fundamentals
    • Windows Internals
      • Process & Jobs
        • Fundamentals
        • Process Internals
      • Security
        • Access Token
        • Elevation
        • Integrity Levels
        • Privilege
        • SID
        • Security Descriptor
        • User Account Control
      • System Architecture
        • Architecture Overview
        • Operating System Model
      • Uncategorized
        • DPAPI
        • LocalAccountTokenFilterPolicy
        • Privileges
        • SID
        • accesschk.exe
        • WMI
  • Active Directory
    • AD Concepts
      • Authentication
      • Authorization
      • Basics
      • Computers
      • Credentials
      • Database
      • Group Policy
      • Groups
      • Kerberos
      • Logon Types
      • NetNTLM
      • Services
      • Trusts
      • Users
    • Credential Dumping
      • Credential Manager
      • DC Sync
      • Domain Controller
      • LAPS
      • LSASS
      • Local Credentials
    • Domain Enumeration
      • CMD
      • Credential Injection
      • Defence
      • Management Console
      • Sharphound-BloodHound
      • Powershell
        • ACLs
        • Computers
        • Domain
        • Forest
        • GPOs
        • Groups
        • Organisational Unit
        • Shares and File Servers
        • Trusts
        • Powerview
        • Users
    • Exploitation
      • ACLs
    • Initial Foothold
      • ASREPRoast
      • Kerberos
    • Lateral Movement and Pivoting
      • Abusing User Behaviour
      • Kerberos
      • NTLM
      • PSEXEC
      • Remote Windows Service
      • Schedule Tasks
      • WMI-CIM
      • WimRM (PowerShell Remoting)
    • Persistence
      • ACLs
      • Custom SSP
      • DSRM
      • Diamond Ticket
      • Golden Certificates
      • Golden Tickets
      • SID History
      • Silver Tickets
      • Skeleton Key
    • Privilege Escalation
      • Constrained Delegation
      • DNSAdmins
      • Kerberoast
      • Unconstrained Delegation
    • Protocols
      • MSRPC
      • SMB
      • WinRM
Powered by GitBook
On this page
Edit on GitHub
  1. Active Directory
  2. Privilege Escalation

Unconstrained Delegation

#powerview #ldap #mimikatz #powershell When a user requests for ST, and if the service owner has the TRUSTED_FOR_DELEGATION flag set in User Account Control, the ST received from the KCD will have the OK_AS_DELEGATE flag set. To set TRUSTED_FOR_DELEGATION flag in User Account Control, the user needs to have SeEnableDelegationPrivilege privilege.

Ticket Acquisition

  • Client requests for the ST for a service with SPN HTTP\webserv which is owned by websrv$ machine account.

  • The KDC checks for TRUSTED_FOR_DELEGATION in websrv$ account's UAC. KDC returns an ST with OK_AS_DELEGATE and FORWARDABLE flag set.

  • The Client checks of these flags and asks a FORWARDED TGT. The KDC responds with a TGT with FORWARDED flag set.

  • The Client sends the ST and the FORWARDED TGT to the service for access.

  • The Serivice uses this TGT to request ST for MSSQLSvc\dbsrv serivce.

  • Websrv uses the ST to get access to the MSSQL service.

Flaw

If the service account that is TRUSTED_FOR_DELEGATION is compromised, we get access to TGTs for uses that have tried to connect to this service. Mimikatz can be used to get access to the TGTs cached in lsass process.

mimikatz sekurlsa::tickets

Identifying accounts with unconstrained delegation

  • LDAP query

(UserAccountControl:1.2.840.113556.1.4.803:=524288)

  • Powerview

Get-DomainComputer -unconstrained

  • Active Directory Module

Get-ADComputer -Filter {TrustedForDelegation -eq $True}
Get-ADUser -Filter {TrustedForDelegation -eq $True}

Last updated 6 months ago