Service Name Substitution
Service Name Substitution is an advanced technique that allows an adversary to "switch" a service ticket for one service to another. And it is all down to a fundamental design flaw in the Kerberos ticket structure.
Both KDC responses (AS-REP and TGS-REP) share a data structure called KDC-REP. Inside this, the ticket [5] is the actual service ticket.
If we look inside the Ticket structure, we see it has an encrypted part (enc-part) and an unencrypted part. The encrypted part contains sensitive data like the session key.
However, the SPN (the sname field [2]) sits in the unencrypted part of the ticket.
This means that if an adversary obtains a service ticket for, say, HTTP/PC1, they can simply overwrite this field in the ticket with another SPN, such as CIFS/PC1.
Why is the ticket still valid? Because the sname field is not covered by any integrity check: it sits outside the encrypted part, and no checksum over the ticket includes it.
The Only Limitation
This only works if the substituted SPN runs under the same account as the original service. You cannot switch HTTP/PC1 for CIFS/PC2 (different machines), but you can almost always switch HTTP/PC1 for CIFS/PC1, as both services usually run as SYSTEM (the PC1$ machine account).
Since both services run with the same account, the encrypted part of the ticket (which is encrypted with that account's key) can be decrypted by the substituted service without any issue.
The Abuse Scenario: Bypassing "Useless" Delegation
Here is where this technique becomes powerful. Imagine we have compromised lon-ws-1 and, after enumerating it, we find it has constrained delegation to a Domain Controller. Brilliant!
But wait... look closely:
sAMAccountName: LON-WS-1$
msDS-AllowedToDelegateTo: time/lon-dc-1.contoso.com, time/lon-dc-1
Delegation is only allowed to the TIME service (time/lon-dc-1). This service is useless for lateral movement; we cannot use it to pop a shell or list files. Our real target is services like CIFS (for file system access) or HOST/HTTP (for WinRM).
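The limitation above (substitution only works across SPNs owned by the same account) and this "useless" delegation entry are two sides of one rule: the effective scope of an msDS-AllowedToDelegateTo entry is every SPN the target account owns, not just the one listed. The following audit script is an added example, not part of the original post and not Rubeus code. It models that rule over a constructed in-memory directory snapshot (a real audit would fill the same Account records from LDAP) and reports which high-value services a delegating account can effectively reach. The HOST_ALIASES set is an illustrative subset of the default sPNMappings value, and HIGH_VALUE is the author's own choice of service classes worth flagging.

```python
"""Audit constrained-delegation entries for their *effective* scope.

Added example, not from the original post. Constrained delegation is
enforced per SPN by the KDC, but a service ticket's sname is not
integrity-protected, so a ticket for one SPN can be re-labelled to any
other SPN owned by the same account. The effective scope of an
msDS-AllowedToDelegateTo entry is therefore every SPN that account owns.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Illustrative subset of the default sPNMappings value: a HOST/x ticket is
# accepted by these service classes on x. A real audit reads the full list
# from the directory rather than hard-coding it.
HOST_ALIASES = {"cifs", "http", "www", "time", "rpcss", "netlogon", "dns"}

# Service classes a defender should treat as "code or data access on the host".
HIGH_VALUE = {"cifs", "http", "host", "ldap", "rpcss", "mssqlsvc", "wsman"}


@dataclass
class Account:
    sam: str
    spns: list[str]
    allowed_to_delegate_to: list[str] = field(default_factory=list)


def parse_spn(spn: str) -> tuple[str, str]:
    """Return (service_class, short_host) for 'class/host[:port][/name]' forms."""
    cls, _, rest = spn.partition("/")
    host = rest.split("/")[0].split(":")[0]       # drop instance name and port
    return cls.lower(), host.split(".")[0].lower()  # FQDN and short name compare equal


def build_spn_index(accounts: list[Account]) -> dict[tuple[str, str], Account]:
    """Map every registered (class, host) pair to its owning account,
    expanding HOST/x into the service classes it implicitly covers."""
    index: dict[tuple[str, str], Account] = {}
    for acct in accounts:
        for spn in acct.spns:
            cls, host = parse_spn(spn)
            index[(cls, host)] = acct
            if cls == "host":
                for alias in HOST_ALIASES:
                    index.setdefault((alias, host), acct)
    return index


def effective_scope(account: Account, index) -> set[tuple[str, str]]:
    """Every (class, host) reachable via this account's delegation list: a
    ticket for any listed SPN can be re-labelled to any SPN of the same owner."""
    reachable: set[tuple[str, str]] = set()
    for target in account.allowed_to_delegate_to:
        owner = index.get(parse_spn(target))
        if owner is None:
            continue  # dangling entry (SPN not registered); report separately
        reachable.update(key for key, acct in index.items() if acct is owner)
    return reachable


def audit(accounts: list[Account]) -> dict[str, dict[str, list[str]]]:
    """For each delegating account, compare what is listed with what is effectively reachable."""
    index = build_spn_index(accounts)
    findings = {}
    for acct in accounts:
        if not acct.allowed_to_delegate_to:
            continue
        listed = {parse_spn(s) for s in acct.allowed_to_delegate_to}
        scope = effective_scope(acct, index)
        hidden = scope - listed  # services gained purely through sname substitution
        findings[acct.sam] = {
            "listed": sorted(f"{c}/{h}" for c, h in listed),
            "effective": sorted(f"{c}/{h}" for c, h in scope),
            "high_value_gained": sorted(f"{c}/{h}" for c, h in hidden if c in HIGH_VALUE),
        }
    return findings


# Constructed directory snapshot mirroring the post's scenario (not real data).
SNAPSHOT = [
    Account("LON-DC-1$", ["HOST/lon-dc-1", "HOST/lon-dc-1.contoso.com",
                          "ldap/lon-dc-1.contoso.com", "time/lon-dc-1"]),
    Account("LON-WS-1$", ["HOST/lon-ws-1", "HOST/lon-ws-1.contoso.com"],
            allowed_to_delegate_to=["time/lon-dc-1.contoso.com", "time/lon-dc-1"]),
    Account("svc-web", ["http/lon-app-1.contoso.com"],
            allowed_to_delegate_to=["mssqlsvc/lon-sql-1.contoso.com:1433"]),
    Account("svc-sql", ["mssqlsvc/lon-sql-1.contoso.com:1433", "mssqlsvc/lon-sql-1:1433"]),
]

if __name__ == "__main__":
    for sam, f in audit(SNAPSHOT).items():
        print(f"{sam}: listed={f['listed']}")
        print(f"    effective={f['effective']}")
        print(f"    high-value gained={f['high_value_gained']}")
```

Run against the snapshot, LON-WS-1$ is reported with a listed scope of only time/lon-dc-1 but an effective scope that includes cifs, host, http, ldap and rpcss on the DC, which is exactly the gap the post exploits; svc-web, whose delegation target is a dedicated service account, gains nothing beyond what is listed. The practical takeaway for reviewing delegation is to evaluate targets by owning account, and to treat any delegation to a machine account (above all a DC's) as delegation to every service on that machine.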
This is where we apply Service Name Substitution.
1. We use S4U to legitimately request a ticket for time/lon-dc-1 (which is allowed).
2. We intercept that ticket before using it.
3. We overwrite the SPN time/lon-dc-1 with cifs/lon-dc-1.
4. We use the modified ticket to access CIFS on the DC.
And the best part is that Rubeus automates all of this with the /altservice parameter.
The Attack with Rubeus
Assuming we have compromised lon-ws-1 (and have its TGT) and that protocol transition is enabled, the command is:
Let's break down the key parameters:
- /user:lon-ws-1$: The principal we control and which is configured for delegation.
- /msdsspn:time/lon-dc-1: The "useless" service we are allowed to delegate to.
- /altservice:cifs: This is the magic. It tells Rubeus to substitute the SPN of the final ticket with cifs.
- /ticket:...: The TGT for lon-ws-1$.
- /impersonateuser:Administrator: The user we want to impersonate.
Tip: The /altservice parameter supports a comma-separated list, e.g., /altservice:cifs,host,http. This will generate three tickets, one for each service.
Rubeus handles the entire process
As you can see, Rubeus requested the ticket for time/lon-dc-1 but then gave us a ticket for cifs/lon-dc-1.
"Game Over": Using the Forged Ticket
Now we just have to use this newly created CIFS ticket to access the Domain Controller as Administrator.
And that is how we turn a "useless" constrained delegation into a total Domain Controller compromise.