
Today we are going to talk about understanding and attacking delegations in Active Directory, so let's get started.

So why is this session important? Kerberos delegation is a very common and needed aspect in an Active Directory environment. When you go for a pentest or an adversary emulation, you would commonly be facing Kerberos delegation. The abuse cases of this functionality take advantage of the inherent process or the protocol flow rather than exploiting a vulnerability present in a software version, so ideally the systems or the environment that use delegation would be vulnerable to the abuse cases. This session would also help you to escalate your privileges to domain admin, and you would also get insights on lateral movement phases once you have an initial foothold over the network or a system.

So this is who I am, on my slide. My name is Raman Kumar, I go by the handle Redwolf. I'm working as a security analyst at Walt Infos. I hold a couple of certifications like CRTP and a couple of other certifications from Hack The Box etc. I am currently the chapter lead at OWASP CH, and I am also a technical member of the Tamil Nadu Cyber Security Council; it's a group where we infosec professionals share our knowledge on various aspects of the cyber security domain. I also love solving red team labs and environments, and I'm currently researching Active Directory attacks, adversary simulation and EDR bypass stuff, more of the red teaming stuff. I would also love to collaborate on doing labs; currently I'm doing the AD labs from Hack The Box. If you want to collaborate, do reach out to me over Twitter or Instagram, check out my blogs at Redwolf and my GitBook too, hope you find it useful.

So the agenda today: I will be walking you through the basics of Kerberos authentication; technical jargon like KDC, TGT and service tickets would be explained along with the protocol flow. We would also understand why and how Kerberos delegation was introduced. The types of delegation along with the abuse case scenarios would be explained in detail. I have also attached a demo of the abuse cases; I have pre-recorded it so that while presenting I don't have any glitches.

So this is just a quick disclaimer here: all the demos and the explanation would give you a basic insight about the attacks and the authentication flow. If you want to understand better, research more; I have attached a couple of reference links at the end of each section, hope you find it useful. Another major disclaimer is that it's better to watch these demos over a big screen; I highly recommend not watching over mobile devices, since I would be using lots of commands and you won't understand that if you are watching on a small
screen.

So what is Kerberos authentication? Basically, Kerberos is an authentication protocol which is pretty complex compared to native NTLM. Kerberos provides a centralized environment that functions to authenticate the users to the servers and vice versa. The key components that you must understand before going into the Kerberos flow are the KDC, the TGT and the service ticket, so let's get to it.

KDC stands for Key Distribution Center. This provides service tickets and TGTs to the client upon verification of their request. The KDC in turn has two parts: one is the Authentication Server, which performs the initial or pre-authentication phase and issues the TGT to the client, and the other is the Ticket Granting Service, which would send the client a service ticket upon verification of the submitted TGT.

So what is the TGT here? After the pre-authentication phase is completed, the KDC provides credential material in the ticket that is encrypted using the krbtgt account's password, or its NTLM hash. The krbtgt account is natively called the Kerberos account, which is present in the domain controller. One important aspect about the TGT is that the TGT gets cached in the client's machine, so that when a client tries to access any other resource the pre-authentication would not be repeated; rather, this TGT would be used to invoke the service ticket request again. When we are talking about the service ticket: the service ticket is issued to the client once the TGT is verified by the Ticket Granting Service, and one part of this service ticket is encrypted using the service account's NTLM hash.

Let's talk about the flow here. As I said earlier, this is the pre-authentication phase; here the client tries to access the SQL server, so the client submits a request asking for a TGT from the KDC. Once the KDC, which is present in the domain controller, verifies the request, it issues the TGT and a session key; the session key is encrypted using the client's NTLM hash, and this is known as the AS response. Once the client receives the TGT, it makes a service ticket request to access the SQL server, which is sent to the KDC. The KDC verifies the submitted TGT; once the verification is completed it sends the service ticket and a new session key, and one part of this service ticket is encrypted using the service account's NTLM hash. With this service ticket the client authenticates to the SQL server, and the SQL server, which now has the service ticket, decrypts it and verifies whether the client really has access over the SQL server or not. This verification is completely based on something called the PAC, which actually describes more about the client: what is the SID of the client, what are the access privileges in the domain, more of that stuff. Sorry, these are a couple of references
that I have attached to understand Kerberos better, hope you check that out.

Let's now get into why Kerberos delegation was introduced. Imagine a situation where a user John tries to access a web server which is present in the domain. The access is done by Kerberos and the access is successful here. Now some part of the application needs to access files related to John which are present in the file server; now the access is denied for the web server, since the web server does not have any credential material related to John, so it cannot impersonate the user John to the file server. So how can this so-called credential material be provided to the web server so that it can impersonate the user John and access the files present in the file server? That's why Kerberos delegation was introduced.

This is the flow where Kerberos delegation is configured on a web server. I wouldn't be talking about which type of delegation is configured here; that I would be saving for a later part of the session. As far as now is concerned, the user John tries to access a web server that has one type of delegation configured, and the web server now has some sort of credential material; let's just say it may be John's TGT or service ticket, anything, it has some part of the credential material so that it can impersonate user John. So it makes a request to access the files present in the file server on behalf of John, and the authentication is successful here; the files related to John are retrieved by the web server and hence the flow is successful.

So these are the three types of delegation which we will be seeing in today's session: unconstrained delegation, constrained delegation and resource-based constrained delegation.

So what is unconstrained delegation? Basically, when unconstrained delegation is configured over a particular server, it has, simply put in layman's words, unlimited privileges to access any services present in the domain impersonating a user who accesses that server. When a user accesses a server that has unconstrained delegation configured, the user sends their TGT to the server itself. If you could recollect the Kerberos flow here, the service ticket request is made by the TGT alone, so there is no place where any other credential material like a password comes into play; simply put, the TGT of the user is used to invoke a service ticket from the KDC. So here the user sends their TGT itself to the web server, so that the impersonation of the user by the web server gets perfectly done. So imagine a situation where you have access over a server that has unconstrained delegation configured: if a user who is part of a sensitive group like Domain Admins or Enterprise Admins accesses that service, then you would be able to capture their TGT and replay it to gain the privileges of that particular user. This type of unconstrained delegation can be configured over a machine account or a user account, that doesn't really matter, and the abuse case would remain the same for both.

So this is just a pictorial representation of what I have explained to you earlier. Here the user tries to access a web server that has unconstrained delegation configured; now the web server can impersonate this user in order to access any services present in the domain, let that be a file server or a mail server or a directory server.

So this is the domain controller configuration, or the configuration perspective, of unconstrained delegation. Here the domain admin has to explicitly configure this: "Trust this computer for delegation to any service" is the checkbox that must be ticked by the domain admin. Here I have configured it for the SQL server. So as I said earlier, unconstrained delegation can be configured over a machine account or a user account, so that doesn't make a big difference here.

Let's talk about the flow analysis. I have analyzed the delegation flows using Wireshark and I have formed a protocol flow here in order to explain it to you in a clear way. So let's talk about it. The first request is that the client makes a request to the KDC in order to access websvc, it's a service. The KDC verifies this request and issues a TGT. Once the client receives this TGT, it sends it back to the KDC again and makes a request for a service ticket; the TGT is verified by the KDC and the service ticket is returned to the client. Here, as the web service account has unconstrained delegation configured, the KDC expects another TGT request from the client. As expected, the client sends out another TGT request; now this TGT is more specialized, this TGT can be forwarded to the web service so that the unconstrained delegation flow gets executed. Once the TGT request is verified, the KDC returns a TGT with the forwardable flag set. Once the client retrieves the TGT with the forwardable flag set, it sends the service ticket for accessing websvc along with the forwardable TGT. The web server returns the required content to the client, and some part of the application needs to access the SQL server on behalf of the client. Since the web server has the forwardable TGT here, what it does is it makes a service ticket request to the KDC using this forwardable TGT, impersonating the client. So the KDC would verify the forwardable TGT and send the service ticket to the web service in order to access the SQL server. Now once the service ticket for accessing the SQL server is retrieved by the web server, it accesses the SQL server and the SQL server returns the required content. So that is the basic flow of how unconstrained delegation would work.

So let's now talk about the abuse case scenario here. There are two important considerations that need to be done before talking about the abuse case scenarios. One is that you need
to have, or it is better to have, administrative privileges over a computer account for each type of delegation configured in order to abuse them. Another thing is that you must have bypassed Windows Defender or any antivirus solution so that it can work perfectly without a hurdle. So here I have imported the PowerView script into memory. Let's talk about the commands: Get-DomainComputer -Unconstrained would list the machine accounts that have unconstrained delegation configured. Access the server that has unconstrained delegation configured, monitor the Kerberos tickets that are getting cached on the server, and wait for any kind of domain admin or sensitive user to access that service; this can be done by using Rubeus or Mimikatz. Once the TGT gets captured, import it using Rubeus or Mimikatz into memory, or more specifically into the LSASS process.

So this is the recorded video. Now I'm starting Rubeus in monitoring mode with an interval of 3 seconds. I'm giving this flag called /nowrap because I don't want any spaces in between the captured TGT; if you run it without this flag you would have some spaces in between the ticket, it won't be a whole string, to put it in simple words. So I don't have any sensitive user whose TGT is captured here, and this is the domain controller where a domain admin tries to access a web server that is hosted on this computer. In order to access the web server or the website, domain authentication is required. So let's see: the domain admin Deadpool would log in using the domain controller in order to access my web server.

Yeah, so the access is successful and you could see that Deadpool's TGT is captured on my screen. Using this TGT I would be able to get the privileges of domain admin here. So before importing the TGT into my memory, I'm just seeing whether I'm able to access the files present in the domain controller; as of now I get a permission denied error here. Now I am importing the ticket into the LSASS process, and the ticket is imported; I'm able to access it successfully, I can even use PS remoting too.
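The defender's counterpart to the unconstrained delegation abuse just shown, as an added example that is not part of the talk and not PowerView or Rubeus code: it lists every non-DC principal carrying the TRUSTED_FOR_DELEGATION bit, and then lists privileged users whose TGT would still be forwardable to such a host because they are neither in Protected Users nor marked "Account is sensitive and cannot be delegated". It assumes the RSAT ActiveDirectory module in a domain-joined session with read access; every name is read from the directory, nothing is hard-coded.

```powershell
# Added example, not from the talk: audit unconstrained delegation and the
# account-side controls that stop a privileged TGT from reaching such a host.
# Assumes the RSAT ActiveDirectory module and a domain-joined session.
Import-Module ActiveDirectory

# TRUSTED_FOR_DELEGATION (0x80000) is the userAccountControl bit behind
# "Trust this computer for delegation to any service".
$TrustedForDelegation = 0x80000

# LDAP_MATCHING_RULE_BIT_AND (1.2.840.113556.1.4.803) matches the bit in the filter.
$filter = "(userAccountControl:1.2.840.113556.1.4.803:=$TrustedForDelegation)"
$hosts = Get-ADObject -LDAPFilter $filter `
    -Properties objectClass, primaryGroupID, servicePrincipalName

# Domain controllers carry this bit by design (primary group 516 = Domain
# Controllers, 521 = Read-only Domain Controllers); anything else is a finding.
$findings = foreach ($h in $hosts) {
    [pscustomobject]@{
        Name  = $h.Name
        Class = $h.objectClass
        IsDC  = $h.primaryGroupID -in @(516, 521)
        SPNs  = ($h.servicePrincipalName -join '; ')
    }
}
Write-Host "Non-DC principals with unconstrained delegation:"
$findings | Where-Object { -not $_.IsDC } | Format-Table -AutoSize

# Mitigation side: a captured TGT is only useful if a privileged account ever
# sends a forwardable one. Members of Protected Users never get forwardable
# TGTs, and NOT_DELEGATED ("Account is sensitive and cannot be delegated")
# has the same effect per account. List privileged users with neither control.
$protected = @()
try {
    $protected = (Get-ADGroupMember -Identity 'Protected Users' -Recursive).DistinguishedName
} catch {
    Write-Warning "Protected Users group not found (needs 2012 R2 domain functional level)."
}

$privileged = foreach ($g in 'Domain Admins', 'Enterprise Admins') {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' }
}

$exposed = $privileged | Sort-Object -Property DistinguishedName -Unique | ForEach-Object {
    $u = Get-ADUser -Identity $_.DistinguishedName -Properties AccountNotDelegated
    [pscustomobject]@{
        User              = $u.SamAccountName
        InProtectedUsers  = $protected -contains $u.DistinguishedName
        CannotBeDelegated = [bool]$u.AccountNotDelegated
    }
} | Where-Object { -not $_.InProtectedUsers -and -not $_.CannotBeDelegated }

Write-Host "Privileged users whose TGT could be captured on an unconstrained host:"
$exposed | Format-Table -AutoSize
```

Run it from any domain-joined workstation with RSAT; it needs only the read rights every authenticated user has. The second table is the one that matters for the Deadpool scenario in the demo: a domain admin in Protected Users, or flagged NOT_DELEGATED, would have produced no forwardable TGT for Rubeus to capture on the web server.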
Yep, so this is the abuse of unconstrained delegation. These are the references, hope you check that out.

Let's now talk about constrained delegation. While comparing with unconstrained delegation, which had access to any services present in the domain and could impersonate the users there, with constrained delegation the access is limited and it is specified by the domain admin. When a user accesses a server that has constrained delegation configured, the server can impersonate the user to access specific services alone, so mark these words, "specific services alone", and these services are explicitly mentioned in the object attribute called msDS-AllowedToDelegateTo, which would give the list of services that can be used for delegating. There are two major extensions you need to consider when you are talking about constrained delegation: one is the Kerberos protocol transition extension and another one is the constrained delegation extension, which are more often called S4U2Self and S4U2Proxy.

So let's now see what S4U2Self and S4U2Proxy are. Before that, I need to show the configuration that I have done and used in my demo video. This is the web service account, and I have configured constrained delegation here, and I have used "Use any authentication protocol", which means that S4U2Self and S4U2Proxy would be invoked.

So let's now start with what S4U2Self and S4U2Proxy are. S4U2Self basically allows a service to request a service ticket for itself impersonating a user. This service ticket would have a special flag set, which is the forwardable flag, and this is called a forwardable service ticket. The case where this comes into play is when a user authenticates to a server or a service using a non-Kerberos authentication protocol, that may be NTLM or CredSSP; then, in order to invoke S4U2Proxy, this needs to have a service ticket with the forwardable flag set, and this would only be retrieved from S4U2Self. There are two major misconceptions here. One is that S4U2Self can be invoked by any service account that is present in the domain; the catch here is that the forwardable service ticket would be retrieved only by the service accounts that have TrustedToAuthForDelegation set. So if any other service account that is invoking S4U2Self doesn't have TrustedToAuthForDelegation, it would end up retrieving a service ticket that does not have this forwardable flag set. So only if you have a service ticket which has the forwardable flag set will you be able to invoke S4U2Proxy.

So what is S4U2Proxy? S4U2Proxy basically allows a service to request a service ticket for the SPN or the services specified in msDS-AllowedToDelegateTo on behalf of a particular user, or impersonating a user. The ticket that is required to make this service ticket request, the forwardable service ticket, is required for making this request. So that's it.

This is the flow here: a user tries to access a web server which has constrained delegation configured, and it is explicitly specified by the domain admin that this can delegate only to the CIFS service present in the file server; it cannot delegate to any other services present in the domain. This is the configuration that is explicitly done by the domain admin. Again, this is just a screen to show you that you can have constrained delegation configured over a user account or a machine account; that doesn't make a big difference in the abuse case scenario.

So this is just a flow analysis of the protocol transition, I mean to say there are two processes getting involved, one is S4U2Self and the other is S4U2Proxy. Here the client authenticates to the web service initially using NTLM authentication, and in the later part the web service needs to impersonate the client and access the SQL server. The web server now makes a service ticket request to the KDC that needs to have the forwardable flag set; upon verification the KDC returns the service ticket, and this service ticket is again used to make a service ticket request for accessing the SQL server. Previously the service ticket request was for the web service itself, now it is for the SQL server; so that is S4U2Self and S4U2Proxy. The KDC notices that the web service has in its configuration msDS-AllowedToDelegateTo pointing to the SQL server, so it verifies the request and sends the service ticket to access the SQL server. The web server, impersonating the client, accesses the SQL server and the required content is sent to the web server again.

So let's now talk about the abuse case scenario. Again I would be using the PowerView script for this purpose.
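An audit of the constrained delegation configuration described above, as an added example that is not from the talk and not PowerView code: it lists every account with msDS-AllowedToDelegateTo, decodes whether protocol transition (the "Use any authentication protocol" setting, the TRUSTED_TO_AUTH_FOR_DELEGATION bit) is enabled, and flags targets that sit on a domain controller, which is exactly the websvc to CIFS/LDAP on the DC chain the demo walks through. It assumes the RSAT ActiveDirectory module and a domain-joined session; all values are read from the directory.

```powershell
# Added example, not from the talk: audit classic constrained delegation and
# protocol transition. Assumes the RSAT ActiveDirectory module and a
# domain-joined session; nothing is hard-coded.
Import-Module ActiveDirectory

# TRUSTED_TO_AUTH_FOR_DELEGATION (0x1000000) is set by "Use any authentication
# protocol". It is what makes S4U2Self return a forwardable ticket, so an account
# holding it can impersonate any non-protected user without that user ever
# authenticating to it ("Kerberos only" needs a real client ticket first).
$TrustedToAuthForDelegation = 0x1000000

$delegators = Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' `
    -Properties msDS-AllowedToDelegateTo, userAccountControl, objectClass

# Hostnames of all domain controllers, so that a target SPN such as
# cifs/dc.red.local or ldap/dc.red.local can be highlighted: those give
# SYSVOL/share access or replication (DCSync) rights to the impersonated user.
$dcHosts = (Get-ADDomainController -Filter *).HostName | ForEach-Object { $_.ToLower() }

$report = foreach ($d in $delegators) {
    $targets = @($d.'msDS-AllowedToDelegateTo')
    # SPN forms: class/host, class/host:port, class/host/name; host is always element 1.
    $targetHosts = $targets | ForEach-Object { ($_ -split '/')[1].Split(':')[0].ToLower() }
    [pscustomobject]@{
        Account            = $d.Name
        Class              = $d.objectClass
        ProtocolTransition = ($d.userAccountControl -band $TrustedToAuthForDelegation) -ne 0
        TargetsOnDC        = [bool]($targetHosts | Where-Object { $dcHosts -contains $_ })
        Targets            = ($targets -join '; ')
    }
}

# Highest risk first: protocol transition plus a target on a domain controller.
$report |
    Sort-Object -Property @{Expression = 'ProtocolTransition'; Descending = $true},
                          @{Expression = 'TargetsOnDC'; Descending = $true} |
    Format-Table -AutoSize
```

Two things to take from the output: any row with ProtocolTransition true deserves a justification, because that single bit turns "the service can delegate the users who log in to it" into "the service can delegate anyone"; and any target on a DC means compromise of that one service account is a domain compromise, as the demo shows. The same account-side protections as for unconstrained delegation (Protected Users, NOT_DELEGATED) block the impersonation of specific sensitive users, since S4U2Self will not return a forwardable ticket for them.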
Get-DomainUser -TrustedToAuth or Get-DomainComputer -TrustedToAuth would list the user or service accounts that have constrained delegation configured. We must have access over any one of these accounts; the access might be through a password or a shell directly. You can use Rubeus for this entire process, and you can also use another tool called Kekeo; both would be useful at the end.

So let's now start with the demo. I would be explaining two scenarios: one where I have the NTLM hash of the web service account, and in the next one I would be having control of the web service account, considering that I didn't know the NTLM hash. During the first example I would be using Kekeo, in the next one I would be using Rubeus. So let's get started. This is just the domain controller page where you could see that delegation is configured, and websvc has constrained delegation configured pointing to the CIFS service of the domain controller. So here with Get-DomainUser -TrustedToAuth I would be able to list the user accounts that have constrained delegation configured; you could see that msDS-AllowedToDelegateTo points to the CIFS service of the domain controller. Red DC is the domain controller in my domain, which is red.local. So now I'm using Kekeo here. Okay, so here what I'm initially doing is that I am retrieving the TGT for the web service account, specifying the NTLM hash.

Hey sir, sorry about that, your screen stopped sharing; I believe we can't see what you're seeing right currently. Okay, okay, is it okay now? Yes sir, perfect, thank you. Okay, was it before, or did it just now start? I mean my screen. It was probably just about two minutes ago, right when you started talking about this new breakout. Okay, okay, so let me explain it from the start, hope that would be fine. Thank you sir.

Yeah, so as I explained earlier, this is the domain controller page where I have configured constrained delegation on the web service account. Here you could see that constrained delegation is configured over the CIFS service of the domain controller; the domain controller is Red DC and red.local is my domain. So yep, here you could see that I have bypassed AMSI and imported PowerView; I didn't have any other antivirus solution installed in my virtual environment. So now what I'm doing is that I am listing the user accounts that have constrained delegation configured. Here you could see that the msDS-AllowedToDelegateTo option is set to the CIFS service of the domain controller. I am now using Kekeo to perform the abuse scenario. What I'm doing is that I'm retrieving the TGT of the web service account, specifying the NTLM hash: this is the NTLM hash, this is the domain and this is the account. Here I have retrieved the TGT of websvc using this command.

Okay, so let me just explain it here. Now what I'm doing is that I am trying to invoke S4U2Self and S4U2Proxy using Kekeo. I am mentioning the TGT of the web service account that was retrieved earlier, and the user flag is set to the impersonated user; now I'm impersonating the user Deadpool, who is the domain admin of course. The service flag is set to the service that is pointed to in the msDS-AllowedToDelegateTo option, and the pipe symbol in between specifies that I am invoking another service ticket, which is for LDAP on the same machine account. I'm doing this in order to perform the DCSync attack that would end up retrieving the domain admin credentials or the krbtgt account's password. So successfully I have retrieved the TGS ticket here for the LDAP service; now I am importing that ticket into my memory using Mimikatz, and this was successful. Let me just list the active Kerberos tickets; you could see that the LDAP service ticket is here. Now I'm performing the DCSync attack using Mimikatz again, so I'm able to retrieve the krbtgt account's password.

So that's it. We'll now talk about a scenario where I didn't have the web service account's NTLM hash, rather I have access over a machine with the privileges of the web service account. So again I'm listing the users that have constrained delegation configured, let me skip it. Now I am using Rubeus to get the TGT of the user websvc; this is the command used for that purpose, and I have captured the TGT here. So now I would be replaying that TGT in order to gain the privileges of the domain admin. So again S4U2Self is used for invoking it.

Okay, so let me explain this command. Rubeus S4U2Self, I mean I'm using Rubeus here and I'm mentioning the service account and the captured TGT along with it; I'm also mentioning the domain, I am mentioning the user that I want to impersonate, which is Deadpool, and /msdsspn is the flag where I would be mentioning the service that was listed earlier, so this is the service, and the alternate service is LDAP here too; I would be performing the DCSync attack, that's why I'm importing that one here. So I am now importing the ticket directly into memory using /ptt, so the ticket is successfully
imported. Now let me try, yeah, again I have the active Kerberos ticket for accessing the LDAP service of Red DC here. Now again I would perform the DCSync attack. Yep, so that's it.

So these are a couple of references that I highly recommend you to watch or give a read after the session gets over, and if you guys have any doubt about any type of delegation or any aspect of Active Directory, kindly reach out to me over Discord, I would be happy to explain it to you.

Next, let's now talk about resource-based constrained delegation. Resource-based constrained delegation is quite different from classic constrained delegation. While considering classic constrained delegation, the delegation configuration was done on the system or the server which can delegate to any other services present in the domain, right? While considering resource-based constrained delegation, the configuration is done on the service that receives the delegated credential. The key difference would be, let me explain it to you with the example that we are walking through all this time: in the previous case we had constrained delegation configured on the web service account, whereas while considering resource-based constrained delegation we would have the delegation configuration done over the SQL server, which receives the delegated credential from the web service account. This configuration also must be explicitly done, but not by the domain admin; it need not be the domain admin. So this is the configuration that needs to be done here: msDS-AllowedToActOnBehalfOfOtherIdentity. The common abuse case of resource-based constrained delegation would be when you have write permissions over a machine account; these are the permissions GenericAll, GenericWrite, WriteDacl or WriteProperty. You would be able to set this object attribute, which is msDS-AllowedToActOnBehalfOfOtherIdentity, and this does not require administrative privileges; you would simply need the write permissions over the machine account, then you would be able to configure RBCD, which is resource-based constrained delegation, and abuse it.

So this is just the pictorial representation. If you could recollect, while considering classic constrained delegation the configuration was done here, whereas in RBCD you have the configuration done on the file server. So here the user accesses the web server, and since the web server is allowed to delegate, and it is explicitly specified in the file server, it can access the file server impersonating the user. This is the basic difference between classic constrained delegation and resource-based constrained delegation: in classic constrained delegation the delegation property is set on service A pointing to service B, whereas in resource-based constrained delegation the delegation property is set on service B, which is pointing to service A.

So this is the last section of this topic; hold on guys, I have said a lot more about delegations here. This is a configuration page where I have GenericWrite permissions over the domain controller with the privileges of the user websvc. So this is the flow analysis; this flow remains the same here, I mean this part doesn't have a big difference, let me skip it, because I don't have much time now. Let's talk from step five: the client, after getting the service ticket for websvc, makes a service request using the service ticket, and the service verifies it and returns the ticket, I mean returns the required content. The web service makes a service ticket request for accessing the SQL server impersonating the user. Here the KDC notices that the SQL server has a delegation configuration pointing to the web server, so that the SQL server can accept delegated credentials from the web service alone. The KDC verifies this and sends the service ticket in order to access the SQL server; using this service ticket for the SQL service, the web server accesses the SQL server and the SQL server returns the required content.

So let's talk about the abuse case here. What we would be doing is that there are two major things that you
need to consider before this. One is that you need to have control over a user account that has GenericWrite permissions over the target computer you are willing to take over; another one is that you need to have access over an account that has S4U2Self enabled. Of course there is another way to abuse it, but I won't be talking about that here. Once that is done, you have two configurations now: you need to store the target computer in a variable, I'm storing it here, and now what we would be doing is we would find targets that have S4U2Self enabled, and this must have the TrustedToAuthForDelegation flag set. Once that is done, we would be storing the attacker SID, I mean the security identifier of the account that has GenericWrite permissions over the target, in this variable, which is attackersid. Then we would be verifying the permission: what I have done is that I have listed the object ACLs for the target computer and I have matched that with the security identifier of websvc. Once that is done, we will be storing another variable, which is the account that has S4U2Self enabled; in the demo, or in my scenario, both accounts are the same, which is, the account that has GenericWrite permission over the target computer is the same as the account that has S4U2Self enabled. So I'm storing the web service account again into a variable. Now I am allocating a security identifier to the service account, and in the later part what I'm doing is that I am substituting the security identifier, or the SID, into the raw SDDL format, which stands for Security Descriptor Definition Language. Why this process is happening is that we can set the object only if these things are converted. Once it is converted, we would have it stored in a variable, and we would convert that into binary format, and in the later part we would be setting the object attribute msDS-AllowedToActOnBehalfOfOtherIdentity using Set-DomainObject, which in turn points to this web server. Once that is done, we will be able to retrieve the service tickets using the web service account.

So let me just pop out the demo video here. You could see that I have GenericWrite permissions over it. So let me quickly, okay, so here, as I said earlier, I am storing the target account in a variable; I'm also listing the user accounts that have constrained delegation configured and have the TrustedToAuthForDelegation property set, and now getting the security identifier of the account that has GenericWrite permissions over the target computer. I am checking my access through this command; you could see that I have GenericWrite permissions. So okay, what I'm doing here is that I am storing the account that has S4U2Self enabled in a variable, I'm converting that into a security identifier, and in turn I'm turning that into raw SDDL format, then converting that into binary format, and then I am setting that on the domain object, msDS-AllowedToActOnBehalfOfOtherIdentity, and the permission is set, I mean the object gets updated. So now I'm able to use Rubeus and impersonate.

Yep, now I'm able to use Rubeus here and invoke the service tickets using the credentials, or the NTLM hash, of websvc. I'm trying to impersonate the user Deadpool here, and in the /msdsspn flag any type of service can be specified; I have simply specified the CIFS service here, you can specify LDAP too, since there is no configuration like the one you consider with constrained delegation. So as alternate service tickets I am requesting LDAP, HTTP, WinRM and CIFS, and again all the tickets are imported successfully. Again I'm using Mimikatz, so let me try to list the active Kerberos tickets; you could see that these are the tickets that I have specified in the /altservice flag: LDAP, HTTP, WinRM, CIFS, WSMan. One more thing is that these are the native services which do not require being configured explicitly on a machine account; here we are talking about the machine account Red DC, right, these are the services which are natively present in it. So yeah, let me perform the DCSync attack here.
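The defender's view of the RBCD procedure just demonstrated, as an added example that is not from the talk and not PowerView code. It answers the two questions that procedure raises: which computers already have msDS-AllowedToActOnBehalfOfOtherIdentity populated and for whom, and which principals other than the expected administrative ones hold the write rights over a computer object (GenericAll, GenericWrite, WriteDacl, WriteOwner, or WriteProperty on that attribute) that would let them set it without being domain admin. It assumes the RSAT ActiveDirectory module, a domain-joined session and the AD: drive that the module creates on import; the attribute's schema GUID is resolved from the schema rather than hard-coded.

```powershell
# Added example, not from the talk: audit resource-based constrained delegation
# from the defender's side. Assumes the RSAT ActiveDirectory module and the AD:
# drive it provides; all names and GUIDs are read from the directory.
Import-Module ActiveDirectory

# 1. Which computers already accept delegated identities, and from whom?
#    The AD module exposes msDS-AllowedToActOnBehalfOfOtherIdentity as an
#    ActiveDirectorySecurity object, so the SIDs inside it resolve to names.
$rbcd = Get-ADComputer -Filter * -Properties msDS-AllowedToActOnBehalfOfOtherIdentity |
    Where-Object { $_.'msDS-AllowedToActOnBehalfOfOtherIdentity' } |
    ForEach-Object {
        $sd = $_.'msDS-AllowedToActOnBehalfOfOtherIdentity'
        [pscustomobject]@{
            Computer    = $_.Name
            AllowedFrom = ($sd.Access | ForEach-Object { $_.IdentityReference.Value }) -join '; '
        }
    }
Write-Host "Computers with RBCD configured:"
$rbcd | Format-Table -AutoSize

# 2. Who could set that attribute on a computer object? Principals that are
#    expected to hold such rights are filtered out; everything else is a finding.
$domain   = (Get-ADDomain).NetBIOSName
$expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT AUTHORITY\SELF',
              "$domain\Domain Admins", "$domain\Enterprise Admins")
$writeRights = 'GenericAll', 'GenericWrite', 'WriteDacl', 'WriteOwner', 'WriteProperty'

# Schema GUID of the attribute, used to recognise a WriteProperty ACE scoped to it.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attrObj  = Get-ADObject -SearchBase $schemaNC -Properties schemaIDGUID `
    -LDAPFilter '(lDAPDisplayName=msDS-AllowedToActOnBehalfOfOtherIdentity)'
$rbcdAttrGuid = [guid]$attrObj.schemaIDGUID

$risky = foreach ($c in Get-ADComputer -Filter *) {
    $acl = Get-Acl -Path "AD:\$($c.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($expected -contains $ace.IdentityReference.Value) { continue }
        $rightsText = $ace.ActiveDirectoryRights.ToString()
        if (-not ($writeRights | Where-Object { $rightsText -match $_ })) { continue }
        # A bare WriteProperty only counts if it is unscoped (all attributes)
        # or scoped to msDS-AllowedToActOnBehalfOfOtherIdentity itself.
        if ($rightsText -match 'WriteProperty' -and $rightsText -notmatch 'Generic' -and
            $ace.ObjectType -ne [guid]::Empty -and $ace.ObjectType -ne $rbcdAttrGuid) { continue }
        [pscustomobject]@{
            Computer  = $c.Name
            Principal = $ace.IdentityReference.Value
            Rights    = $rightsText
            Inherited = $ace.IsInherited
        }
    }
}
Write-Host "Principals that could write RBCD onto a computer object:"
$risky | Sort-Object Computer, Principal | Format-Table -AutoSize
```

In the demo's environment the second table would have shown websvc against the domain controller, which is the whole precondition of the attack; that row, not the delegation attribute, is what to fix, by removing the write right. For ongoing detection, enabling Directory Service Changes auditing (event ID 5136) on the domain controllers records every write to msDS-AllowedToActOnBehalfOfOtherIdentity together with the account that made it, which is the moment in the demo where Set-DomainObject updates the object.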
Yep, now I'm able to retrieve the krbtgt account's password. So that's it guys, here are the references, hope you check them out. Thank you everyone for listening to my session, and I would also like to thank bites and on new for providing me an opportunity to present my research. Special thanks to Cherel, who mentored me during my presentation preparation, my Tamil Nadu Cyber Security Council guys, they have inspired me a lot, and last but not the least, K, who is my mentor, who teaches me how to handle things and he inspires me a lot basically. So that's it.