[thread 🧵] This is a sub-thread about Kerberos Constrained Delegation (KCD) and abuse scenarios.
Similarly to Unconstrained Delegation, service accounts configured for KCD can act on behalf of other principals on other services. The difference is that with KUD it’s possible to delegate to any service, whereas with KCD it’s only possible to delegate to a specific set of services.
Users granted the SeEnableDelegationPrivilege right in the domain (really high priv ⚠️) can configure service accounts for delegation (unconstrained or constrained).
Principals marked « sensitive for delegation » or members of the « Protected Users » group cannot be delegated.
There are two types of Kerberos Constrained Delegation:
- with protocol transition (« Use any authentication protocol »)
- without protocol transition (« Use Kerberos only »)
Let’s see how KCD-with-protocol-transition works
1. Service (A), configured for delegation, can obtain a ticket to itself on behalf of a user through a legitimate technique called S4U2self, which is a Kerberos extension
(S4U2self = service for user to self)
2. Service (A) obtains a Service Ticket and uses it in an S4U2proxy request, which is another Kerberos extension. This allows the service to obtain an ST to another service (B), on behalf of the user impersonated previously.
3. (A) can access (B) on behalf of the user.
With KCD-without-protocol-transition, the process is a bit different: the S4U2self produces a non-forwardable Service Ticket.
The thing is, S4U2proxy needs to use the ST obtained with S4U2self in order to work, and that ST needs to be forwardable*. With KCD-without-protocol-transition, since S4U2self results in a non-forwardable ST, S4U2proxy doesn’t work.

*except with RBCD, but this is another topic
And if S4U2proxy doesn’t work, service (A) cannot obtain a ticket to service (B) on behalf of another user.
So how does KCD-without-PT work?
Instead of being able to obtain a forwardable ST, the KCD-without-PT service (A) is supposed to wait for a user to send his Service Ticket. Service (A) then has an ST that can be used for S4U2proxy.
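Before getting to the abuse part, here is an added audit example (not from the thread, not the author’s code): it classifies directory accounts into the delegation types described above (KUD, KCD with or without protocol transition, RBCD target) from the userAccountControl bits and the msDS-AllowedToDelegateTo / msDS-AllowedToActOnBehalfOfOtherIdentity attributes, and flags principals that cannot be delegated (sensitive flag or Protected Users). The UAC bit values are the Microsoft-documented ones; the account records and the Protected Users DN are constructed for the example.

```python
# userAccountControl bits (Microsoft-documented values)
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation (KUD)
NOT_DELEGATED = 0x100000                    # "sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "use any authentication protocol"
NORMAL_ACCOUNT = 0x200
PROTECTED_USERS_DN = "CN=Protected Users,CN=Users,DC=example,DC=local"  # constructed DN

def delegation_type(acct: dict) -> str:
    """Classify one account: KUD, KCD-with-PT, KCD-without-PT, RBCD-target or none."""
    uac = acct.get("userAccountControl", 0)
    targets = acct.get("msDS-AllowedToDelegateTo", [])
    if uac & TRUSTED_FOR_DELEGATION:
        return "KUD"                  # may delegate to any service
    if targets and uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        return "KCD-with-PT"          # S4U2self yields a forwardable ST
    if targets:
        return "KCD-without-PT"       # S4U2self ST is not forwardable
    if acct.get("msDS-AllowedToActOnBehalfOfOtherIdentity"):
        return "RBCD-target"          # other services may delegate to it
    return "none"

def can_be_delegated(acct: dict) -> bool:
    """False for principals marked sensitive or members of Protected Users."""
    if acct.get("userAccountControl", 0) & NOT_DELEGATED:
        return False
    return PROTECTED_USERS_DN not in acct.get("memberOf", [])

def audit(accounts: list) -> list:
    """One finding per account configured for some form of delegation."""
    findings = []
    for a in accounts:
        kind = delegation_type(a)
        if kind != "none":
            targets = a.get("msDS-AllowedToDelegateTo", [])
            suffix = " -> " + ", ".join(targets) if targets else ""
            findings.append(f"{a['sAMAccountName']}: {kind}{suffix}")
    return findings

# Constructed sample records shaped like the attributes an LDAP search returns.
SAMPLE = [
    {"sAMAccountName": "svc_web", "msDS-AllowedToDelegateTo": ["cifs/fs.example.local"],
     "userAccountControl": NORMAL_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION},
    {"sAMAccountName": "svc_sql", "userAccountControl": NORMAL_ACCOUNT, "msDS-AllowedToDelegateTo": ["http/app.example.local"]},
    {"sAMAccountName": "svc_legacy", "userAccountControl": NORMAL_ACCOUNT | TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "fs$", "userAccountControl": 0x2000,  # WORKSTATION_TRUST_ACCOUNT
     "msDS-AllowedToActOnBehalfOfOtherIdentity": b"<security descriptor placeholder>"},
    {"sAMAccountName": "da_admin", "userAccountControl": NORMAL_ACCOUNT | NOT_DELEGATED},
    {"sAMAccountName": "alice", "userAccountControl": NORMAL_ACCOUNT, "memberOf": [PROTECTED_USERS_DN]},
]
```

Against live data, feed the same attribute names from an LDAP search into `audit()`; the KCD-with-PT and KUD findings are the ones worth reviewing first, since those accounts can impersonate users without any user interaction.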
Now let’s get to the funny parts. How can we abuse Kerberos Constrained Delegations? 😈
Abusing KCD-with-protocol-transition is straightforward: S4U2self + S4U2proxy + pass the ticket. The S4U2* steps can be done with getST on UNIX-like systems and with Rubeus on Windows.
More info on The Hacker Recipes thehacker.recipes/ad/movement/ke…
Abusing KCD-without-PT is a bit trickier. While waiting for users to send their Service Tickets and use those for S4U2proxy would work, @elad_shamir found and shared a trick to bypass the « S4U2self doesn’t produce a forwardable ST » limitation shenaniganslabs.io/2019/01/28/Wag…
This trick relies on the fact that S4U2proxy always produces a forwardable ticket. So, what if there was a way to do what S4U2self does, but with S4U2proxy (i.e. service obtains a ST for a user to itself)? Well there is.
The trick relies on the following requirement: another service account (C) that has an SPN, can delegate to service (A)
This can be done by configuring service (A) for RBCD (Resource-Based Constrained Delegation), but it’s another topic.
If service (C) can delegate, through RBCD, to service (A), and service (A) can delegate, through KCD-without-PT, to service (B), the following drawing shows what steps to follow to act on (B) as another user.
All of this can be done with getST or Rubeus.
More info on The Hacker Recipes thehacker.recipes/ad/movement/ke…
Thread by Shutdown (Charlie BROMBERG), @_nwodtuhs