returnreturn
Follina a silent Client-Side

By:
Caique Garbim
(Offensive Operations Team)

SHARE

Twitter Facebook linkedin

Kerberos delegation: when security becomes a vulnerability

In Active Directory (AD), constrained delegation is a security feature that allows a service (service account or server) to act on behalf of a user only for specific defined services. Constrained delegation is configured to prevent the misuse of credentials and limit the possible exposure of credentials.

However, this functionality has presented critical vulnerabilities. These flaws can allow malicious attackers to elevate privileges and improperly access sensitive resources.

Usage

Imagine an environment where a web server needs to access a SQL database on behalf of authenticated users. With restricted delegation, you would configure the web server service account so that it can only delegate credentials to the SQL service. This prevents this account from accessing other unrelated services. That is:

 • The web server, with restricted delegation configured, can use the user's Kerberos ticket to request a service ticket for the SQL database.

 • Active Directory checks the web server's restricted delegation settings to ensure that it is authorized to delegate credentials only to the SQL SPN database.

Example

 • A user, John, authenticates to the web service (running under the service account "webservice") using an authentication mechanism (not supported by Kerberos).

 • The web service requests a Key Distribution Center (KDC) ticket for John's account without providing a password, such as the "webservice" account.

 • The KDC checks the webservice's userAccountControl value for the TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION attribute and that John's account is not blocked for delegation. If OK, it returns a forwardable ticket for John's account (S4U2Self).

 • The service then returns this ticket to the KDC and requests a service ticket for the service "CIFS/arg-mssql.argentina.contoso.corp".

 • The KDC checks the "msDS-AllowedToDelegateTo" field in the webservice account. If the service is listed, it will return a service ticket for "arg-mssql" (S4U2Proxy).

 • The web service can now authenticate to CIFS in "arg-mssql" as John using the supplied TGS.


Enumeration

To enumerate users with restricted delegation we can use PowerView. Run the following command in a PowerShell session:


The command lists the users with the "Trusted to Authenticate for Delegation" permission and shows that the "webservice" user can delegate credentials to the specified CIFS services.

Abuse

In theory, restricted delegation limits the damage that could result if an AD account is compromised. But restricted delegation can be abused: an adversary who compromises the plaintext password or password hash of an account that is configured with restricted delegation to a service can impersonate any user in the environment to access that service. For example, if restricted delegation is configured on a Microsoft SQL SPN, an attacker could gain privileged access to that database.

To abuse the restricted delegation in the above scenario, we need to have access to the webservice account. Initial access may be possible through vulnerabilities in the webservice that could allow command execution in the operating system or other vulnerabilities in Active Directory.

If we have access to this account, we can access the services listed in "msDS-AllowedToDelegateTo" of the "webservice" account as ANY user.

Note that we do not yet have access to the C$ admin share on the target host:


To perform the scan, we can use the following command:


The above command is an execution of Rubeus (a post-exploitation tool for handling Kerberos tickets on Windows). This particular command uses the S4U (Service for User) functionality to perform a restricted delegation to obtain a service ticket (TGS) for another service on behalf of a user:

 • /user:webservice: Indicates the name of the service user (service account) to be used. In this case, the user is "webservice".

 • /aes256:7d214...: Provides the AES256 key of the "webservice" user. This key is required to generate Kerberos tickets.

 • /impersonateuser:Administrator: Specifies the user to impersonate, in this case "Administrator".

 • /msdsspn: "CIFS/arg-mssql.argentina.contoso.corp: Defines the Service Principal Name (SPN) of the service you want to access. Here the SPN is for the CIFS service on the server "arg-mssql.argentina.contoso.corp".

 • /ptt: Stands for "Pass-The-Ticket". This parameter tells Rubeus to inject the generated TGS ticket directly into the current session, effectively "passing" the ticket.

After execution, the ticket is successfully imported:


By executing the following command, we can see that the ticket exists:


In this way we can access the file system in "arg-mssql", demonstrating that lateral movement is possible using this technique:


Mitigation

Account settings

One technique to defend against delegation-related attacks is to place sensitive accounts that should not be delegated in the Protected Users group or to check the "Account is sensitive and cannot be delegated" box under "Active Directory Users and Computers" on the "Account" tab.

Monitor safety records

Implement a detailed audit of Windows security logs, especially Kerberos-related events:

 • 4768 (Ticket Granting Ticket request)
 • 4769 (Service Ticket request)
 • 4770 (TGT renewal)
 • 4771 (Kerberos pre-authentication failure)

Use SIEM tools

Security information and event management (SIEM) tools can help detect anomalous patterns and suspicious behavior.

Regular rotation of passwords and keys

Periodically change passwords and keys for service accounts and elevated privileges to reduce the window of opportunity for attackers.