It's Just Kerberos Delegation,
Trust me…
Darryl G. Baker, CISSP, CEH
@DFIRDeferred
Security Consultant @ Trimarc Security
Spec Ops Army Veteran
Microsoft Identity Specialist
Team Purple
Creator of Identity Security Village
Ham Radio Extra
 Agenda
• Kerberos Authentication
• Types of Kerberos Delegation
• “Trending” Kerberos Delegation Attacks
• KrbRelayUp
• Delegation Behavior Across AD Trusts
• Attack Vectors for Delegation in Hybrid AD
• Mitigations
What is Kerberos?
 Kerberos Authentication
• Kerberos is a computer-network authentication protocol. It uses
  a ticket paradigm based on secret-key cryptography and a
  trusted third party. This allows trusted hosts to authenticate
  securely over insecure networks.
• Preferred authentication method for Windows domains.
• Before adopting Kerberos, Microsoft used NTLM for authentication. NTLM is still
  used for authentication when either the server or the client is not domain
  joined (although Kerberos can be strictly enforced).
 Privilege Attribute Certificate
• When a user requests a TGT, the PAC is included with it (containing the user's security information). The PAC is
signed by the Key Distribution Center (KDC) on the DC so it can't be tampered with. When the user requests a Service
Ticket, the KDC validates the signature of the PAC in the user's TGT and copies it into the Service Ticket that is
then sent to the user. When the user authenticates to a service, the service validates the signature of the PAC
and uses the data in the PAC to create a logon token for the user.
• [HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
    • 0 - Disabled: reverts the update
    • 1 - Deployment (default): adds the new PAC. If an authenticating user has the new PAC structure, the authentication is validated.
    • 2 - Enforcement: adds the new PAC. Old PAC structures will be denied
What is Kerberos Delegation in AD??
    Delegation == Impersonation
Types of Kerberos Delegation
• Unconstrained Delegation
   • Enables an object to impersonate ANY other object when requesting access to ANY
     target resource
   • TGT from impersonated user is forwarded
• Get-ADComputer -Filter {TrustedForDelegation -eq $true} -Properties
  trustedfordelegation,serviceprincipalname,description
• If an attacker can get admin access to this computer, they can use tools
  like Mimikatz to dump all TGTs in the computer's memory, hoping to find
  one belonging to a user with elevated domain permissions. The attacker
  then "Passes the Ticket" of the elevated user and requests service tickets
  on the user's behalf to any other resource in the domain.
Kerberos Constrained Delegation
• Relies on the Service-For-User (S4U) extensions
   • TGTs are not forwarded. A TGS plus the S4U extensions is used to request service
     tickets. These two extensions are S4U2Proxy and S4U2Self.
• Constrained Delegation falls into 3 subtypes
   • Kerberos Constrained Delegation (KCD)
   • Kerberos Constrained Delegation with Protocol Transition
   • Resource Based Constrained Delegation (RBCD)
Constrained Delegation
• Considered the most secure type of Delegation due to
  control of constraints
• msDS-AllowedToDelegateTo attribute
• S4U2Proxy
    • Allows a service to send a valid TGS to KDC and
      request TGS to another service
Constrained Delegation w/ Protocol Transition
• Used when initial authentication is not
  Kerberos; NTLM for example.
• TRUSTED_TO_AUTH_FOR_DELEGATION
• S4U2Self
    • S4U2Self allows a service to request a
      TGS to itself. Then use this TGS with
      S4U2Proxy to request TGS to another
      service.
  Note: the initial authentication of the client is not
  verified by the KDC
Resource Based Constrained Delegation
• msDS-AllowedToActOnBehalfOfOtherIdentity
• Does not require TrustedToAuthForDelegation
• Transfers the ability to configure
constrained delegation for the service from
the domain administrator to the service
administrator.
• Configured directly on the target resource object.
• Any user with write access to a computer object
can configure RBCD on that object.
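An added PowerShell example, not from the talk, that audits the four delegation configurations described in the preceding slides (unconstrained, constrained, protocol transition, RBCD) in a single LDAP query. It assumes the RSAT ActiveDirectory module and a domain-joined session with read access to computer objects; the function name and output layout are my own.

```powershell
# Added example, not from the talk: list every computer configured for unconstrained,
# constrained, protocol-transition or resource-based delegation in one LDAP query.
# Assumes the RSAT ActiveDirectory module and a domain-joined session with read access.
Import-Module ActiveDirectory

function Get-DelegationAudit {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    # userAccountControl bits: 0x80000 = TRUSTED_FOR_DELEGATION (unconstrained),
    # 0x1000000 = TRUSTED_TO_AUTH_FOR_DELEGATION (protocol transition).
    # 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
    $filter = '(|(userAccountControl:1.2.840.113556.1.4.803:=524288)' +
              '(userAccountControl:1.2.840.113556.1.4.803:=16777216)' +
              '(msDS-AllowedToDelegateTo=*)' +
              '(msDS-AllowedToActOnBehalfOfOtherIdentity=*))'

    $props = 'TrustedForDelegation', 'TrustedToAuthForDelegation',
             'msDS-AllowedToDelegateTo', 'PrincipalsAllowedToDelegateToAccount',
             'servicePrincipalName'

    Get-ADComputer -LDAPFilter $filter -SearchBase $SearchBase -Properties $props |
        ForEach-Object {
            $types = @()
            if ($_.TrustedForDelegation)                 { $types += 'Unconstrained' }
            if ($_.'msDS-AllowedToDelegateTo')           { $types += 'Constrained' }
            if ($_.TrustedToAuthForDelegation)           { $types += 'ProtocolTransition' }
            # PrincipalsAllowedToDelegateToAccount is the module's decoded view of the
            # msDS-AllowedToActOnBehalfOfOtherIdentity security descriptor (RBCD).
            if ($_.PrincipalsAllowedToDelegateToAccount) { $types += 'RBCD' }

            [pscustomobject]@{
                Computer            = $_.Name
                DelegationTypes     = ($types -join ',')
                AllowedToDelegateTo = ($_.'msDS-AllowedToDelegateTo' -join ';')
                RbcdPrincipals      = ($_.PrincipalsAllowedToDelegateToAccount -join ';')
                SPNs                = ($_.servicePrincipalName -join ';')
            }
        }
}

# Unconstrained delegation on anything other than a domain controller deserves a review,
# as does any RBCD principal that is not a known application server.
Get-DelegationAudit | Sort-Object DelegationTypes | Format-Table -AutoSize
```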
Unconstrained Kerberos Delegation
Interesting Trends in KCD Attacks
• SPN Modification
   • Kerberos uses SPNs to identify the security principal of a service or
     application. An SPN consists of either two parts or three parts. The first part
     is the service class, the second part is the host name, and the third part (if
     present) is the domain name.
   • The target service can validate inbound service tickets because they are
     encrypted with the hash of the service account's password. The SPN is not
     validated in this process and the SPN is part of the unencrypted part of the
     ticket.
   • This means an attacker who has compromised a system with KCD configured can
     modify the service portion of the SPN to authenticate to another service on the
     resource. For instance:
       Cifs/targetmachine.domain.corp
     can be replaced with:
       https/targetmachine.domain.corp
     with the intention of achieving RCE via WinRM.
Trending RBCD Attacks
• Why RBCD?
  • Write privileges to a computer object are all that is needed to configure RBCD
  • Default Machine Account Quota settings allow users to create 10 domain computer
    objects (with write access).
  • Privilege Escalation is typically the goal of this attack.
1. An attacker configures RBCD on a machine (machine 1) to which they have write access.
2. Another attacker-controlled machine, machine 2, is added to machine 1's
   msDS-AllowedToActOnBehalfOfOtherIdentity attribute, meaning that machine 2 can
   impersonate any user (including domain admins) on machine 1.
3. Using a tool like Rubeus the attacker can request an S4U2Self on behalf of machine 2
   impersonating a domain admin.
4. Then, the S4U2Self ticket would be used to request an S4U2Proxy back to itself as an
   elevated user.
PWN.
KrbRelayUp
   Summary Of Cross-Trust KCD Vulnerabilities
In a domain that has taken steps to make attacking Kerberos delegation harder, such as
setting the machine account quota to 0, if a trust is in place with another, less secure
domain, constrained delegation attacks could still be possible.
“a chain is no stronger than its weakest link”
                                            -Thomas Reid
Attack Vectors for Delegation in Hybrid AD
• Azure AD VMs joined to on-premises Domain Controllers
    • Vulnerable to KrbRelayUp and other KCD attack methods
• Synchronized accounts configured for Azure Global Administrator or Intune
  Administrator (or any other Azure Admin Role)
    • These Azure roles have the ability to run scripts as SYSTEM on all
      Azure AD and hybrid joined devices.
• Application Proxy
    • Azure Application Proxies are connected directly to on-premises
      Application Proxy connectors which can be configured with KCD.
Mitigations
• Enable LDAP Signing and Channel Binding
• Enable Extended Protection for Authentication (EPA)
• Set Machine Account Quota to 0
• MS Defender for Endpoint
  • Defender for Endpoint leverages these network signals and looks for suspicious
    LDAP and Kerberos requests to Active Directory domain controllers to accurately
    detect attacks using KrbRelayUp
• MS Defender for Identity
  • Suspicious Kerberos delegation attempt by a newly created computer.
  • Suspicious edit of the Resource Based Constrained Delegation Attribute by a
    machine account (KrbRelayUp).
• Use a SIEM or SOAR to monitor for these activities.
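An added PowerShell example, not part of the talk, that applies and verifies the mitigations listed above: it sets the machine account quota to 0, reads the NTDS registry values behind LDAP signing and channel binding on each DC, and pulls the directory-change events a SIEM rule for RBCD attribute writes would be built on. It assumes the RSAT ActiveDirectory module, Domain Admin rights, PowerShell remoting to the DCs, and that Directory Service Changes auditing is enabled so event 5136 is logged; the function names are mine.

```powershell
# Added example, not from the talk: apply and verify the mitigations above.
# Assumes RSAT ActiveDirectory module, Domain Admin rights and PS remoting to the DCs.
Import-Module ActiveDirectory

function Set-MachineAccountQuotaZero {
    # The default of 10 lets any user create computer objects they have write access to,
    # which is what the RBCD attack flow relies on; 0 removes that ability.
    $dn = (Get-ADDomain).DistinguishedName
    Set-ADDomain -Identity $dn -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
    (Get-ADObject -Identity $dn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
}

function Test-DcLdapHardening {
    # LDAPServerIntegrity = 2 means "require signing"; LdapEnforceChannelBinding = 2 means
    # "always" (channel binding token required). Anything else is reported as not hardened.
    $dcs = (Get-ADDomainController -Filter *).HostName
    Invoke-Command -ComputerName $dcs -ScriptBlock {
        $p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
        [pscustomobject]@{
            DC                   = $env:COMPUTERNAME
            LdapSigningRequired  = ($p.LDAPServerIntegrity -eq 2)
            ChannelBindingAlways = ($p.LdapEnforceChannelBinding -eq 2)
        }
    }
}

function Get-RbcdAttributeWrites {
    param([int]$Hours = 24)
    # Security event 5136 (Directory Service Changes auditing must be on) records each
    # attribute write; a machine account writing msDS-AllowedToActOnBehalfOfOtherIdentity
    # is the pattern Defender for Identity flags for KrbRelayUp.
    $dcs = (Get-ADDomainController -Filter *).HostName
    Invoke-Command -ComputerName $dcs -ScriptBlock {
        Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136
                                         StartTime = (Get-Date).AddHours(-$using:Hours) } -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -match 'msDS-AllowedToActOnBehalfOfOtherIdentity' } |
            Select-Object TimeCreated, MachineName, Message
    }
}

Set-MachineAccountQuotaZero
Test-DcLdapHardening | Format-Table -AutoSize
Get-RbcdAttributeWrites -Hours 24 | Format-List
```

Event 5136 only appears when a SACL for the attribute exists and Directory Service Changes auditing is enabled, so an empty result is not proof that nothing was written.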
Special Thanks to the hard work and research by:
     Charlie Clark
     Will Schroeder
     Elad Shamir
     Benjamin Delpy
     Sean Metcalf
     Andy Robbins
     Mor Davidovich
Thank You!
Questions?