Delegation is the act of acting on behalf of another principal. Kerberos needs it because authentication is not transitive: a service that has authenticated a user cannot, by default, reuse that authentication to reach a second service as that user.
Relevant Example
- dylan uses Windows authentication on a website running as svc_web.
- svc_web needs to grab his data from the MSSQL server running as svc_sql.
- svc_web will impersonate dylan and access the data from MSSQL: svc_web requests a TGS for svc_sql under the context of dylan.
Unconstrained delegation: a service can use the client's TGT to request tickets on the client's behalf. The computer the service runs on must be configured for it by having TrustedForDelegation enabled (the TRUSTED_FOR_DELEGATION bit of userAccountControl; domain controllers have it by default). With this configuration, every client that authenticates to the service with Kerberos sends a forwarded copy of its TGT inside the service ticket, and LSASS caches those TGTs in the computer's memory so the service account can delegate with them.
A SYSTEM compromise of this computer allows the impersonation of any user whose TGT is cached there. We can simply harvest the tickets from memory and pass them into a session; they are usable until they expire. Accounts marked "Account is sensitive and cannot be delegated" and members of Protected Users never send a forwardable TGT, so they will not show up. dump grabs what is currently cached; monitor keeps watching for new TGTs as users log on.
Rubeus.exe dump /nowrap
Rubeus.exe monitor /interval:5 /nowrap
Furthering this, we can use tools like SpoolSample or printerbug.py (MS-RPRN print spooler coercion) to make other hosts authenticate to our compromised unconstrained host, so their machine-account TGTs land in its memory too. Start Rubeus monitor first, and give the unconstrained host as its FQDN so the target resolves it to an SPN and authenticates with Kerberos rather than NTLM. The idea is the same as the basis of NTLM relaying (coerce a privileged host to authenticate to somewhere you control), but the payoff here is a forwarded TGT; a domain controller's machine-account TGT is enough for DCSync.
SpoolSample.exe <TARGET> <Compromised Unconstrained Host>
printerbug.py 'domain/username:password@<TARGET>' <Compromised Unconstrained Host>
Constrained delegation with protocol transition: a computer or service account with TrustedToAuth (the TRUSTED_TO_AUTH_FOR_DELEGATION bit, "Use any authentication protocol" in the GUI) may impersonate any user to the services listed in its msDS-AllowedToDelegateTo property. This works in two steps. First the service/computer account uses S4U2SELF to obtain a forwardable TGS to itself on behalf of any user, with no credentials or involvement from that user (this is the protocol transition). Then S4U2PROXY is used: the forwardable TGS obtained via S4U2SELF is presented to the KDC to request another ticket, still as the impersonated user, for a service specified in the msDS-AllowedToDelegateTo property of the service account. Rubeus s4u and impacket's getST.py implement both steps. Caveats: the KDC refuses both for users marked "Account is sensitive and cannot be delegated" or in Protected Users; without TrustedToAuth (Kerberos-only constrained delegation) the S4U2SELF ticket is not forwardable, so the user must have authenticated to the service themselves; and because the service class in a ticket's sname is not protected, a ticket for one listed SPN can be rewritten for any other service on the same host (Rubeus /altservice).