Skip to content

Delegation

Info

This note is still in development.

What is Delegation?

Delegation allows a system to store the TGT of an account that authenticates to it in its memory, then request access to specified resources within the domain on behalf of the end-user that has authenticated to it.

Why does this exist? It allows applications to access resources hosted elsewhere on behalf of users, without having to allow said application full unfettered access to the backend resource. An example of this would be a public facing web server having delegation rights to a backend SQL server. The web server does NOT have access to the SQL database, however the web server can request access to the database on behalf of a logged on user. This allows the user to access the data they're provisioned to within the SQL database (without ever touching the database itself), while also making sure the web server account doesn't have unrestricted access to the database.

Types of Delegation

To help aid in understanding, the following terms/variables will be used in examples:

Name Description
$Bobby Authenticated user to be impersonated.
$DelegServer Application with a type of delegation (e.g., www/server1.domain).
$Resource Domain resource being accessed / delegated to (e.g., mssql/server2.domain).

Unconstrained Delegation

Unconstrained Delegation rights allow a service to authenticate on a user's behalf to any service or system within the entire domain without restrictions, which means that it has broad, unconstrained access.

  • Example:
    • $Bobby authenticates to $DelegServer, and his TGT is stored in $DelegServer's memory. Depending on what rights $Bobby has, $DelegServer can access any $Resource within the domain on his behalf.
  • Tip:
    • The tool SpoolSample.exe can force a Domain Controller (DC) computer account to authenticate to any other AD computer. This means if an attacker has access to a system with Unconstrained Delegation, using SpoolSample.exe they can delegate to any system in the network as the DC (i.e., Domain Admin).
  • Attributes:
    • UserAccountControl: TRUSTED_FOR_DELEGATION

Constrained Delegation

Constrained Delegation rights restrict delegation by specifying which services can be delegated to within the domain, allowing a service to authenticate on a user's behalf to only the services explicitly configured (e.g., delegation rights ONLY to mssql/server2.domain).

  • Example:
    • $DelegServer can request a ST for $Bobby (or ANY user not marked as 'Sensitive') without needing their TGT stored in memory, and subsequently ser to specified $Target.
  • Tip:
    • Bruh
  • Attributes:
    • UserAccountControl: TRUSTED_FOR_DELEGATION
    • msDS-AllowedToDelegateTo: Contains the SPN of $Resource

Resource-Based Constrained Delegation (RBCD)

Resource-Based Constrained Delegation rights further refines the scope of delegation by allowing a service to authenticate on a user's behalf to only the specific resources on systems explicitly configured (e.g., CIFS access on a specific Domain Computer).

  • Example:
    • Bruh
  • Tip:
    • Bruh
  • Attributes:
    • msDS-AllowedToActOnBehalfOfOtherIdentity: Contains the SPN of a $DelegServer

Delegation Spark Notes (Ugly)

# Helper Variables
$Deleg  = Application with a type of delegation
$User   = User to be impersonated
$Target = Domain resource being delegated to

# Unconstrained Delegation
- Description: a system with unconstrained delegation can impersonate an authenticated user to ANY service in the domain.
- $Deleg UAC Attribute: TRUSTED_FOR_DELEGATION
- Usage: $User authenticates to $Deleg, and their TGT is stored in $Deleg memory. $Deleg can now impersonate $User to any $Target in the domain.
- Tips: SpoolSample.exe can force a DC to authenticate to any AD computer, meaning a DC computer TGT can be acquired (i.e., Domain Admin privs).

# Constrained Delegation
- Description: a system with constrained delegation can impersonate an authenticated user to only a specified service in the domain (e.g., www/server1.domain).
- $Deleg UAC Attribute: TRUSTED_TO_AUTH_FOR_DELEGATION
- $Deleg msDS-AllowedToDelegateTo: Contains SPN of $Target
- Usage: $Deleg can request a ST for any $User (not marked as 'Sensitive') and impersonate them to specified $Target.
- Tips: Specified service can be changed to any service on the $Target computer object (e.g., www/server1.domain changed to cifs/server1.domain).

# Resource-Based Constrained Delegation (RBCD)
- Description: a target service uses RBCD to specify which system is allowed to delegate to it (inverse of prior delegation types).
- $Target msDS-AllowedToActOnBehalfOfOtherIdentity: Contains SPN of any system to act as $Deleg
- Usage: $Target has set $Deleg to be allowed to delegate to it.$Deleg can request a ST for any $User (not marked as 'Sensitive') and impersonate them to $Target.
- Tips: Unprivileged users with ms-DS-MachineAccountQuota attribute set above 0 (default: 10) can create a new domain computer account with an SPN.

Exploitation

Info

WIP

# Constrained Delegation

# Query DC for User/Computer Accounts with Constrained Delegation
Get-DomainUser -TrustedToAuth 2>$NULL
Get-DomainComputer -TrustedToAuth 2>$NULL