description
Windows AD feature abuse -- Exploiting unrestricted Kerberos delegation enabled on a domain computer

Kerberos Unconstrained Delegation

Overview

  • The user's TGT will be cached in memory
  • This can then be dumped later and reused by an adversary

How it works

  • Unrestricted Kerberos delegation is a privilege that can be assigned to a domain computer or a user
  • Usually, this privilege is given to computers (in this lab, it is assigned to a computer IIS01) running services like IIS, MSSQL, etc.
  • Those services usually require access to some back-end database (or some other server), so that they can read/modify the database on the authenticated user's behalf
  • When a user authenticates to a computer that has the unrestricted Kerberos delegation privilege turned on, the authenticated user's TGT gets saved to that computer's memory
  • The reason TGTs get cached in memory is so the computer (with delegation rights) can impersonate the authenticated user as and when required for accessing any other services on that user's behalf
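
A defender-side check for the behavior described above, added here as an example (not part of the original page or lab): it reads a constructed LDIF export and uses the `userAccountControl` bits to list non-DC accounts that have unrestricted delegation, plus privileged accounts not marked "sensitive and cannot be delegated". The `lab.local` names, the sample entries, the simple unfolded LDIF layout and the use of `adminCount` as a privilege marker are assumptions.

```python
# Constructed sample export below; not from a real domain or the original page.
UF_SERVER_TRUST_ACCOUNT = 0x2000      # domain controller computer account
UF_TRUSTED_FOR_DELEGATION = 0x80000   # unrestricted (unconstrained) delegation
UF_NOT_DELEGATED = 0x100000           # "sensitive and cannot be delegated"

SAMPLE_LDIF = """\
dn: CN=DC01,OU=Domain Controllers,DC=lab,DC=local
sAMAccountName: DC01$
userAccountControl: 532480

dn: CN=IIS01,CN=Computers,DC=lab,DC=local
sAMAccountName: IIS01$
userAccountControl: 528384

dn: CN=svc-sql,CN=Users,DC=lab,DC=local
sAMAccountName: svc-sql
userAccountControl: 524800

dn: CN=Administrator,CN=Users,DC=lab,DC=local
sAMAccountName: Administrator
userAccountControl: 512
adminCount: 1

dn: CN=da-protected,CN=Users,DC=lab,DC=local
sAMAccountName: da-protected
userAccountControl: 1049088
adminCount: 1
"""

def parse_ldif(text):
    """Split an LDIF export into one attribute -> value dict per entry."""
    return [dict(line.split(": ", 1) for line in block.splitlines() if ": " in line)
            for block in text.strip().split("\n\n")]

def audit(entries):
    """Return (accounts that cache TGTs, privileged accounts still delegable)."""
    delegating, exposed = [], []
    for e in entries:
        uac = int(e.get("userAccountControl", "0"))
        is_dc = bool(uac & UF_SERVER_TRUST_ACCOUNT)  # DCs carry the flag by design
        if uac & UF_TRUSTED_FOR_DELEGATION and not is_dc:
            delegating.append(e["sAMAccountName"])
        # Assumption: adminCount=1 is used here as a rough "privileged" marker.
        if e.get("adminCount") == "1" and not uac & UF_NOT_DELEGATED:
            exposed.append(e["sAMAccountName"])
    return delegating, exposed

if __name__ == "__main__":
    print(audit(parse_ldif(SAMPLE_LDIF)))
```

Accounts in the first list are where TGTs end up cached, so they warrant the same hardening and monitoring as a domain controller; accounts in the second list are the ones whose TGT would be cached if they authenticated to such a host.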

Reference

{% embed url="https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/domain-compromise-via-unrestricted-kerberos-delegation" %}