Where Kerberos is used
In both examples, if the box is checked for “account is confidential and cannot be delegated”, these are not security issues. It is also possible to create a system/role where these capabilities exist, but are tightly controlled.
This is the second part of an article on the capabilities of the Kerberos attack tool Rubeus. The first part can be read here. This time we will look at how to use the tool to carry out the following attacks:
Much has already been written about why these attacks are possible, what mechanisms make them work, and how Kerberos operates under the hood (for example, colleagues from Jet Infosystem have published a good article with an analysis), so in this article I will focus on carrying out the attacks with Rubeus.
This attack is similar to Overpass-the-hash / Pass-the-key: the attacker tries to obtain a domain user's ticket (preferably one with maximum privileges in the domain) and load it into the current session. One way to obtain TGT tickets is to dump them locally on the current domain machine from the lsass.exe (Local Security Authentication Server) process. To do this, you must have local administrator privileges, and preferably NT AUTHORITY\SYSTEM. Rubeus can extract tickets stored in lsass with the dump action, and the sort action shows which tickets are currently stored on the system.
What is Kerberos
This article provides step-by-step instructions for implementing Service for User to Proxy (S4U2Proxy) or Kerberos Only Constrained Delegation on a custom service account for web enrollment proxy pages.
The workflows described in this article are specific to a given environment. The same workflows may not work for a different situation. However, the principles remain the same. The following figure summarizes this environment.
This section describes how to implement constrained delegation using Service for User to Proxy (S4U2Proxy), or Kerberos-only constrained delegation, when a custom service account is used for the web enrollment proxy pages.
I have spent hours and hours trying to learn and understand Windows authentication, Kerberos, SPN and restricted delegation in IIS 7.5. One thing I don’t understand is why it is “risky” to leave delegation enabled (i.e., not disable delegation for sensitive accounts) for administrators, CEOs, etc. Can someone explain this to me in layman’s terms? Frame your answer with respect to an intranet environment.
Please forgive my ignorance. I’m primarily a developer, but my company runs very lean these days and I’m also forced to wear the server admin hat … unfortunately, it still doesn’t fit very well, hahaha.
That box should be checked for administrative accounts, such as members of the Enterprise Admins group, because (hopefully) those accounts rarely need to use applications that require impersonation. It’s also a good idea for senior executives who have access to sensitive information, like a CIO, COO, head of Finance/Treasury, etc.
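The checkbox discussed in this answer and in the earlier one corresponds to the NOT_DELEGATED bit (0x100000) of the account's userAccountControl attribute. The following is an added example, not from the original thread, showing how a defender could audit which privileged accounts still lack that bit; the directory records and the list of privileged groups are constructed assumptions standing in for a real LDAP export.

```python
# Added example (not from the original page): audit which privileged accounts
# still lack the "Account is sensitive and cannot be delegated" setting.
# Directory data below is constructed inline to stand in for an LDAP export.

# userAccountControl bits (documented values from MS-ADTS / MS-SAMR).
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation on the account
NOT_DELEGATED = 0x100000                    # "Account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition (S4U2Self)

# Groups whose members should carry NOT_DELEGATED per the advice above
# (assumed list; extend it with your own sensitive roles).
PRIVILEGED_GROUPS = {"Enterprise Admins", "Domain Admins", "Administrators"}

# Constructed sample accounts: sAMAccountName, userAccountControl, memberOf.
# 0x200 is NORMAL_ACCOUNT.
SAMPLE_ACCOUNTS = [
    {"sam": "ea-alice", "uac": 0x200 | NOT_DELEGATED, "memberOf": ["Enterprise Admins"]},
    {"sam": "da-bob",   "uac": 0x200, "memberOf": ["Domain Admins"]},
    {"sam": "cfo",      "uac": 0x200, "memberOf": ["Finance"]},
    {"sam": "svc-web",  "uac": 0x200 | TRUSTED_TO_AUTH_FOR_DELEGATION, "memberOf": []},
    {"sam": "helpdesk", "uac": 0x200, "memberOf": []},
]

def is_sensitive(acct, extra_sensitive=frozenset()):
    """Sensitive = member of a privileged group, or explicitly listed (e.g. executives)."""
    return bool(PRIVILEGED_GROUPS & set(acct["memberOf"])) or acct["sam"] in extra_sensitive

def audit_delegation(accounts, extra_sensitive=frozenset()):
    """Return sAMAccountNames of sensitive accounts that can still be delegated.
    Mirrors the checkbox: NOT_DELEGATED bit clear means delegation is allowed."""
    return sorted(
        a["sam"] for a in accounts
        if is_sensitive(a, extra_sensitive) and not a["uac"] & NOT_DELEGATED
    )

def delegation_enabled_services(accounts):
    """Accounts that themselves hold delegation rights (the other side of the risk)."""
    mask = TRUSTED_FOR_DELEGATION | TRUSTED_TO_AUTH_FOR_DELEGATION
    return sorted(a["sam"] for a in accounts if a["uac"] & mask)

if __name__ == "__main__":
    print("Sensitive accounts still delegable:", audit_delegation(SAMPLE_ACCOUNTS, {"cfo"}))
    print("Accounts trusted for delegation:", delegation_enabled_services(SAMPLE_ACCOUNTS))
```

On a live domain the same logic applies to the userAccountControl values returned by an LDAP query; the accounts it reports are the ones where the checkbox still needs to be set.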