BloodHoundAD / BloodHound

Six Degrees of Domain Admin
GNU General Public License v3.0
9.56k stars 1.7k forks

Feature Request: Edge for User Accounts with Unconstrained Delegation #375

Open johnmccash opened 3 years ago

johnmccash commented 3 years ago

I spoke to you guys at the last Derbycon about this, but the feature never materialized, so I thought I'd put in a formal feature request. I've seen, in some environments, services that allow Kerberos authentication which are backed by normal user 'service' accounts with unconstrained delegation enabled, rather than machine accounts. This isn't currently handled by BloodHound's delegation edge, and should be added. For reference, here's an article I found on the topic of exploiting such a configuration:

johnmccash commented 3 years ago

https://exploit.ph/user-constrained-delegation.html

johnmccash commented 3 years ago

Another thought on this: after looking through the above posting, there appear to be a couple of constraints on exploitation of user accounts with unconstrained delegation. Specifically, as best I can tell, the attacker needs to either be able to write the SPN of the account, or else needs administrative access rights to the host where the service backed by the user account is running. The article lists the first of these, and the second occurred to me after thinking about it a bit. Basically, the article talks about adding an SPN to the user which points to a host the attacker controls, where the attacker can intercept the authentication request and redirect it to the service running under the delegating account. My idea for the extension of this to the case where the attacker has admin rights on the host where the service is running, but NOT rights to modify the user's SPN, is based on simply doing the same thing, but using the host where the service is running rather than an external one, thus removing the requirement for a different SPN. Note that I haven't tested this, but it seems like it should work.

yellow-starburst commented 2 years ago

Wasn't this exploitation path of addspn added to BloodHound in the recent push?

johnmccash commented 2 years ago

They did create an addspn edge, but it's unclear to me whether the associated exploitation path is intended to include user accounts with unconstrained delegation. Also, if you gain admin on the host where such an account is employed to back a service, as I noted above, there's no requirement that you be able to write the account's SPN. It seems to me that user (service, really) accounts with unconstrained delegation should be included in the existing unconstrained delegation edge.
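Until BloodHound covers this case, the accounts the thread describes (user objects, not computers, with the unconstrained-delegation bit set) can be audited straight from directory attributes. The script below is an added example for this thread, not BloodHound or SharpHound code: it reads the `userAccountControl` and `servicePrincipalName` attributes of constructed sample records (assumed to come from an LDAP query in real use) and reports which user accounts are trusted for unconstrained delegation and whether they carry an SPN.

```python
# Added example (not BloodHound code): find user accounts, as opposed to
# computer accounts, that are trusted for unconstrained delegation.
# Records are constructed here; in practice they would be pulled over LDAP
# with the attributes sAMAccountName, userAccountControl,
# servicePrincipalName and objectClass.

TRUSTED_FOR_DELEGATION = 0x00080000   # userAccountControl bit: unconstrained delegation
ACCOUNTDISABLE = 0x00000002           # userAccountControl bit: account disabled

def is_unconstrained_user(record):
    """True for an enabled, non-computer account with unconstrained delegation."""
    uac = int(record.get("userAccountControl", 0))
    if "computer" in record.get("objectClass", []):
        return False                  # machine accounts: already an existing edge
    if uac & ACCOUNTDISABLE:
        return False                  # disabled accounts cannot receive tickets
    return bool(uac & TRUSTED_FOR_DELEGATION)

def audit(records):
    """Return one finding per risky user account, in input order."""
    findings = []
    for r in records:
        if not is_unconstrained_user(r):
            continue
        spns = r.get("servicePrincipalName", [])
        findings.append({
            "account": r["sAMAccountName"],
            "spns": list(spns),
            # Without an SPN the KDC issues no service tickets to this account,
            # so the flag is latent until someone who can write an SPN adds one
            # (the exact condition discussed in the thread).
            "has_spn": bool(spns),
        })
    return findings

# Constructed sample directory records (values chosen for the example only).
SAMPLE_RECORDS = [
    {"sAMAccountName": "svc_sql", "objectClass": ["user"],
     "userAccountControl": "524800",               # NORMAL_ACCOUNT | TRUSTED_FOR_DELEGATION
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.example:1433"]},
    {"sAMAccountName": "svc_legacy", "objectClass": ["user"],
     "userAccountControl": "524800"},              # delegation set, but no SPN yet
    {"sAMAccountName": "WEB01$", "objectClass": ["user", "computer"],
     "userAccountControl": "528384"},              # computer account: skipped
    {"sAMAccountName": "jdoe", "objectClass": ["user"],
     "userAccountControl": "512"},                 # plain user
    {"sAMAccountName": "svc_old", "objectClass": ["user"],
     "userAccountControl": "524802"},              # disabled: skipped
]

if __name__ == "__main__":
    for f in audit(SAMPLE_RECORDS):
        print(f"{f['account']}: unconstrained delegation, SPN present={f['has_spn']}")
```

Accounts reported with `has_spn=False` are the ones where the thread's "write the SPN" precondition applies; those with an SPN already front a service and warrant review of who holds admin rights on its host.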