TL;DR

Compromise of a server with unconstrained delegation allows extraction of the TGTs of any user or system that connects to it. Combined with the printer bug, this can lead to forest compromise.

Background

Back when Windows Server 2000 first introduced Active Directory, Microsoft had to find a way to allow servers to authenticate to other resources in the context of a user.

They implemented it as follows: the user authenticates to a service on a server via a service ticket (TGS). The target service extracts the user's TGT from the TGS and uses it for further TGS requests.

Unconstrained Delegation is a privilege that can be granted to user accounts or computer accounts in an Active Directory environment. It allows a resource to authenticate to another resource on BEHALF of a user.

Example:

The user Stuart authenticates to Workday (a web app), which in turn authenticates to the Payroll server on behalf of Stuart to fetch information.

Step by step:

  1. Stuart sends a TGS to Workday, and as part of the TGS ticket he also sends a TGT (that is normal for all TGS requests).
  2. The Workday server extracts the TGT out of the TGS and stores it in memory (cached).
  3. The Workday server uses the TGT to fetch data from Payroll on behalf of Stuart, by sending it the user's TGT.
  4. The Payroll server sends the requested data back to Workday.

By compromising the 'Workday' server, which is configured with unconstrained delegation, we can monitor incoming TGS tickets, extract the TGTs and use them in further attacks.
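The privilege described above is recorded as a bit in each account's userAccountControl attribute, so a defender can inventory every 'Workday'-style server before it is compromised. The following audit script is an added example, not code from the original page; the flag values are Microsoft's documented userAccountControl bits, and the directory entries it classifies are constructed sample data standing in for the results of an LDAP search.

```python
"""Audit Active Directory accounts for unconstrained delegation.

Added example (not from the original page). It classifies the
userAccountControl bit field of directory entries; SAMPLE_ENTRIES
below is constructed data, not a real directory dump.
"""

# userAccountControl flag bits (documented by Microsoft).
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained, with protocol transition
SERVER_TRUST_ACCOUNT = 0x2000               # domain controller
WORKSTATION_TRUST_ACCOUNT = 0x1000          # member computer

# LDAP filter using the bitwise-AND matching rule (1.2.840.113556.1.4.803);
# this is what a live search against the directory would use.
UNCONSTRAINED_FILTER = "(userAccountControl:1.2.840.113556.1.4.803:=524288)"


def classify(entry):
    """Return 'dc', 'unconstrained', 'constrained' or 'none' for one entry."""
    uac = int(entry["userAccountControl"])
    if uac & SERVER_TRUST_ACCOUNT:
        # Domain controllers are trusted for delegation by design; not a finding.
        return "dc"
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if uac & TRUSTED_TO_AUTH_FOR_DELEGATION or entry.get("msDS-AllowedToDelegateTo"):
        return "constrained"
    return "none"


def find_unconstrained(entries):
    """Return sAMAccountNames of non-DC accounts with unconstrained delegation."""
    return [e["sAMAccountName"] for e in entries if classify(e) == "unconstrained"]


# Constructed sample of what an LDAP search might return.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "DC01$", "userAccountControl": 0x82000},      # DC
    {"sAMAccountName": "WORKDAY01$", "userAccountControl": 0x81000}, # server, unconstrained
    {"sAMAccountName": "WEB02$", "userAccountControl": 0x1001000,
     "msDS-AllowedToDelegateTo": ["HTTP/payroll"]},                  # constrained
    {"sAMAccountName": "svc_app", "userAccountControl": 0x80200},    # user account, unconstrained
    {"sAMAccountName": "stuart", "userAccountControl": 0x200},       # plain user
]

if __name__ == "__main__":
    for name in find_unconstrained(SAMPLE_ENTRIES):
        print("unconstrained delegation:", name)
```

In a real audit, SAMPLE_ENTRIES is replaced by the entries returned from a search with UNCONSTRAINED_FILTER; any non-DC hit is a server whose compromise would expose the cached TGTs described above.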

(Diagram: Kerberos unconstrained delegation, Visio)

Worth Noting

Tickets in memory

The TGS tickets that hosts send to the server are stored in the server's memory, and they can be extracted from there.

The printer bug <a id="UnconstrainedDelegation-Theprinterbug"></a>

This attack combined with the printer bug is very dangerous for domains and highly beneficial to attackers.