Posts

Showing posts from May, 2019

The mind-blowing Kerberos "Use Any Authentication Protocol" Delegation

Image
Kerberos delegation has been in the spot light for some time now and the risks behind it have been outlined in quite a few blogs and conference presentations - I particularly recommend reading https://adsecurity.org/?p=1667 and https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/. For some time, it was my incorrect understanding that unconstrained delegation is a massive problem while constrained/resource based is less destructive. That is however not the case, and the exploitation that is to follow absolutely blew my mind the first time I saw it in "action".

When a service account is set for "Use any authentication protocol" delegation, it means that the service account is allowed to delegate without being required to prove that a user authenticated to it! In normal words, just saying "I shall pass because I am the administrator, trust me!" opens the door with no questions asked and no one verifying that you are in fact the administrator. …