Unconstrained Delegation: Active Directory-র কনফিগারেশন ত্রুটি কাজে লাগিয়ে পুরো ডোমেইনের অ্যাক্সেস নেওয়ার হ্যাকিং পদ্ধতি!

Active Directory-এ Kerberos delegation তিন form-

Unconstrained Delegation

RFC ১৫১০ থেকে inherited concept। Service-এর userAccountControl attribute-এ TRUSTED_FOR_DELEGATION flag set। Service whoever authenticate করে তাঁর TGT receive করে এবং সেই TGT যে কোনো other service-এ use করতে পারে।

Constrained Delegation (S4U)

Windows Server 2003-এ introduced। Service কেবল pre-specified target service-এ delegate করতে পারে। userAccountControl-এ TRUSTED_TO_AUTH_FOR_DELEGATION flag এবং msDS-AllowedToDelegateTo attribute।

দুটি sub-protocol — S4U2Self (service nij user-এর জন্য ticket request), S4U2Proxy (forwarded ticket দিয়ে other service-এ authenticate)।

Resource-Based Constrained Delegation (RBCD)

Windows Server 2012-এ। Target resource owner control করেন কে তাঁর behalf-এ act করতে পারে। Target resource-এর msDS-AllowedToActOnBehalfOfOtherIdentity attribute।

Unconstrained Delegation সবচেয়ে dangerous, কারণ scope unlimited। Modern best practice — এটি avoid করা, Constrained বা RBCD-এ migrate।

Step-by-step flow-

1. User Alice একটি Unconstrained Delegation-enabled server (webapp.contoso.com)-এ authenticate করতে চান।
2. Alice তাঁর KDC থেকে service ticket request করেন। Standard scenario-এ ticket-এ Alice-এর authorization data থাকে, কিন্তু Alice-এর TGT নয়।
3. কিন্তু webapp Unconstrained Delegation-এ enabled, তাই KDC special TGT (forwardable copy of Alice-এর TGT) include করে service ticket-এ।
4. Alice ticket present করেন, webapp Alice-এর TGT extract করে own memory-তে store করে (LSASS-এ)।
5. webapp Alice-এর behalf-এ অন্য server (db.contoso.com)-এ TGT present করে নিজের service ticket request করে।
6. KDC TGT verify করে service ticket issue করে। webapp Alice-এর identity-তে db access পায়।

এই legitimate design valid scenario-এ যেমন web server backend database-এ access করা। কিন্তু attacker view থেকে — যদি webapp-এর local admin compromise হয়, attacker LSASS-এ stored সমস্ত cached TGT extract করতে পারেন।

Step 1 — Enumeration

PowerView, ADSearch, BloodHound — সবগুলো tool-এই Unconstrained Delegation-enabled account enumerate করার capability।

PowerView: Get-DomainComputer -UnConstrained এবং Get-DomainUser -TrustedToAuth।

BloodHound: pre-built query "Find AS-REP Roastable Users" এবং "Find Computers with Unconstrained Delegation"।

LDAP filter: (userAccountControl:1.2.840.113556.1.4.803:=524288)।

Domain Controller সর্বদা Unconstrained Delegation-এ থাকে (by design), তাই focus হবে non-DC machine — old file server, print server, legacy application server, custom-configured workstation।

Step 2 — Local Admin Acquisition

Attacker target Unconstrained Delegation server-এ local admin বা SYSTEM access অর্জন করেন। Common paths-

• SMB relay attack।
• vulnerable service exploitation (RCE)।
• credential reuse (stolen password)।
• post-exploitation lateral movement।

Step 3 — Triggering Authentication

এটাই attack-এর critical step। Attacker-এর প্রয়োজন একটি privileged account (যেমন domain admin) সেই server-এ authenticate করুক। এই triggering-এর জন্য কয়েকটি technique-

Printer Bug (SpoolSample)

Will Schroeder, Lee Christensen এবং Matt Nelson-এর published "Printer Bug" — Print Spooler service-এর RpcRemoteFindFirstPrinterChangeNotificationEx RPC method। Attacker remote machine-এ printer change notification register করতে পারেন, এবং target machine attacker-এর machine-এ authenticate করে। যদি target machine একটি domain controller হয়, DC-এর computer account credential capture করা যায়।

Tool: SpoolSample, Coercer, PetitPotam।

PetitPotam

Lionel Gilles-এর published EFSRPC abuse। EfsRpcOpenFileRaw এবং related method unauthenticated হিসেবে force authentication trigger করে।

PrinterBug Variants

SpoolSample-এর সাথে DFSCoerce (DFS service), MS-FSRVP (Shadow Copy), MS-WSP (Windows Search) — সবগুলোই forced authentication coercion technique।

Step 4 — TGT Capture

Triggered authentication-এর সময় target server-এ মিরোম memory (LSASS)-এ TGT cache হয়। Mimikatz দিয়ে dump-

sekurlsa::tickets /export

বা Rubeus দিয়ে-

Rubeus.exe monitor /interval:1

— continuous monitoring, যা real-time-এ incoming TGT capture করে export করে।

Step 5 — TGT Reuse

Captured TGT অন্য environment-এ inject।

Rubeus.exe ptt /ticket:<base64>

বা Mimikatz:

kerberos::ptt ticket.kirbi

এখন attacker সেই privileged identity-তে operate করতে পারেন। যদি domain admin TGT capture হয়, full domain compromise।

Domain Controller সর্বদা Unconstrained Delegation-এ থাকে — by design। কিন্তু DC-তে local admin access ছাড়া এই privilege কাজে আসে না। তাহলে DC কীভাবে Unconstrained Delegation context-এ Vulnerable?

Real abuse — যদি DC কে অন্য DC-এর সাথে coerce করা যায় (DCSync-এর মাধ্যমে), তাহলে domain-wide hash dump এবং Golden Ticket forgery সম্ভব। তবে এটি actually আলাদা attack class।

Unconstrained Delegation-এর প্রকৃত target — third-party server যেখানে domain admin commonly login করেন। File server, terminal server, jump box — এসব ক্ষেত্রে।

Rubeus

Will Schroeder-এর developed C# Kerberos toolkit। Key command-

• monitor /interval:1 — continuous TGT capture।
• harvest — bulk TGT collection।
• ptt /ticket:<> — pass-the-ticket।
• s4u /user:<> /rc4:<> /impersonateuser:<> /msdsspn:<> /altservice:<> — Constrained Delegation abuse।

Mimikatz

• sekurlsa::tickets /export — LSASS-এ stored ticket।
• kerberos::list /export — current session ticket।
• kerberos::ptt — pass the ticket।

SpoolSample / Coercer / PetitPotam

Authentication coercion।

Impacket Suite

Python-based — ntlmrelayx.py, dfscoerce.py, petitpotam.py, printerbug.py, getST.py।

BloodHound

Domain attack path visualization। "Shortest Path to High-Value Target" query-এ Unconstrained Delegation hop highlighted।

Specific application-এ Unconstrained Delegation common-

SCCM (System Center Configuration Manager)

Old SCCM deployment-এ Management Point এবং Distribution Point সাধারণত Unconstrained Delegation-এ configured ছিল। SCCM exploitation-এ এটি critical path।

Exchange Servers

Pre-2019 Exchange-এ default high-privilege। যদি Exchange Unconstrained Delegation-এ থাকে, ExchangeWindowsPermissions group-এর সাথে combined attack path।

IIS Application Pool

Old IIS deployment-এ application pool identity Unconstrained Delegation-এ থাকতে পারে।

Legacy File Server

Cross-domain file access-এর প্রয়োজনে এমন configuration কখনো করা হয়েছিল।

Event Log

• Event ID 4769: Kerberos service ticket request। Unconstrained Delegation-এ ticket-এ Forwardable এবং Forwarded flag।
• Event ID 4742: computer account changed (delegation modification)।
• Event ID 4624: logon, type 3 (network)।

Sigma Rule

SigmaHQ-তে available rule-

• "Unconstrained Delegation Modification"
• "Suspicious Kerberos Forwarded Ticket"
• "Authentication Coercion via Printer Bug"

EDR Signal

LSASS access pattern (Mimikatz-style), Rubeus execution, unusual incoming Kerberos authentication।

Network Detection

Sudden incoming Kerberos authentication to non-DC server, especially from DC accounts। PetitPotam EFSRPC traffic, SpoolSample RPC pattern — network IDS signature।

LDAP Monitoring

LDAP modification-এ userAccountControl change with TRUSTED_FOR_DELEGATION — alert।

Inventory এবং Remediation

BloodHound বা PowerView দিয়ে সব Unconstrained Delegation-enabled account enumerate। প্রতিটি account-এর জন্য —

• Is delegation still needed?
• Can migrate to Constrained Delegation বা RBCD?
• If still needed, additional safeguard?

Migration to Constrained Delegation

Constrained Delegation specific service-এ limited। msDS-AllowedToDelegateTo attribute-এ explicit list।

Resource-Based Constrained Delegation

RBCD owner-centric model — target resource owner control। Even more granular।

Protected Users Group

Sensitive account (domain admin) Protected Users group-এ add। এই group-এর member-এর-

• NTLM authentication denied।
• Kerberos AES enforced (RC4 denied)।
• TGT non-forwardable, non-delegable।
• TGT lifetime 4 hours (default 10)।

এই restriction Unconstrained Delegation-এ TGT capture-কে neutralize করে।

Account Is Sensitive and Cannot Be Delegated

Account properties-এ এই checkbox enable। User-এর TGT কোনো service-এর কাছে delegate হবে না।

Authentication Policy এবং Silos

Authentication Policy-এ admin account-এর জন্য specific authentication restriction। Authentication Policy Silo-এ admin-only environment।

Tier Model Enforcement

Microsoft-এর Enhanced Security Administrative Environment (ESAE) এবং Tier 0/1/2 model। Tier 0 admin কেবল Tier 0 resource-এ login করেন।

Printer Service Hardening

Print Spooler service domain controller এবং sensitive server-এ disable। CVE-2021-34527 (PrintNightmare)-এর সাথে combined risk।

EFSRPC Hardening

NTLM authentication restriction। EFSRPC patch (CVE-2021-36942 — PetitPotam mitigation)।

Audit Logging

Robust Active Directory audit policy। SIEM ingestion এবং SOC monitoring।

Regular BloodHound Review

Quarterly attack path assessment। New Unconstrained Delegation creation alert।

Enterprise Active Directory-এর জন্য structured recommendation-

Discovery এবং Inventory:

• BloodHound-এ full enumeration।
• legitimate business justification-এর সাথে registry maintain।

Migration Strategy:

• Constrained Delegation-এ migrate (medium effort)।
• RBCD-এ migrate (higher effort, higher security)।

Privileged Account Protection:

• Protected Users group enforce।
• "Sensitive and cannot be delegated" checkbox।
• Authentication Policy/Silo deployment।

Service Hardening:

• Print Spooler disable DC এবং sensitive server-এ।
• EFSRPC patch latest।
• Web Distributed Authoring and Versioning (WebDAV) review।

Tier Model:

• Tier 0/1/2 separation।
• Privileged Access Workstation।
• Just-in-time admin access (Microsoft PIM)।

Monitoring:

• Event 4769 forwarded ticket alert।
• Event 4742 delegation change alert।
• coercion technique-এর Sigma rule।

Network Segmentation:

• DC-only network segment।
• admin VLAN।

Periodic Red Team:

• BloodHound-based path discovery exercise।
• coercion technique simulation।

Patching:

• regular Windows update — multiple coercion technique CVE-fixed।

Detection Engineering:

• internal Sigma rule development।
• EDR custom rule।

Training:

• AD administrator security training।
• developer awareness — legacy delegation pattern avoid।