New Attack Abusing Kerberos Delegation in Active Directory Networks


A new attack vector exploiting vulnerabilities in Kerberos delegation within Active Directory (AD) networks has been uncovered, posing significant risks to enterprise security. 

This technique leverages the inherent weaknesses of Unconstrained Kerberos Delegation, a legacy feature that allows services to impersonate users across the network. 

While designed for resource access convenience, attackers can exploit this feature to escalate privileges and compromise entire domains.


Background on Kerberos Delegation

Kerberos delegation is a mechanism in AD that enables applications to act on behalf of users to access resources. 

There are three types of delegation: Unconstrained Delegation, Constrained Delegation, and Resource-Based Constrained Delegation (RBCD). Unconstrained Delegation, introduced in Windows 2000 Server, allows a service to impersonate any user authenticated to it, making it a prime target for attackers. 

While Microsoft has introduced safer alternatives like Constrained Delegation, legacy systems still rely on the older model, leaving them vulnerable.

According to Thinkst, the newly disclosed attack involves creating a “Ghost Server” object in AD with Unconstrained Delegation enabled. This Ghost Server appears as a legitimate machine but lacks an actual backing system. Here’s how the attack proceeds:

Setup of the Ghost Server: The attacker creates an AD object with Unconstrained Delegation enabled and configures its DNS records to point to another machine, such as a honeypot or compromised system.

Service Principal Name (SPN) Manipulation: SPNs are modified using tools like setSPN.exe to associate the Ghost Server’s domain name with an attacker-controlled machine.

Exploitation: When legitimate users or systems interact with the Ghost Server, their credentials are forwarded to the attacker-controlled machine. This allows attackers to impersonate high-privilege accounts like Domain Admins.

(Figure: The attack flow)

This attack method provides attackers with a stealthy path to privilege escalation and lateral movement within AD networks. 

By exploiting Unconstrained Delegation, they can impersonate any user interacting with the Ghost Server, potentially gaining access to sensitive resources or even compromising the Domain Controller (DC). 

Tools like BloodHound and Impacket make identifying and exploiting such vulnerabilities easier for attackers.

Moreover, if attackers gain access to machine passwords or manipulate AD object attributes, they can induce DCs to authenticate against their systems, further escalating privileges.

Mitigation Strategies

Organizations can adopt several measures to mitigate this risk:

  • Transition legacy systems to Constrained or Resource-Based Constrained Delegation wherever possible.
  • Place high-privilege accounts in the Protected Users group and enable settings like “Account is sensitive and cannot be delegated.”
  • Regularly review SPN configurations using tools like setSPN.exe or third-party solutions.
  • If using deception techniques like Ghost Servers, ensure strict access control lists (ACLs) and monitor changes rigorously.
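As an added example (not from the article and not Thinkst's tooling), the PowerShell audit below applies the checks above to a domain: it lists every non-DC account trusted for unconstrained delegation together with its SPNs, flags computer objects that have never logged on or whose DNS name resolves to an address already registered to a different host (the Ghost Server pattern described above), and reports Domain Admins members that are neither in Protected Users nor marked "Account is sensitive and cannot be delegated". It assumes the RSAT ActiveDirectory and DnsServer modules are installed, that the domain's DNS zone is AD-integrated and served by the PDC emulator, and that the caller can read AD and that zone; $DnsServer is the only value you are likely to need to change.

```powershell
# Added audit script: not part of the article or of Thinkst's tooling.
# Assumptions: RSAT ActiveDirectory and DnsServer modules are present, the
# domain zone is served by the PDC emulator, and the caller can read both.
Import-Module ActiveDirectory
Import-Module DnsServer

$Domain    = Get-ADDomain
$Zone      = $Domain.DNSRoot
$DnsServer = $Domain.PDCEmulator   # assumption: PDC hosts the AD-integrated zone

# userAccountControl bits (Microsoft-documented values)
$TRUSTED_FOR_DELEGATION = 0x80000    # unconstrained delegation
$NOT_DELEGATED          = 0x100000   # "Account is sensitive and cannot be delegated"

# --- 1. Accounts trusted for unconstrained delegation -----------------------
# LDAP_MATCHING_RULE_BIT_AND (1.2.840.113556.1.4.803) tests a single UAC bit.
$unconstrained = Get-ADObject `
    -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=$TRUSTED_FOR_DELEGATION)" `
    -Properties dNSHostName, servicePrincipalName, lastLogonTimestamp, whenCreated, objectClass

# Domain controllers legitimately carry the flag; exclude them by their computer object DN.
$dcObjectDNs = (Get-ADDomainController -Filter *).ComputerObjectDN

# --- 2. Map every A record in the zone to the host labels that use it -------
# A ghost computer object has a name whose A record points at an address that
# another host already owns, so one IP with two or more owners is the signal.
$ipOwners = @{}
Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone -RRType A |
    ForEach-Object {
        $ip = $_.RecordData.IPv4Address.IPAddressToString
        if (-not $ipOwners.ContainsKey($ip)) { $ipOwners[$ip] = @() }
        $ipOwners[$ip] += $_.HostName.ToLower()
    }

$findings = foreach ($obj in $unconstrained) {
    if ($dcObjectDNs -contains $obj.DistinguishedName) { continue }

    # lastLogonTimestamp is a FILETIME; a null value means the account never logged on.
    $lastLogon = if ($obj.lastLogonTimestamp) {
        [DateTime]::FromFileTime($obj.lastLogonTimestamp)
    } else { $null }

    $sharedWith = @()
    if ($obj.objectClass -eq 'computer' -and $obj.dNSHostName) {
        $label = ($obj.dNSHostName -split '\.')[0].ToLower()
        foreach ($entry in $ipOwners.GetEnumerator()) {
            if ($entry.Value -contains $label) {
                $sharedWith += $entry.Value | Where-Object { $_ -ne $label }
            }
        }
    }

    [pscustomobject]@{
        Name            = $obj.Name
        Class           = $obj.objectClass
        Created         = $obj.whenCreated
        LastLogon       = $lastLogon
        NeverLoggedOn   = ($null -eq $lastLogon)
        DnsIpSharedWith = ($sharedWith -join ',')   # non-empty = Ghost Server pattern
        SPNs            = ($obj.servicePrincipalName -join ';')   # review per bullet 3
    }
}
$findings | Sort-Object NeverLoggedOn -Descending | Format-Table -AutoSize

# --- 3. Privileged accounts that can still be delegated --------------------
# Domain Admins members should be in Protected Users or carry NOT_DELEGATED.
$protected = (Get-ADGroupMember -Identity 'Protected Users' -Recursive).DistinguishedName
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties userAccountControl |
    Where-Object {
        ($_.DistinguishedName -notin $protected) -and
        -not ($_.userAccountControl -band $NOT_DELEGATED)
    } |
    Select-Object SamAccountName, DistinguishedName |
    Format-Table -AutoSize
```

Run it from a management host with the RSAT modules as an account that can read the domain and the DNS zone; the two tables are the review list. A row with a non-empty DnsIpSharedWith or NeverLoggedOn set to True is the pattern the article describes and is worth checking against your own deception inventory before anyone treats it as a real server, and any row in the second table is an account that should be moved into Protected Users or given the NOT_DELEGATED flag.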

This newly uncovered technique highlights the persistent risks associated with legacy configurations in AD environments. 

While features like Kerberos delegation enhance usability, they also introduce exploitable vulnerabilities if not properly managed. 

Organizations must prioritize transitioning away from Unconstrained Delegation and adopt robust monitoring practices to safeguard against such sophisticated attacks.
