Kerberos Lateral Movement

MS14-068 (Microsoft Kerberos Checksum Validation Vulnerability)

• https://gist.github.com/ssstonebraker/a1964b2f20acc8edb239409b6c4906ce#ms14-068-microsoft-kerberos-checksum-validation-vulnerability
• Exploit Python: https://www.exploit-db.com/exploits/35474/
• Doc: https://github.com/gentilkiwi/kekeo/wiki/ms14068
• Metasploit: auxiliary/admin/kerberos/ms14_068_kerberos_checksum

git clone https://github.com/bidord/pykek

Constrained Delegation

The practical use of Kerberos Delegation is to enable an application to access resources hosted on a different server. An example of this would be a web server that needs to access a SQL database hosted on the database server for the web application that it is hosting. Without delegation, we would probably use an AD service account and provide it with direct access to the database. When requests are made on the web application, the service account would be used to authenticate to the database and recover information.

However, we can allow this service account to be delegated to the SQL server service. Once a user logs into our web application, the service account will request access to the database on behalf of that user. This means that the user would only be able to access data in the database that they have the relevant permissions for without having to provide any database privileges or permissions to the service account itself.