Exploiting “Kerberos Delegation” Vulnerability in Active Directory Networks: A New Attack Method

A newly discovered attack method exploits vulnerabilities in Kerberos delegation within Active Directory (AD) networks. This method poses a serious threat to corporate security, allowing attackers to impersonate users and potentially compromise an entire domain.

Kerberos delegation is a mechanism in Active Directory that enables applications to access resources on behalf of users. There are three types of delegation:

• Unconstrained Delegation: Introduced in Windows Server 2000, this type allows services to fully impersonate users, making it an attractive target for attackers.
• Constrained Delegation: Limits access to only specific resources.
• Resource-Based Constrained Delegation (RBCD): Enables resources to control access themselves.

The new attack method specifically exploits Unconstrained Delegation, which is still present in legacy systems, making them vulnerable to exploitation.

Security researchers have discovered a method where attackers create a “Ghost Server”, an AD object that mimics a legitimate server but does not physically exist. The main stages of the attack are as follows:

1. Creating a Ghost Server: The attacker registers a fake AD object with Unconstrained Delegation enabled and redirects its DNS records to a compromised machine.
2. SPN Manipulation: Using tools like setSPN.exe, the attacker binds the Ghost Server’s domain name to their own controlled machine.
3. Executing the Attack: When legitimate users or systems communicate with the Ghost Server, their authentication tokens (Kerberos tickets) are redirected to the attacker’s machine. This enables the attacker to impersonate high-privileged accounts, such as Domain Admins.

This attack method allows privilege escalation and lateral movement across the AD network. Tools like BloodHound and Impacket can help attackers identify and exploit these weaknesses more effectively.

To reduce the risk of such attacks, organizations should implement the following security measures:

• Upgrade Legacy Systems: Replace Unconstrained Delegation with Constrained Delegation or Resource-Based Constrained Delegation (RBCD).
• Protect High-Privilege Accounts: Add privileged accounts to the “Protected Users” group and enable “Account is sensitive and cannot be delegated” settings.
• Monitor SPN Configurations: Regularly audit Service Principal Names (SPN) using setSPN.exe or third-party security solutions.
• Use Deception Techniques: Implement strict Access Control Lists (ACLs) and continuous monitoring for ghost objects within AD.

While Kerberos delegation provides convenience, it also introduces critical security vulnerabilities. The newly discovered attack method highlights the risks posed by outdated configurations. Organizations must adopt modern security practices and implement strict monitoring to mitigate these threats.

As the cybersecurity landscape evolves, companies must stay informed about emerging attack techniques and implement proactive security measures. The best defense against cyber threats is a proactive approach combined with advanced security technologies.