Constrained Delegation

Constrained Delegation is a feature in the Kerberos authentication protocol that allows a service to request a Service Ticket for explicitly specified services on behalf of a user.

The "Trust this computer for delegation to specified services only" option must be enabled in the Delegation tab of the object/computer's properties.

[Image from CRTO: diagram captioned "SQL can act on behalf of"]

When delegation is enabled on a computer, the Key Distribution Center (KDC) includes a copy of the user's Ticket Granting Ticket (TGT) inside the Service Ticket. When the user authenticates to the target service with that Service Ticket, the TGT is cached in memory on the computer hosting the service for future delegation use.

The goal is to identify and gain access to machines allowing constrained delegation in order to extract cached Ticket Granting Tickets that can be used to request a Service Ticket for specific services on behalf of the user.

Enumeration

Windows (Target)
ADSearch.exe --search "(&(objectCategory=computer)(msds-allowedtodelegateto=*))" --attributes dnshostname,samaccountname,msds-allowedtodelegateto --json
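The query above returns computer objects whose msDS-AllowedToDelegateTo attribute is populated. From a defender's side, the same data is what an audit of constrained delegation needs: which accounts may impersonate users to which services, and whether protocol transition (the TRUSTED_TO_AUTH_FOR_DELEGATION bit in userAccountControl) is also set. The script below is an added example, not code from the page or from the ADSearch project; it reads a JSON dump in the shape of the attributes requested above (plus userAccountControl), and it deliberately generalizes past the page's filter by treating any object with the attribute, since user and service accounts can carry it as well, not only computers. The sample dump, host names and account names are constructed.

```python
"""Audit constrained-delegation settings from an LDAP attribute dump.

Added example (not part of the original page). Input is a JSON list of
objects with the attributes the enumeration query asks for, plus
userAccountControl; the sample below is constructed.
"""
import json

# Documented userAccountControl bit values.
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition
WORKSTATION_TRUST_ACCOUNT = 0x1000          # typical computer account bit
NORMAL_ACCOUNT = 0x200                      # typical user account bit

# Constructed sample dump (hypothetical hosts and accounts).
SAMPLE_DUMP = json.dumps([
    {
        "samaccountname": "SQL01$",
        "dnshostname": "sql01.corp.example",
        "useraccountcontrol": WORKSTATION_TRUST_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
        "msds-allowedtodelegateto": ["cifs/FS01.corp.example", "cifs/FS01"],
    },
    {
        "samaccountname": "WEB01$",
        "dnshostname": "web01.corp.example",
        "useraccountcontrol": WORKSTATION_TRUST_ACCOUNT,
        "msds-allowedtodelegateto": ["http/api.corp.example/corp.example"],
    },
    {
        # A user/service account: the page's computer-only filter would miss it.
        "samaccountname": "svc_backup",
        "useraccountcontrol": NORMAL_ACCOUNT,
        "msds-allowedtodelegateto": ["ldap/DC01.corp.example"],
    },
])


def parse_spn(spn):
    """Split an SPN of the form class/host[:port][/servicename] into
    (service class, host), both lower-cased for comparison."""
    service_class, _, rest = spn.partition("/")
    host = rest.split("/")[0].split(":")[0]
    return service_class.lower(), host.lower()


def audit_delegation(dump_json):
    """Return one finding per object that has msDS-AllowedToDelegateTo set.

    Each finding records the delegating account, whether it is a computer
    account, whether protocol transition is enabled (the account can obtain
    tickets for users without them authenticating to it first), whether
    unconstrained delegation is also set, and the target hosts/services.
    """
    findings = []
    for obj in json.loads(dump_json):
        targets = obj.get("msds-allowedtodelegateto") or []
        if not targets:
            continue  # no constrained delegation configured
        uac = int(obj.get("useraccountcontrol", 0))
        name = obj["samaccountname"]
        findings.append({
            "account": name,
            "is_computer": name.endswith("$"),
            "protocol_transition": bool(uac & TRUSTED_TO_AUTH_FOR_DELEGATION),
            "unconstrained_too": bool(uac & TRUSTED_FOR_DELEGATION),
            "target_hosts": sorted({parse_spn(t)[1] for t in targets}),
            "target_services": sorted({parse_spn(t)[0] for t in targets}),
        })
    return findings


def render_report(findings):
    """Produce a short human-readable summary, one line per finding."""
    lines = []
    for f in findings:
        flags = []
        if f["protocol_transition"]:
            flags.append("PROTOCOL-TRANSITION")
        if f["unconstrained_too"]:
            flags.append("ALSO-UNCONSTRAINED")
        if not f["is_computer"]:
            flags.append("NON-COMPUTER")
        lines.append("%s -> %s (%s)%s" % (
            f["account"],
            ", ".join(f["target_hosts"]),
            "/".join(f["target_services"]),
            " [" + " ".join(flags) + "]" if flags else "",
        ))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(audit_delegation(SAMPLE_DUMP)))
```

Entries flagged PROTOCOL-TRANSITION deserve the closest review, since that setting removes the requirement that the user actually authenticate to the delegating service; entries flagged NON-COMPUTER are the ones a computer-only LDAP filter would not have surfaced at all.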

Exploit

under construction :)
