When abusing Kerberos delegations, S4U extensions usually come into play. One of those extensions is S4U2proxy. Constrained and Resource-Based Constrained delegations rely on that extension. A requirement to be able to use S4U2proxy is to present an additional service ticket as evidence (usually obtained from a prior S4U2self request). That ticket needs to have the `forwardable` flag set. There are a few reasons why that flag wouldn't be set on a ticket:
- the "impersonated" user was a member of the "Protected Users" group or was configured as "sensitive for delegation"
- the service account configured for constrained delegation was configured for Kerberos only/without protocol transition
In 2020, the "bronze bit" (CVE-2020-17049) was released, allowing attackers to edit a ticket and set the
The input credentials are those of the compromised service account configured for constrained delegations.
```bash
getST.py -force-forwardable -spn $Target_SPN -impersonate Administrator -dc-ip $Domain_controller -hashes :$Controlled_service_NThash $Domain/$Controlled_service_account
```
The SPN (ServicePrincipalName) chosen determines which services will be reachable. For instance, `host/target.domain` will allow most remote dumping operations (more info on adsecurity.org).
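To make the conditions listed at the start of this page checkable, here is an added example (not part of the original page or of Impacket) that decodes a ticket's `TicketFlags` value, which is what the `forwardable` requirement is about, and classifies an account's delegation settings from its `userAccountControl` bits; the flag and bit values are the documented RFC 4120 and Microsoft constants, and all sample values are constructed.

```python
# Added example, not code from the original page or from Impacket.
# RFC 4120 5.2.8: KerberosFlags is an ASN.1 BIT STRING; bit 0 is the most
# significant bit of the first octet, so "forwardable" (bit 1) is 0x40000000
# when the flags are read as a 32-bit integer (e.g. from a ccache entry).
TICKET_FLAG_NAMES = {
    1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
    5: "may-postdate", 6: "postdated", 7: "invalid", 8: "renewable",
    9: "initial", 10: "pre-authent", 11: "hw-authent",
    12: "transited-policy-checked", 13: "ok-as-delegate",
}

def decode_ticket_flags(flags):
    """Return the names of the bits set in a 32-bit TicketFlags value, in bit order."""
    names = []
    for bit in range(32):
        if flags & (1 << (31 - bit)):  # bit 0 is the MSB, hence the reversed shift
            names.append(TICKET_FLAG_NAMES.get(bit, "bit%d" % bit))
    return names

def usable_as_s4u2proxy_evidence(flags):
    """S4U2proxy only accepts an evidence ticket whose forwardable flag is set."""
    return "forwardable" in decode_ticket_flags(flags)

# userAccountControl bits (documented Microsoft values) behind the reasons above.
UF_TRUSTED_FOR_DELEGATION = 0x80000           # unconstrained delegation
UF_NOT_DELEGATED = 0x100000                    # "account is sensitive and cannot be delegated"
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation, "use any protocol"

def delegation_config(uac, allowed_to_delegate_to=()):
    """Describe an account's delegation posture from userAccountControl and
    msDS-AllowedToDelegateTo (passed in as a list of SPNs)."""
    if uac & UF_NOT_DELEGATED:
        return "sensitive: service tickets for this user will not be forwardable"
    if uac & UF_TRUSTED_FOR_DELEGATION:
        return "unconstrained delegation"
    if allowed_to_delegate_to:
        if uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION:
            return "constrained delegation with protocol transition"
        return "constrained delegation, Kerberos only (no protocol transition)"
    return "no delegation configured"

if __name__ == "__main__":
    # Constructed sample values: a typical TGS flag word and a UAC with
    # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | TRUSTED_TO_AUTH_FOR_DELEGATION.
    print(decode_ticket_flags(0x40A10000), usable_as_s4u2proxy_evidence(0x00A10000))
    print(delegation_config(0x1010200, ["cifs/target.domain"]))
```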