The Hacker Recipes
GitHubTwitterExegolTools
Search…
Introduction
Active Directory
Reconnaissance
Movement
Credentials
MITM and coerced auths
NTLM
Kerberos
Pre-auth bruteforce
Pass the key
Overpass the hash
Pass the ticket
Pass the cache
Forged tickets
ASREQroast
ASREProast
Kerberoast
Delegations
(KUD) Unconstrained
(KCD) Constrained
(RBCD) Resource-based constrained
S4U2self abuse
Bronze Bit
Shadow Credentials
UnPAC the hash
Pass the Certificate
sAMAccountName spoofing
SPN-jacking
DACL abuse
Group policies
🛠️ Trusts
Built-ins & settings
Netlogon
Certificate Services (AD-CS)
Exchange services
Print Spooler Service
Persistence
Web services
Reconnaissance
Configuration
Accounts and sessions
User inputs
Systems & services
Reconnaissance
Movement
Privilege escalation
Pivoting
🛠️ Physical
Locks
Networking
Machines
Super secret zones
🛠️ Intelligence gathering
CYBINT
OSINT
GEOINT
🛠️ RADIO
RFID
Bluetooth
Wi-Fi
Wireless keyboard/mouse
🛠️ mobile apps
Android
iOS
Powered By GitBook
(KCD) Constrained

Theory

If a service account, configured with constrained delegation to another service, is compromised, an attacker can impersonate any user (e.g. domain admin, except users protected against delegation) in the environment to access another service the initial one can delegate to.
Constrained delegation can be configured with or without protocol transition. Abuse methodology differs for each scenario. The paths differ but the result is the same: a Service Ticket to authenticate on a target service on behalf of a user.
Once the final Service Ticket is obtained, it can be used with Pass-the-Ticket to access the target service.
On a side note, a technique called AnySPN or "service class modification" can be used concurrently with pass-the-ticket to change the service class the Service Ticket was destined to (e.g. for the cifs/target.domain.local SPN, the service class is cifs).

Practice

With protocol transition

Domain Controller > Active Directory Users and Computers > delegation properties of a user
If a service is configured with constrained delegation with protocol transition, then it can obtain a service ticket on behalf of a user by combining S4U2self and S4U2proxy requests, as long as the user is not sensitive for delegation, or a member of the "Protected Users" group. The service ticket can then be used with pass-the-ticket. This process is similar to resource-based contrained delegation exploitation.
UNIX-like
Windows
From UNIX-like systems, Impacket's getST (Python) script can be used for that purpose.
getST -spn "cifs/target" -impersonate "administrator" "domain/service:password"
[-] Kerberos SessionError: KDC_ERR_BADOPTION(KDC cannot accommodate requested option)
[-] Probably SPN is not allowed to delegate by user user1 or initial TGT not forwardable
When attempting to exploit that technique, if the error above triggers, it means that either
  • the account was sensitive for delegation, or a member of the "Protected Users" group.
  • or the constrained delegations are configured without protocol transition
From Windows machines, Rubeus (C#) can be used to conduct a full S4U2 attack (S4U2self + S4U2proxy).
Rubeus.exe s4u /nowrap /msdsspn:"cifs/target" /impersonateuser:"administrator" /domain:"domain" /user:"user" /password:"password"

Without protocol transition

Domain Controller > Active Directory Users and Computers > delegation properties of a user
If a service is configured with constrained delegation without protocol transition (i.e. set with "Kerberos only"), then S4U2self requests won't result in forwardable service tickets, hence failing at providing the requirement for S4U2proxy to work.
This means the service cannot, by itself, obtain a forwardable ticket for a user to itself (i.e. what S4U2Self is used for). A service ticket will be obtained, but it won't be forwardable. And S4U2Proxy usually needs an forwardable ST to work.
There are two known ways attackers can use to bypass this and obtain a forwardable ticket, on behalf of a user, to the requesting service (i.e. what S4U2Self would be used for):
  1. 1.
    By operating an RBCD attack on the service.
  2. 2.
    By forcing or waiting for a user to authenticate to the service while a "Kerberos listener" is running.
While the "ticket capture" way would theoretically work, the RBCD approach is preferred since it doesn't require control over the service's SPN's host (needed to start a Kerberos listener). Consequently, only the RBCD approach is described here at the moment.

RBCD approach

The service account (called serviceA) configured for KCD needs to be configured for RBCD (Resource-Based Constrained Delegations). The service's msDS-AllowedToActOnBehalfOfOtherIdentity attribute needs to be appended with an account controlled by the attacker. This second account (called serviceB) needs to have at least one SPN.

1. Full S4U2 (self + proxy)

The attacker can then proceed to a full S4U2 attack (S4U2self + S4U2proxy, a standard RBCD attack or KCD with protocol transition) to obtain a forwardable ST from a user to one of serviceA's SPNs, using serviceB's credentials.
UNIX-like
Windows
From UNIX-like systems, Impacket's getST (Python) script can be used for that purpose.
getST -spn "cifs/serviceA" -impersonate "administrator" "domain/serviceB:password"
From Windows machines, Rubeus (C#) can be used to conduct a full S4U2 attack (S4U2self + S4U2proxy)
Rubeus.exe s4u /nowrap /msdsspn:"cifs/target" /impersonateuser:"administrator" /domain:"domain" /user:"user" /password:"password"

2. Additional S4U2proxy

Once the ticket is obtained, it can be used in a S4U2proxy request, made by serviceA, on behalf of the impersonated user, to obtain access to one of the services serviceA can delegate to.
UNIX-like
Windows
From UNIX-like systems, Impacket's getST (Python) script can be used for that purpose.
getST -spn "cifs/target" -impersonate "administrator" -additional-ticket "administrator.ccache" "domain/serviceA:password"
From Windows machines, Rubeus (C#) can be used to obtain a Service Ticket through an S4U2proxy request, supplying as "additional ticket" the Service Ticket obtained before.
Rubeus.exe s4u /nowrap /msdsspn:"cifs/target" /impersonateuser:"administrator" /tgs:"base64 | file.kirbi" /domain:"domain" /user:"user" /password:"password"
Computer accounts have SPNs set at their creation and can edit their own "rbcd attribute" (i.e. msDS-AllowedToActOnBehalfOfOtherIdentity). If the account configured with KCD without protocol transition is a computer, controlling another account to operate the RBCD approach is not needed. In this case, serviceB = serviceA, the computer account can be configured for a "self-rbcd".

Resources

Constrained Delegation Abuse: Abusing Constrained Delegation to Achieve Elevated Access
Stealthbits Technologies
CVE-2020-17049: Kerberos Bronze Bit Attack - Theory
NetSPI
Wagging the Dog: Abusing Resource-Based Constrained Delegation to Attack Active Directory
Shenanigans Labs
Abusing Kerberos Constrained Delegation without Protocol Transition
[email protected]:~$ _
Previous
(KUD) Unconstrained
Next
(RBCD) Resource-based constrained
Last modified 5mo ago
Copy link
Outline
Theory
Practice
With protocol transition
Without protocol transition
Resources