Constrained Delegation
Theory:
Service for User to Self (S4U2self): if a service account has a userAccountControl value containing TRUSTED_TO_AUTH_FOR_DELEGATION (T2A4D), it can obtain a TGS for itself (the service) on behalf of any other user.
Service for User to Proxy (S4U2proxy): a service account can obtain a TGS on behalf of any user for the services listed in its msDS-AllowedToDelegateTo attribute. To do this it first needs a TGS from that user for itself; it can use S4U2self to obtain that TGS before requesting the other one.
Note: if a user is marked "Account is sensitive and cannot be delegated", you won't be able to impersonate them.
To summarize without going into too much detail: when a user requests a service that will itself use another resource, the service must authenticate to that resource as the user. It asks the KDC for a TGS (Ticket Granting Service ticket) in the user's name, encrypted with the hash of the service it is issued for. This TGS is then sent to that service, which validates it.
This means that if you compromise the service account's hash, you can impersonate users and access, on their behalf, the services configured in its msDS-AllowedToDelegateTo attribute.
Machine accounts can edit their own msDS-AllowedToDelegateTo attribute and so perform S4U2self to impersonate anyone on the machine.
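The three settings the theory above turns on (the T2A4D bit in userAccountControl, the msDS-AllowedToDelegateTo list, and the "sensitive, cannot be delegated" bit) are all plain attributes, so an audit of them is straightforward. The script below is an added example, not code from the original page: it classifies constructed account records by delegation mode and lists which sensitive accounts still lack the NOT_DELEGATED protection. The bit values are Microsoft's documented userAccountControl flags; the account names, SPNs and UAC values in ACCOUNTS are invented for illustration (in practice they would come from an LDAP export).

```python
"""Audit constrained-delegation settings over constructed AD account records.

Added example, not from the original page. ACCOUNTS is invented sample data;
real records would be exported from LDAP (userAccountControl,
msDS-AllowedToDelegateTo, sAMAccountName).
"""
from dataclasses import dataclass, field

# userAccountControl bit flags (documented values)
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
NOT_DELEGATED = 0x100000                    # "Account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # T2A4D: S4U2self may be used for any user


@dataclass
class Account:
    name: str
    uac: int
    allowed_to_delegate_to: list = field(default_factory=list)  # msDS-AllowedToDelegateTo SPNs


# Constructed sample directory (not real data); 0x200 = NORMAL_ACCOUNT,
# 0x10000 = DONT_EXPIRE_PASSWORD, 0x1000 = WORKSTATION_TRUST_ACCOUNT
ACCOUNTS = [
    Account("websvc", 0x10200 | TRUSTED_TO_AUTH_FOR_DELEGATION, ["cifs/fileserver.corp.example"]),
    Account("reportsvc", 0x10200, ["mssqlsvc/db01.corp.example:1433"]),
    Account("legacysrv$", 0x1000 | TRUSTED_FOR_DELEGATION),
    Account("alice", 0x200),
    Account("da-bob", 0x200 | NOT_DELEGATED),
    Account("da-carol", 0x200),
]


def delegation_mode(acct: Account) -> str:
    """Classify how an account may delegate, from its UAC bits and target SPNs."""
    if acct.uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if acct.allowed_to_delegate_to:
        if acct.uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            # S4U2self works for any user: a compromised key impersonates anyone
            return "constrained (protocol transition)"
        # Kerberos-only: needs a forwardable TGS actually presented by the user
        return "constrained (Kerberos only)"
    return "none"


def delegation_findings(accounts):
    """Return (name, mode, targets) for every account that can delegate at all."""
    out = []
    for a in accounts:
        mode = delegation_mode(a)
        if mode != "none":
            out.append((a.name, mode, tuple(a.allowed_to_delegate_to)))
    return out


def impersonable_principals(accounts, sensitive_names):
    """Sensitive accounts that lack NOT_DELEGATED and so could still be
    impersonated through a compromised T2A4D service account. These are the
    ones to mark 'Account is sensitive and cannot be delegated'."""
    by_name = {a.name: a for a in accounts}
    return sorted(n for n in sensitive_names if not (by_name[n].uac & NOT_DELEGATED))


if __name__ == "__main__":
    for name, mode, targets in delegation_findings(ACCOUNTS):
        print(f"{name:12} {mode:36} -> {', '.join(targets) or '(any service)'}")
    print("sensitive accounts still delegable:",
          impersonable_principals(ACCOUNTS, ["da-bob", "da-carol"]))
```

The classification mirrors the theory: an account with targets but without T2A4D can only delegate a ticket the user actually presented, while T2A4D lets it manufacture one via S4U2self, so the two deserve different risk ratings. The second check is the defender's side of the note above: any privileged account returned by impersonable_principals is one that a compromised T2A4D service could act as, and setting NOT_DELEGATED on it (or placing it in Protected Users, which has the same effect) closes that path.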
Practice:
Find delegation:
Exploit by requesting a TGS: