Abuse Info
Abusing this privilege can be done with Benjamin Delpy's Kekeo project, by proxying in traffic generated with the Impacket library, or with the Rubeus project's s4u abuse. In the following example, victim is the attacker-controlled account (i.e. its hash is known) that is configured for constrained delegation. That is, victim has the "HTTP/PRIMARY.testlab.local" service principal name (SPN) set in its msDS-AllowedToDelegateTo property. The command first requests a TGT for the victim user and then executes the S4U2self/S4U2proxy process to impersonate the "admin" user to the "HTTP/PRIMARY.testlab.local" SPN. The alternative service name "cifs" is substituted into the final service ticket (only the SPN's host part is validated by the KDC, so the service class can be rewritten) and the ticket is injected into the current logon session. This grants the attacker access to the file system of PRIMARY.testlab.local as the "admin" user.
Opsec Considerations
As mentioned in the Abuse Info, in order to abuse this primitive the Rubeus C# assembly (or an equivalent tool) currently needs to be executed on a system that can send and receive Kerberos traffic in the domain. See the References for more information.
- https://github.com/GhostPack/Rubeus#s4u
- https://labs.withsecure.com/publications/trust-years-to-earn-seconds-to-break
- https://blog.harmj0y.net/activedirectory/s4u2pwnage/
- https://twitter.com/gentilkiwi/status/806643377278173185
- https://www.coresecurity.com/blog/kerberos-delegation-spns-and-more
- https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus/
- https://blog.harmj0y.net/redteaming/another-word-on-delegation/