Flashcards covering the mechanisms, attributes, requirements, and tools involved in Kerberos constrained delegation attacks.
Constrained delegation
A Kerberos delegation mode in which an administrator limits a service account (user or computer) to impersonating users only towards a fixed list of services, identified by SPN (for example CIFS or MSSQL on a named host), instead of towards any service in the domain as with unconstrained delegation.
AllowedToDelegate
A BloodHound edge from an account to the target it may delegate to, showing that the account has constrained delegation configured (it carries msDS-AllowedToDelegateTo entries).
Protocol transition
The constrained delegation variant enabled by the 'Use any authentication protocol' setting (the TRUSTED_TO_AUTH_FOR_DELEGATION bit in userAccountControl). The service may obtain a forwardable ticket for a user via S4U2self even if that user never authenticated to it with Kerberos; the other variant, 'Use Kerberos only', requires a forwardable service ticket that the user actually presented. Protocol transition is what lets an attacker impersonate arbitrary users.
S4U2proxy (Service for User to Proxy)
A Kerberos extension that lets a service holding a forwardable service ticket for a user request from the KDC a service ticket (TGS) to a second service on behalf of that user. The KDC issues it only if the second service's SPN appears in the requesting account's msDS-AllowedToDelegateTo.
S4U2self (Service for User to Self)
A Kerberos extension that lets a service request a service ticket to itself on behalf of any user, without that user's credentials. It is the step that produces the forwardable ticket S4U2proxy then consumes; the ticket is only marked forwardable when protocol transition is enabled for the service. It returns a service ticket, not a TGT.
msDS-AllowedToDelegateTo
The Active Directory attribute on a user or computer account that lists, as SPNs, the services the account may delegate to. The KDC consults it when answering an S4U2proxy request.
Attack Requirements for Constrained Delegation
Requires the credentials (password, NTLM/AES hash or a TGT) of an account whose 'Trust this user/computer for delegation to specified services only' setting is enabled. When the delegating account is a computer account, local administrator rights on that host are the usual way to obtain its hash (for example from LSASS or the LSA secrets). With protocol transition enabled any domain user can be impersonated, except members of Protected Users and accounts flagged 'Account is sensitive and cannot be delegated'.
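An added enumeration example, not part of the flashcard set, that checks the attributes above before attempting the attack: it lists every account with msDS-AllowedToDelegateTo, decodes the userAccountControl bits that distinguish protocol transition from Kerberos-only delegation, and lists the accounts that cannot be impersonated. It assumes the RSAT ActiveDirectory PowerShell module is installed and that the current user has ordinary read access to the domain; no account or host names in it come from the page.

```powershell
# Added example, not from the flashcard set. Assumes the RSAT ActiveDirectory module is
# installed and the current user has ordinary read access to the domain.
Import-Module ActiveDirectory

# userAccountControl bits that matter for delegation (values from MS-ADTS).
$TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation
$NOT_DELEGATED                  = 0x100000   # "Account is sensitive and cannot be delegated"
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "Use any authentication protocol" = protocol transition

# Both user and computer accounts can carry msDS-AllowedToDelegateTo, so query objects generically.
$delegators = Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' `
    -Properties 'sAMAccountName','msDS-AllowedToDelegateTo','userAccountControl','objectClass'

foreach ($obj in $delegators) {
    $uac  = [int]$obj.userAccountControl
    $spns = @($obj.'msDS-AllowedToDelegateTo')
    [PSCustomObject]@{
        Account             = $obj.sAMAccountName
        ObjectClass         = $obj.objectClass
        Unconstrained       = [bool]($uac -band $TRUSTED_FOR_DELEGATION)
        # True: S4U2self yields a forwardable ticket for any user (no user interaction needed).
        # False: "Kerberos only"; you need a forwardable service ticket from a real user session.
        ProtocolTransition  = [bool]($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION)
        AllowedToDelegateTo = $spns -join ', '
        # The KDC enforces the host part of the SPN; the service class can be swapped later with
        # Rubeus /altservice, so the useful question is which hosts are reachable at all.
        TargetHosts         = (($spns | ForEach-Object { ($_ -split '/')[1] -replace ':\d+$', '' }) |
                               Sort-Object -Unique) -join ', '
    }
}

# Accounts that cannot be impersonated through S4U2self/S4U2proxy: the NOT_DELEGATED flag
# (1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule) and Protected Users membership.
Get-ADObject -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=$NOT_DELEGATED)" `
    -Properties sAMAccountName | Select-Object -ExpandProperty sAMAccountName
Get-ADGroupMember -Identity 'Protected Users' -Recursive | Select-Object -ExpandProperty sAMAccountName
```

Run it as any domain user; if ProtocolTransition is False for the account you control, plan on capturing a forwardable service ticket from a real user instead of relying on S4U2self, and strike anything in the last two lists off your impersonation targets.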
asktgt module
A Rubeus module that requests a TGT for an account from its password or hash (/rc4 or /aes256), for example for the delegating accounts 'websvc' or 'dcorp-adminsrv' named in this deck. The resulting TGT is then passed to the s4u module, which sends the S4U2self and S4U2proxy requests under it.
altservice
A parameter of the Rubeus s4u module that rewrites the service class of the SPN in the delegated ticket (for example requesting LDAP instead of the listed TIME service on the same host). This works because the KDC only checks that the host matches an entry in msDS-AllowedToDelegateTo and the service name sits in the unencrypted, unprotected part of the ticket, so Rubeus can change it locally; a ticket for LDAP on the domain controller is then usable for DCSync.
lsadump::dcsync
A Mimikatz command that uses the Directory Replication Service protocol to pull account secrets from a domain controller. Once a ticket for LDAP on the DC, obtained by impersonating a user with replication rights such as a Domain Admin, has been injected into the session, it dumps the krbtgt hash and the hashes of every other account.
Forwardable TGT
In the classic web-service-to-SQL example, the ticket the web service keeps and presents to the KDC to obtain service tickets (TGS) for backend services such as SQL. With constrained delegation this is the user's forwardable service ticket for the web service, used as evidence in the S4U2proxy request; a forwardable TGT of the user is only cached and reused with unconstrained delegation.