Delegations
Last updated
Was this helpful?
Last updated
Was this helpful?
Kerberos delegations allow services to access other services on behalf of domain users.
The "Kerberos" authentication protocol features delegation capabilities described as follows. There are three types of Kerberos delegations
Unconstrained delegations (KUD): a service can impersonate users on any other service.
Constrained delegations (KCD): a service can impersonate users on a set of services
Resource based constrained delegations (RBCD) : a set of services can impersonate users on a service
Kerberos delegations can be abused by attackers to obtain access to valuable assets and sometimes even escalate to domain admin privileges. Regarding constrained delegations and rbcd, those types of delegation rely on Kerberos extensions called (S4U).
Want to know more about S4U2self and S4U2proxy (required to understand some delegation abuses) : .
Simply put, Service for User to Self (S4U2self) allows a service to obtain a Service Ticket, on behalf of another user (called "principal"), to itself. Service for User to Proxy (S4U2proxy) allows a service to obtain a Service Ticket, on behalf of a user to a different service.
Some of the following parts allow to obtain modified or crafted Kerberos tickets. Once obtained, these tickets can be used with .
From UNIX-like systems, 's (Python) script can be used to find unconstrained, constrained (with or without protocol transition) and rbcd.
At the time of writing (13th October 2021), is pending to feature a -user filter to list delegations for a specific account.
From Windows systems, can be used to identify unconstrained and constrained delegation.
