Delegation Attacks — From Kali

Quick Reference

| Attack | Tool | Required Privileges |
| --- | --- | --- |
| Unconstrained Delegation Abuse | impacket, Responder, coercion tools | Compromise of delegated host |
| Constrained Delegation (KCD) | getST.py | Control of account with KCD configured |
| RBCD Setup + Abuse | addcomputer.py, rbcd.py, getST.py | GenericWrite or WriteDACL on target computer |
| Shadow Credentials | pywhisker.py, getnthash.py | WriteProperty on msDS-KeyCredentialLink |
| Coerce Authentication (PetitPotam) | PetitPotam.py | Valid domain credentials |
| Coerce Authentication (PrinterBug) | printerbug.py | Valid domain credentials |

Delegation Overview

Kerberos delegation allows a service to impersonate users when accessing other services on their behalf. There are three types, each with different risk profiles and abuse paths. ...

11 min · MrAzoth

Delegation Attacks — From Windows

Kerberos delegation allows services to impersonate users when accessing downstream resources on their behalf. Misconfigured delegation is one of the most reliable paths to domain compromise from a low-privilege Windows foothold. This guide covers all four major delegation attack classes — Unconstrained, Constrained (KCD), Resource-Based Constrained Delegation (RBCD), and Shadow Credentials — with full PowerShell and command-line tradecraft.

Quick Reference Table

| Attack | Primary Tool | Required Privilege |
| --- | --- | --- |
| Unconstrained Delegation | Rubeus monitor + coercion | Local Admin on delegating host |
| Constrained Delegation | Rubeus s4u | Service account creds or hash |
| RBCD | PowerMad + PowerView + Rubeus | GenericWrite or WriteDACL on target computer object |
| Shadow Credentials | Whisker + Rubeus | WriteProperty on msDS-KeyCredentialLink |

1. Delegation Concepts

1.1 Why Delegation Exists

Kerberos delegation was introduced to solve the “double-hop” problem: when a front-end web service needs to authenticate to a back-end SQL server using the identity of the connecting user, it needs the ability to forward or impersonate that user’s credentials downstream. Three delegation mechanisms exist in Active Directory, each with different security boundaries and abuse surfaces. ...

21 min · MrAzoth