This article provides a step-by-step technical walkthrough of abusing Kerberos Constrained Delegation (KCD) with Protocol Transition (S4U2Self + S4U2Proxy) in Active Directory to impersonate high-privilege users and access a SQL Server. It demonstrates exploiting a misconfigured service account (kavish) using tools like Impacket and outlines detection strategies and mitigations for defenders. #KerberosConstrainedDelegation #Impacket
Key points
- Protocol Transition (the "Use any authentication protocol" delegation option) combined with S4U2Self/S4U2Proxy allows a delegation-enabled account to impersonate any domain user to the specific services listed for it.
- The msDS-AllowedToDelegateTo attribute and the TRUSTED_TO_AUTH_FOR_DELEGATION flag are key indicators of constrained delegation misconfigurations.
- Attackers can enumerate delegation settings with NetExec and exploit them with Impacket to request service tickets impersonating privileged accounts.
- Loaded Kerberos tickets enable actions like secretsdump and psexec, leading to credential extraction and SYSTEM-level shells on target hosts.
- Mitigations include preferring Kerberos-only delegation, marking sensitive accounts as non-delegable, using Protected Users, adopting RBCD/gMSAs, and regular delegation audits.
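The indicators named above (msDS-AllowedToDelegateTo, the TRUSTED_TO_AUTH_FOR_DELEGATION flag, and whether privileged accounts are marked non-delegable or placed in Protected Users) can be checked in one pass over an exported account list. The script below is an added example for such a delegation audit, not code from the article or its tools; the account records, hostnames and SPNs are constructed placeholders.

```python
"""Audit Kerberos delegation settings from exported AD accounts (added example,
not code from the original article; input records are constructed)."""
from dataclasses import dataclass, field

# userAccountControl bits that govern delegation (standard AD flag values)
TRUSTED_FOR_DELEGATION = 0x00080000          # unconstrained delegation
NOT_DELEGATED = 0x00100000                   # "Account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000  # protocol transition ("Use any authentication protocol")
PRIVILEGED_GROUPS = ("Domain Admins", "Enterprise Admins", "Administrators")

@dataclass
class Account:
    sam: str                 # sAMAccountName
    uac: int                 # userAccountControl
    allowed_to_delegate_to: list = field(default_factory=list)  # msDS-AllowedToDelegateTo
    member_of: list = field(default_factory=list)               # group names from memberOf

def audit(accounts):
    """Return {sAMAccountName: [finding, ...]} for accounts that need review."""
    findings = {}
    for a in accounts:
        notes = []
        if a.uac & TRUSTED_FOR_DELEGATION:
            notes.append("unconstrained delegation enabled")
        if a.allowed_to_delegate_to:
            mode = ("protocol transition (S4U2Self+S4U2Proxy)"
                    if a.uac & TRUSTED_TO_AUTH_FOR_DELEGATION else "Kerberos-only")
            notes.append(f"constrained delegation, {mode}, to "
                         + ", ".join(a.allowed_to_delegate_to))
        privileged = any(g in a.member_of for g in PRIVILEGED_GROUPS)
        protected = bool(a.uac & NOT_DELEGATED) or "Protected Users" in a.member_of
        if privileged and not protected:
            notes.append("privileged account is delegable: set NOT_DELEGATED or add to Protected Users")
        if notes:
            findings[a.sam] = notes
    return findings

# Constructed sample resembling the article's scenario (hostnames are placeholders)
SAMPLE = [
    Account("kavish", 0x200 | TRUSTED_TO_AUTH_FOR_DELEGATION, ["MSSQLSvc/sql01.lab.local:1433"]),
    Account("websvc", 0x200, ["HTTP/web01.lab.local"]),
    Account("administrator", 0x200, member_of=["Domain Admins"]),
    Account("dbadmin", 0x200 | NOT_DELEGATED, member_of=["Domain Admins"]),
]

if __name__ == "__main__":
    for sam, notes in audit(SAMPLE).items():
        print(f"{sam}: " + "; ".join(notes))
```

In a real audit the records would come from an LDAP export of userAccountControl, msDS-AllowedToDelegateTo and memberOf; the flag values are the standard ones and do not depend on the tooling used.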
Read More: https://www.hackingarticles.in/kerberos-constrained-delegation-exploitation/