“, nor do we need to worry about host - based detections. this is not an exhaustive list of every explicit delegation abuse path possible, otherwise i ’ d be working on this forever! instead, i wanted to focus on each type of delegation configured for both users and machines, and …”
T1558.003 Kerberoasting
63%
“it. following this, our end goal is to obtain a tgt from an elevated user / machine – usually the domain administrator – to compromise the environment. the high - level steps are : - compromise a user or machine that has unconstrained delegation configured. - force / coerce an el…”
T1550.003 Pass the Ticket
62%
“, and one ticket can be generated per one spn at a time. for added efficiency, if a user wants to obtain tickets for multiple services, instead of performing the entire authentication process each time, they can simply reuse their tgt to obtain access to various other services. b…”
T1558 Steal or Forge Kerberos Tickets
62%
“us / openspecs / windows _ protocols / ms - gpsb / 0fce5b92 - bcc1 - 4b96 - 9c2b - 56397c3f144f - https : / / www. thehacker. recipes / ad / movement / kerberos / delegations / constrained - https : / / www. thehacker. recipes / ad / movement / kerberos / delegations / unconstrai…”
T1550.003 Pass the Ticket
56%
“##ate as that user to other resources. - constrained delegation : introduced to mitigate the risks of unconstrained delegation. it restricts delegation to specific services and replaces tgt forwarding with two proxies : s4u2self and s4u2proxy. - resource - based constrained deleg…”
T1558 Steal or Forge Kerberos Tickets
53%
“##5a634a447bee65785be5c49b2a4 ' - r pc01. secure. local - a modify - d 10. 0. 1. 201 dc01 - dns - ip 10. 0. 1. 200 conclusion unconstrained delegation is a neat feature that solves a real limitation of kerberos, the double - hop problem. however, given the way impersonation occur…”
T1558 Steal or Forge Kerberos Tickets
50%
“abusing delegation with impacket ( part 1 ) : unconstrained delegation abusing delegation with impacket ( part 1 ) : unconstrained delegation hunter recently graduated with his master ’ s degree in cyber defense and has over two years of experience in penetration testing. his fav…”
T1558.001 Golden Ticket
47%
“##ate as that user to other resources. - constrained delegation : introduced to mitigate the risks of unconstrained delegation. it restricts delegation to specific services and replaces tgt forwarding with two proxies : s4u2self and s4u2proxy. - resource - based constrained deleg…”
T1558.003 Kerberoasting
42%
“abusing delegation with impacket ( part 1 ) : unconstrained delegation abusing delegation with impacket ( part 1 ) : unconstrained delegation hunter recently graduated with his master ’ s degree in cyber defense and has over two years of experience in penetration testing. his fav…”
T1550.003 Pass the Ticket
41%
“##5a634a447bee65785be5c49b2a4 ' - r pc01. secure. local - a modify - d 10. 0. 1. 201 dc01 - dns - ip 10. 0. 1. 200 conclusion unconstrained delegation is a neat feature that solves a real limitation of kerberos, the double - hop problem. however, given the way impersonation occur…”
T1558.001 Golden Ticket
41%
“##5a634a447bee65785be5c49b2a4 ' - r pc01. secure. local - a modify - d 10. 0. 1. 201 dc01 - dns - ip 10. 0. 1. 200 conclusion unconstrained delegation is a neat feature that solves a real limitation of kerberos, the double - hop problem. however, given the way impersonation occur…”
T1558.003 Kerberoasting
39%
“' - t 10. 0. 1. 200 - - unconstrained 4. add a dns entry that resolves kud. secure. local to our attacker ip 10. 0. 1. 13 python3 dnstool. py - u secure. local \ \ kuduser - p ' password1! ' - r kud. secure. local - a add - d 10. 0. 1. 13 10. 0. 1. 200 5. verify proper name resol…”
T1558.003 Kerberoasting
39%
“kdc then responds with a ticket - granting - ticket ( tgt ), encrypted with the kdc ’ s secret key. - ticket - granting - ticket request : the client presents the tgt back to the kdc requesting access to a destination service. - ticket - granting - ticket response : if the kdc ca…”
T1558.003 Kerberoasting
34%
“10. 0. 1. 200 kud. secure. local 8. export the ticket into memory export krb5ccname = dc01 \ [ email protected ] [ email protected ] 9. perform a dcsync against dc01 as dc01 $ impacket - secretsdump - k dc01. secure. local 10. ( cleanup ) : remove the added dns entry python3 dnst…”
T1550.003 Pass the Ticket
34%
“' - t 10. 0. 1. 200 - - unconstrained 4. add a dns entry that resolves kud. secure. local to our attacker ip 10. 0. 1. 13 python3 dnstool. py - u secure. local \ \ kuduser - p ' password1! ' - r kud. secure. local - a add - d 10. 0. 1. 13 10. 0. 1. 200 5. verify proper name resol…”
T1550.003 Pass the Ticket
34%
“abusing delegation with impacket ( part 1 ) : unconstrained delegation abusing delegation with impacket ( part 1 ) : unconstrained delegation hunter recently graduated with his master ’ s degree in cyber defense and has over two years of experience in penetration testing. his fav…”
T1550.003 Pass the Ticket
33%
“, nor do we need to worry about host - based detections. this is not an exhaustive list of every explicit delegation abuse path possible, otherwise i ’ d be working on this forever! instead, i wanted to focus on each type of delegation configured for both users and machines, and …”
T1558 Steal or Forge Kerberos Tickets
33%
“##ate as that user to other resources. - constrained delegation : introduced to mitigate the risks of unconstrained delegation. it restricts delegation to specific services and replaces tgt forwarding with two proxies : s4u2self and s4u2proxy. - resource - based constrained deleg…”
T1550.003 Pass the Ticket
31%
“us / openspecs / windows _ protocols / ms - gpsb / 0fce5b92 - bcc1 - 4b96 - 9c2b - 56397c3f144f - https : / / www. thehacker. recipes / ad / movement / kerberos / delegations / constrained - https : / / www. thehacker. recipes / ad / movement / kerberos / delegations / unconstrai…”
Summary
In Active Directory exploitation, Kerberos delegation is easily among my top favorite vectors of abuse, and in the years I’ve been learning Kerberos exploitation, I’ve noticed that Impacket doesn’t get nearly as much coverage as tools like Rubeus or Mimikatz.