Kerberos Constrained Delegation Lab Creation

Creating a lab for practicing Constrained Kerberos Delegation is very easy.

Creating User

Open > Active Directory Users and Computers

First you have to create a new user in your domain, or you can use an existing one. For now I'm using my existing user.

  • Click on the user account (Frank Castle) > Properties

Adding SPN

  • Go to the Attribute Editor tab, select servicePrincipalName, and then click Edit

To allow the user to do Kerberos delegation, the account has to have an SPN first. We are going to add a dummy one: constrained/testing

  • Add Value > constrained/testing

  • Click on Apply and then OK

Enabling Delegation for CIFS and LDAP on our DC for our User

  • Now go to the Delegation tab > select Trust this user for delegation to specified services only, and under that > select Use any authentication protocol

  • Click on Add

  • Click Users or Computers

  • Then add the name of the computer that provides the cifs and ldap services, which is the Domain Controller > Click on OK

  • Now select the cifs and ldap services

  • Click on Add > Apply > OK

Your Delegation tab should look like this now:

Don’t forget to set Trust this user for delegation to specified services only and then Use any authentication protocol. Also make sure the services listed are cifs and ldap on the Domain Controller. You can now go try the attack!

⇒ Now your lab is ready for Kerberos Constrained Delegation Abuse.
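
The same lab configuration done from PowerShell, followed by a check of the attributes the GUI steps are expected to set and an inventory of every account in the domain with the same setting. This is an added example, not part of the original post; the account name `fcastle` and the Domain Controller name `DC01.lab.local` are assumptions, and the RSAT ActiveDirectory module is required.

```powershell
# Added example, not from the original post. Requires the RSAT ActiveDirectory module.
# ASSUMPTIONS: 'fcastle' and 'DC01.lab.local' are placeholder names for this lab.
Import-Module ActiveDirectory

$User    = 'fcastle'                 # hypothetical sAMAccountName (Frank Castle)
$DcFqdn  = 'DC01.lab.local'          # hypothetical Domain Controller FQDN
$Spn     = 'constrained/testing'     # dummy SPN from the post
$Targets = @("cifs/$DcFqdn", "ldap/$DcFqdn")   # FQDN form only (assumption)

# --- Configure: scripted equivalent of the GUI steps ---
$acct = Get-ADUser -Identity $User -Properties servicePrincipalName
if ($acct.servicePrincipalName -notcontains $Spn) {
    Set-ADUser -Identity $User -ServicePrincipalNames @{ Add = $Spn }
}
# "Trust this user for delegation to specified services only" -> msDS-AllowedToDelegateTo
Set-ADUser -Identity $User -Replace @{ 'msDS-AllowedToDelegateTo' = $Targets }
# "Use any authentication protocol" -> TRUSTED_TO_AUTH_FOR_DELEGATION (protocol transition)
Set-ADAccountControl -Identity $User -TrustedToAuthForDelegation $true

# --- Verify: read the account back and check each setting ---
$props = 'servicePrincipalName', 'msDS-AllowedToDelegateTo',
         'TrustedToAuthForDelegation', 'TrustedForDelegation'
$acct = Get-ADUser -Identity $User -Properties $props
$checks = [ordered]@{
    "SPN $Spn set"                      = $acct.servicePrincipalName -contains $Spn
    'Protocol transition enabled'       = [bool]$acct.TrustedToAuthForDelegation
    'Unconstrained delegation disabled' = -not $acct.TrustedForDelegation
}
foreach ($t in $Targets) {
    $checks["Delegation to $t"] = $acct.'msDS-AllowedToDelegateTo' -contains $t
}
$checks.GetEnumerator() | ForEach-Object {
    '{0,-40} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}

# --- Inventory: every object with constrained delegation + protocol transition ---
# 16777216 = 0x1000000 = TRUSTED_TO_AUTH_FOR_DELEGATION in userAccountControl
$filter = '(&(msDS-AllowedToDelegateTo=*)(userAccountControl:1.2.840.113556.1.4.803:=16777216))'
Get-ADObject -LDAPFilter $filter -Properties 'msDS-AllowedToDelegateTo' |
    Select-Object Name, ObjectClass,
        @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join '; ' } }
```

In the lab the inventory should return only the test account; in a production domain the same query lists the accounts whose delegation targets deserve review.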

This post is licensed under CC BY 4.0 by the author.