Description
Performs S4U constrained/unconstrained delegation attacks to impersonate users.
Overview
Performs S4U (Service for User) delegation attacks including S4U2Self and S4U2Proxy. This enables impersonation of arbitrary users to services when constrained delegation is configured. Supports the BronzeBit (CVE-2020-17049) bypass.
Arguments
| Parameter | Type | Description |
|---|---|---|
| User | string | The account with delegation privileges. |
| Domain | string | The target domain. |
| RC4 | string | The RC4/NTLM hash for authentication. |
| AES256 | string | The AES256 key for authentication. |
| Ticket | string | A base64-encoded TGT for the delegating account. |
| ImpersonateUser | string | The user to impersonate. |
| MsdsSPN | string | The msds-allowedtodelegateto SPN. |
| AltService | string | An alternate service name for the ticket. |
| DC | string | The domain controller to target. |
| Ptt | switch | Pass the ticket into the current session. |
| Self | switch | Perform S4U2Self only. |
| BronzeBit | switch | Use the BronzeBit (CVE-2020-17049) bypass. |
Additional Parameters
- TargetDomain: Target domain for the SPN.
- TargetDC: Target DC for the SPN domain.
- Opsec: Use opsec-safe request format.
- NoPAC: Request without PAC.
Dependencies
- AD
Operating Systems
- Windows