The mind-blowing Kerberos "Use Any Authentication Protocol" Delegation
Kerberos delegation has been in the spotlight for some time now, and the risks behind it have been outlined in quite a few blogs and conference presentations. I particularly recommend reading https://adsecurity.org/?p=1667 and https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/.
For some time, it was my incorrect understanding that unconstrained delegation is a massive problem while constrained/resource-based delegation is less destructive.
That is, however, not the case, and the exploitation that is to follow absolutely blew my mind the first time I saw it in "action".
When a service account is set for "Use any authentication protocol" delegation, it means that the service account is allowed to delegate without being required to prove that a user authenticated to it!
In plain words, just saying "I shall pass because I am the administrator, trust me!" opens the door with no questions asked and no one verifying that you are in fact the administrator.
Sounds crazy, right?
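To find the accounts this applies to, a defender can check the TRUSTED_TO_AUTH_FOR_DELEGATION bit (0x1000000) of userAccountControl, which is the bit the "Use any authentication protocol" option sets. The following is an added example, not code from the original post; the simplified export format, the account names and the function names are constructed for illustration.

```python
import re

# userAccountControl bits (documented Microsoft values)
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "Use any authentication protocol"
# Constructed sample: simplified attribute export, one blank-line-separated
# record per account. Not data from a real directory.
SAMPLE_EXPORT = """\
sAMAccountName: svc-web
userAccountControl: 16777728
msDS-AllowedToDelegateTo: cifs/fs01.example.test

sAMAccountName: svc-sql
userAccountControl: 512
msDS-AllowedToDelegateTo: MSSQLSvc/db01.example.test:1433

sAMAccountName: APP02$
userAccountControl: 528384

sAMAccountName: alice
userAccountControl: 512
"""

def parse_export(text):
    """Return one dict per record; each attribute maps to a list of values."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            entry.setdefault(key, []).append(value)
        entries.append(entry)
    return entries

def audit_delegation(entries):
    """Return (account, delegation kind, allowed target SPNs) per delegating account."""
    findings = []
    for e in entries:
        uac = int(e["userAccountControl"][0])
        targets = e.get("msDS-AllowedToDelegateTo", [])
        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            kind = "any authentication protocol"
        elif uac & TRUSTED_FOR_DELEGATION:
            kind = "unconstrained"
        elif targets:
            kind = "Kerberos only"
        else:
            continue  # no delegation configured on this account
        findings.append((e["sAMAccountName"][0], kind, targets))
    return findings
```

Accounts reported as "any authentication protocol" are the ones to review first, together with the services listed in their msDS-AllowedToDelegateTo values.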