# Kerberos double hopping

## Overview

Kerberos double hopping can be an issue with PowerShell remoting in Windows domains, especially when using remote sessions to access resources on multiple servers.

When using PowerShell remoting, a user's credentials are passed from their computer to the remote server to authenticate the remote session. However, if the user's computer is not configured to allow delegation of credentials, the Kerberos ticket used to authenticate the remote session will only be valid for the remote server, and not for any other servers that the user may access during the session.

This means that if the user attempts to access a resource on a third server during the remote session, their computer will need to request a new Kerberos ticket for that server, and this can result in a double hopping scenario if the user's computer is not configured for delegation of credentials.

## Examples to bypass

### Set up new PowerShell session configurations

In this example, we work on a server named `SRV1` and create a new session configuration on it with the `Register-PSSessionConfiguration` cmdlet. The command creates a session configuration on the remote computer that, when connected to, always runs with the credentials provided.

{% code overflow="wrap" %}

```powershell
Invoke-Command -ComputerName SRV1 -ScriptBlock { Register-PSSessionConfiguration -Name KerbHopping -RunAsCredential 'domain\mydomainaccount' -Force }
```

{% endcode %}

We will need to specify the configuration to use when running our commands.

{% code overflow="wrap" %}

```powershell
Invoke-Command -ComputerName 'SRV1' -ScriptBlock { Get-ChildItem -Path \\SRV2\c$ } -ConfigurationName KerbHopping
```

{% endcode %}

#### Automatically invoke the configuration name

To apply the configuration name automatically and avoid retyping it every time, we can use the `$PSDefaultParameterValues` preference variable.

```powershell
$PSDefaultParameterValues = @{'Invoke-Command:ConfigurationName'='KerbHopping'}
```

### Deleting the session configuration

To clean up, you can delete the session configuration.

{% code overflow="wrap" %}

```powershell
Invoke-Command -ComputerName <Hop1PC> -ScriptBlock { Unregister-PSSessionConfiguration -Name "KerbHopping" -Force }
```

{% endcode %}
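
Until it is unregistered, a configuration created with `-RunAsCredential` runs every connection to it as that account, so it is worth checking which session configurations on a host have one set. The following is an added example, not code from the original page; `Select-RunAsEndpoint`, its `ApprovedName` allowlist and the sample objects are assumptions constructed for illustration.

```powershell
# Added example: flag session configurations that run as a fixed account,
# such as the KerbHopping endpoint registered above.
function Select-RunAsEndpoint {
    [CmdletBinding()]
    param(
        # One object as returned by Get-PSSessionConfiguration.
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Configuration,

        # Hypothetical allowlist of RunAs endpoints you expect to exist.
        [string[]]$ApprovedName = @()
    )
    process {
        # RunAsUser is empty when the endpoint runs as the connecting user.
        if ([string]::IsNullOrEmpty($Configuration.RunAsUser)) { return }

        [pscustomobject]@{
            ComputerName = $Configuration.PSComputerName
            Name         = $Configuration.Name
            RunAsUser    = $Configuration.RunAsUser
            Permission   = $Configuration.Permission
            Approved     = $Configuration.Name -in $ApprovedName
        }
    }
}

# Constructed sample shaped like Get-PSSessionConfiguration output,
# so the function can be tried offline.
$sample = @(
    [pscustomobject]@{
        PSComputerName = 'SRV1'; Name = 'microsoft.powershell'
        RunAsUser = $null; Permission = 'BUILTIN\Administrators AccessAllowed'
    }
    [pscustomobject]@{
        PSComputerName = 'SRV1'; Name = 'KerbHopping'
        RunAsUser = 'domain\mydomainaccount'
        Permission = 'BUILTIN\Administrators AccessAllowed'
    }
)

# Only the KerbHopping row is returned, with Approved = False.
$sample | Select-RunAsEndpoint | Format-Table -AutoSize

# Live use against a host you administer (needs admin rights on the target):
# Invoke-Command -ComputerName 'SRV1' -ScriptBlock { Get-PSSessionConfiguration } |
#     Select-RunAsEndpoint
```

The `Permission` column shows who is allowed to connect to the endpoint, which is the set of users who can act as the RunAs account through it.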

## References

{% embed url="<https://www.techtarget.com/searchwindowsserver/tutorial/How-to-avoid-the-double-hop-problem-with-PowerShell>" %}

