Delegation queries identify accounts and computers that can impersonate users to services. LDAP gives us the attributes for unconstrained delegation, constrained delegation, protocol transition, and resource-based constrained delegation.
export DC=10.10.10.200
export BASE='DC=ootw,DC=local'
export DOMAIN=ootw.local
export USER='student'
export PASS='student'
Find computers trusted for unconstrained delegation.
ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(&(samAccountType=805306369)(userAccountControl:1.2.840.113556.1.4.803:=524288))' sAMAccountName dNSHostName servicePrincipalName userAccountControl
Find all objects with unconstrained delegation, including unusual user/service account cases.
ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(userAccountControl:1.2.840.113556.1.4.803:=524288)' sAMAccountName dNSHostName servicePrincipalName userAccountControl
Find computers with constrained delegation targets.
ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(&(samAccountType=805306369)(msDS-AllowedToDelegateTo=*))' sAMAccountName dNSHostName servicePrincipalName msDS-AllowedToDelegateTo userAccountControl
Find any account with constrained delegation targets.
ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(msDS-AllowedToDelegateTo=*)' sAMAccountName dNSHostName servicePrincipalName msDS-AllowedToDelegateTo userAccountControl
Find RBCD targets where the target object allows another principal to act on its behalf.
ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(&(objectCategory=computer)(msDS-AllowedToActOnBehalfOfOtherIdentity=*))' distinguishedName sAMAccountName dNSHostName msDS-AllowedToActOnBehalfOfOtherIdentity
Find accounts configured for protocol transition.
ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(userAccountControl:1.2.840.113556.1.4.803:=16777216)' sAMAccountName userAccountControl msDS-AllowedToDelegateTo
Fast wrapper checks with NetExec, Impacket, and windapsearch.
nxc ldap $DC -d OOTW -u $USER -p "$PASS" -M findDelegation
nxc ldap $DC -d OOTW -u $USER -p "$PASS" -M rbcd
findDelegation.py $DOMAIN/$USER:"$PASS" -dc-ip $DC
python3 windapsearch.py -d $DOMAIN -u $USER -p "$PASS" --delegate
Windows-side equivalent.
Get-ADObject -LDAPFilter '(&(samAccountType=805306369)(userAccountControl:1.2.840.113556.1.4.803:=524288))' -Properties ServicePrincipalName,UserAccountControl,dNSHostName
Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' -Properties msDS-AllowedToDelegateTo,ServicePrincipalName,dNSHostName
Get-ADObject -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' -Properties msDS-AllowedToActOnBehalfOfOtherIdentity,dNSHostName