Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 02. Protocols / LDAP / Enumeration

Delegation

Delegation queries identify accounts and computers that can impersonate users to services. LDAP gives us the attributes for unconstrained delegation, constrained delegation, protocol transition, and resource-based constrained delegation.

export DC=10.10.10.200
export BASE='DC=ootw,DC=local'
export DOMAIN=ootw.local
export USER='student'
export PASS='student'

Find computers trusted for unconstrained delegation.

ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(&(samAccountType=805306369)(userAccountControl:1.2.840.113556.1.4.803:=524288))' sAMAccountName dNSHostName servicePrincipalName userAccountControl

Find all objects with unconstrained delegation, including unusual user/service account cases.

ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(userAccountControl:1.2.840.113556.1.4.803:=524288)' sAMAccountName dNSHostName servicePrincipalName userAccountControl

Find computers with constrained delegation targets.

ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(&(samAccountType=805306369)(msDS-AllowedToDelegateTo=*))' sAMAccountName dNSHostName servicePrincipalName msDS-AllowedToDelegateTo userAccountControl

Find any account with constrained delegation targets.

ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(msDS-AllowedToDelegateTo=*)' sAMAccountName dNSHostName servicePrincipalName msDS-AllowedToDelegateTo userAccountControl

Find RBCD targets where the target object allows another principal to act on its behalf.

ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(&(objectCategory=computer)(msDS-AllowedToActOnBehalfOfOtherIdentity=*))' distinguishedName sAMAccountName dNSHostName msDS-AllowedToActOnBehalfOfOtherIdentity

Find accounts configured for protocol transition.

ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(userAccountControl:1.2.840.113556.1.4.803:=16777216)' sAMAccountName userAccountControl msDS-AllowedToDelegateTo

Fast wrapper checks with NetExec, Impacket, and windapsearch.

nxc ldap $DC -d OOTW -u $USER -p "$PASS" -M findDelegation
nxc ldap $DC -d OOTW -u $USER -p "$PASS" -M rbcd
findDelegation.py $DOMAIN/$USER:"$PASS" -dc-ip $DC
python3 windapsearch.py -d $DOMAIN -u $USER -p "$PASS" --delegate

Windows-side equivalent.

Get-ADObject -LDAPFilter '(&(samAccountType=805306369)(userAccountControl:1.2.840.113556.1.4.803:=524288))' -Properties ServicePrincipalName,UserAccountControl,dNSHostName
Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' -Properties msDS-AllowedToDelegateTo,ServicePrincipalName,dNSHostName
Get-ADObject -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' -Properties msDS-AllowedToActOnBehalfOfOtherIdentity,dNSHostName