Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 03. Kerberos / Delegation

Enumeration

Delegation enumeration identifies which accounts can impersonate users, which services they can reach, and which target objects already trust another principal through RBCD. We enumerate all three models before choosing an attack path.

Linux variables

export DC=10.10.10.200
export DOMAIN=ootw.local
export BASE='DC=ootw,DC=local'
export USER=student
export PASS='student'

Find all delegation with Impacket

findDelegation.py $DOMAIN/$USER:"$PASS" -dc-ip $DC
findDelegation.py -dc-host dc01.ootw.local $DOMAIN/$USER:"$PASS"

NetExec

nxc ldap $DC -d OOTW -u $USER -p "$PASS" -M findDelegation
nxc ldap $DC -d OOTW -u $USER -p "$PASS" -M rbcd

Unconstrained delegation

ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(&(samAccountType=805306369)(userAccountControl:1.2.840.113556.1.4.803:=524288))' sAMAccountName dNSHostName servicePrincipalName userAccountControl
ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(userAccountControl:1.2.840.113556.1.4.803:=524288)' sAMAccountName dNSHostName servicePrincipalName userAccountControl

Constrained delegation

ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(msDS-AllowedToDelegateTo=*)' sAMAccountName dNSHostName servicePrincipalName msDS-AllowedToDelegateTo userAccountControl

Protocol transition

ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(userAccountControl:1.2.840.113556.1.4.803:=16777216)' sAMAccountName userAccountControl msDS-AllowedToDelegateTo

RBCD targets

ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(&(objectCategory=computer)(msDS-AllowedToActOnBehalfOfOtherIdentity=*))' distinguishedName sAMAccountName dNSHostName msDS-AllowedToActOnBehalfOfOtherIdentity

Machine account quota

ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(objectClass=domainDNS)' ms-DS-MachineAccountQuota

PowerView

Get-DomainComputer -Unconstrained | Select-Object samaccountname,dnshostname
Get-DomainUser -TrustedToAuth | Select-Object samaccountname,msds-allowedtodelegateto
Get-DomainComputer -TrustedToAuth | Select-Object samaccountname,msds-allowedtodelegateto
Get-DomainObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' -Properties samaccountname,msds-allowedtodelegateto,useraccountcontrol
Get-DomainObject -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' -Properties samaccountname,msDS-AllowedToActOnBehalfOfOtherIdentity

AD module

Get-ADObject -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=524288)' -Properties ServicePrincipalName,UserAccountControl,dNSHostName
Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' -Properties msDS-AllowedToDelegateTo,ServicePrincipalName,dNSHostName,UserAccountControl
Get-ADObject -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' -Properties msDS-AllowedToActOnBehalfOfOtherIdentity,dNSHostName
Get-ADDomain | Select-Object ms-DS-MachineAccountQuota

RBCD write-right hunting

Get-DomainComputer | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ObjectAceType -eq 'ms-DS-Allowed-To-Act-On-Behalf-Of-Other-Identity' -and $_.ActiveDirectoryRights -match 'WriteProperty|GenericAll|GenericWrite|WriteDacl' } | Select-Object ObjectDN,SecurityIdentifier,ActiveDirectoryRights

Protocol transition flag check

$Uac = 16781312
[System.Convert]::ToBoolean($Uac -band 16777216)