Delegation enumeration identifies which accounts can impersonate users, which services they can reach, and which target objects already trust another principal through RBCD. We enumerate all three models before choosing an attack path.
Linux variables
export DC=10.10.10.200
export DOMAIN=ootw.local
export BASE='DC=ootw,DC=local'
export USER=student
export PASS='student'
Find all delegation with Impacket
findDelegation.py $DOMAIN/$USER:"$PASS" -dc-ip $DC
findDelegation.py -dc-host dc01.ootw.local $DOMAIN/$USER:"$PASS"
NetExec
nxc ldap $DC -d OOTW -u $USER -p "$PASS" -M findDelegation
nxc ldap $DC -d OOTW -u $USER -p "$PASS" -M rbcd
Unconstrained delegation
ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(&(samAccountType=805306369)(userAccountControl:1.2.840.113556.1.4.803:=524288))' sAMAccountName dNSHostName servicePrincipalName userAccountControl
ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(userAccountControl:1.2.840.113556.1.4.803:=524288)' sAMAccountName dNSHostName servicePrincipalName userAccountControl
Constrained delegation
ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(msDS-AllowedToDelegateTo=*)' sAMAccountName dNSHostName servicePrincipalName msDS-AllowedToDelegateTo userAccountControl
Protocol transition
ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(userAccountControl:1.2.840.113556.1.4.803:=16777216)' sAMAccountName userAccountControl msDS-AllowedToDelegateTo
RBCD targets
ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(&(objectCategory=computer)(msDS-AllowedToActOnBehalfOfOtherIdentity=*))' distinguishedName sAMAccountName dNSHostName msDS-AllowedToActOnBehalfOfOtherIdentity
Machine account quota
ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(objectClass=domainDNS)' ms-DS-MachineAccountQuota
PowerView
Get-DomainComputer -Unconstrained | Select-Object samaccountname,dnshostname
Get-DomainUser -TrustedToAuth | Select-Object samaccountname,msds-allowedtodelegateto
Get-DomainComputer -TrustedToAuth | Select-Object samaccountname,msds-allowedtodelegateto
Get-DomainObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' -Properties samaccountname,msds-allowedtodelegateto,useraccountcontrol
Get-DomainObject -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' -Properties samaccountname,msDS-AllowedToActOnBehalfOfOtherIdentity
AD module
Get-ADObject -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=524288)' -Properties ServicePrincipalName,UserAccountControl,dNSHostName
Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' -Properties msDS-AllowedToDelegateTo,ServicePrincipalName,dNSHostName,UserAccountControl
Get-ADObject -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' -Properties msDS-AllowedToActOnBehalfOfOtherIdentity,dNSHostName
Get-ADDomain | Select-Object ms-DS-MachineAccountQuota
RBCD write-right hunting
Get-DomainComputer | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ObjectAceType -eq 'ms-DS-Allowed-To-Act-On-Behalf-Of-Other-Identity' -and $_.ActiveDirectoryRights -match 'WriteProperty|GenericAll|GenericWrite|WriteDacl' } | Select-Object ObjectDN,SecurityIdentifier,ActiveDirectoryRights
Protocol transition flag check
$Uac = 16781312
[System.Convert]::ToBoolean($Uac -band 16777216)