Delegation

Unconstrained delegation

tip

The goal is to compromise a server trusted for unconstrained delegation in order to reuse the TGT of any user that connects to the compromised machine.

We are looking for property TRUSTED_FOR_DELEGATION.

PowerView

Get-DomainComputer -Unconstrained
Get-DomainUser -ldapfilter "(userAccountControl:1.2.840.113556.1.4.803:=524288)"

AD PowerShell Module

Get-adcomputer -ldapfilter "(userAccountControl:1.2.840.113556.1.4.803:=524288)"
Get-aduser -ldapfilter "(userAccountControl:1.2.840.113556.1.4.803:=524288)"

LdapDomainDump

https://github.com/dirkjanm/ldapdomaindump

grep TRUSTED_FOR_DELEGATION domain_computers.txt
grep TRUSTED_FOR_DELEGATION domain_users.txt

LDAP

ldapsearch -H ldap://<DC.EVIL.DOM> -b DC=<evil>,DC=<dom> -D <VICTIM>\\<user> -w <password> '(&(objectClass=computer) (userAccountControl:1.2.840.113556.1.4.803:=524288))' sAMAccountName

Constrained delegation

Users

Get-DomainUser -TrustedToAuth -Properties distinguishedname,msds-allowedtodelegateto,useraccountcontrol

Computers

Get-DomainComputer -TrustedToAuth -Properties distinguishedname,msds-allowedtodelegateto,useraccountcontrol

Resource-Based Constrained delegation

http://www.harmj0y.net/blog/activedirectory/a-case-study-in-wagging-the-dog-computer-takeover/

Unconstrained delegation​

Constrained delegation​

Resource-Based Constrained delegation​

Unconstrained delegation

Constrained delegation

Resource-Based Constrained delegation