Unconstrained Delegation
Last updated
Last updated
Learn & practice AWS Hacking: Learn & practice GCP Hacking:
This a feature that a Domain Administrator can set to any Computer inside the domain. Then, anytime a user logins onto the Computer, a copy of the TGT of that user is going to be sent inside the TGS provided by the DC and saved in memory in LSASS. So, if you have Administrator privileges on the machine, you will be able to dump the tickets and impersonate the users on any machine.
So if a domain admin logins inside a Computer with "Unconstrained Delegation" feature activated, and you have local admin privileges inside that machine, you will be able to dump the ticket and impersonate the Domain Admin anywhere (domain privesc).
You can find Computer objects with this attribute checking if the attribute contains . You can do this with an LDAP filter of ‘(userAccountControl:1.2.840.113556.1.4.803:=524288)’, which is what powerview does:
If an attacker is able to compromise a computer allowed for "Unconstrained Delegation", he could trick a Print server to automatically login against it saving a TGT in the memory of the server. Then, the attacker could perform a Pass the Ticket attack to impersonate the user Print server computer account.
Here are other ways to try to force an authentication:
Limit DA/Admin logins to specific services
Set "Account is sensitive and cannot be delegated" for privileged accounts.
Load the ticket of Administrator (or victim user) in memory with Mimikatz or Rubeus for a . More info:
To make a print server login against any machine you can use :
If the TGT if from a domain controller, you could perform a and obtain all the hashes from the DC.
Learn & practice AWS Hacking: Learn & practice GCP Hacking:
Check the !
Join the 💬 or the or follow us on Twitter 🐦 .
Share hacking tricks by submitting PRs to the and github repos.