Unconstrained Delegation
Unconstrained delegation the key distribution center (KDC) places a copy of the users TGT inside the service ticket (TGS). When the TGS is provided to the server for service access, the server opens the TGS and places the user’s TGT into memory for further use. This means that the server can now impersonate the user without any restrictions.
Enumerating Unconstrained Delegation
Compromising the Domain
After compromising a server with unconstrained delegation enabled, an attacker can extract any and all TGTs from memory to impersonate them against services in the domain. This means that if we identify a Domain Administrators TGT in memory,
Notes
Domain Controllers always have unconstrained delegation enabled by default.
Using
Rubeus
monitor command is a good way to identify any new TGTs on a compromised server.
References
Last updated