search
Personal BlogTwitterGitHubContact

Unconstrained Delegation

Unconstrained delegation the key distribution center (KDC) places a copy of the users TGT inside the service ticket (TGS). When the TGS is provided to the server for service access, the server opens the TGS and places the user’s TGT into memory for further use. This means that the server can now impersonate the user without any restrictions.

hashtag
Enumerating Unconstrained Delegation

# Locate Unconstrained Delegation in BloodHound
MATCH (c:Computer {unconstraineddelegation:true}) RETURN c

hashtag
Compromising the Domain

After compromising a server with unconstrained delegation enabled, an attacker can extract any and all TGTs from memory to impersonate them against services in the domain. This means that if we identify a Domain Administrators TGT in memory,

hashtag
Notes

  • Domain Controllers always have unconstrained delegation enabled by default.

  • Using Rubeus monitor command is a good way to identify any new TGTs on a compromised server.

hashtag
References

Active Directory Security Risk #101: Kerberos Unconstrained Delegation (or How Compromise of a Single Server Can Compromise the Domain)Active Directory & Azure AD/Entra ID Securitychevron-right
LogoKerberos Unconstrained Delegation | Red Team Noteswww.ired.teamchevron-right
LogoBlog - SpecterOpsSpecterOpschevron-right
PreviousConstrained DelegationNextDomain Enumeration

Last updated