Unconstrained Delegation

Unconstrained delegation the key distribution center (KDC) places a copy of the users TGT inside the service ticket (TGS). When the TGS is provided to the server for service access, the server opens the TGS and places the user’s TGT into memory for further use. This means that the server can now impersonate the user without any restrictions.

Enumerating Unconstrained Delegation

# Locate Unconstrained Delegation in BloodHound
MATCH (c:Computer {unconstraineddelegation:true}) RETURN c

Compromising the Domain

After compromising a server with unconstrained delegation enabled, an attacker can extract any and all TGTs from memory to impersonate them against services in the domain. This means that if we identify a Domain Administrators TGT in memory,

Notes

Domain Controllers always have unconstrained delegation enabled by default.
Using Rubeus monitor command is a good way to identify any new TGTs on a compromised server.

References

Kerberos Unconstrained DelegationRed Teaming Experiments

https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1posts.specterops.io

PreviousConstrained Delegation NextDomain Enumeration

Last updated 1 year ago