Practical Demo of the Unconstrained Delegation Attack

  1. Gain access to a domain controller (DCB) in ForestB.
  2. Monitor for logon events through the LSA API with Rubeus.exe: Rubeus.exe.
  3. Use MS-RPRN.exe to trigger the “printer bug” against DCA.
  4. Trigger the MS-RPRN “printer bug” against a domain controller (e.g. DCA) in ForestA.
  5. Harvest a Ticket Granting Ticket (TGT) with Rubeus.exe.
  6. Perform a DCSync attack to retrieve the TGT credentials.
  7. Forge a golden ticket.
  8. The domain controller (DCA) in ForestA is compromised.
Checking the hostname
Error due to Get-ADComputer not being recognised
Modules installed successfully
2 servers found
TrustedForDelegation set to TRUE
2 shells spawned
Uploading MS-RPRN and Rubeus.exe
TGT harvested
Trigger the MS-RPRN
Hash file
Purge user Kerberos ticket without logoff
Krbtgt NTLM hash and SID extracted
Forging a golden ticket
Share directory (\C$)
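The chain above depends on a host with TrustedForDelegation set to TRUE. The following is an added audit example, not code from the original post: it decodes `userAccountControl` values from an account inventory and reports which accounts hold unconstrained delegation and which privileged accounts are not marked as non-delegable. The CSV column names, the `privileged` column and the sample rows are constructed assumptions; the flag values are the documented `userAccountControl` bits.

```python
import csv
import io

# userAccountControl bit values as documented by Microsoft.
SERVER_TRUST_ACCOUNT = 0x2000      # account belongs to a domain controller
TRUSTED_FOR_DELEGATION = 0x80000   # unconstrained Kerberos delegation
NOT_DELEGATED = 0x100000           # "Account is sensitive and cannot be delegated"

# Constructed sample export; column names are assumptions for this example.
SAMPLE_EXPORT = """name,type,userAccountControl,privileged
DCA,computer,532480,no
DCB,computer,532480,no
WEB01,computer,528384,no
FILE01,computer,4096,no
svc-backup,user,524800,no
adm-alice,user,512,yes
adm-bob,user,1049088,yes
"""


def audit(export_text):
    """Return (unconstrained_non_dc, unconstrained_dc, delegatable_privileged)."""
    non_dc, dcs, exposed = [], [], []
    for row in csv.DictReader(io.StringIO(export_text)):
        uac = int(row["userAccountControl"], 0)  # accepts decimal or 0x-prefixed hex
        if uac & TRUSTED_FOR_DELEGATION:
            # Domain controllers carry this flag by design; any other holder
            # is a host that caches the TGT of whoever authenticates to it.
            (dcs if uac & SERVER_TRUST_ACCOUNT else non_dc).append(row["name"])
        # Privileged accounts without NOT_DELEGATED can have their TGT
        # forwarded to an unconstrained-delegation host.
        if row["privileged"] == "yes" and not uac & NOT_DELEGATED:
            exposed.append(row["name"])
    return non_dc, dcs, exposed


if __name__ == "__main__":
    non_dc, dcs, exposed = audit(SAMPLE_EXPORT)
    print("Unconstrained delegation, not a DC:", non_dc)
    print("Unconstrained delegation, DC:", dcs)
    print("Privileged accounts still delegable:", exposed)
```
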




Ghana’s #1 practical cyber security company

Inveteck Global
