Practical Demo of the Unconstrained Delegation Attack

  1. Gain access to a domain controller (DCB) in ForestB.
  2. Monitor for logon events through the LSA API with Rubeus.exe: Rubeus.exe.
  3. Use MS-RPRN.exe to trigger the “printer bug” against DCA.
  4. Trigger the MS-RPRN “printer bug” against a domain controller (e.g. DCA) in ForestA.
  5. Harvest a Ticket Granting Ticket (TGT) with Rubeus.exe.
  6. Perform a DCSync attack to retrieve the TGT credentials.
  7. Forge a golden ticket.
  8. The domain controller (DCA) in ForestA gets compromised.
Checking the hostname
Error due to Get-ADComputer not being recognised
Modules installed successfully
2 servers found
TrustedForDelegation set to TRUE
2 shells spawned
Uploading MS-RPRN and Rubeus.exe
TGT Harvested
Trigger the MS-RPRN
Hash file
Purge User Kerberos Ticket without Logoff
Krbtgt NTLM Hash and SID Extracted
Forging a golden ticket
Share directory (\C$)
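
The demo depends on finding hosts with TrustedForDelegation set to TRUE. The following added example (not code from the original post) shows how a defender can audit an exported list of accounts for that setting by decoding the `userAccountControl` bits. The sample records and the `privileged` field are constructed assumptions; the flag values are the documented `userAccountControl` bits.

```python
# Added example: audit directory records for unconstrained Kerberos delegation.
# Bit values are the documented userAccountControl flags.
SERVER_TRUST_ACCOUNT = 0x2000      # account belongs to a domain controller
TRUSTED_FOR_DELEGATION = 0x80000   # unconstrained delegation enabled
NOT_DELEGATED = 0x100000           # "Account is sensitive and cannot be delegated"

# Constructed sample export. Names and values are made up for illustration;
# "privileged" is a hypothetical field, e.g. derived from admin group membership.
SAMPLE = [
    {"sAMAccountName": "DCB$", "userAccountControl": 532480, "privileged": False},
    {"sAMAccountName": "APP01$", "userAccountControl": 528384, "privileged": False},
    {"sAMAccountName": "WS042$", "userAccountControl": 4096, "privileged": False},
    {"sAMAccountName": "svc-backup", "userAccountControl": 524800, "privileged": False},
    {"sAMAccountName": "da-alice", "userAccountControl": 512, "privileged": True},
    {"sAMAccountName": "da-bob", "userAccountControl": 1049088, "privileged": True},
]


def audit(records):
    """Return (non_dc_delegation, dc_delegation, exposed_privileged) name lists.

    non_dc_delegation:  accounts with unconstrained delegation that are not
                        domain controllers; each should be justified or fixed.
    dc_delegation:      domain controllers, which carry the flag by default.
    exposed_privileged: privileged accounts missing NOT_DELEGATED, whose TGTs
                        can be cached on any unconstrained-delegation host.
    """
    non_dc, dcs, exposed = [], [], []
    for rec in records:
        uac = int(rec["userAccountControl"])
        name = rec["sAMAccountName"]
        if uac & TRUSTED_FOR_DELEGATION:
            (dcs if uac & SERVER_TRUST_ACCOUNT else non_dc).append(name)
        if rec.get("privileged") and not uac & NOT_DELEGATED:
            exposed.append(name)
    return non_dc, dcs, exposed


if __name__ == "__main__":
    non_dc, dcs, exposed = audit(SAMPLE)
    print("Unconstrained delegation (non-DC):", non_dc)
    print("Unconstrained delegation (DC, default):", dcs)
    print("Privileged accounts that can be delegated:", exposed)
```
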
