# Unconstrained Delegation

As we mentioned before, the risk of Unconstrained Delegation is that any time an account connects to the compromised computer for any reason, its ticket (TGT) is stored in memory so the computer can use it later for impersonation.

What does this look like? Let's set up an account for this.

Right-click the proper computer name and move to the Delegation tab, then click Apply to finish the setup.

![](/files/-M-wirCC79juLEOMoVfo)

From the Domain Controller we can query for the computers configured with Unconstrained Delegation.

![Active Directory Module](/files/-M-wk6dS5IGzsLL6Kcg6)

{% hint style="info" %}
From here, an Administrator user on the compromised machine is needed.
{% endhint %}

But when we compromise a Domain user, we can use PowerView to find the Unconstrained computer with the following syntax:

```
Get-NetComputer -Unconstrained
```

![](/files/-M-wkR0A1Ts7o4xZp_5j)

```
Get-NetComputer -Unconstrained -FullData | ConvertFrom-UACValue
```

![](/files/-M-wnCV0WnXvs5tHikpC)
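The same flag decoding can be run as a defensive audit. The script below is an added example, not code from the original page or from PowerView: it decodes `userAccountControl` and reports every host trusted for unconstrained delegation, separating domain controllers (which carry the flag by default) from other hosts. The function names `ConvertFrom-UacInt` and `Get-UnconstrainedDelegationFinding` are hypothetical, and the sample hosts are constructed.

```powershell
# Added example: function names are hypothetical and the sample hosts are constructed.
# userAccountControl bit values as documented by Microsoft.
$UacFlags = [ordered]@{
    ACCOUNTDISABLE                 = 0x00000002
    WORKSTATION_TRUST_ACCOUNT      = 0x00001000
    SERVER_TRUST_ACCOUNT           = 0x00002000  # set on domain controllers
    TRUSTED_FOR_DELEGATION         = 0x00080000  # unconstrained delegation
    NOT_DELEGATED                  = 0x00100000  # "sensitive and cannot be delegated"
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000  # protocol transition
}

function ConvertFrom-UacInt {
    param([Parameter(Mandatory)][int]$Value)
    # Emit the name of every flag whose bit is set in $Value.
    foreach ($name in $UacFlags.Keys) {
        if ($Value -band $UacFlags[$name]) { $name }
    }
}

function Get-UnconstrainedDelegationFinding {
    param([Parameter(Mandatory)][object[]]$Computer)
    foreach ($c in $Computer) {
        $uac = [int]$c.userAccountControl
        if (-not ($uac -band $UacFlags['TRUSTED_FOR_DELEGATION'])) { continue }
        # Domain controllers carry this flag by default; any other host is the finding.
        $isDc = [bool]($uac -band $UacFlags['SERVER_TRUST_ACCOUNT'])
        $note = 'Review: non-DC host that stores forwarded TGTs'
        if ($isDc) { $note = 'Expected: domain controller' }
        [pscustomobject]@{
            Name    = $c.Name
            Flags   = (ConvertFrom-UacInt -Value $uac) -join ', '
            IsDC    = $isDc
            Finding = $note
        }
    }
}

# Constructed sample input; in a live domain the same objects could come from
# Get-ADComputer -Filter * -Properties userAccountControl (ActiveDirectory module).
$sample = @(
    [pscustomobject]@{ Name = 'DC01';  userAccountControl = 532480 }  # 0x82000
    [pscustomobject]@{ Name = 'WEB01'; userAccountControl = 528384 }  # 0x81000
    [pscustomobject]@{ Name = 'WS07';  userAccountControl = 4096 }    # 0x01000
)

Get-UnconstrainedDelegationFinding -Computer $sample | Format-Table -AutoSize
```

On the sample data this lists DC01 as expected and WEB01 as the host to review, while WS07 is skipped. Accounts whose own decoded flags include `NOT_DELEGATED` do not have their TGT forwarded to such hosts.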

The next step in our attack is to listen for a connection from a Domain User (in this case the Domain Admin). All the Domain Admin needs to do here is authenticate to our compromised workstation; even just listing a directory is enough for us to capture a ticket. We can then use mimikatz to extract the ticket from our session with the compromised Admin.

![](/files/-M0uQFzjsxVgNS1HWgxk)

With mimikatz we can see the tickets saved in the current session, currently as another Domain User (Kevin).

![](/files/-M0uQz15w-lVro6pgpg5)

As kevin, I can dump the tickets once I have gained higher access, and finally we can use this ticket until it expires with mimikatz's "Pass the Ticket" method.

![](/files/-M0uRTtgHaNoOWyB8M68)

![](/files/-M0uTPv0AznaWfVa_5ZS)

And just to verify, I will list the C directory of the Domain Controller, currently as the user Kevin but with the Domain Admin's ticket.

![](/files/-M0uU0EhcPI6RJgoVkyp)

We can enumerate the DC directories. As we can see, this gives us no limits on who we want to impersonate. This attack is just a waiting game, because we need a user to authenticate to our compromised machine; with automated scripts it is just a matter of time. There are numerous ways to approach this situation, such as Covenant with just a few commands, Rubeus and SpoolCheck, which is able to "force" an authentication to our machine using the "Printer Bug", and also the impacket tool set.

{% embed url="<https://www.riccardoancarani.it/exploiting-unconstrained-delegation/>" %}

{% embed url="<https://adsecurity.org/?p=1667>" %}

{% embed url="<https://dirkjanm.io/krbrelayx-unconstrained-delegation-abuse-toolkit/>" %}


