Attacking Kerberos by Nairuz Abulhul


Trust this user/computer for delegation to any service.

Delegation is the act of giving someone authority or responsibility to do something on behalf of someone else. A similar concept is applied in the Active Directory environment; delegation allows an account with the delegate property to impersonate another account to access resources within the network.

There are three (3) known types of delegations allowed with Kerberos: Unconstrained, Constrained, and Resource-based constrained delegations. For this post, we will focus on abusing the first type — Unconstrained delegation. We will learn to abuse it during a pentest engagement to perform a privilege escalation to a higher level user, such as the domain admin????.

The attack demonstration steps will be on the Pentester Academy Active Directory Lab by Nikhil Mittal associated with the CRTP course.


  • Unconstrained Delegation Overview
  • Analysis Flow
  • Attack Requirements
  • Escalation Vectors
  • Used Tools
  • Demonstration Steps
  • Mitigation
  • References


Unconstrained delegation allows a user or computer with the option “Trust This user/computer for delegation to any service” enabled to impersonate ANY user authenticated to it and request access to ANY service.

The user can access the service, whether hosted on the authenticated server or hosted on another server on the same or a different domain.

Figure 1 — shows the configuration of Unconstrained Delegation for a computer

Figure 2 — shows the configuration of Unconstrained Delegation for a user

To understand it better, let’s take an example of a user authenticating to a webserver who wants to request data from other servers like, SQL, Application, or Mail that are not hosted on that webserver; they are hosted on different servers, as in the case below.

Without delegation, the webserver can’t provide the requested information from other services as it doesn’t have permission to talk to these services directly.

Figure 3— shows the delegation option is disabled on the webserver

However, if the delegation is enabled, the webserver can impersonate the authenticated user (regular user or service account) and fetch the requested information on behalf of the user as if it was the user themselves accessing the service directly.

Figure 4 — shows the delegation option is enabled on the webserver


Suppose we compromise a service account with administrator privileges through an attack like Kerberoasting, and that account is associated with a computer with the “Unconstrained Delegation” feature enabled. In this case, we can dump the TGT tickets of all accounts authenticated to the webserver, impersonate any user we want, and ask the Kerberos domain controller (KDC) for any service tickets we wish to access.

The huge and risky part of that type of delegation is that if the domain admin were one of the users authenticated to the server, we would be able to impersonate the DA with their TGT ticket and access any resource on the network with domain admin privileges ????


Let’s jump into the delegation flow with the Kerberos Authentication:

1- A user authenticates to the KDC (Kerberos Domain Controller) by sending an encrypted request with their credentials. The KDC verifies their identity and sends the user a TGT ticket.

2- The user receives the TGT ticket and sends it back to the KDC, requesting a service ticket for a specific service, let’s say a web service. The KDC checks the TGT validity and sends back the service ticket (TGS) for the requested service.

3- At this point, the user can use the service ticket (TGS) to access the requested web service. However, if the requested service, like the webservice in our example, needs to access another service like SQL, the user must obtain a Forwardable TGT ticket to pass it to the web service along with the TGS ticket.

Figure 5 — shows the user sending the forwardable TGT and TGS to the webserver

4 - The webserver caches the user’s Forwardable TGT locally and uses it to request a TGS ticket from the KDC to access the SQL service on behalf of the user.

Figure 6 — shows the webserver impersonating the user with the forwardable TGT and asking for a SQL TGS

5 - The KDC verifies the presented TGT and provides the webserver with the SQL TGS to access the SQL server as the user.

Figure 7— shows the webserver accessing the SQL server with the SQL TGS


  • A domain computer with the delegation option “Trust This computer for delegation to any service” enabled.
  • Local admin privileges on the delegated computer to dump the TGT tickets. If you compromised the server as a regular user, you would need to escalate to abuse this delegation feature.

???? _$_Escalation_Vectors

  • Vertically, escalate privileges to a higher privileged user like Domain Admin.
  • Horizontally, obtain privileges to another user who has access to different resources within the network not accessible to the original compromised account.

????_$_Used _Tools

  • Invoke-Mimikatz
  • PowerView
  • Active Directory Module


◼️ Identify The Delegated Host

We can use the PowerView script from PowerSploit or the AD module to determine if the delegation option is enabled by examining the Trusted delegation property value set as True.

For the PowerView, use the Get-NetComputer -UnConstrained command.

Figure 8 — shows the PowerView command for returning unconstrained delegation accounts

And for the AD Module, use the Get-ADComputer cmdlet and filter for the TrustedForDelegation property.

As we see in the below example, the command returned 2 (two) computers, the domain controller (DCORP-DC) and the app server (DCORP-APPSRV).

Figure 9 — shows that the AD module returned the computers that have TrustedForDelegation property set as True

◼️ Access The Identified Server

This step assumes that you have access to the delegated machine as an admin. In my access, I compromised the machine by using the appadmin hash obtained while dumping the hashes on another machine. I then used overpass the hash to access the dcorp-appsrv server as the appadmin user.

Figure 10 — shows overpass the hash with the appadmin account

Figure 11 — shows we have PS remoting session on the dcorp-appsrv machine as appadmin

◼️ Export All TGT Tickets

Since we are the local admin on the delegated machine, I uploaded the Invoke-Mimkatz script with PS Remoting (the machine has WinRM Service open), and dumped all of the cached TGT tickets.

▪️ Create PS session

Copy the Invoke-Mimikatz file to the remote machine. You will need to bypass AMSI to use it.

Figure 12– shows copying the Mimikatz script to the remote dcorp-appsrv machine

▪️ Import the script and export all the cached tickets.

Figure 13 —shows exporting all of the cached TGT tickets

As we see below, we were able to get the domain admin TGT because the DA logged into the dcorp-appsrv machine, and since the delegated machine caches all the TGTs, we could dump the ticket.

Figure 14 — shows the Administrator TGT ticket

◼️ Impersonate High Privileged User

Now that we have the TGT ticket for the domain admin, we can use Invoke-Mimikatz or Rubeus to request service tickets from the KDC to any service with DA privileges.

For our case, I used Mimikatz to impersonate the administrator.

Figure 15 - shows impersonating the administrator with Mimikatz

As seen below, the KDC accepted the TGT ticket from us and was able to request an HTTP service ticket to run PowerShell remotely with the Invoke-Command cmdlet.

???? PS Remoting uses HTTP as the protocol for transmitting commands and outputs.

Figure 16 — shows the KDC returning a TGS for HTTP service

We can use Invoke-command and verify that we are indeed logged into the domain controller ????

Figure 17— shows that we are logged into the domain controller as domain admin


  • Configuring the privileged accounts, to Account is sensitive and cannot be delegated within the Active Directory.
  • Assign privileged accounts like domain administrator or enterprise administrator, to the Protected Users security group.
  • Configure the delegation to be restricted to specific services accessed from particular hosts.

That’s all for today; we learned about unconstrained delegation and how to abuse it in an Active Directory environment to gain domain admin privileges. In the following article, we will go over constrained delegations.

Thanks for reading !!

???? All of the used commands can be found at R3d-Buck3T — (Active Directory — Privilege Escalation — Kerberos Delegations)



I have 5 years of professional experience in Information Security. I started as an Incident Responder, where I developed a deep interest in investigating attacks and hunting for IOCs in large global networks. I learned to identify and respond to threats in real-time through network monitoring and threat intelligence analysis. Two years ago, I shifted to the offensive security side as a pentester and started the R3d Buck3t Publication on Medium to document my learning journey and share knowledge with the InfoSec community.

Anyone interested in collaboration or assistance can reach me on Twitter (@NairuzAbulhul).
R3d Buck3T -

Original post:

March 12, 2022


Hakin9 TEAM
Hakin9 is a monthly magazine dedicated to hacking and cybersecurity. In every edition, we try to focus on different approaches to show various techniques - defensive and offensive. This knowledge will help you understand how most popular attacks are performed and how to protect your data from them. Our tutorials, case studies and online courses will prepare you for the upcoming, potential threats in the cyber security world. We collaborate with many individuals and universities and public institutions, but also with companies such as Xento Systems, CATO Networks, EY, CIPHER Intelligence LAB, redBorder, TSG, and others.
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Oldest Most Voted
Inline Feedbacks
View all comments
Phillip Trimble
Phillip Trimble
1 year ago

I would like to recommend a page editor. I found several mis-spelled words in this document. I would be willing to provide my services. Or just take this as a common courtesy to remind you to re-proof your work.

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023