Attacking Kerberos by Nairuz Abulhul

March 12, 2022

Trust this user/computer for delegation to any service.

Delegation is the act of giving someone authority or responsibility to do something on behalf of someone else. A similar concept is applied in the Active Directory environment; delegation allows an account with the delegate property to impersonate another account to access resources within the network.

There are three (3) known types of delegations allowed with Kerberos: Unconstrained, Constrained, and Resource-based constrained delegations. For this post, we will focus on abusing the first type — Unconstrained delegation. We will learn to abuse it during a pentest engagement to perform a privilege escalation to a higher level user, such as the domain admin????.

The attack demonstration steps will be on the

Read the rest of this story with a free account.

Already have an account? Sign in

Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Oldest Most Voted
Inline Feedbacks
View all comments
Phillip Trimble
Phillip Trimble
2 years ago

I would like to recommend a page editor. I found several mis-spelled words in this document. I would be willing to provide my services. Or just take this as a common courtesy to remind you to re-proof your work.

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023
What certifications or qualifications do you hold?
Max. file size: 150 MB.

What level of experience should the ideal candidate have?
What certifications or qualifications are preferred?

Download Free eBook

Step 1 of 4


We’re committed to your privacy. Hakin9 uses the information you provide to us to contact you about our relevant content, products, and services. You may unsubscribe from these communications at any time. For more information, check out our Privacy Policy.