A service or machine account with unconstrained delegation can authenticate to any other service on behalf of a client, including services it has no need to access. This works by caching the client's TGT on the delegating host so that it can later be used to authenticate to other domain services as that client.
Danger!
Unconstrained delegation is not recommended: use constrained delegation whenever possible. Once an account permitted for unconstrained delegation is compromised, the TGTs cached for delegation can be dumped and used to impersonate the associated principals.
Exploit
To find machine accounts permitted for unconstrained delegation using ADSearch (userAccountControl stores many flags related to the account; the 1.2.840... string is an OID for bitwise matching; 524288 = 2^19 is the mask for unconstrained delegation):
NOTE
Domain controller machine accounts may always perform unconstrained delegation.
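As an added audit example (not part of the original page), the same userAccountControl bitwise check the ADSearch query performs, written for the ActiveDirectory PowerShell module so a defender can list which non-DC accounts still hold the flag; it assumes the RSAT ActiveDirectory module is installed and spells out the full LDAP_MATCHING_RULE_BIT_AND OID.

```powershell
# Audit accounts with TRUSTED_FOR_DELEGATION (userAccountControl bit 0x80000 = 524288)
# using the LDAP bitwise-AND matching rule OID 1.2.840.113556.1.4.803.
# Domain controllers legitimately carry this flag, so they are marked as expected;
# every other hit is a candidate for moving to constrained delegation.
Import-Module ActiveDirectory

$UnconstrainedBit = 524288   # 2^19, TRUSTED_FOR_DELEGATION
$Filter = "(userAccountControl:1.2.840.113556.1.4.803:=$UnconstrainedBit)"

# Names of the domain controllers, used to separate expected from unexpected hits.
$DcNames = (Get-ADDomainController -Filter *).Name

$Accounts = @()
$Accounts += Get-ADComputer -LDAPFilter $Filter -Properties userAccountControl |
    Select-Object Name, DistinguishedName, userAccountControl, @{n = 'Type'; e = { 'Computer' }}
$Accounts += Get-ADUser -LDAPFilter $Filter -Properties userAccountControl |
    Select-Object Name, DistinguishedName, userAccountControl, @{n = 'Type'; e = { 'User' }}

foreach ($a in $Accounts) {
    $isDc = ($a.Type -eq 'Computer') -and ($DcNames -contains $a.Name)
    if ($isDc) {
        $finding = 'Expected (domain controller)'
    } else {
        $finding = 'Review: replace with constrained delegation'
    }
    [PSCustomObject]@{
        Name               = $a.Name
        Type               = $a.Type
        IsDomainController = $isDc
        Finding            = $finding
        DistinguishedName  = $a.DistinguishedName
    }
}

# Remediation for a non-DC account once its delegation needs are understood
# (preview only; remove -WhatIf to apply the change):
# Set-ADAccountControl -Identity '<distinguishedName>' -TrustedForDelegation $false -WhatIf
```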
To attack, simply use Rubeus to triage and dump any cached TGT.