From Print Server to Domain Admin: Kerberos Delegation Abuse
A deep dive into unconstrained Kerberos delegation abuse — how we leveraged a misconfigured print server to capture a Domain Controller TGT and achieve full domain compromise in under 4 hours.
Overview
Active Directory delegation is one of the most powerful — and most misunderstood — features in Windows environments. In this post, we walk through how unconstrained delegation on a single print server led to complete domain compromise.
What Is Kerberos Delegation?
Kerberos delegation allows a service to impersonate users when accessing other services on their behalf. Unconstrained delegation is the most dangerous variant: it allows a server to impersonate any user to any service.
The Attack Path
- **Initial Access** — Compromised a workstation via phishing
- **Enumeration** — Identified a print server with unconstrained delegation enabled
- **Coercion** — Used the PrinterBug (MS-RPRN) to force the Domain Controller to authenticate to our compromised print server
- **Capture** — Extracted the DC's TGT from memory using Rubeus
- **DCSync** — Used the captured TGT to perform a DCSync attack, extracting all domain password hashes
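The enumeration step above (and, later, verifying that unconstrained delegation really has been removed) comes down to reading a handful of attributes on each account. As an added example, not code from the original post or its authors, the Python below classifies exported AD account records by delegation type using the documented `userAccountControl` bits and the `msDS-AllowedToDelegateTo` / `msDS-AllowedToActOnBehalfOfOtherIdentity` attributes. The sample records and the helper names (`classify_delegation`, `find_unconstrained`, `unprotected_privileged`) are constructed for illustration; domain controllers carry the unconstrained flag by design and are deliberately excluded from the finding.

```python
"""Audit Active Directory delegation settings from exported account attributes.

Added example: the records below are constructed, not data from the engagement.
Attribute and flag names are the real AD ones; helper names are assumptions.
"""

# Documented userAccountControl bit flags (ADS_USER_FLAG_ENUM).
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000          # member server / workstation computer account
UF_SERVER_TRUST_ACCOUNT = 0x2000               # domain controller computer account
UF_TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation ("delegation to any service")
UF_NOT_DELEGATED = 0x100000                    # "Account is sensitive and cannot be delegated"
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition


def classify_delegation(obj):
    """Return a label describing how the account can delegate credentials."""
    uac = int(obj.get("userAccountControl", 0))
    if uac & UF_SERVER_TRUST_ACCOUNT:
        # DCs carry TRUSTED_FOR_DELEGATION by design; they are not a misconfiguration.
        return "domain-controller"
    if uac & UF_TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if obj.get("msDS-AllowedToDelegateTo"):
        # Constrained delegation: the allowed target SPNs live on the delegating account.
        if uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION:
            return "constrained-protocol-transition"
        return "constrained-kerberos-only"
    if obj.get("msDS-AllowedToActOnBehalfOfOtherIdentity"):
        # RBCD: the *target* resource holds the security descriptor naming who may delegate to it.
        return "rbcd-target"
    return "none"


def find_unconstrained(objects):
    """Non-DC accounts with unconstrained delegation: the finding from the enumeration step."""
    return sorted(o["sAMAccountName"] for o in objects if classify_delegation(o) == "unconstrained")


def unprotected_privileged(objects, privileged):
    """Privileged users whose TGT could be forwarded because NOT_DELEGATED is not set."""
    return sorted(o["sAMAccountName"] for o in objects
                  if o["sAMAccountName"] in privileged
                  and not int(o.get("userAccountControl", 0)) & UF_NOT_DELEGATED)


# Constructed sample export (what an LDAP search for the attributes above might return).
SAMPLE_OBJECTS = [
    {"sAMAccountName": "DC01$",
     "userAccountControl": UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "PRINT01$",
     "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "WEB01$",
     "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT | UF_TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["MSSQLSvc/sql01.corp.example:1433"]},
    {"sAMAccountName": "SQL01$",
     "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT,
     "msDS-AllowedToActOnBehalfOfOtherIdentity": b"<security descriptor bytes>"},
    {"sAMAccountName": "da.alice", "userAccountControl": 0x200},                   # NORMAL_ACCOUNT only
    {"sAMAccountName": "da.bob", "userAccountControl": 0x200 | UF_NOT_DELEGATED},  # hardened admin
]

if __name__ == "__main__":
    print("unconstrained (non-DC):", find_unconstrained(SAMPLE_OBJECTS))
    print("privileged without NOT_DELEGATED:",
          unprotected_privileged(SAMPLE_OBJECTS, {"da.alice", "da.bob"}))
```

Against the sample data the only unconstrained non-DC account is `PRINT01$`, which is exactly the kind of object the engagement turned into a TGT collector. The second check matters for the same reason: an admin whose account lacks the "sensitive" flag can have a TGT forwarded to any unconstrained host, whereas one with it set cannot.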
Remediation
- Remove unconstrained delegation from all servers
- Migrate to constrained delegation or Resource-Based Constrained Delegation (RBCD)
- Add Domain Controllers to the "Protected Users" group
- Monitor for suspicious TGT requests and DCSync activity
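The last remediation item is where the attack path is catchable in logs. DCSync is a directory replication request, so it appears as Security event 4662 with the two control-access rights DRS replication requires (`DS-Replication-Get-Changes`, GUID `1131f6aa-9c07-11d1-f79f-00c04fc2dcd2`, and `DS-Replication-Get-Changes-All`, GUID `1131f6ad-9c07-11d1-f79f-00c04fc2dcd2`) in its Properties field. The subtle case is the one in this post: with a captured DC TGT the subject of the 4662 event is the DC's own account, so a rule that only looks for non-DC accounts misses it; correlating the Logon ID back to the 4624 logon recovers the client address, which is not a DC. The following Python is an added example (not the post's or any vendor's detection), run over constructed sample events; `detect_dcsync`, the event field names as dictionary keys, and all hosts and addresses are assumptions.

```python
"""Flag DCSync-style directory replication from parsed Windows security events.

Added example with constructed events. The GUIDs are the documented control-access
rights that DRS replication requires; dictionary keys mirror 4662/4624 event fields.
Helper names, accounts and addresses are assumptions for illustration.
"""
import re

DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_RIGHTS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}")


def detect_dcsync(events, dc_accounts, dc_addresses):
    """Return (subject, source_ip, reason) for each replication request that should not occur."""
    # 4624 carries the client address of a logon session; 4662 only carries the Logon ID.
    logons = {e["LogonId"]: e for e in events if e["EventID"] == 4624}
    alerts = []
    for e in events:
        if e["EventID"] != 4662:
            continue
        rights = set(GUID_RE.findall(e["Properties"].lower()))
        if not rights & REPLICATION_RIGHTS:
            continue  # some other access to the naming context, not replication
        subject = e["SubjectUserName"].upper()
        src = logons.get(e["LogonId"], {}).get("IpAddress", "unknown")
        if subject not in dc_accounts:
            alerts.append((subject, src, "replication rights used by non-DC account"))
        elif src not in dc_addresses:
            # A replayed DC TGT makes the subject look like the DC itself; only the
            # client address of the correlated logon shows the request came from elsewhere.
            alerts.append((subject, src, "DC account replicating from non-DC address"))
    return alerts


# Constructed sample events (field names follow the 4624 / 4662 event schema).
REPL = "Control Access\n\t{%s}\n\t{%s}" % (DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL)
SAMPLE_EVENTS = [
    # Legitimate DC-to-DC replication: DC02 authenticating from its own address.
    {"EventID": 4624, "LogonId": "0xA1", "TargetUserName": "DC02$", "IpAddress": "10.0.0.6"},
    {"EventID": 4662, "LogonId": "0xA1", "SubjectUserName": "DC02$",
     "ObjectType": "domainDNS", "Properties": REPL},
    # The attack in this post: DC01's TGT used from the print server.
    {"EventID": 4624, "LogonId": "0xB2", "TargetUserName": "DC01$", "IpAddress": "10.0.50.23"},
    {"EventID": 4662, "LogonId": "0xB2", "SubjectUserName": "DC01$",
     "ObjectType": "domainDNS", "Properties": REPL},
    # A service account that should never replicate.
    {"EventID": 4624, "LogonId": "0xC3", "TargetUserName": "svc_backup", "IpAddress": "10.0.50.23"},
    {"EventID": 4662, "LogonId": "0xC3", "SubjectUserName": "svc_backup",
     "ObjectType": "domainDNS", "Properties": REPL},
    # Ordinary directory access with an unrelated control-access right: no alert.
    {"EventID": 4662, "LogonId": "0xD4", "SubjectUserName": "jdoe",
     "ObjectType": "user", "Properties": "Control Access\n\t{00299570-246d-11d0-a768-00aa006e0529}"},
]

DC_ACCOUNTS = {"DC01$", "DC02$"}
DC_ADDRESSES = {"10.0.0.5", "10.0.0.6"}

if __name__ == "__main__":
    for subject, src, reason in detect_dcsync(SAMPLE_EVENTS, DC_ACCOUNTS, DC_ADDRESSES):
        print(f"ALERT {subject} from {src}: {reason}")
```

The rule needs an accurate inventory of DC accounts and addresses, and 4662 auditing on the domain naming context must be enabled (it is not by default), otherwise neither branch fires. The same correlation approach applies to the "suspicious TGT requests" half of the item: a 4768 for a DC account whose client address is not a DC is the earlier signal, before any replication is attempted.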
Conclusion
A single misconfigured attribute on one server object led to total domain compromise. Active Directory security requires ongoing auditing of delegation settings, SPNs, and trust relationships.