Delegations is a tool that allows you to work with all types of Kerberos delegations (unconstrained, constrained, and resource-based constrained delegations) in Active Directory.
- Audit mode:
  - Audit existing unconstrained delegations
  - Audit existing constrained delegations with or without protocol transition
  - Audit existing resource-based constrained delegations
- Add mode:
  - Add new unconstrained delegations
  - Add new constrained delegations with or without protocol transition
  - Add new resource-based constrained delegations
- Find mode:
  - Find unconstrained delegations
  - Find constrained delegations with or without protocol transition
  - Find resource-based constrained delegations
- Clear mode:
  - Clear existing unconstrained delegations
  - Clear existing constrained delegations with or without protocol transition
  - Clear existing resource-based constrained delegations
- Remove mode:
  - Remove existing unconstrained delegations
  - Remove existing constrained delegations with or without protocol transition
  - Remove existing resource-based constrained delegations
- Monitor mode:
  - Monitor modifications of all types of delegations in real time
- Protocol transition mode:
  - Add protocol transition on a constrained delegation
  - Remove protocol transition on a constrained delegation
To get this tool you can either download the latest release from the GitHub release page or install it with the following go command:
go install github.com/TheManticoreProject/Delegations@latest
Audit Mode
The audit mode allows you to scan your Active Directory environment for all types of delegations:
./Delegations audit --dc-ip "192.168.56.101" -d "MANTICORE.local" -u "Administrator" -p "Admin123!"
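What the audit has to decide for each object is which delegation type its attributes describe. The following Go program is an added example, not code from the Delegations project: it classifies constructed LDAP-like entries using the two userAccountControl bits (TRUSTED_FOR_DELEGATION 0x80000, TRUSTED_TO_AUTH_FOR_DELEGATION 0x1000000), msDS-AllowedToDelegateTo and the presence of msDS-AllowedToActOnBehalfOfOtherIdentity; the Entry type and sample objects are assumptions for illustration.

```go
package main

import "fmt"

// userAccountControl bits that govern Kerberos delegation (values from the AD schema).
const (
	ufTrustedForDelegation       = 0x80000   // unconstrained delegation
	ufTrustedToAuthForDelegation = 0x1000000 // protocol transition (S4U2Self)
)

// Entry is a constructed stand-in for the attributes an audit reads from each LDAP object.
type Entry struct {
	DN                  string
	UserAccountControl  int
	AllowedToDelegateTo []string // msDS-AllowedToDelegateTo (constrained targets)
	HasRBCDDescriptor   bool     // msDS-AllowedToActOnBehalfOfOtherIdentity is set
	IsDomainController  bool     // DCs are trusted for delegation by design
}

// Classify maps one object's attributes to the delegation kinds an audit would report.
func Classify(e Entry) []string {
	var kinds []string
	if e.UserAccountControl&ufTrustedForDelegation != 0 && !e.IsDomainController {
		kinds = append(kinds, "unconstrained")
	}
	pt := e.UserAccountControl&ufTrustedToAuthForDelegation != 0
	switch {
	case len(e.AllowedToDelegateTo) > 0 && pt:
		kinds = append(kinds, "constrained with protocol transition")
	case len(e.AllowedToDelegateTo) > 0:
		kinds = append(kinds, "constrained")
	case pt: // flag set but no target SPNs: leftover configuration worth reviewing
		kinds = append(kinds, "protocol transition without constrained targets")
	}
	if e.HasRBCDDescriptor {
		kinds = append(kinds, "rbcd target")
	}
	return kinds
}

func main() {
	samples := []Entry{ // constructed samples mirroring the README's lab domain; 0x1000/0x2000 are trust-account bits
		{DN: "CN=PC01,CN=Computers,DC=MANTICORE,DC=local", UserAccountControl: 0x1000 | ufTrustedToAuthForDelegation, AllowedToDelegateTo: []string{"HOST/PC02.MANTICORE.local"}},
		{DN: "CN=PC02,CN=Computers,DC=MANTICORE,DC=local", UserAccountControl: 0x1000, HasRBCDDescriptor: true},
		{DN: "CN=DC01,OU=Domain Controllers,DC=MANTICORE,DC=local", UserAccountControl: 0x2000 | ufTrustedForDelegation, IsDomainController: true},
	}
	for _, s := range samples {
		fmt.Printf("%s -> %v\n", s.DN, Classify(s))
	}
}
```

Domain controllers carry TRUSTED_FOR_DELEGATION by default, so an audit that does not exclude them reports every DC as unconstrained; the RBCD descriptor lives on the target object, not on the account that is allowed to delegate.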
Add Mode
The add mode allows you to add a constrained, unconstrained, or resource-based constrained delegation on an object:
./Delegations add constrained --distinguished-name "CN=PC01,CN=Computers,DC=MANTICORE,DC=local" --dc-ip "192.168.56.101" -d "MANTICORE.local" -u "Administrator" -p 'Admin123!' --allowed-to-delegate-to "HOST/PC02.MANTICORE.local"
./Delegations add constrained --distinguished-name "CN=PC01,CN=Computers,DC=MANTICORE,DC=local" --dc-ip "192.168.56.101" -d "MANTICORE.local" -u "Administrator" -p 'Admin123!' --allowed-to-delegate-to "HOST/PC02.MANTICORE.local" --with-protocol-transition
./Delegations add unconstrained --distinguished-name "CN=PC01,CN=Computers,DC=MANTICORE,DC=local" --dc-ip "192.168.56.101" -d "MANTICORE.local" -u "Administrator" -p 'Admin123!'
./Delegations add rbcd --distinguished-name "CN=PC01,CN=Computers,DC=MANTICORE,DC=local" --dc-ip "192.168.56.101" -d "MANTICORE.local" -u "Administrator" -p 'Admin123!'
Clear Mode
The clear mode allows you to clear a constrained, unconstrained, or resource-based constrained delegation on an object:
./Delegations clear constrained --distinguished-name "CN=PC01,CN=Computers,DC=MANTICORE,DC=local" --dc-ip "192.168.56.101" -d "MANTICORE.local" -u "Administrator" -p 'Admin123!'
./Delegations clear constrained --distinguished-name "CN=PC01,CN=Computers,DC=MANTICORE,DC=local" --dc-ip "192.168.56.101" -d "MANTICORE.local" -u "Administrator" -p 'Admin123!' --with-protocol-transition
./Delegations clear unconstrained --distinguished-name "CN=PC01,CN=Computers,DC=MANTICORE,DC=local" --dc-ip "192.168.56.101" -d "MANTICORE.local" -u "Administrator" -p 'Admin123!'
./Delegations clear rbcd --distinguished-name "CN=PC01,CN=Computers,DC=MANTICORE,DC=local" --dc-ip "192.168.56.101" -d "MANTICORE.local" -u "Administrator" -p 'Admin123!'
Find Mode
The find mode allows you to find a constrained, unconstrained, or resource-based constrained delegation on an object:
./Delegations find constrained --distinguished-name "CN=PC01,CN=Computers,DC=MANTICORE,DC=local" --dc-ip "192.168.56.101" -d "MANTICORE.local" -u "Administrator" -p 'Admin123!'
./Delegations find constrained --distinguished-name "CN=PC01,CN=Computers,DC=MANTICORE,DC=local" --dc-ip "192.168.56.101" -d "MANTICORE.local" -u "Administrator" -p 'Admin123!' --with-protocol-transition
./Delegations find unconstrained --distinguished-name "CN=PC01,CN=Computers,DC=MANTICORE,DC=local" --dc-ip "192.168.56.101" -d "MANTICORE.local" -u "Administrator" -p 'Admin123!'
./Delegations find rbcd --distinguished-name "CN=PC01,CN=Computers,DC=MANTICORE,DC=local" --dc-ip "192.168.56.101" -d "MANTICORE.local" -u "Administrator" -p 'Admin123!'
Remove Mode
The remove mode allows you to remove a constrained, unconstrained, or resource-based constrained delegation from an object:
./Delegations remove constrained --distinguished-name "CN=PC01,CN=Computers,DC=MANTICORE,DC=local" --dc-ip "192.168.56.101" -d "MANTICORE.local" -u "Administrator" -p 'Admin123!' --allowed-to-delegate-to "HOST/PC02.MANTICORE.local"
./Delegations remove constrained --distinguished-name "CN=PC01,CN=Computers,DC=MANTICORE,DC=local" --dc-ip "192.168.56.101" -d "MANTICORE.local" -u "Administrator" -p 'Admin123!' --allowed-to-delegate-to "HOST/PC02.MANTICORE.local" --with-protocol-transition
./Delegations remove unconstrained --distinguished-name "CN=PC01,CN=Computers,DC=MANTICORE,DC=local" --dc-ip "192.168.56.101" -d "MANTICORE.local" -u "Administrator" -p 'Admin123!'
./Delegations remove rbcd --distinguished-name "CN=PC01,CN=Computers,DC=MANTICORE,DC=local" --dc-ip "192.168.56.101" -d "MANTICORE.local" -u "Administrator" -p 'Admin123!'
Protocol Transition Mode
The protocol transition mode allows you to add or remove protocol transition for a constrained delegation on an object:
./Delegations add protocoltransition --distinguished-name "CN=PC01,CN=Computers,DC=MANTICORE,DC=local" --dc-ip "192.168.56.101" -d "MANTICORE.local" -u "Administrator" -p 'Admin123!'
./Delegations remove protocoltransition --distinguished-name "CN=PC01,CN=Computers,DC=MANTICORE,DC=local" --dc-ip "192.168.56.101" -d "MANTICORE.local" -u "Administrator" -p 'Admin123!'
The first positional argument of the program is the mode:
./Delegations
Delegations - by Remi GASCOU (Podalirius) @ TheManticoreProject - v1.0.0
Usage: Delegations <add|audit|clear|find|monitor|remove>
add Add a constrained, unconstrained, or resource-based constrained delegation to a user or group.
audit Audit constrained, unconstrained, and resource-based constrained delegations in Active Directory.
clear Clear a constrained, unconstrained, or resource-based constrained delegation from a user or group.
find Find a constrained, unconstrained, or resource-based constrained delegation from a user or group.
monitor Monitor constrained, unconstrained, and resource-based constrained delegations in Active Directory.
remove Remove a constrained, unconstrained, or resource-based constrained delegation from a user or group.
Then, for the add, remove and find modes, the second positional argument is the delegation type:
./Delegations add
Delegations - by Remi GASCOU (Podalirius) @ TheManticoreProject - v1.0.0
Usage: Delegations add <constrained|rbcd|unconstrained>
constrained Add a constrained delegation to a user or group.
unconstrained Add a unconstrained delegation to a user or group.
rbcd Add a ressource-based delegation to a user or group.
For the audit mode, all delegation types are audited at once; no further positional arguments are needed, only options:
./Delegations audit
Delegations - by Remi GASCOU (Podalirius) @ TheManticoreProject - v1.0.0
Usage: Delegations audit --domain <string> --username <string> [--password <string>] [--hashes <string>] [--debug] --dc-ip <string> [--ldap-port <tcp port>] [--use-ldaps] [--use-kerberos]
Authentication:
-d, --domain <string> Active Directory domain to authenticate to.
-u, --username <string> User to authenticate as.
-p, --password <string> Password to authenticate with. (default: "")
-H, --hashes <string> NT/LM hashes, format is LMhash:NThash. (default: "")
Configuration:
-d, --debug Debug mode. (default: false)
LDAP Connection Settings:
-dc, --dc-ip <string> IP Address of the domain controller or KDC (Key Distribution Center) for Kerberos. If omitted, it will use the domain part (FQDN) specified in the identity parameter.
-lp, --ldap-port <tcp port> Port number to connect to LDAP server. (default: 389)
-L, --use-ldaps Use LDAPS instead of LDAP. (default: false)
-k, --use-kerberos Use Kerberos instead of NTLM. (default: false)
Pull requests are welcome. Feel free to open an issue if you want to add other features.
- Remi GASCOU (Podalirius) for the creation of the Delegations project before transferring it to TheManticoreProject.