Links
Comment on page

deleg

net::deleg checks for the following types of Kerberos delegations
  • Unconstrained Delegation (TRUSTED_FOR_DELEGATION)
  • Constrained Delegation (TRUSTED_TO_AUTH_FOR_DELEGATION, set with the msDS-Allowed-To-Delegate-Toattribute)
  • Resource Based Constrained Delegation (set with the msDS-Allowed-To-Act-On-Behalf-Of-Another-Identity attribute)
It has the following command line arguments:
  • /dns: the active directory domain to query
  • /server: The domain controller to query. If not specified it will query the DC of the current domain
mimikatz # net::deleg
CN=Win2019,OU=Servers,DC=hacklab,DC=local
objectGUID: {06a4a894-6e0b-41be-952e-f3c3108a1928}
userAccountControl: 0x00091000 - WORKSTATION_TRUST_ACCOUNT ; DONT_EXPIRE_PASSWD ; TRUSTED_FOR_DELEGATION ;
objectSid: S-1-5-21-1874506631-3219952063-538504511-1128
sAMAccountName: Win2019$
servicePrincipalName:
TERMSRV/Win2019
TERMSRV/Win2019.hacklab.local
WSMAN/Win2019
WSMAN/Win2019.hacklab.local
RestrictedKrbHost/Win2019
HOST/Win2019
RestrictedKrbHost/Win2019.hacklab.local
HOST/Win2019.hacklab.local
Last modified 1yr ago