deleg
net::deleg checks for the following types of Kerberos delegations​
  • Unconstrained Delegation (TRUSTED_FOR_DELEGATION)
  • Constrained Delegation (TRUSTED_TO_AUTH_FOR_DELEGATION, set with the msDS-Allowed-To-Delegate-Toattribute)
  • Resource Based Constrained Delegation (set with the msDS-Allowed-To-Act-On-Behalf-Of-Another-Identity attribute)
It has the following command line arguments:
  • /dns: the active directory domain to query
  • /server: The domain controller to query. If not specified it will query the DC of the current domain
1
mimikatz # net::deleg
2
​
3
CN=Win2019,OU=Servers,DC=hacklab,DC=local
4
objectGUID: {06a4a894-6e0b-41be-952e-f3c3108a1928}
5
userAccountControl: 0x00091000 - WORKSTATION_TRUST_ACCOUNT ; DONT_EXPIRE_PASSWD ; TRUSTED_FOR_DELEGATION ;
6
objectSid: S-1-5-21-1874506631-3219952063-538504511-1128
7
sAMAccountName: Win2019$
8
servicePrincipalName:
9
TERMSRV/Win2019
10
TERMSRV/Win2019.hacklab.local
11
WSMAN/Win2019
12
WSMAN/Win2019.hacklab.local
13
RestrictedKrbHost/Win2019
14
HOST/Win2019
15
RestrictedKrbHost/Win2019.hacklab.local
16
HOST/Win2019.hacklab.local
Copied!
Last modified 6mo ago
Copy link