Delegations

command module
v1.0.0
Published: Jun 2, 2025 License: GPL-3.0 Imports: 10 Imported by: 0

README

Delegations is a tool that allows you to work with all types of Kerberos delegations (unconstrained, constrained, and resource-based constrained delegations) in Active Directory.

Features

  • Audit mode:
    • Audit existing unconstrained delegations
    • Audit existing constrained delegations with or without protocol transition
    • Audit existing resource-based constrained delegations
  • Add mode:
    • Add new unconstrained delegations
    • Add new constrained delegations with or without protocol transition
    • Add new resource-based constrained delegations
  • Find mode:
    • Find unconstrained delegations
    • Find constrained delegations with or without protocol transition
    • Find resource-based constrained delegations
  • Clear mode:
    • Clear existing unconstrained delegations
    • Clear existing constrained delegations with or without protocol transition
    • Clear existing resource-based constrained delegations
  • Remove mode:
    • Remove existing unconstrained delegations
    • Remove existing constrained delegations with or without protocol transition
    • Remove existing resource-based constrained delegations
  • Monitor mode:
    • Monitor modifications of all types of delegations in real-time
  • Protocol transition mode:
    • Add protocol transition on a constrained delegation
    • Remove protocol transition on a constrained delegation

Installation

To get this tool you can either download the latest release from the GitHub release page or install it with the following go command:

go install github.com/TheManticoreProject/Delegations@latest

Demonstration

Audit Mode

The audit mode allows you to scan your Active Directory environment for all types of delegations:

./Delegations audit --dc-ip "192.168.56.101" -d "MANTICORE.local" -u "Administrator" -p "Admin123!"
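What an audit of this kind has to distinguish, shown as an added example (not code from the Delegations project): each delegation type maps to standard Active Directory attributes, namely userAccountControl bits, msDS-AllowedToDelegateTo and msDS-AllowedToActOnBehalfOfOtherIdentity. The `Entry` type, the `Classify` function and the sample entries are hypothetical and constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// userAccountControl bits that drive delegation (values from Microsoft's documentation).
const (
	serverTrustAccount         = 0x00002000 // domain controller account
	trustedForDelegation       = 0x00080000 // unconstrained delegation
	trustedToAuthForDelegation = 0x01000000 // protocol transition (S4U2Self)
)

// Entry is a hypothetical stand-in for the attributes of one LDAP search result.
type Entry struct {
	DN                string
	UAC               uint32   // userAccountControl
	AllowedToDelegate []string // msDS-AllowedToDelegateTo
	HasRBCD           bool     // msDS-AllowedToActOnBehalfOfOtherIdentity is present
}

// Classify lists every delegation type configured on an entry.
func Classify(e Entry) []string {
	var found []string
	if e.UAC&trustedForDelegation != 0 && e.UAC&serverTrustAccount != 0 {
		found = append(found, "unconstrained (domain controller default)")
	} else if e.UAC&trustedForDelegation != 0 {
		found = append(found, "unconstrained")
	}
	if len(e.AllowedToDelegate) > 0 {
		kind := "constrained without protocol transition"
		if e.UAC&trustedToAuthForDelegation != 0 {
			kind = "constrained with protocol transition"
		}
		found = append(found, kind+" -> "+strings.Join(e.AllowedToDelegate, ", "))
	}
	if e.HasRBCD {
		found = append(found, "resource-based constrained")
	}
	return found
}

func main() {
	dc := Entry{DN: "CN=DC01,OU=Domain Controllers,DC=MANTICORE,DC=local", UAC: 0x82000} // constructed
	pc := Entry{DN: "CN=PC01,CN=Computers,DC=MANTICORE,DC=local", UAC: 0x1001000, AllowedToDelegate: []string{"HOST/PC02.MANTICORE.local"}} // constructed
	fmt.Println(dc.DN, Classify(dc))
	fmt.Println(pc.DN, Classify(pc))
}
```

Domain controllers carry the unconstrained bit by default, so an audit review should separate them from member servers and user accounts where the same bit is a finding.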

Add Mode

The add mode allows you to add a constrained, unconstrained, or resource-based constrained delegation on an object:

./Delegations add constrained --distinguished-name "CN=PC01,CN=Computers,DC=MANTICORE,DC=local" --dc-ip "192.168.56.101" -d "MANTICORE.local" -u "Administrator" -p 'Admin123!' --allowed-to-delegate-to "HOST/PC02.MANTICORE.local"

./Delegations add constrained --distinguished-name "CN=PC01,CN=Computers,DC=MANTICORE,DC=local" --dc-ip "192.168.56.101" -d "MANTICORE.local" -u "Administrator" -p 'Admin123!' --allowed-to-delegate-to "HOST/PC02.MANTICORE.local" --with-protocol-transition

./Delegations add unconstrained --distinguished-name "CN=PC01,CN=Computers,DC=MANTICORE,DC=local" --dc-ip "192.168.56.101" -d "MANTICORE.local" -u "Administrator" -p 'Admin123!'

./Delegations add rbcd --distinguished-name "CN=PC01,CN=Computers,DC=MANTICORE,DC=local" --dc-ip "192.168.56.101" -d "MANTICORE.local" -u "Administrator" -p 'Admin123!'

Clear Mode

The clear mode allows you to clear a constrained, unconstrained, or resource-based constrained delegation on an object:

./Delegations clear constrained --distinguished-name "CN=PC01,CN=Computers,DC=MANTICORE,DC=local" --dc-ip "192.168.56.101" -d "MANTICORE.local" -u "Administrator" -p 'Admin123!'

./Delegations clear constrained --distinguished-name "CN=PC01,CN=Computers,DC=MANTICORE,DC=local" --dc-ip "192.168.56.101" -d "MANTICORE.local" -u "Administrator" -p 'Admin123!' --with-protocol-transition

./Delegations clear unconstrained --distinguished-name "CN=PC01,CN=Computers,DC=MANTICORE,DC=local" --dc-ip "192.168.56.101" -d "MANTICORE.local" -u "Administrator" -p 'Admin123!'

./Delegations clear rbcd --distinguished-name "CN=PC01,CN=Computers,DC=MANTICORE,DC=local" --dc-ip "192.168.56.101" -d "MANTICORE.local" -u "Administrator" -p 'Admin123!'

Find Mode

The find mode allows you to find a constrained, unconstrained, or resource-based constrained delegation on an object:

./Delegations find constrained --distinguished-name "CN=PC01,CN=Computers,DC=MANTICORE,DC=local" --dc-ip "192.168.56.101" -d "MANTICORE.local" -u "Administrator" -p 'Admin123!'

./Delegations find constrained --distinguished-name "CN=PC01,CN=Computers,DC=MANTICORE,DC=local" --dc-ip "192.168.56.101" -d "MANTICORE.local" -u "Administrator" -p 'Admin123!' --with-protocol-transition

./Delegations find unconstrained --distinguished-name "CN=PC01,CN=Computers,DC=MANTICORE,DC=local" --dc-ip "192.168.56.101" -d "MANTICORE.local" -u "Administrator" -p 'Admin123!'

./Delegations find rbcd --distinguished-name "CN=PC01,CN=Computers,DC=MANTICORE,DC=local" --dc-ip "192.168.56.101" -d "MANTICORE.local" -u "Administrator" -p 'Admin123!'

Remove Mode

The remove mode allows you to remove a constrained, unconstrained, or resource-based constrained delegation from an object:

./Delegations remove constrained --distinguished-name "CN=PC01,CN=Computers,DC=MANTICORE,DC=local" --dc-ip "192.168.56.101" -d "MANTICORE.local" -u "Administrator" -p 'Admin123!' --allowed-to-delegate-to "HOST/PC02.MANTICORE.local"

./Delegations remove constrained --distinguished-name "CN=PC01,CN=Computers,DC=MANTICORE,DC=local" --dc-ip "192.168.56.101" -d "MANTICORE.local" -u "Administrator" -p 'Admin123!' --allowed-to-delegate-to "HOST/PC02.MANTICORE.local" --with-protocol-transition

./Delegations remove unconstrained --distinguished-name "CN=PC01,CN=Computers,DC=MANTICORE,DC=local" --dc-ip "192.168.56.101" -d "MANTICORE.local" -u "Administrator" -p 'Admin123!'

./Delegations remove rbcd --distinguished-name "CN=PC01,CN=Computers,DC=MANTICORE,DC=local" --dc-ip "192.168.56.101" -d "MANTICORE.local" -u "Administrator" -p 'Admin123!'

Protocol Transition Mode

The protocol transition mode allows you to add or remove protocol transition for a constrained delegation on an object:

./Delegations add protocoltransition --distinguished-name "CN=PC01,CN=Computers,DC=MANTICORE,DC=local" --dc-ip "192.168.56.101" -d "MANTICORE.local" -u "Administrator" -p 'Admin123!'

./Delegations remove protocoltransition --distinguished-name "CN=PC01,CN=Computers,DC=MANTICORE,DC=local" --dc-ip "192.168.56.101" -d "MANTICORE.local" -u "Administrator" -p 'Admin123!'

Usage

The first positional argument of the program is the mode:

./Delegations 
Delegations - by Remi GASCOU (Podalirius) @ TheManticoreProject - v1.0.0

Usage: Delegations <add|audit|clear|find|monitor|remove>

   add      Add a constrained, unconstrained, or resource-based constrained delegation to a user or group.
   audit    Audit constrained, unconstrained, and resource-based constrained delegations in Active Directory.
   clear    Clear a constrained, unconstrained, or resource-based constrained delegation from a user or group.
   find     Find a constrained, unconstrained, or resource-based constrained delegation from a user or group.
   monitor  Monitor constrained, unconstrained, and resource-based constrained delegations in Active Directory.
   remove   Remove a constrained, unconstrained, or resource-based constrained delegation from a user or group.

Then, for the add, remove and find modes, the second positional argument is the delegation type:

./Delegations add 
Delegations - by Remi GASCOU (Podalirius) @ TheManticoreProject - v1.0.0

Usage: Delegations add <constrained|rbcd|unconstrained>

   constrained    Add a constrained delegation to a user or group.
   unconstrained  Add a unconstrained delegation to a user or group.
   rbcd           Add a ressource-based delegation to a user or group.

For the audit mode, all delegation types are audited at once; no further positional arguments are needed, only options:

./Delegations audit
Delegations - by Remi GASCOU (Podalirius) @ TheManticoreProject - v1.0.0

Usage: Delegations audit --domain <string> --username <string> [--password <string>] [--hashes <string>] [--debug] --dc-ip <string> [--ldap-port <tcp port>] [--use-ldaps] [--use-kerberos]


  Authentication:
    -d, --domain <string>   Active Directory domain to authenticate to.
    -u, --username <string> User to authenticate as.
    -p, --password <string> Password to authenticate with. (default: "")
    -H, --hashes <string>   NT/LM hashes, format is LMhash:NThash. (default: "")

  Configuration:
    -d, --debug     Debug mode. (default: false)

  LDAP Connection Settings:
    -dc, --dc-ip <string>       IP Address of the domain controller or KDC (Key Distribution Center) for Kerberos. If omitted, it will use the domain part (FQDN) specified in the identity parameter.
    -lp, --ldap-port <tcp port> Port number to connect to LDAP server. (default: 389)
    -L, --use-ldaps             Use LDAPS instead of LDAP. (default: false)
    -k, --use-kerberos          Use Kerberos instead of NTLM. (default: false)

Contributing

Pull requests are welcome. Feel free to open an issue if you want to add other features.

Credits

Directories

Path Synopsis
core
