Enum delegation module

[pavvka]

Description

This pull request introduces a new LDAP module enum_delegation that enumerates Active Directory delegation configurations, including:

• Unconstrained Delegation
• Constrained Delegation (with and without protocol transition)
• Resource-Based Constrained Delegation (RBCD)

The module performs LDAP-based enumeration and reports:

• Accounts trusted for unconstrained or constrained delegation via userAccountControl
• Constrained delegation targets via msDS-AllowedToDelegateTo
• RBCD relationships by parsing the msDS-AllowedToActOnBehalfOfOtherIdentity security descriptor

The module is based on findDelegation.py from Impacket and it introduces some opportunities for the future development such as ACLs enumeration for RBCD and options to choose a Delegation type.
In general, this would be a good addition for Netexec to have all Delegation enumeration in one place.

Note:
The current RBCD implementation only enumerates principals explicitly present in the msDS-AllowedToActOnBehalfOfOtherIdentity attribute.
It does not enumerate ACLs that could allow configuring RBCD indirectly (e.g., via WriteDacl, GenericWrite, etc.).

A BloodHound query is included in the module documentation to help identify principals that could enable RBCD via ACL abuse.

No new external dependencies are introduced.

Type of change

Insert an "x" inside the brackets for relevant items (do not delete options)

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Deprecation of feature or functionality
• This change requires a documentation update
• This requires a third party update (such as Impacket, Dploot, lsassy, etc)

Setup guide for the review

Environment used for testing:

• Attacker OS: Kali Linux 2025.2
• Python version: Python 3.13.5
• NetExec: 1.4.0 - SmoothOperator
• LDAP library: Impacket (bundled with NetExec)

Target environment:

• Windows Server 2019 Domain Controller
• Active Directory domain with:
  • Computer accounts configured for unconstrained and constrained delegation
  • RBCD configured via msDS-AllowedToActOnBehalfOfOtherIdentity
• Verified results against:
  • Impacket findDelegation.py

Screenshots (if appropriate):

Checklist:

Insert an "x" inside the brackets for completed and relevant items (do not delete options)

• I have ran Ruff against my changes (via poetry: poetry run python -m ruff check . --preview, use --fix to automatically fix what it can)
• I have added or updated the tests/e2e_commands.txt file if necessary (new modules or features are required to be added to the e2e tests)
• New and existing e2e tests pass locally with my changes
• If reliant on changes of third party dependencies, such as Impacket, dploot, lsassy, etc, I have linked the relevant PRs in those projects
• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation (PR here: https://github.com/Pennyw0rth/NetExec-Wiki)

[termanix]

Thank you for PR! But there is a flag for that which is --find-delegation

[pavvka]

Thank you! My bad: I was initially working with 1.2.0 where this feature was not implemented.

Woud it make sense to add ACL enumeration searching for WriteAccountRestrictions|GenericAll|GenericWrite|Owns|WriteDacl on a Computer as a part of RBCD enumeration? I have tried to implement it, but it was hard to work with ACLs enumeration, but I could dig more into it.

Also another question: would it be useful to add a module to enumerate AD Recycle Bin searching for deleted accounts which can be restored (https://netwrix.com/en/resources/blog/active-directory-object-recovery-recycle-bin/)?

[termanix]

No problem, but this is why we recommend and need to use up-to-date version 😄
For your question, I think you talk about the Tombstone module but that module is still on open PR #736

[NeffIsBack]

Hi and thanks for the PR from my side as well! However, as @termanix said this is duplicate.

I also think ACL enumeration would be a ton of work which is usually covered by BloodHound so I don't really see the reason to also add it to NetExec, at least for now.

Gonna close the PR for now.