Enum delegation module #1071

Closed. pavvka wants to merge 3 commits into Pennyw0rth:main from pavvka:enum-delegation-module

pavvka commented Jan 11, 2026

Description

This pull request introduces a new LDAP module enum_delegation that enumerates Active Directory delegation configurations, including:

  • Unconstrained Delegation
  • Constrained Delegation (with and without protocol transition)
  • Resource-Based Constrained Delegation (RBCD)

The module performs LDAP-based enumeration and reports:

  • Accounts trusted for unconstrained or constrained delegation via userAccountControl
  • Constrained delegation targets via msDS-AllowedToDelegateTo
  • RBCD relationships by parsing the msDS-AllowedToActOnBehalfOfOtherIdentity security descriptor

The module is based on findDelegation.py from Impacket, and it introduces some opportunities for future development, such as ACL enumeration for RBCD and options to choose a delegation type.
In general, this would be a good addition for NetExec to have all delegation enumeration in one place.

Note:
The current RBCD implementation only enumerates principals explicitly present in the msDS-AllowedToActOnBehalfOfOtherIdentity attribute.
It does not enumerate ACLs that could allow configuring RBCD indirectly (e.g., via WriteDacl, GenericWrite, etc.).

A BloodHound query is included in the module documentation to help identify principals that could enable RBCD via ACL abuse.

No new external dependencies are introduced.

Type of change

Insert an "x" inside the brackets for relevant items (do not delete options)

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Deprecation of feature or functionality
  • This change requires a documentation update
  • This requires a third party update (such as Impacket, Dploot, lsassy, etc)

Setup guide for the review

Environment used for testing:

  • Attacker OS: Kali Linux 2025.2
  • Python version: Python 3.13.5
  • NetExec: 1.4.0 - SmoothOperator
  • LDAP library: Impacket (bundled with NetExec)

Target environment:

  • Windows Server 2019 Domain Controller
  • Active Directory domain with:
    • Computer accounts configured for unconstrained and constrained delegation
    • RBCD configured via msDS-AllowedToActOnBehalfOfOtherIdentity
  • Verified results against:
    • Impacket findDelegation.py

Screenshots (if appropriate):

[Image: enum_delegation]

Checklist:

Insert an "x" inside the brackets for completed and relevant items (do not delete options)

  • I have run Ruff against my changes (via poetry: poetry run python -m ruff check . --preview, use --fix to automatically fix what it can)
  • I have added or updated the tests/e2e_commands.txt file if necessary (new modules or features are required to be added to the e2e tests)
  • New and existing e2e tests pass locally with my changes
  • If reliant on changes of third party dependencies, such as Impacket, dploot, lsassy, etc, I have linked the relevant PRs in those projects
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation (PR here: https://github.com/Pennyw0rth/NetExec-Wiki)
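
Added example, not part of the pull request and not NetExec or Impacket code: a minimal classifier for the three delegation types listed in the description, including extraction of principals from the msDS-AllowedToActOnBehalfOfOtherIdentity security descriptor. The function names, output labels and the constructed sample descriptor are assumptions for illustration; entries are assumed to be already-fetched LDAP attributes in a dict.

```python
import struct

# Documented userAccountControl bits
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition allowed

def sid_to_str(raw):
    """Render a binary SID as S-1-..."""
    rev, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", raw, 8)
    return "-".join(["S", str(rev), str(authority), *map(str, subs)])

def rbcd_principals(sd):
    """SIDs from ACCESS_ALLOWED ACEs in the DACL of a self-relative descriptor."""
    dacl = struct.unpack_from("<I", sd, 16)[0]      # OffsetDacl field
    if dacl == 0:
        return []
    ace_count = struct.unpack_from("<H", sd, dacl + 4)[0]
    pos, sids = dacl + 8, []                        # skip 8-byte ACL header
    for _ in range(ace_count):
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", sd, pos)
        if ace_type == 0:                           # header(4) + mask(4), then SID
            sids.append(sid_to_str(sd[pos + 8:pos + ace_size]))
        pos += ace_size
    return sids

def classify(entry):
    """Return (delegation type, targets or principals) pairs for one LDAP entry."""
    uac = int(entry.get("userAccountControl", 0))
    spns = entry.get("msDS-AllowedToDelegateTo", [])
    found = []
    if uac & TRUSTED_FOR_DELEGATION:
        found.append(("unconstrained", []))
    if spns:
        transition = uac & TRUSTED_TO_AUTH_FOR_DELEGATION
        found.append(("constrained+protocol-transition" if transition else "constrained", spns))
    sd = entry.get("msDS-AllowedToActOnBehalfOfOtherIdentity")
    if sd:
        found.append(("rbcd", rbcd_principals(sd)))
    return found

def sample_sd(subs):
    """Constructed test descriptor: one allow ACE for S-1-5-<subs>."""
    sid = struct.pack("<BB", 1, len(subs)) + (5).to_bytes(6, "big") + struct.pack(f"<{len(subs)}I", *subs)
    ace = struct.pack("<BBHI", 0, 0, 8 + len(sid), 0xF01FF) + sid
    acl = struct.pack("<BBHHH", 4, 0, 8 + len(ace), 1, 0) + ace
    return struct.pack("<BBHIIII", 1, 0, 0x8004, 0, 0, 0, 20) + acl
```

As the note in the description says of the module, this reads only principals explicitly present in the attribute; it does not evaluate ACLs on the computer object.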

@termanix
Contributor

Thank you for the PR! But there is a flag for that, which is --find-delegation

@pavvka
Author

pavvka commented Jan 11, 2026

Thank you! My bad: I was initially working with 1.2.0 where this feature was not implemented.

Would it make sense to add ACL enumeration searching for WriteAccountRestrictions|GenericAll|GenericWrite|Owns|WriteDacl on a Computer as a part of RBCD enumeration? I have tried to implement it, but it was hard to work with ACL enumeration, but I could dig more into it.

Also another question: would it be useful to add a module to enumerate AD Recycle Bin searching for deleted accounts which can be restored (https://netwrix.com/en/resources/blog/active-directory-object-recovery-recycle-bin/)?

@termanix
Contributor

No problem, but this is why we recommend and need to use an up-to-date version 😄
For your question, I think you are talking about the Tombstone module, but that module is still in open PR #736

@NeffIsBack
Member

Hi and thanks for the PR from my side as well! However, as @termanix said, this is a duplicate.

I also think ACL enumeration would be a ton of work which is usually covered by BloodHound so I don't really see the reason to also add it to NetExec, at least for now.

Gonna close the PR for now.

NeffIsBack added the "duplicate" label (This issue or pull request already exists) Jan 13, 2026
NeffIsBack closed this Jan 13, 2026