Active Directory
Resource-Based Constrained Delegation (RBCD)
Active Directory Privilege Escalation
Resource-Based Constrained Delegation Attack Path Using Impacket
1. Adding a Fake Computer Account
The first step in this attack is to add a fake computer account to the domain. This is done using Impacket's addcomputer.py script. We will create a fake computer named fakehost and set a password for it.
Explanation:
-dc-ip 10.0.0.1: IP address of the Domain Controller (DC).-computer-pass fakepass123: Set the password for the fake computer account.-computer-name fakehost: The name of the fake computer.dc.local/username:password123: Credentials for a valid domain user.
Output:
2. Set RBCD Permissions on the Fake Computer
Next, we use Impacket's rbcd.py to grant delegation rights to fakehost$, allowing it to impersonate users on the DC (dc$).
Explanation:
-delegate-to "dc$": Grant rights to impersonate users on the DC.-delegate-from "fakehost$": The fake computer that gets impersonation rights.-dc-ip 10.0.0.1: IP of the Domain Controller.
3. Requesting a Service Ticket with S4U2Self
Now we impersonate administrator using S4U2Self and request a service ticket for a service on the DC.
Explanation:
dc.local/fakehost$:fakepass123: Fake computer credentials.-spn www/dc.dc.local: Target SPN.-impersonate administrator: The user to impersonate.
4. Export and Verify the Ticket
Expected Output:
5. Use the Ticket with Impacket’s PSExec
Explanation:
-k: Use Kerberos ticket.-no-pass: No password needed.dc.local/administrator@dc.dc.local: Use impersonated user and SPN.
Output:
Conclusion
This path demonstrates privilege escalation via Resource-Based Constrained Delegation (RBCD) using:
addcomputer.pyto add a fake computer.rbcd.pyto give it impersonation rights.getST.pyto impersonateadministrator.psexec.pywith Kerberos to getSYSTEMaccess.