Rbcd-Attack - Kerberos Resource-Based Constrained Delegation Attack From Outside Using Impacket


This repo is about a practical attack against Kerberos Resource-Based Constrained Delegation in a Windows Active Directory Domain. The difference from other common implementations is that we are launching the attack from outside of the Windows Domain, not from a domain joined (usually Windows) computer. The attack is implemented using only Python3 Impacket (and its dependencies). Tested on Arch with up-to-date Impacket (0.9.21 as of writing). The Attack In summary, without any deep details, the attack targets a domain computer, exactly service principals related to the target domain computer. What we need here as prerequisites: a domain account with write access to the target computer (exactly write access to the msDS-AllowedToActOnBehalfOfOtherIdentity property of the target computer domain object) permission to create new computer accounts (this is usually default, see MachineAccountQuota) LDAP (389/tcp) and SAMR (445/tcp) (or LDAPS (636/tcp)) access to the DC. Kerberos (88/tcp) access to the DC The attack path in very high level: Create a fake computer....

September 17, 2020
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Inline Feedbacks
View all comments
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023
What certifications or qualifications do you hold?
Max. file size: 150 MB.

What level of experience should the ideal candidate have?
What certifications or qualifications are preferred?

Download Free eBook

Step 1 of 4


We’re committed to your privacy. Hakin9 uses the information you provide to us to contact you about our relevant content, products, and services. You may unsubscribe from these communications at any time. For more information, check out our Privacy Policy.