This repo is about a practical attack against Kerberos Resource-Based Constrained Delegation in a Windows Active Directory domain. The difference from other common implementations is that the attack is launched from outside the Windows domain, not from a domain-joined (usually Windows) computer.

The attack is implemented using only Python3 Impacket (and its dependencies). Tested on Arch with up-to-date Impacket (0.9.21 as of writing).

## The Attack

In summary, without going into deep detail, the attack targets a domain computer, specifically the service principals related to that computer.

Prerequisites:

- a domain account with write access to the target computer (specifically, write access to the msDS-AllowedToActOnBehalfOfOtherIdentity property of the target computer's domain object)
- permission to create new computer accounts (this is usually the default, see MachineAccountQuota)
- LDAP (389/tcp) and SAMR (445/tcp) (or LDAPS (636/tcp)) access to the DC
- Kerberos (88/tcp) access to the DC

The attack path at a very high level:

Create a fake computer....
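On the defensive side, the prerequisites above leave a trail in the DC Security log when one account is used for both steps: it creates a computer account (event 4741) and then writes msDS-AllowedToActOnBehalfOfOtherIdentity on another computer object (event 5136, which is only logged when Directory Service Changes auditing and a matching SACL are in place). The correlation below is an added example, not code from this repo; the event dictionaries are constructed samples with a simplified subset of fields, and the function name and the 24-hour window are assumptions.

```python
from datetime import datetime, timedelta

RBCD_ATTR = "msds-allowedtoactonbehalfofotheridentity"  # compared case-insensitively

# Constructed sample events: a simplified subset of the fields in Windows
# Security events 4741 (computer account created) and 5136 (directory object modified).
EVENTS = [
    {"time": "2020-05-01T09:00:00", "id": 4741, "SubjectUserName": "helpdesk",
     "TargetUserName": "LAPTOP-77$"},
    {"time": "2020-05-01T09:05:00", "id": 5136, "SubjectUserName": "helpdesk",
     "ObjectDN": "CN=LAPTOP-77,CN=Computers,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "description"},
    {"time": "2020-05-01T10:00:05", "id": 4741, "SubjectUserName": "jdoe",
     "TargetUserName": "WS-NEW01$"},
    {"time": "2020-05-01T10:00:40", "id": 5136, "SubjectUserName": "jdoe",
     "ObjectDN": "CN=FILESRV01,CN=Computers,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "msDS-AllowedToActOnBehalfOfOtherIdentity"},
    {"time": "2020-05-01T11:00:00", "id": 5136, "SubjectUserName": "admin-svc",
     "ObjectDN": "CN=APP02,CN=Computers,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "msDS-AllowedToActOnBehalfOfOtherIdentity"},
]


def find_rbcd_chains(events, window=timedelta(hours=24)):
    """Return (actor, new_computer, target_dn) for every case where one account
    created a computer account and then, within `window`, modified the RBCD
    attribute on a directory object."""
    created = []  # (time, actor, new computer account name)
    hits = []
    for ev in sorted(events, key=lambda e: e["time"]):  # ISO timestamps sort as text
        when = datetime.fromisoformat(ev["time"])
        actor = ev["SubjectUserName"].lower()
        if ev["id"] == 4741:
            created.append((when, actor, ev["TargetUserName"]))
        elif (ev["id"] == 5136
              and ev.get("AttributeLDAPDisplayName", "").lower() == RBCD_ATTR):
            for c_when, c_actor, c_name in created:
                if c_actor == actor and timedelta(0) <= when - c_when <= window:
                    hits.append((actor, c_name, ev["ObjectDN"]))
    return hits


if __name__ == "__main__":
    for actor, computer, target in find_rbcd_chains(EVENTS):
        print(f"{actor} created {computer}, then changed delegation on {target}")
```

Changes to this attribute by an account with no preceding 4741 (admin-svc in the sample) are not reported by this correlation and need their own review against expected delegation changes.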