Mark Pralat, Jr, a Penetration Tester at FIS, has developed a tool that simplifies writing to the ‘msDS-AllowedToActOnBehalfOfOtherIdentity’ attribute for RBCD (Resource-Based Constrained Delegation) attacks. The tool is heavily inspired by the workflow of Impacket-RBCD and is compatible with Cobalt Strike’s execute-assembly. It runs under the context of the user running the tool using LDAP, and no credentials are passed in manually. This means that if you want to use another domain user’s privileges, you can simply run the tool under that user’s session. If run under SYSTEM, it will try to bind as the machine account in AD.
GitHub: https://lnkd.in/etiEqXi9
You Should Know:
- Impacket-RBCD Workflow: The tool is inspired by Impacket-RBCD, so if you’re familiar with Impacket, this tool will feel very natural.
- Cobalt Strike Compatibility: The tool is lightweight and compatible with Cobalt Strike’s execute-assembly.
- LDAP Context: The tool runs under the context of the user running it using LDAP, and no credentials are passed in manually.
- SYSTEM Context: If run under SYSTEM, it will try to bind as the machine account in AD.
Practice Verified Codes and Commands:
    # Example command to run the tool under a specific user session
    execute-assembly -f /path/to/tool.exe -u domainuser -p password
    # Example command to run the tool under SYSTEM context
    execute-assembly -f /path/to/tool.exe -s
What Undercode Say:
This tool simplifies the process of writing to the ‘msDS-AllowedToActOnBehalfOfOtherIdentity’ attribute, making RBCD attacks more accessible. It’s a valuable addition to any penetration tester’s toolkit, especially for those familiar with Impacket and Cobalt Strike. Below are some additional Linux and Windows commands that can be useful in similar scenarios:
Linux Commands:
    # Check LDAP bind status
    ldapsearch -x -H ldap://domaincontroller -D "cn=admin,dc=domain,dc=com" -w password -b "dc=domain,dc=com"
    # List all users in the domain
    ldapsearch -x -H ldap://domaincontroller -D "cn=admin,dc=domain,dc=com" -w password -b "dc=domain,dc=com" "(objectClass=user)"
Windows Commands:
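    # The AD: drive and Set-ADComputer come from the ActiveDirectory module
    Import-Module ActiveDirectory
    # Check if a user has write permissions on an AD object
    Get-Acl -Path "AD:\CN=User,DC=domain,DC=com" | Select-Object -ExpandProperty Access
    # Clear RBCD on a target computer ($null empties msDS-AllowedToActOnBehalfOfOtherIdentity)
    Set-ADComputer -Identity TargetComputer -PrincipalsAllowedToDelegateToAccount $null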
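For reviewing what a write to 'msDS-AllowedToActOnBehalfOfOtherIdentity' actually granted, the sketch below decodes the attribute's binary security descriptor and lists the SIDs in its DACL. It is an added example, not code from the tool or the original post; the function names and the sample bytes (including every SID in them) are constructed for illustration.

```python
import struct

# Constructed sample of a msDS-AllowedToActOnBehalfOfOtherIdentity value (not captured data).
SAMPLE = bytes.fromhex(
    "0100048014000000000000000000000024000000"  # SD header: owner @20, DACL @36
    "01020000000000052000000020020000"          # owner SID S-1-5-32-544
    "04002c0001000000"                          # ACL header: size 44, one ACE
    "00002400ff010f00"                          # ACCESS_ALLOWED ACE, size 36, mask 0xF01FF
    "010500000000000515000000e8030000d0070000b80b000051040000"  # S-1-5-21-1000-2000-3000-1105
)

def parse_sid(buf, off):
    """Decode the binary SID starting at buf[off] into S-R-A-S... form."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from(f"<{count}I", buf, off + 8)
    return "-".join(["S", str(rev), str(authority), *map(str, subs)])

def rbcd_principals(sd):
    """Return [(ace_type, access_mask, sid)] for the DACL of a self-relative SD."""
    if len(sd) < 20:
        raise ValueError("truncated security descriptor")
    rev, _, control, _, _, _, off_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if rev != 1 or not control & 0x8000:        # SE_SELF_RELATIVE must be set
        raise ValueError("not a self-relative security descriptor")
    if not control & 0x0004 or off_dacl == 0:   # SE_DACL_PRESENT clear: no entries
        return []
    if off_dacl + 8 > len(sd):
        raise ValueError("DACL offset out of range")
    _, _, acl_size, ace_count, _ = struct.unpack_from("<BBHHH", sd, off_dacl)
    end = off_dacl + acl_size
    if end > len(sd):
        raise ValueError("DACL runs past end of value")
    aces, pos = [], off_dacl + 8
    for _ in range(ace_count):
        if pos + 4 > end:
            raise ValueError("ACE header out of range")
        ace_type, _, ace_size = struct.unpack_from("<BBH", sd, pos)
        if ace_size < 16 or pos + ace_size > end:
            raise ValueError("bad ACE size")
        if ace_type in (0, 1):                  # allowed / denied: mask, then SID
            mask = struct.unpack_from("<I", sd, pos + 4)[0]
            aces.append((ace_type, mask, parse_sid(sd, pos + 8)))
        pos += ace_size
    return aces

def unapproved(sd, approved_sids):
    """SIDs granted delegation rights that are not on the reviewer's approved list."""
    return [sid for t, _, sid in rbcd_principals(sd) if t == 0 and sid not in approved_sids]
```

ldapsearch prints this attribute base64-encoded, so decode it before passing the bytes to `rbcd_principals`.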
Conclusion:
This tool is a significant step forward in simplifying RBCD attacks, making it easier for penetration testers to exploit this vulnerability. The integration with Cobalt Strike and the ability to run under different user contexts adds to its versatility. For more information, check out the GitHub repository.
References:
Reported By: Mark B38b131b4 – Hackers Feeds



