Update to Get-RBCD-Threaded: Including WriteDacl and WriteProp

In my previous post on resource-based constrained delegation (RBCD), I created a tool called Get-RBCD-Threaded to enumerate AD environments for possible RBCD attack paths. Get-RBCD-Threaded worked by finding AD users, groups, and computer objects that had either GenericAll, GenericWrite, or WriteOwner privileges on another computer object. These permissions would allows you to modify the ms-DS-Allowed-To-Act-On-Behalf-Of-Other-Identity…

Resource Based Constrained Delegation

Earlier this year on a internal penetration test for my employer, I was stuck on Active Directory (AD) escalation. I had gotten a foothold in the environment by cracking a user’s hashed credentials that I had captured through DHCPv6 spoofing. However, the user didn’t belong to any privileged groups and didn’t have local admin privileges…

Unconstrained Delegation

One of the weaknesses that I configured in my lab environment was “Unconstrained Delegation.” Systems in an Active Directory (AD) environment can be configured for unconstrained delegation. This means that a system can “delegate”, or impersonate users that authenticate to it. Normally, when a user authenticates to a service running on a system, the user…