¶ Get-RBCD-Threaded
https://github.com/FatRodzianko/Get-RBCD-Threaded
¶ About
Get-RBCD-Thread will query all Active Directory users, groups (minus privileged groups like "Domain Admins" and "BUILTIN\Administrators"), and computer objects in your current domain and compile a list of their SIDs. Get-RBCD-Threaded will then query AD for all DACLs on the computer objects in the domain. Each ACE in the DACLs will be checked to see if one of the user/group/computer SIDS has either "GenericAll", "GenericWrite", "WriteOwner", or "WriteDacl" privileges on the computer object, or if the SIDS have "WriteProp" permissions on the ms-DS-Allowed-To-Act-On-Behalf-Of-Other-Identity attribute (GUID:3f78c3e5-f79a-46bd-a0b8-9d18116ddc79). If it does, then, well, you my friend are on your way to a Resource-Based Constrained Delegation attack!
¶ Usage
Compile in Visual Studio. This uses Parallel.ForEach to spead up searching through the DACL object, so .NET v4 is minimum required.
¶ Options
-u|-username=, Username to authenticate as
-p|-password=, Password for the user
-d|-domain=, Fully qualified domain name to authenticate to
-s|-searchforest, Discover domains and forests through trust relationships. Enumerate all domains and forests
-pwdlastset=, Filter computers based on pwdLastSet to remove stale computer objects. If you set this to 90, it will filter out computer objects whose pwdLastSet date is more than 90 days ago
-i|-insecure, Force insecure LDAP connect if LDAPS is causing connection issues.
-o|-outputfile=, Output to a CSV file. Provided full path to file and file name.
-h|-?|-help, Show the help options
You can now specify the username, password, and domain to authenticate to. If u/p/d options are blank, Get-RBCD-Threaded will atempt to authenticate to the domain in your current user context.
-o will output to a CSV file. Provide the full file path and file name to save the output to.
The default search specifies that port 636 be used to force LDAPS. This may cause issues. If you get an error saying something about the server not being available or similar, try the "-i" flag to remove the 636 port from the connect string.
"pwdLastSet" has been added as a filtering option. In larger environments you can get a lot of stale computer objects that no longer exist as the "destination" object int he ACL, and can't really be used for the RBCD attack (at least not that I am aware of). Set pwdLastSet to a number of days. Example: "-pwdlastset=90" will filter out any computer objects from your results where the pwdLastSet date is greater or equal to 90 days ago from the current date and time.
Tested in an environment with 20k+ uses, groups, and computers (over 60k total objects). Get-RBCD-Thread took ~60 seconds to complete. By comparison, my hacked together PowerView commands in this gist to perform a similar search ran for several hours and never completed.
This tool will not perform the delegation attack for you. You'll need to read Elad Shamir's and harmj0y's blogs to figure out how to do that. This will only help you find possible targets for the RBCD attack.
