Exploring cross-domain & cross-forest RBCD #2050
Open
carlospolop wants to merge 1 commit into master from
🔗 Additional Context
Original Blog Post: https://www.synacktiv.com/en/publications/exploring-cross-domain-cross-forest-rbcd.html
Content Categories: Based on the analysis, this content was categorized under "Windows Hardening -> Active Directory Methodology -> Constrained Delegation / Resource-Based Constrained Delegation (RBCD) (add subsection: Cross-domain & cross-forest RBCD; include SID-based RBCD configuration via ntlmrelayx and the cross-realm S4U referral sequence)".
Repository Maintenance:
Review Notes:
Bot Version: HackTricks News Bot v1.0
🤖 Automated Content Update
This PR was automatically generated by the HackTricks News Bot based on a technical blog post.
📝 Source Information
🎯 Content Summary
Title: Exploring cross-domain & cross-forest RBCD (Synacktiv, 23/03/2026)
High-level goal and why it matters
The post explains how to execute Resource-Based Constrained Delegation (RBCD) when the attacker-controlled delegating principal (typically a computer account) is located in a different domain (child domain) or even a different forest than the target computer. It shows why "stock" tooling (notably Impacket getST.py) fails in ...
🔧 Technical Details
Cross-domain RBCD (foreign delegator principal): If you can add an attacker-controlled principal from a different domain to a target computer's msDS-AllowedToActOnBehalfOfOtherIdentity, you can still obtain service tickets in the target domain by chaining cross-realm Kerberos referrals and S4U. Practically: obtain a TGT in the attacker domain; request a referral TGT for the target realm (krbtgt/target); perform cross-realm S4U2Self to get a referral ST for the victim user; then perform the required sequence of S4U2Self/S4U2Proxy (including independent S4U2Proxy calls) to finally mint an ST for a target SPN (e.g., cifs/host.target) as the impersonated user.
RBCD setup via NTLM relay to LDAP using a SID: When the delegating principal is not present in the target domain's LDAP (cross-domain/forest), name-based resolution fails. Relaying NTLM to LDAP and setting delegation must therefore reference the delegator by SID (e.g., using <cod...
🤖 Agent Actions
I’m mapping the blog’s techniques to the existing AD/RBCD documentation first, then I’ll verify whether the cross-domain and cross-forest details are already covered before editing a single file.
I’ve located the likely AD/Kerberos pages. Next I’m reading the existing RBCD, constrained delegation, Kerberos, LDAP signing, and trust-related content to find the narrowest non-duplicative insertion point.
The core RBCD page already covers same-domain abuse and basic Linux tooling, but it doesn’t document the cross-realm ticket sequence, SID-based foreign principal setup, or the practical cross-forest limitation. I’m checking for partial duplicates before I patch only that page.
I’ve confirmed the relevant material belongs in the existing RBCD page, not the trust pages: the missing content is still an RBCD exploitation nuance, not a separate trust methodology. I’m pulling one official Kerberos delegation reference and the Synacktiv source so the new subsection is tight and properly referenced.
I have the insertion point and the missing points are clear: foreign-SID setup, the exact cross-realm S4U flow, the tool limitations, and the cross-forest constraints. I’m editing the existing RBCD page now and then I’ll re-read the result to catch any formatting or duplication issues.
The content is in the right file and the diff is tight. I caught one shell-escaping artifact in the example command, so I’m correcting that and then I’ll do a final sanity pass on the edited section and references.
Updated resource-based-constrained-delegation.md with a new Cross-domain & cross-forest RBCD section. The addition covers the missing technical pieces from the Synacktiv post without creating a new page: SID-based foreign principal setup via ntlmrelayx --sid, the 6-step cross-domain cross-realm S4U flow, why stock Impacket fails, Linux usage with Synacktiv's modified getST.py, the cross-forest same-forest-user limitation, and the branch-aware / RC4 quirks. I also updated the file's ## References section with the Synacktiv post, their Impacket branch, and Microsoft docs.
Verification: re-read the edited section and confirmed the repo only has this one intended modification.
markdownlint-cli2 was not installed, so I could not run it.
This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.