DirectAccess and Kerberos Resource-based Constrained Delegation

ID: 578117af-438f-5eb3-b87b-c75361e82840

STIX ID: report--578117af-438f-5eb3-b87b-c75361e82840

Feed Name: SensePost Blog

Threat Score: 70/100

Date Published: 2020-08-19

Date Updated: 2026-04-30

This report describes a penetration test case study in which a low-privileged domain user with GenericAll rights over a target computer exploited resource-based constrained delegation (RBCD) by creating a machine account, modifying msDS-AllowedToActOnBehalfOfOtherIdentity, and using Rubeus to obtain impersonation Kerberos tickets. The attack was impeded by IPv6/DirectAccess environment issues until IPv6 support was added to Rubeus. Although full exploitation was not achieved, the write-up highlights the high-impact risk of AD ACL misconfigurations and provides mitigation steps.
