Commit 8f264b5

Update README.md
1 parent 0bb42f9 commit 8f264b5

1 file changed: +6 -0 lines changed
README.md

Lines changed: 6 additions & 0 deletions
@@ -20,6 +20,8 @@ Compile in Visual Studio. This uses Parallel.ForEach to spead up searching throu
2020

2121
-s|-searchforest, Discover domains and forests through trust relationships. Enumerate all domains and forests
2222

23+
-pwdlastset=, Filter computers based on pwdLastSet to remove stale computer objects. If you set this to 90, it will filter out computer objects whose pwdLastSet date is more than 90 days ago
24+
2325
-i|-insecure, Force insecure LDAP connect if LDAPS is causing connection issues.
2426

2527
-o|-outputfile=, Output to a CSV file. Provided full path to file and file name.
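
Review bot: The new -pwdlastset= entry gives the cutoff as "more than 90 days ago", while the longer description added further down in this README says "greater or equal to 90 days ago"; both should state the same boundary, matching the comparison the code actually performs. The entry also does not say whether any stale-object filtering is applied when the option is omitted, and unlike the neighbouring -s|-searchforest, -i|-insecure and -o|-outputfile= entries it has no short form, which is worth adding or noting as intentional.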
@@ -30,6 +32,10 @@ You can now specify the username, password, and domain to authenticate to. If u/
3032

3133
-o will output to a CSV file. Provide the full file path and file name to save the output to.
3234

35+
The default search specifies that port 636 be used to force LDAPS. This may cause issues. If you get an error saying something about the server not being available or similar, try the "-i" flag to remove the 636 port from the connect string.
36+
37+
"pwdLastSet" has been added as a filtering option. In larger environments you can get a lot of stale computer objects that no longer exist as the "destination" object int he ACL, and can't really be used for the RBCD attack (at least not that I am aware of). Set pwdLastSet to a number of days. Example: "-pwdlastset=90" will filter out any computer objects from your results where the pwdLastSet date is greater or equal to 90 days ago from the current date and time.
38+
3339
Tested in an environment with 20k+ uses, groups, and computers (over 60k total objects). Get-RBCD-Thread took ~60 seconds to complete. By comparison, my hacked together [PowerView](https://github.com/PowerShellMafia/PowerSploit/tree/dev) commands in this [gist](https://gist.github.com/FatRodzianko/e4cf3efc68a700dca7cedbfd5c05c99f) to perform a similar search ran for several hours and never completed.
3440

3541
This tool will not perform the delegation attack for you. You'll need to read Elad Shamir's and harmj0y's blogs to figure out how to do that. This will only help you find possible targets for the RBCD attack.
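
Review bot: The added paragraph on "-i" describes the effect only as removing "the 636 port from the connect string"; it should say outright that this gives up LDAPS for a plain LDAP connection, as the option list's "Force insecure LDAP connect" already implies, so that someone using the username and password options understands the trade-off before reaching for the flag. "an error saying something about the server not being available or similar" would be more useful if it quoted the actual error text. In the pwdLastSet paragraph, "int he ACL" should read "in the ACL", and "greater or equal to 90 days ago" should be reconciled with the "more than 90 days ago" wording used in the option list.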