Pentesting Articles and Notes

Access Control Lists

Last updated 3 years ago

All objects within a domain are subject to the permissions set on them. Those permissions can be set directly on the object, inherited from a parent container, or derived from the groups the object is a member of.

Red teamers and penetration testers should note what permissions each object has, how objects relate to one another, and what privileges the objects themselves hold, in order to draw out a clearer attack path.

In general, an ACL is a list of Access Control Entries (ACEs), and each object's security descriptor carries two types of ACL:

  • DACL - Defines the permissions a user or group has on an object

  • SACL - Defines which access attempts (success and failure) are audited when an object is accessed

The individual entries are grouped into an ACL for each object. ACLs can be expressed as text in the Security Descriptor Definition Language (SDDL), but they are easily viewed and changed in the Windows GUI (see the picture below). These ACLs describe what permissions objects have over one another and their access to other resources within the network.

Attackers look for permissions among these relationships that give them an opportunity to increase their privileges within the network. The following permissions are excellent candidates when the user/object you wish to target holds more privileges than your current position [1]:

  • Replicating Directory Changes All

  • Replicating Directory Changes (DS-Replication-Get-Changes)

  • GenericAll

  • GenericWrite

  • WriteDACL

  • Self

  • WriteOwner

  • WriteProperty

  • CreateChild

  • DeleteChild

  • Extended Right

Enumeration Techniques

Getting ACLs for a Specified Object

Get-ObjectAcl -SamAccountName <username> -ResolveGUIDs # PowerView

Using pywerview.py:

python pywerview.py get-objectacl -w bizcorp.local -u <user> -p <pass> -t <target-ip> --resolve-guids --sam-account-name <user> [--dc-ip <dc-ip>]

Get ACLs with a Specified Prefix

Get-ObjectAcl -ADSprefix 'CN=Administrator,CN=Users' -Verbose # PowerView
(Get-Acl 'AD:\CN=Administrator,CN=Users,DC=bizcorp,DC=local').Access # AD Module

Get ACLs for a Specified LDAP Path

Get-ObjectAcl -ADSpath "LDAP://CN=Domain Admins,CN=Users,DC=bizcorp,DC=local" -ResolveGUIDs -Verbose # PowerView

Using pywerview.py:

python pywerview.py get-objectacl -w bizcorp.local -u <user> -p <pass> -t <target-ip> --resolve-guids [--dc-ip <dc-ip>] -a "LDAP://CN=Domain Admins,CN=Users,DC=bizcorp,DC=local"

Finding Interesting ACE's

Invoke-ACLScanner -ResolveGUIDs # PowerView

To Check Permissions for a User/Group Over Other Objects

Invoke-ACLScanner -ResolveGUIDs | ?{$_.IdentityReference -match "<group>"} # PowerView
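The two halves of this page, the DACL/ACE structure with its list of interesting rights and the Invoke-ACLScanner style scan with the per-identity filter, worked through in one added example. This is not PowerView or pywerview code and not from the original page: it parses SDDL strings offline with only the Python standard library, so it can be run against descriptors exported from a lab without touching a domain. The object DNs, SIDs and DACL strings are constructed; the right abbreviations, ACCESS_MASK bits and the two replication-right GUIDs are the documented Windows values. Two simplifications are assumed: only those two control-access GUIDs are resolved to names (PowerView's -ResolveGUIDs resolves all of them from the schema), and a trustee counts as "non-default" when it is a domain SID with a RID above 1000, which is the same cut-off Invoke-ACLScanner uses to hide built-in principals.

```python
"""Parse a DACL from its SDDL string and flag ACEs granting the rights listed on this page.
Added example, not PowerView or pywerview code; DNs, SIDs and DACLs below are constructed."""
import re
from collections import namedtuple

RIGHTS = {  # SDDL abbreviation: (ACCESS_MASK bit, name); AD object rights plus generic/standard ones
    "CC": (0x1, "CreateChild"), "DC": (0x2, "DeleteChild"), "LC": (0x4, "ListChildren"),
    "SW": (0x8, "Self"), "RP": (0x10, "ReadProperty"), "WP": (0x20, "WriteProperty"),
    "DT": (0x40, "DeleteTree"), "LO": (0x80, "ListObject"), "CR": (0x100, "ExtendedRight"),
    "SD": (0x10000, "Delete"), "RC": (0x20000, "ReadControl"), "WD": (0x40000, "WriteDACL"),
    "WO": (0x80000, "WriteOwner"), "GA": (0x10000000, "GenericAll"),
    "GX": (0x20000000, "GenericExecute"), "GW": (0x40000000, "GenericWrite"),
    "GR": (0x80000000, "GenericRead"),
}
EXTENDED_RIGHT_GUIDS = {  # the lookup -ResolveGUIDs does; only the two replication rights here
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
INTERESTING = {  # the rights from the list above that let a trustee modify or take over the object
    "GenericAll", "GenericWrite", "WriteDACL", "WriteOwner", "WriteProperty", "Self",
    "CreateChild", "DeleteChild", "ExtendedRight",
    "DS-Replication-Get-Changes", "DS-Replication-Get-Changes-All",
}
DACL_RE = re.compile(r"D:([A-Z]*(?:\([^)]*\))+)")  # "D:" + optional flags (AI, P, ...) + ACEs
ACE_RE = re.compile(r"\(([^)]*)\)")
# ace_type A/D = allow/deny, OA/OD = object-specific; object_type = GUID narrowing the right ("" = all)
Ace = namedtuple("Ace", "ace_type flags rights object_type trustee")

def decode_rights(text):
    """Turn 'GAWD' or a hex mask such as '0x40000' into a set of right names."""
    if text.startswith("0x"):
        mask = int(text, 16)
        return {name for bit, name in RIGHTS.values() if mask & bit}
    return {RIGHTS[text[i:i + 2]][1] for i in range(0, len(text), 2)}

def parse_dacl(sddl):
    """Extract the DACL from a security descriptor string and return its ACEs."""
    m = DACL_RE.search(sddl)
    if not m:
        raise ValueError("no DACL in SDDL string")
    aces = []
    for body in ACE_RE.findall(m.group(1)):
        ace_type, flags, rights, obj_guid, _inherit_guid, trustee = body.split(";")[:6]
        names = decode_rights(rights)
        guid = obj_guid.lower()
        if "ExtendedRight" in names and guid in EXTENDED_RIGHT_GUIDS:  # CR limited to one known right
            names.add(EXTENDED_RIGHT_GUIDS[guid])
        aces.append(Ace(ace_type, flags, names, guid, trustee))
    return aces

def is_custom_principal(trustee):
    """Domain SID with RID > 1000, i.e. not a built-in or default account (SDDL aliases such as
    DA or SY are built-in). Invoke-ACLScanner applies the same cut-off to hide default principals."""
    m = re.fullmatch(r"S-1-5-21(?:-\d+){3}-(\d+)", trustee)
    return bool(m) and int(m.group(1)) > 1000

def scan(objects):
    """objects maps object DN -> SDDL. Returns (dn, trustee, rights) for every allow ACE that hands
    a non-default principal an INTERESTING right: the rows Invoke-ACLScanner would report."""
    hits = []
    for dn, sddl in objects.items():
        for ace in parse_dacl(sddl):
            if ace.ace_type not in ("A", "OA") or not is_custom_principal(ace.trustee):
                continue
            found = ace.rights & INTERESTING
            if found:
                hits.append((dn, ace.trustee, sorted(found)))
    return hits

def rights_of(hits, trustee_pattern):
    """The ?{$_.IdentityReference -match '<group>'} filter above, applied to scan() output."""
    return [h for h in hits if re.search(trustee_pattern, h[1])]

def dcsync_capable(hits, domain_dn):
    """Trustees holding both replication rights on the domain head, the pair an audit should flag."""
    needed = {"DS-Replication-Get-Changes", "DS-Replication-Get-Changes-All"}
    held = {}
    for dn, trustee, rights in hits:
        if dn == domain_dn:
            held.setdefault(trustee, set()).update(rights)
    return sorted(t for t, r in held.items() if needed <= r)

# Constructed DACLs (not from a real domain): the Domain Admins group, a user, and the domain head.
SAMPLE = {
    "CN=Domain Admins,CN=Users,DC=bizcorp,DC=local":
        "O:DAG:DAD:AI(A;;GA;;;SY)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPLCLORC;;;AU)"
        "(A;;GA;;;S-1-5-21-1111-2222-3333-1105)",
    "CN=jdoe,CN=Users,DC=bizcorp,DC=local":
        "D:(A;;RPLCLORC;;;AU)(A;;0x40000;;;S-1-5-21-1111-2222-3333-1106)",
    "DC=bizcorp,DC=local":
        "D:(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1111-2222-3333-1107)"
        "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1111-2222-3333-1107)"
        "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DA)",
}

if __name__ == "__main__":
    for dn, trustee, rights in scan(SAMPLE):
        print(f"{trustee:36} {', '.join(rights):48} on {dn}")
```

Running it lists one GenericAll grant on the Domain Admins group, one WriteDACL grant on the user (given as a hex mask rather than abbreviations), and the two replication rights on the domain head; the ACEs for SY, DA and AU are dropped by the RID filter exactly as Invoke-ACLScanner drops them, which is why a scan that omits that filter drowns in default entries. rights_of() is the per-identity check, and dcsync_capable() is the audit question the "Replicating Directory Changes" entries in the list above boil down to: which non-default principals hold both rights on the domain object.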

References:

[1]: https://adsecurity.org/?p=3658