Access Control Lists

All objects within a domain are subject to the permissions given to them. The permissions can be manually given, inherited, or defined by the groups each object is in.

Red Teamers and Penetration Testers should take care to notice what sorts of permissions each object has, the relationship different objects have with one another, and the privileges the objects themselves have in order to draw out a more clear attack path.

In general, ACL's are lists of Access Control Entries (ACE) which are composed of two types:

DACL - These define the permissions a user or group have on an object
SACL - Success and failure audits when an object is accessed

All of these individual entries are grouped into an ACL for each object. These ACLs are written in the Security Descriptor Definition Language (SDDL) but are easily viewed and changed within the Windows GUI (see the picture below). These ACL's describe what permissions objects have over one another and their access to other resources within the network.

Attackers should look for permissions amongst the relationships that will give them an opportunity to increase their privileges within the network. The following permissions provide excellent opportunities to increase your privileges if the user/object you wish to attack has more privileges than the current position you are in[1]:

Replicating Directory Changes All
Replicating Directory Changes (DS-Replication-Get-Changes)
GenericAll
GenericWrite
WriteDACL
Self
WriteOwner
WriteProperty
CreateChild
DeleteChild
Extended Right

Enumeration Techniques

Getting ACLs for a Specified Object

Get-ObjectAcl -SamAccountName <username> -ResolveGUIDs # PowerView

Using pywerview.py:

python pywerview.py get-objectacl -w bizcorp.local -u <user> -p <pass> -t <target-ip> --resolve-guids --sam-account-name <user> [--dc-ip <dc-ip>]

Get ACLs with a Specified Prefix

Get-ObjectAcl -ADSprefix 'CN=Administrator, CN=Users' -Verbose # PowerView
(Get-Acl 'AD:\CN=Administrator,CN=Users,DC=bizcorp,DC=local').Access # AD Module

Get ACLs for a Specified LDAP Path

Get-ObjectAcl -ADSpath "LDAP://CN=DomainAdmins,CN=Users,DC=bizcorp,DC=local" -ResolveGUIDs -Verbose # PowerView

Using pywerview.py

python pywerview.py get-objectacl -w bizcorp.local -u <user> -p <pass> -t <target-ip> --resolve-guids [--dc-ip <dc-ip>] -a "LDAP://CN=DomainAdmins,CN=Users,DC=bizcorp,DC=local"

Finding Interesting ACE's

Invoke-ACLScanner -ResolveGUIDs # PowerView

To Check Permissions for a User/Group Over Other Objects

Invoke-ACLScanner -ResolveGUIDs | ?{$_.IdentityReference -match "<group>"} # PowerView

References:

[1]: https://adsecurity.org/?p=3658

PreviousBasic Enumeration NextDomain Trusts and Forests Enumeration

Last updated 2 years ago