Tuesday, May 31, 2022
HomeInformation SecurityEnumerating Entry Controls in Energetic Listing | by Nairuz Abulhul | R3d...

Enumerating Entry Controls in Energetic Listing | by Nairuz Abulhul | R3d Buck3T


Understanding Energetic Listing Controls — ACLs, ACEs, DACLs, and SACLs

https://unsplash.com/pictures/Mwkd5QQ9b3kason Hafso

Entry Controls are a set of permissions given to an object. In an lively listing surroundings, an object is an entity that represents an accessible useful resource inside the group’s community, equivalent to area controllers, customers, teams, computer systems, shares, and many others. There are 12 sorts of AD objects:

  • Person object
  • Contact object
  • Printer object
  • Laptop object
  • Shared folder
  • Group
  • Organizational Unit
  • Area
  • Area controller
  • Web site objects
  • Bulletin
  • International safety principals

Typically, sustaining Energetic Listing permissions is sophisticated and arduous to handle, particularly in complicated environments with a number of domains and forests. Weak permissions are one of many go-to vectors for privilege escalation throughout an inner safety evaluation. That’s as a result of their enumeration course of doesn’t require particular area degree privileges, and they are often accomplished on the person degree.

In the present day’s put up discusses the lively listing entry controls, their construction, and easy methods to enumerate them in a post-exploitation state of affairs utilizing the PowerView script. The demonstration steps will likely be on the Pentester Academy Energetic Listing Lab by Nikhil Mittal related to the CRTP course.

The Entry Management mannequin is designed to verify requests from customers, providers, or processes to entry an accessible object. The requests get granted or rejected relying on the requested object’s permissions.

The ACL checking course of includes 2 steps when evaluating a request:

  • Entry token consists of the requester’s identification and privileges.
  • Object’s Safety Descriptors are the permissions checklist, generally known as DACL and SACL. The DACL validates the requester Entry Token in opposition to the item’s permissions checklist to determine to grant or reject that request, and the SACL logs the successes or failures of those requests.

📍 DACL is Discretionary Entry Management Record and SACL is System Entry Record.

DACLs List — Active Directory Enumeration
Determine 1 — reveals the DACL checklist of Area Admins group in an Energetic Listing

To raised perceive the mannequin, let’s take an instance of a person within the Gross sales division who desires entry to a monetary share known as Budgeting 2022.

The person would provoke a request to the Budgeting 2022 object presenting their Entry Token that reveals their identification and privileges, i.e., John from the Gross sales Division.

Then, the focused object — Budgeting 2020 validates the person entry token in opposition to the item checklist of permissions (DACL). If the checklist permits the gross sales division members to entry the Budgeting 2022 object, the person will grant the entry, and if not, the request would get rejected, and in each circumstances, the granting or rejecting of the request can be logged by the SACL.

◼ ️DACL Construction

The entry management checklist consists of a number of particular person permissions generally known as ACEs Entry Management Entries. Every entry has a permission sort (enable or deny), a principal account (who is that this permission for — person, group, laptop), what objects the principal account can entry, and the entry rights [read, write, Full Control].

Access Control Entries (ACE) in a DACL list — Active Directory Enumeration
Determine 2 — reveals the Entry Management Entries (ACE) in a DACL checklist

Step one is to obtain the PowerView script and import it with the Import-Module cmdlet.

Import-Module .powerview.ps1
Import PowerView Script — Active Directory Enumeration
Determine 3 — Import PowerView Script

If the AMSI (Antimalware Scan Interface) blocks the script, you possibly can bypass it by working the beneath PowerShell command.

S`eT-It`em ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x') ) ([TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE (('1Q'+'2U') +'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"(("{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'males'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )

📌 Verify this GitHub Gist for different PowerShell bypasses — reigningshells/powershell-bypasses.ps1

◼Get ACLs of Customers and Teams Objects

To enumerate an objects’ entry management permissions, run the Get-ObjectAcl cmdlet and go it an object title (a person, group, or laptop). The command would return a listing of entry entries associated to the requested object. The GUID resolver parameter will get the group ID of the requested object.

If the item title is totally different than the SAM account title, use the SAMAccountName property with the item title.

Get-ObjectAcl Object-Identify –ResolveGUIDsGet-ObjectAcl -SAMAccountName Object-Identify –ResolveGUIDs
ACEs — Active Directory Enumeration
Determine 4 — ACEs of the item Student223
ACEs properties — Active Diretory Enumeraiton
Determine 5 — reveals the ACEs properties of the coed 223 object

As we see within the above screenshots, the command returns all of the entry management entries(ACEs) of the requested object student223”.

There are 4 fascinating properties to verify within the outcomes:

  • ObjectDN (Object Distinguished Identify) is the item title — Student223
  • IdentityReference is who has entry to the item. As seen above, the built-in directors’ group has entry to the Student223 object.
  • ActiveDirectoryRights are the sorts of permissions given to the item. In our instance, the built-in directors’ group has WriteDacl and WriteOwner on the student223 object.
  • AccessControlType is an Permit entry.

The WriteOwner permission signifies the object’s possession which signifies that the built-in directors have full management on the Student223 object. The WriteDACl is true to change the objects DACL’s checklist.

There are different fascinating permissions to search for when enumerating Energetic Listing rights like within the beneath checklist:

Interesting Active Directory Rights —Active Directory Enumeration
Determine 6- reveals Attention-grabbing Energetic Listing Rights — iRed Workforce checklist

To filter by way of a particular sort of permission, use the equal (-eq) operator and go it the permission sort such as “GenericAll.”

Get-ObjectAcl student223 |{$_.ActiveDirectoryRights -eq "GenericAll"}
Determine 7 — reveals all ACEs with GenericAll permissions
Determine 8 — reveals the teams who’ve the GenericAll (full management) permissions on the Student223 object

◼️Get ACLs Related to Particular Prefix

Run the Get-ObjectACL command with the ADSPrefix parameter to seek for particular controls utilizing frequent names [CN], organizational models[OU], or area controllers [DC]. Within the instance beneath, I looked for the entry entries related to the scholar machines Organizational Unit.

Get-ObjectAcl -ADSprefix 'OU=Studentmachines' - Verbose
Determine 9 — reveals entry entries related to the coed machines Organizational Unit

◼️ Get ACLs Related to Particular LDAP path

With PowerView, we are able to seek for entry entries of an object utilizing its LDAP path.

Run the Get-ObjectAcl cmdlet with the ADSpath parameter.

Get-ObjectAcl -ADSpath “LDAP:// ” -ResolveGUIDs -verbose
Get ACLs Associated with Specific LDAP path — Active Directory Enumeration
Determine 10 — reveals the permissions of the Student230 object utilizing its LDAP path

📍 You will get the AdPaths of objects by working these instructions:

Get-Netcomputers -FullData | choose cn, adspath Get-NetGroups -FullData | choose cn, adspath

◼️ Get ACLS with Invoke Scanner

PowerView has a scanner module that scans the area for all fascinating abusable permissions, i.e., write, modify or genericall, and many others.

To run the scanner, use Invoke-ACLScanner.

Invoke-ACLScanner -ResolveGUIDs

As seen within the beneath screenshot, the scanner discovered a number of entry management entries with GenericAll rights. An instance is the RDPUsers group with GenericAll rights on the Control127User object.

Determine 11 — reveals the outcomes of the Invoke-ACLScanner

◼️ Get ACLs Related to UNC path

We will seek for entry controls of community shares like SYSVOL share for enumerating group coverage objects and scripts utilizing its UNC path.

To take action, run the Get-Path cmdlet with the Path parameter.

Get-PathAcl -Path "dcorp-dc.dollarcorp.moneycorp.localsysvol"
Determine 12 — reveals get ACLs Related to UNC path
RELATED ARTICLES

LEAVE A REPLY

Please enter your comment!
Please enter your name here

- Advertisment -
Google search engine

Most Popular

Recent Comments