ACL/ACE Abuse
Generic All
This is also known as Full Control. A trustee holding GenericAll on an object can manipulate that object however they wish, so every other primitive on this page is implied by it.
On a user object, GenericAll gives the trustee the ability to reset the target's password without knowing the current one. This capability corresponds to the "ForceChangePassword" edge in BloodHound; see the Force Change Password section below for the procedure.
Generic Write
Generic Write grants the ability to write to any non-protected attribute on the target object, including "member" on a group and "servicePrincipalName" on a user.
The targetedKerberoast tool (linked in the Targeted Kerberoast section below) abuses the latter: it adds a temporary SPN to the target user, either to all users or to the one specified on the command line, requests a service ticket for it to obtain a crackable hash, and then removes the SPN again. The cleanup is done automatically.
The recovered hash can be cracked offline using the tool of your choice.
WriteOwner
Object owners retain the ability to modify an object's security descriptor (its DACL and owner), regardless of the permissions the DACL itself grants them.
To change the ownership of the object, you may use Impacket's owneredit example script (cf. the "grant ownership" reference for the exact link).
Once you own a user object, you may grant yourself the GenericAll permission on it.
Impacket's dacledit can be used for that purpose (cf. the "grant rights" reference for the link).
Cleanup of the added ACE can be performed later on with the same tool.
Targeted Kerberoast
https://github.com/ShutdownRepo/targetedKerberoast
Force Change Password
Use Samba's net tool to change the user's password. Credentials can be supplied in cleartext on the command line or prompted interactively if omitted; the new password is likewise prompted for if omitted.
It can also be done with pass-the-hash using pth-toolkit's net tool. If the LM hash is not known, use the placeholder 'ffffffffffffffffffffffffffffffff' in its place.
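The permissions above are all visible in an object's DACL before anyone abuses them, so the defender's counterpart is a DACL audit. The following is an added example, not code from this page or from any of the tools it links: it decodes ACE access masks into the BloodHound-style edge names used above (GenericAll, GenericWrite, WriteOwner, WriteDacl, ForceChangePassword, AddMember, WriteSPN) and reports the ones held by principals outside an allow-list. The ACCESS_MASK bit values and the User-Force-Change-Password, member and servicePrincipalName GUIDs are the documented Active Directory constants; the DACL, owner, principal names and trusted set are constructed sample data.

```python
"""Audit a constructed AD object DACL for ACEs that grant the abuse
primitives discussed above. Added example; the sample data is constructed."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# ACCESS_MASK bits from ADS_RIGHTS_ENUM (documented AD constants)
ADS_RIGHT_DS_WRITE_PROP = 0x00000020
ADS_RIGHT_DS_CONTROL_ACCESS = 0x00000100
ADS_RIGHT_WRITE_DAC = 0x00040000
ADS_RIGHT_WRITE_OWNER = 0x00080000
ADS_RIGHT_GENERIC_ALL = 0x10000000
ADS_RIGHT_GENERIC_WRITE = 0x40000000

# Extended-right / attribute schema GUIDs (documented AD constants)
GUID_FORCE_CHANGE_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"  # User-Force-Change-Password
GUID_MEMBER = "bf9679c0-0de6-11d0-a285-00aa003049e2"                 # member attribute
GUID_SPN = "f3a64788-5306-11d1-a9c5-0000f80367c1"                    # servicePrincipalName attribute


@dataclass
class Ace:
    """Simplified ACE: trustee name, access mask, allow/deny, optional object-type GUID.
    A None object_type means the right applies to every attribute / extended right."""
    trustee: str
    mask: int
    allow: bool = True
    object_type: Optional[str] = None


def classify_ace(ace: Ace, object_class: str) -> Set[str]:
    """Return the set of edge names this single allow-ACE grants on an object
    of the given class ("user" or "group"). Deny ACEs grant nothing."""
    if not ace.allow:
        return set()
    edges: Set[str] = set()
    m = ace.mask
    # GenericAll implies every other right; it is reported once, on its own.
    if m & ADS_RIGHT_GENERIC_ALL:
        return {"GenericAll"}
    if m & ADS_RIGHT_GENERIC_WRITE:
        edges.add("GenericWrite")
    if m & ADS_RIGHT_WRITE_OWNER:
        edges.add("WriteOwner")
    if m & ADS_RIGHT_WRITE_DAC:
        edges.add("WriteDacl")
    # Extended rights: a null GUID means *all* extended rights, which includes the reset.
    if m & ADS_RIGHT_DS_CONTROL_ACCESS and object_class == "user":
        if ace.object_type in (None, GUID_FORCE_CHANGE_PASSWORD):
            edges.add("ForceChangePassword")
    # Property writes: a null GUID means every attribute, so it covers member / SPN too.
    if m & ADS_RIGHT_DS_WRITE_PROP:
        if object_class == "group" and ace.object_type in (None, GUID_MEMBER):
            edges.add("AddMember")
        if object_class == "user" and ace.object_type in (None, GUID_SPN):
            edges.add("WriteSPN")
    return edges


def audit_dacl(owner: str, dacl: List[Ace], object_class: str,
               trusted: Set[str]) -> List[Tuple[str, str]]:
    """Return (principal, edge) findings for every right held by a principal
    that is not in the trusted allow-list. Ownership is reported as "Owns",
    since the owner can always rewrite the DACL."""
    findings: List[Tuple[str, str]] = []
    if owner not in trusted:
        findings.append((owner, "Owns"))
    for ace in dacl:
        if ace.trustee in trusted:
            continue
        for edge in sorted(classify_ace(ace, object_class)):
            findings.append((ace.trustee, edge))
    return findings


# Constructed sample: the DACL of a user object in a fictional CORP domain.
TRUSTED = {"CORP\\Domain Admins", "CORP\\Enterprise Admins", "NT AUTHORITY\\SYSTEM"}
SAMPLE_OWNER = "CORP\\Domain Admins"
SAMPLE_USER_DACL = [
    Ace("CORP\\Domain Admins", ADS_RIGHT_GENERIC_ALL),
    Ace("CORP\\helpdesk", ADS_RIGHT_DS_CONTROL_ACCESS, object_type=GUID_FORCE_CHANGE_PASSWORD),
    Ace("CORP\\jdoe", ADS_RIGHT_WRITE_OWNER),
    Ace("CORP\\svc-backup", ADS_RIGHT_DS_WRITE_PROP, object_type=GUID_SPN),
    Ace("CORP\\contractor", ADS_RIGHT_GENERIC_ALL, allow=False),  # deny ACE, no finding
]

if __name__ == "__main__":
    for principal, edge in audit_dacl(SAMPLE_OWNER, SAMPLE_USER_DACL, "user", TRUSTED):
        print(f"{principal:24s} {edge}")
```

On the sample DACL this reports helpdesk with ForceChangePassword, jdoe with WriteOwner and svc-backup with WriteSPN, which is exactly the set of principals whose compromise would hand an attacker the primitives described in the sections above. The example deliberately does not evaluate deny-ACE precedence or inheritance; a production audit should read the real security descriptor (for instance via LDAP as nTSecurityDescriptor) and account for both before concluding that a right is effective.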
Shadow Credentials
Resources
https://github.com/mantvydasb/RedTeaming-Tactics-and-Techniques/blob/master/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces.md
https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces
https://m8sec.medium.com/active-directory-acl-abuse-with-kali-linux-7434a27dd938
https://www.thehacker.recipes/ad/movement/dacl/