Read DACL rights

LDAP module that permits to read and export the DACLs of one or mulitple objects !

Read all the ACEs of the Administrator

crackmapexec ldap lab-dc.lab.local -k --kdcHost lab-dc.lab.local -M daclread -o TARGET=Administrator ACTION=read

poetry run crackmapexec ldap lab-dc.lab.local -k --kdcHost lab-dc.lab.local -M daclread -o TARGET=Administrator ACTION=read
SMB         lab-dc.lab.local 445    LAB-DC           [*] Windows 10.0 Build 17763 x64 (name:LAB-DC) (domain:lab.local) (signing:False) (SMBv1:False)
LDAP        lab-dc.lab.local 389    LAB-DC           [+] lab.local\
DACLREAD    lab-dc.lab.local 389    LAB-DC           Target principal found in LDAP (CN=Administrator,CN=Users,DC=lab,DC=local)
[*]  ACE[0] info                
[*]    ACE Type                  : ACCESS_ALLOWED_OBJECT_ACE
[*]    ACE flags                 : None
[*]    Access mask               : ReadProperty
[*]    Flags                     : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
[*]    Object type (GUID)        : User-Account-Restrictions (4c164200-20c0-11d0-a768-00aa006e0529)
[*]    Inherited type (GUID)     : inetOrgPerson (4828cc14-1437-45bc-9b07-ad6f015e5f28)
[*]    Trustee (SID)             : BUILTIN\Pre-Windows 2000 Compatible Access (S-1-5-32-554)
[*]  ACE[1] info                
[*]    ACE Type                  : ACCESS_ALLOWED_OBJECT_ACE
[*]    ACE flags                 : None
[*]    Access mask               : ReadProperty
[*]    Flags                     : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
[*]    Object type (GUID)        : User-Account-Restrictions (4c164200-20c0-11d0-a768-00aa006e0529)
[*]    Inherited type (GUID)     : User (bf967aba-0de6-11d0-a285-00aa003049e2)
[*]    Trustee (SID)             : BUILTIN\Pre-Windows 2000 Compatible Access (S-1-5-32-554)
[*]  ACE[2] info                
[*]    ACE Type                  : ACCESS_ALLOWED_OBJECT_ACE
[*]    ACE flags                 : None
[*]    Access mask               : ReadProperty
[*]    Flags                     : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
[*]    Object type (GUID)        : User-Logon (5f202010-79a5-11d0-9020-00c04fc2d4cf)
[*]    Inherited type (GUID)     : inetOrgPerson (4828cc14-1437-45bc-9b07-ad6f015e5f28)
[*]    Trustee (SID)             : BUILTIN\Pre-Windows 2000 Compatible Access (S-1-5-32-554)
[SNIP]

Read all the rights the BlWasp user has on the Administrator

crackmapexec ldap lab-dc.lab.local -k --kdcHost lab-dc.lab.local -M daclread -o TARGET=Administrator ACTION=read PRINCIPAL=BlWasp

poetry run crackmapexec ldap lab-dc.lab.local -k --kdcHost lab-dc.lab.local -M daclread -o TARGET=Administrator ACTION=read PRINCIPAL=BlWasp
SMB         lab-dc.lab.local 445    LAB-DC           [*] Windows 10.0 Build 17763 x64 (name:LAB-DC) (domain:lab.local) (signing:False) (SMBv1:False)
LDAP        lab-dc.lab.local 389    LAB-DC           [+] lab.local\
DACLREAD    lab-dc.lab.local 389    LAB-DC           Found principal SID to filter on: S-1-5-21-2570265163-3918697770-3667495639-1103
DACLREAD    lab-dc.lab.local 389    LAB-DC           Target principal found in LDAP (CN=Administrator,CN=Users,DC=lab,DC=local)
[*]  ACE[10] info                
[*]    ACE Type                  : ACCESS_ALLOWED_OBJECT_ACE
[*]    ACE flags                 : None
[*]    Access mask               : ControlAccess
[*]    Flags                     : ACE_OBJECT_TYPE_PRESENT
[*]    Object type (GUID)        : User-Force-Change-Password (00299570-246d-11d0-a768-00aa006e0529)
[*]    Trustee (SID)             : blwasp (S-1-5-21-2570265163-3918697770-3667495639-1103)

Read all the principals that have DCSync rights on the domain

crackmapexec ldap lab-dc.lab.local -k --kdcHost lab-dc.lab.local -M daclread -o TARGET_DN="DC=lab,DC=LOCAL" ACTION=read RIGHTS=DCSync

poetry run crackmapexec ldap lab-dc.lab.local -k --kdcHost lab-dc.lab.local -M daclread -o TARGET_DN="DC=lab,DC=LOCAL" ACTION=read RIGHTS=DCSync
SMB         lab-dc.lab.local 445    LAB-DC           [*] Windows 10.0 Build 17763 x64 (name:LAB-DC) (domain:lab.local) (signing:False) (SMBv1:False)
LDAP        lab-dc.lab.local 389    LAB-DC           [+] lab.local\
DACLREAD    lab-dc.lab.local 389    LAB-DC           Target principal found in LDAP (DC=lab,DC=local)
[*]  ACE[13] info                
[*]    ACE Type                  : ACCESS_ALLOWED_OBJECT_ACE
[*]    ACE flags                 : None
[*]    Access mask               : ControlAccess
[*]    Flags                     : ACE_OBJECT_TYPE_PRESENT
[*]    Object type (GUID)        : DS-Replication-Get-Changes-All (1131f6ad-9c07-11d1-f79f-00c04fc2dcd2)
[*]    Trustee (SID)             : Domain Controllers (S-1-5-21-2570265163-3918697770-3667495639-516)
[*]  ACE[14] info                
[*]    ACE Type                  : ACCESS_ALLOWED_OBJECT_ACE
[*]    ACE flags                 : None
[*]    Access mask               : ControlAccess
[*]    Flags                     : ACE_OBJECT_TYPE_PRESENT
[*]    Object type (GUID)        : DS-Replication-Get-Changes-All (1131f6ad-9c07-11d1-f79f-00c04fc2dcd2)
[*]    Trustee (SID)             : blwasp (S-1-5-21-2570265163-3918697770-3667495639-1103)
[*]  ACE[27] info                
[*]    ACE Type                  : ACCESS_ALLOWED_OBJECT_ACE
[*]    ACE flags                 : None
[*]    Access mask               : ControlAccess
[*]    Flags                     : ACE_OBJECT_TYPE_PRESENT
[*]    Object type (GUID)        : DS-Replication-Get-Changes-All (1131f6ad-9c07-11d1-f79f-00c04fc2dcd2)
[*]    Trustee (SID)             : Administrators (S-1-5-32-544)

Maybe a Denied ACE is present ?

crackmapexec ldap lab-dc.lab.local -k --kdcHost lab-dc.lab.local -M daclread -o TARGET=Administrator ACTION=read ACE_TYPE=denied

poetry run crackmapexec ldap lab-dc.lab.local -k --kdcHost lab-dc.lab.local -M daclread -o TARGET=Administrator ACTION=read ACE_TYPE=denied
SMB         lab-dc.lab.local 445    LAB-DC           [*] Windows 10.0 Build 17763 x64 (name:LAB-DC) (domain:lab.local) (signing:False) (SMBv1:False)
LDAP        lab-dc.lab.local 389    LAB-DC           [+] lab.local\
DACLREAD    lab-dc.lab.local 389    LAB-DC           Target principal found in LDAP (CN=Administrator,CN=Users,DC=lab,DC=local)
[*]  ACE[25] info                
[*]    ACE Type                  : ACCESS_DENIED_ACE
[*]    ACE flags                 : None
[*]    Access mask               : FullControl (0xf01ff)
[*]    Trustee (SID)             : blwasp (S-1-5-21-2570265163-3918697770-3667495639-1103)

Backup the DACLs of multiple targets

crackmapexec ldap lab-dc.lab.local -k --kdcHost lab-dc.lab.local -M daclread -o TARGET=../../targets.txt ACTION=backup

poetry run crackmapexec ldap lab-dc.lab.local -k --kdcHost lab-dc.lab.local -M daclread -o TARGET=../../targets.txt ACTION=backup
SMB         lab-dc.lab.local 445    LAB-DC           [*] Windows 10.0 Build 17763 x64 (name:LAB-DC) (domain:lab.local) (signing:False) (SMBv1:False)
LDAP        lab-dc.lab.local 389    LAB-DC           [+] lab.local\
DACLREAD    lab-dc.lab.local 389    LAB-DC           Target principal found in LDAP (blwasp)
DACLREAD    lab-dc.lab.local 389    LAB-DC           DACL backed up to dacledit-20220730-131655-blwasp.bak
DACLREAD    lab-dc.lab.local 389    LAB-DC           Target principal found in LDAP (Administrator)
DACLREAD    lab-dc.lab.local 389    LAB-DC           DACL backed up to dacledit-20220730-131655-Administrator.bak
DACLREAD    lab-dc.lab.local 389    LAB-DC           [-] Target SID not found in LDAP (blabla)
DACLREAD    lab-dc.lab.local 389    LAB-DC           Target principal found in LDAP (Domain Admins)
DACLREAD    lab-dc.lab.local 389    LAB-DC           DACL backed up to dacledit-20220730-131655-Domain Admins.bak

All the Security Descriptors have been exported, but it looks like a target doesn't exist, she will be ignored.

PreviousLDAP Signing NextFTP

Last updated 3 years ago