-
Notifications
You must be signed in to change notification settings - Fork 3.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[dacledit.py] New example script for DACL manipulation #1291
Conversation
@BlWasp added support for |
This is awesome! Definitely using this 👍 |
Fixed Kerberos authentication error.
Converting this PR to draft since there is an issue on the |
BTW, ACL read/edit is already implemented in |
i need dacledit.py for HTB can anyone help? |
Either merge the PR yourself on a fork of yours, or if you don’t know how and won’t DIY you can also use Exegol (https://github.com/ShutdownRepo/Exegol) or my Impacket fork’s exegol branch (https://github.com/ShutdownRepo/impacket/tree/exegol) |
Love the contribution! I am new to DACLs, ACEs, etc, so bear with me please. I am running My coworker and I are trying to use this tool in an environment where we have compromised
When we use the read parameter to verify a successful write, This is where our knowledge gets a little fuzzy. We believe the reason we cannot change the password OR add a SPN to However, once again, we cannot password change tldr; We think it would be cool for We were able to confirm the ACE/DACL was successfully written using aced (see my PR there for OU DN listing), but BloodHound (only the GUI, not parsing the files) using My resources: |
My coworker and I managed to get the |
Hey all ! @Zamanry thanks for your comment are your explains ! I have added the This Tweeter thread also explains very well the situation : https://twitter.com/M4yFly/status/1603035773628215296 |
This is what I figured would be the simplest approach. My only concern is if there is ever a time in which someone would want some specific inheritance flags (again not my area of expertise), they wouldn't be able to easily set those flags. But definitely think having object vs. container high level parameters is a good start. |
Yup, @BlWasp and I figured the Added guidance to The Hacker Recipe's mindmap: https://www.thehacker.recipes/ad/movement/dacl |
Hello, yes as indicated by @ShutdownRepo this is just a starting point. In an offensive point of view the other ACE flags are not particularly useful, but they could be added later top the parameter 😃 |
I'm confused. Can someone tell me where I can find dacledit.py? |
This PR has not been merged for the moment. You can use the source repo of the PR with the good branch : https://github.com/ShutdownRepo/impacket/tree/dacledit |
Wait, still not merged? How? |
In the mean time you'll find it @ ThePorgs/Impacket, or in Exegol |
any news here? |
@ShutdownRepo I'll be reviewing this PR. This looks like and old one, but also straightforward to integrated. I'll let you know the results of the review. Thanks |
merged now into master branch. Thanks for the amazing work! |
Awesome, thank you @anadrianmanrique for the review |
Equivalent to Add/Get-DomainObjectAcl from PowerSploit's PowerView with additional features.
This script can be used to read, write, remove, backup, restore ACEs (Access Control Entries) in an object DACL (Discretionary Access Control List)
The script also resolved SID and GUID and input principals can be supplied either with their sAMAccountName, DN (Distinguished Name) or SID (Security IDentifier).
Since it's an Impacket script, all major authentication means are supported (ntlm plaintext, kerberos plaintext, pass-the-hash, overpass-the-hash, pass-the-ticket, pass-the-key, etc.)
This script can be used for Access Control abuse when an attacker-controlled object has
WriteDacl
over another for example (more about this on The Hacker Recipes).In the screenshot below is an example of a DCSync "right" (i.e. GetChanges and GetChangesAll ACEs) addition to the domain object DACL.
In the screenshot below is an example of a DACL read without filtering.
Nota bene:
ACCESS_ALLOWED_ACE
andACCESS_ALLOWED_OBJECT_ACE
ACE types are supported for full parsing, they are the most common ones. Contributors could implement parsing of the other types if they wish.FullControl
(maxed out simple permission, combination of ACE access masks),WriteMembers
,ResetPassword
, andDCSync
(DS-Replication-Get-Changes
and DS-Replication-Get-Changes-All
extended rights)Co-authored by @BlWasp