Pentesting and Red Teaming Notes

ACL

Access Control Lists

An ACL is a security mechanism used to control access to resources such as files, folders, registry keys, printers, network shares and other Active Directory objects. ACLs define who can perform specific actions on these resources and what level of access they have. ACLs are attached to the resources themselves and consist of entries called ACEs (Access Control Entries), each of which defines the permissions granted or denied to a specific user, group or computer object. Each ACE (Access Control Entry) in the ACL contains a SID (Security Identifier), a DACL (Discretionary Access Control List) and a SACL (System Access Control List).

SID

A SID is a unique identifier assigned to each user, group or computer object. When configuring permissions, we typically specify the SIDs of the users, groups or computer objects that should be granted or denied access.

DACL(Discretionary Access Control List)

When a user or group attempts to access an object, the DACL is evaluated to determine whether the access is allowed or denied. It defines the permissions (read, write, modify, execute, delete, full control) a user, group or computer object has over a resource.

SACL(System Access Control List)

It is used for auditing purposes. When a user or group accesses a resource, the specified security events are logged, providing an audit trail for monitoring and tracking.

Using BloodHound

In BloodHound, mark any group, user or computer object as owned. Then check its Outbound Object Control to find ACLs where the marked object has GenericWrite, GenericAll, Read, Write or Execute over other objects, and check its Inbound Object Control to see which ACLs (Read, Write, Execute, GenericAll, GenericWrite) other objects have over the marked user, group or computer.

Get ACL for specified object(student1 in this case)

Get-DomainObjectAcl -SamAccountName student1 -ResolveGUIDs

Get ACL for a group

Get-DomainObjectAcl -Identity <GroupIdentity> -ResolveGUIDs

Get ACL for Computer

Get-NetComputer -HostName <ComputerName> | Get-DomainObjectAcl -ResolveGUIDs

Get ACL for network share

Get-NetShare -ComputerName <ComputerName> | Get-DomainObjectAcl -ResolveGUIDs

Get ACL for OU

Get-DomainObjectAcl -Identity "OU=<OUName>,DC=<DomainComponent>" -ResolveGUIDs

Get ACL for a domain

Get-DomainObjectAcl -Identity "DC=<DomainComponent>" -ResolveGUIDs

Get ACL for file/folder

Get-NetFileServer | Get-NetShare -Name <ShareName> | Get-FileAcl

Get ACL for registry key

Get-NetComputer -HostName <ComputerName> | Get-RegAcl -KeyPath <RegistryKeyPath>

Get ACL for a service

Get-NetComputer -HostName <ComputerName> | Get-ServiceAcl -Name <ServiceName>

Get ACL for a path

Get-PathAcl -Path "\\dcorp-dc.dollarcorp.moneycorp.local\sysvol"
  • The output above is read like this: on ObjectDN, SecurityIdentifier has ActiveDirectoryRights.

  • Use BloodHound to identify ACLs.

Get Interesting ACE

Keep group membership in mind here. For example, if you have compromised the user student1 and you see that the RDPUsers group has a GenericAll ACE on Support1User, then student1 has GenericAll over Support1User and can abuse it to compromise Support1User, because student1 is a member of RDPUsers. Using BloodHound is a more reliable and faster way to find interesting ACEs.

  • Read as: IdentityReferenceName has ActiveDirectoryRights over ObjectDN.

Find-InterestingDomainAcl -ResolveGUIDs
Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "studentx"} 
  • For a group

Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "RDPUsers"} 
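The two filters above have to be run once per principal, so an ACE granted to a group the user belongs to (the RDPUsers to Support1User case) is easy to miss. The following function is an added example, not part of the original notes or of PowerView itself; it assumes PowerView (dev branch) is already imported so that Get-DomainGroup and Find-InterestingDomainAcl are available, and it collects interesting ACEs held by a user directly or through any nested group membership.

```powershell
# Added example (not from the original notes): list interesting ACEs that a
# user holds directly OR through any group it is a (nested) member of.
# Assumes PowerView (dev branch) is imported: Get-DomainGroup and
# Find-InterestingDomainAcl must be available, run from a domain context.
function Get-EffectiveInterestingAcl {
    param(
        [Parameter(Mandatory)][string]$UserName   # e.g. student1
    )

    # Principals whose ACEs apply to this user: the user itself plus every
    # group it belongs to, resolved recursively (PowerView's -MemberIdentity
    # uses the LDAP_MATCHING_RULE_IN_CHAIN filter for nested membership).
    $principals = @($UserName) + @(
        Get-DomainGroup -MemberIdentity $UserName |
            Select-Object -ExpandProperty samaccountname
    )

    # Pull interesting ACEs once, keep those granted to any of our principals.
    # -contains compares strings case-insensitively, matching AD behaviour.
    Find-InterestingDomainAcl -ResolveGUIDs |
        Where-Object { $principals -contains $_.IdentityReferenceName } |
        ForEach-Object {
            # Re-state each hit in the "who has what over which object" form
            # used in the notes, and record which principal carries the right.
            [pscustomobject]@{
                Via                   = $_.IdentityReferenceName
                ViaClass              = $_.IdentityReferenceClass
                ActiveDirectoryRights = $_.ActiveDirectoryRights
                ObjectAceType         = $_.ObjectAceType
                ObjectDN              = $_.ObjectDN
            }
        }
}

# For student1 this also surfaces the RDPUsers -> Support1User GenericAll
# edge described above, because RDPUsers ends up in $principals.
Get-EffectiveInterestingAcl -UserName student1 | Format-Table -AutoSize
```

Rows whose Via column is a group rather than the user itself are exactly the inherited-through-membership rights that a per-user filter would not show.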

Last updated 1 year ago