Access Control List (ACL) Abuse Primer
Introduction
An ACL can be thought of as the permission and access settings of an object in a Windows environment. An ACL defines who can access a resource and the level of access a security principal (user, group or process) has on it. An ACL is a list of entries named Access Control Entries (ACEs).
Security principal: a user, group or process that can be granted access to a secured object.
An ACE is made of four components:
- A security identifier (SID) identifying the user, group or process the entry applies to.
- The ACE type, i.e. what kind of entry this is:
  - Access Denied: explicitly denies the security principal access to the secured object.
  - Access Allowed: explicitly grants the security principal rights over the secured object.
  - System Audit: logs access attempts to the secured object (these entries live in the SACL, see below).
- Inheritance flags: whether the entry applies to the object only or also to its descendant objects.
- The rights (read, write, full control, ...) that the security principal has on the object.
The image below shows graphically an ACE on the user forend.
From the image we can conclude the following: the ACE for the security principal Angela Dunn is of type Allow and applies to the forend user and all its descendant objects, so inheritance is enabled. Angela Dunn can read and write all properties and list contents on the forend user and its descendants.
By default, if an object has no DACL (Discretionary Access Control List) at all, i.e. a NULL DACL, everyone is granted full access to it. If the object has a DACL but the DACL contains no ACEs (an empty DACL), all access is denied. Attempts to access a secured object can be logged using the System Access Control List (SACL).
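To make the four ACE components concrete, here is an added example (not code from the original notes) that reads the security descriptor of one AD object with the RSAT ActiveDirectory module and prints every ACE with its trustee SID, type, inheritance and rights. It also resolves the ObjectType GUID of property and extended-right ACEs by querying the schema and the Extended-Rights container with Get-ADObject, which is the manual equivalent of PowerView's -ResolveGUIDs. It assumes RSAT is installed and the session is a domain user; the user forend is the one named on the page.

```powershell
# Added example, not code from the original notes. Assumes the RSAT ActiveDirectory
# module; 'forend' is the user from the page, everything else is generic.
Import-Module ActiveDirectory

# Build a GUID -> name map from the Extended-Rights container (control access rights such
# as User-Force-Change-Password) and from the schema (attributes and classes), so that the
# ObjectType GUID of an ACE becomes readable.
function Get-AdGuidMap {
    $rootDse = Get-ADRootDSE
    $map = @{ '00000000-0000-0000-0000-000000000000' = 'All' }
    Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.ConfigurationNamingContext)" `
        -LDAPFilter '(objectClass=controlAccessRight)' -Properties rightsGuid, displayName |
        ForEach-Object { $map[([guid]$_.rightsGuid).Guid] = $_.displayName }
    Get-ADObject -SearchBase $rootDse.SchemaNamingContext `
        -LDAPFilter '(schemaIDGUID=*)' -Properties schemaIDGUID, lDAPDisplayName |
        ForEach-Object { $map[([guid]$_.schemaIDGUID).Guid] = $_.lDAPDisplayName }
    return $map
}

function Get-AceSummary {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [hashtable] $GuidMap = (Get-AdGuidMap)
    )
    $dn = (Get-ADObject -LDAPFilter "(sAMAccountName=$SamAccountName)").DistinguishedName
    if (-not $dn) { throw "No object with sAMAccountName '$SamAccountName'" }

    # The AD: drive exposes nTSecurityDescriptor to Get-Acl. -Audit also requests the SACL,
    # which needs SeSecurityPrivilege; fall back to the DACL only if that is refused.
    try   { $sd = Get-Acl -Path "AD:\$dn" -Audit }
    catch { $sd = Get-Acl -Path "AD:\$dn" }

    foreach ($ace in $sd.Access) {
        # Component 1: the trustee. Get-Acl shows a resolved name; recover the SID too.
        $sid = $ace.IdentityReference
        if ($sid -is [System.Security.Principal.NTAccount]) {
            try { $sid = $sid.Translate([System.Security.Principal.SecurityIdentifier]) } catch { }
        }
        $objType = $ace.ObjectType.Guid
        if ($GuidMap.ContainsKey($objType)) { $objType = $GuidMap[$objType] }

        [pscustomobject]@{
            ObjectDN   = $dn
            Principal  = $ace.IdentityReference.Value
            SID        = $sid.Value
            AceType    = $ace.AccessControlType        # Component 2: Allow / Deny
            Inherited  = $ace.IsInherited               # Component 3: came from a parent?
            AppliesTo  = $ace.InheritanceType           #   None, All, Descendents, ...
            Rights     = $ace.ActiveDirectoryRights     # Component 4: the rights mask
            ObjectType = $objType                       #   which property / extended right
        }
    }
    # SACL entries are the 'System audit' ACE type; empty unless the SACL was readable.
    foreach ($ace in $sd.Audit) {
        [pscustomobject]@{
            ObjectDN   = $dn
            Principal  = $ace.IdentityReference.Value
            SID        = $null
            AceType    = "SystemAudit ($($ace.AuditFlags))"
            Inherited  = $ace.IsInherited
            AppliesTo  = $ace.InheritanceType
            Rights     = $ace.ActiveDirectoryRights
            ObjectType = $ace.ObjectType.Guid
        }
    }
}

# Usage: build the GUID map once (the schema query is the slow part), then inspect forend
$map = Get-AdGuidMap
Get-AceSummary -SamAccountName forend -GuidMap $map |
    Format-Table Principal, AceType, Inherited, AppliesTo, Rights, ObjectType -AutoSize
# Only the entries where Angela Dunn (adunn) is the trustee
Get-AceSummary -SamAccountName forend -GuidMap $map | Where-Object { $_.Principal -like '*\adunn' }
```

An ACE whose ObjectType resolves to 'All' applies to the whole object; one that resolves to an attribute name or a control access right is a property-level or extended-right entry, which is the kind the ObjectAceType discussion in the enumeration section is about.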
ACEs can be abused by attackers in many ways to gain persistence, escalate privileges or move laterally in a network. ACE abuse can be powerful enough to compromise a full domain. ACEs and the attack paths they form can be enumerated with BloodHound and PowerView.
ACL Enumeration
ACL enumeration can be cumbersome without a proper methodology, because secured objects in AD are numerous. The first step is to enumerate the ACEs that grant rights to the users and groups we control. Then, recursively, we dig further and extend our access to new objects by abusing a chain of ACEs tied to the security principals we reach.
The process often takes many steps, since abusing one ACE can lead to control over multiple secured objects.
Here is the ACL attack path proposed by HTB, showing how compromise of the full domain can come from control of a single low-privileged user.
We control a user, say wley. wley has GenericWrite permission over a group A. By adding itself to group A, wley gains all permissions of group A, including those of any group B that group A is nested into. After enumeration, we observe that group B has GenericAll access over a user named Angela Dunn (adunn). The user adunn has the DS-Replication-Get-Changes rights over the domain. We can then change the password of the adunn user and perform a DCSync attack to compromise the full domain.
Here are the most common permissions an attacker can abuse:

| Permission | Description |
|---|---|
| ForceChangePassword | Allows resetting a user's password without knowing the current one. |
| AddMembers | Allows adding members to a group. |
| GenericAll | Full control over an object. |
| GenericWrite | Write access to an object's attributes. GenericWrite over a computer object can lead to a Resource-Based Constrained Delegation attack; over a user it allows writing servicePrincipalName for a targeted Kerberoast, as done in the abuse section below. |
| WriteDACL | Allows modifying the object's DACL, e.g. to grant oneself GenericAll. |
| WriteOwner | Allows changing the owner of an object; the owner can then rewrite its DACL. |
| AllExtendedRights | Grants every extended right on the object, which includes ForceChangePassword on users and the DS-Replication-Get-Changes rights on the domain object. |
| AddSelf | The security principal can add itself to the listed security groups. |
Tools to enumerate ACLs
Powerview & AD Cmdlets
Using PowerView, we can enumerate the ACEs granted to a specific security principal with the Get-DomainObjectACL command.
Below, Get-DomainObjectACL is used to search all ACLs for entries referencing the user wley. The search filter for a specific user is its SecurityIdentifier, so we first need the SID of the user whose ACEs we are looking for. The Convert-NameToSid PowerView function converts a security principal name (user, group, computer) into a Security Identifier (SID).
The output shows that the wley user has ExtendedRight over the damundsen user. The ObjectAceType GUID value needs to be made human readable to know exactly which extended right wley has over damundsen.
To convert the ObjectAceType value we can use the AD module's Get-ADObject cmdlet (looking the GUID up in the schema or the Extended-Rights container) or the -ResolveGUIDs flag of PowerView's Get-DomainObjectACL:
As shown below, the GUID for the ObjectAceType maps to the User-Force-Change-Password right.
We can also build a list of all domain users and loop over it, listing the ACL of each user and keeping only the ACEs that reference a specific security principal.
Create a list of all domain users using the AD cmdlets.
Loop over the list and report the ACEs for a specific principal; in this context we want all ACEs granted to the user wley.
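The enumeration described above, as an added example that is not code from the original notes or from HTB: it resolves the principal's SID with Convert-NameToSid, runs Get-DomainObjectACL with -ResolveGUIDs over all objects and then over a list of users (the loop approach), and finally repeats the lookup for every group the principal is a nested member of, which is the recursive step the methodology calls for. It assumes PowerView (PowerSploit dev branch) is dot-sourced in the session; wley is the user from the page.

```powershell
# Added example, not code from the original notes. Requires PowerView in the session:
# . .\PowerView.ps1
# 'wley' is the user from the page; everything else is generic.

# Step 1: every ACE, across all domain objects, in which the principal is the trustee.
# -ResolveGUIDs turns ObjectAceType GUIDs into names such as User-Force-Change-Password.
# Enumerating '*' reads the security descriptor of every object, so this is slow on a
# large domain; that is what the per-user loop below is for.
function Get-PrincipalAces {
    param([Parameter(Mandatory)] [string] $Principal)
    $sid = Convert-NameToSid $Principal
    if (-not $sid) { throw "Cannot resolve '$Principal' to a SID" }
    Get-DomainObjectAcl -Identity * -ResolveGUIDs |
        Where-Object { $_.SecurityIdentifier -eq $sid -and $_.AceType -match 'Allowed' } |
        Select-Object @{n = 'Principal'; e = { $Principal }},
                      ObjectDN, ActiveDirectoryRights, ObjectAceType, AceType
}

# Step 2: the same lookup restricted to a list of target users (all domain users when
# none is given), i.e. the for-loop from the notes without the intermediate text file.
function Get-PrincipalAcesOnUsers {
    param([Parameter(Mandatory)] [string] $Principal, [string[]] $Users)
    if (-not $Users) { $Users = Get-DomainUser | Select-Object -ExpandProperty samaccountname }
    $sid = Convert-NameToSid $Principal
    foreach ($u in $Users) {
        Get-DomainObjectAcl -Identity $u -ResolveGUIDs |
            Where-Object { $_.SecurityIdentifier -eq $sid -and $_.AceType -match 'Allowed' } |
            Select-Object @{n = 'Principal'; e = { $Principal }}, @{n = 'Target'; e = { $u }},
                          ActiveDirectoryRights, ObjectAceType
    }
}

# Step 3: rights also arrive through group membership, so repeat the lookup for every
# group the principal belongs to. Get-DomainGroup -MemberIdentity uses tokenGroups, so
# nested memberships are included (PowerView skips the built-in S-1-5-32-* groups).
function Get-PrincipalAcesWithGroups {
    param([Parameter(Mandatory)] [string] $Principal)
    $names = @($Principal) + @(Get-DomainGroup -MemberIdentity $Principal |
                                Select-Object -ExpandProperty samaccountname)
    foreach ($n in $names) { Get-PrincipalAces -Principal $n }
}

# Usage
Get-PrincipalAces -Principal wley | Format-List
Get-PrincipalAcesOnUsers -Principal wley | Format-Table -AutoSize
Get-PrincipalAcesWithGroups -Principal wley |
    Format-Table Principal, ObjectDN, ActiveDirectoryRights, ObjectAceType -AutoSize
```

Each object the output lists is a new principal to feed back into Get-PrincipalAcesWithGroups; stopping when no new objects appear gives the full reachable set, which is what BloodHound's transitive control view computes for you.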
BloodHound
BloodHound makes the identification of possible ACL attack paths much easier with a graphical representation of how security principals are related to each other through ACLs. The Outbound Object Control section of the Node Info tab lists the secured objects a security principal has direct rights over, and Transitive Object Control lists all objects we could gain control over by following a chain of ACL edges.
ACL Abuse Tactics
In this section, HTB guides us through a simple ACL attack path. Starting from control over the wley user, we abuse a chain of ACEs to gain full control of the domain.
Step 1: change the password of damundsen using wley's credentials, since wley has the User-Force-Change-Password right over damundsen.
PowerShell credentials
A PSCredential object is created for wley (a SecureString for the password, wrapped together with the username). It is used to run commands as the wley user.
Next, the new password for damundsen is created as a SecureString.
PowerView's Set-DomainUserPassword function then forces a password change for the user damundsen.
Its -Credential flag runs the command in the context of the wley user.
Step 2: add damundsen as a member of the Help Desk Level 1 group.
As enumerated earlier, the damundsen user has GenericWrite permission over the Help Desk Level 1 group.
We first create a PSCredential object for damundsen.
Then we add the user damundsen to the Help Desk Level 1 group with PowerView, using damundsen's credentials.
Step 3: perform a Kerberoast attack against the adunn user.
The damundsen user is now a member of Help Desk Level 1 and holds all rights of the groups Help Desk Level 1 is nested into. Help Desk Level 1 is nested into the Information Technology group, which has GenericAll rights over the user adunn.
The objective of step 3 is to add a Service Principal Name to the user adunn, perform a Kerberoast attack to recover a TGS for that SPN, and crack it offline to retrieve the clear-text password of that user.
PowerView's Set-DomainObject command allows us to set an SPN on the adunn user.
Rubeus can be used to conduct the Kerberoast attack; the command recovers the TGS hash for the 'notahacker/LEGIT' SPN.
Once we have the Kerberoast hash, we should clean up our traces and revert all changes made to the AD objects: remove the SPN and the group membership. damundsen's original password cannot be restored, so that change must be reported.
Detection & mitigation
AD defenders should monitor modifications made to AD objects, especially to members of privileged groups. The relevant Advanced Security Audit Policy event is Event ID 5136: A directory service object was modified. It is only generated when the Audit Directory Service Changes subcategory is enabled and the object carries a SACL covering the write.
When the modified attribute is nTSecurityDescriptor, the Attribute Value field holds an SDDL string that can be converted to a human-readable form with the ConvertFrom-SddlString cmdlet.
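An added example (not code from the original notes) of the detection side: it pulls Event ID 5136 from a domain controller's Security log, extracts the subject, object and attribute fields, and decodes nTSecurityDescriptor changes with ConvertFrom-SddlString. The parser is also exercised on a constructed 5136 event embedded in the block so it can be tried offline; the SID, DN and domain name in that sample are placeholders.

```powershell
# Added example, not code from the original notes. The sample event at the bottom is
# constructed; its DN, SID and domain are placeholders.
function ConvertFrom-Event5136 {
    param([Parameter(Mandatory, ValueFromPipeline)] [xml] $EventXml)
    process {
        $d = @{}
        foreach ($n in $EventXml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # %%14674 = value added, %%14675 = value deleted. Modifying a single-valued
        # attribute such as nTSecurityDescriptor produces one event of each.
        $op = switch ($d.OperationType) {
            '%%14674' { 'Added' }
            '%%14675' { 'Deleted' }
            default   { $d.OperationType }
        }
        $dacl = $null
        if ($d.AttributeLDAPDisplayName -eq 'nTSecurityDescriptor' -and $d.AttributeValue) {
            # The logged value is SDDL; -Type ActiveDirectoryRights names the AD rights
            $sd   = ConvertFrom-SddlString -Sddl $d.AttributeValue -Type ActiveDirectoryRights
            $dacl = $sd.DiscretionaryAcl      # one readable line per ACE
        }
        [pscustomobject]@{
            Time      = $EventXml.Event.System.TimeCreated.SystemTime
            Subject   = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            ObjectDN  = $d.ObjectDN
            Class     = $d.ObjectClass
            Attribute = $d.AttributeLDAPDisplayName
            Operation = $op
            Value     = $d.AttributeValue
            Dacl      = $dacl
        }
    }
}

# Live collection from a DC (needs read access to its Security log)
function Get-ObjectModificationEvents {
    param([string] $ComputerName = $env:COMPUTERNAME, [int] $Hours = 24)
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Security'; Id = 5136; StartTime = (Get-Date).AddHours(-$Hours)
    } | ForEach-Object { ConvertFrom-Event5136 -EventXml ([xml]$_.ToXml()) }
}

# Constructed sample: damundsen rewriting the DACL of adunn to grant a SID full control
$sample = [xml]@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5136</EventID><TimeCreated SystemTime="2024-01-10T09:15:02.000Z"/></System>
  <EventData>
    <Data Name="SubjectUserName">damundsen</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="ObjectDN">CN=Angela Dunn,OU=Users,DC=corp,DC=local</Data>
    <Data Name="ObjectClass">user</Data>
    <Data Name="AttributeLDAPDisplayName">nTSecurityDescriptor</Data>
    <Data Name="AttributeValue">O:DAG:DAD:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-1111-2222-3333-1105)</Data>
    <Data Name="OperationType">%%14674</Data>
  </EventData>
</Event>
'@
ConvertFrom-Event5136 -EventXml $sample | Format-List

# Usage against a DC: group membership, SPN and DACL changes of the last day
Get-ObjectModificationEvents -ComputerName DC01 -Hours 24 |
    Where-Object { $_.Attribute -in 'member', 'servicePrincipalName', 'nTSecurityDescriptor' } |
    Format-Table Time, Subject, Attribute, Operation, Value -AutoSize
```

Filtering on member, servicePrincipalName and nTSecurityDescriptor catches each step of the abuse chain above: the group addition, the fake SPN, and any DACL rewrite. Password resets do not appear as 5136; those are Event ID 4724 (An attempt was made to reset an account's password).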
DCSync attack
The DCSync attack can be performed by an attacker who controls a principal that has replication rights over the domain. These rights allow the principal to mimic a domain controller and ask a real domain controller to replicate its data. Replication between domain controllers is legitimate and necessary so that every DC holds the latest data; it takes place over the Directory Replication Service Remote Protocol (MS-DRSR). By asking a domain controller to replicate, an adversary can retrieve the content of the NTDS.dit database, including every account's password hashes, and compromise the full domain.
Members of Domain Admins and the built-in Administrators group (among the default privileged groups) have these two replication rights by default:
Replicating Directory Changes
Replicating Directory Changes All
However, it may happen that other users have been granted these rights over the domain.
Whether a security principal has the rights needed for DCSync can be verified by reading the ACL of the domain object itself (with PowerView's Get-DomainObjectACL, for instance) and looking for these two extended rights.
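The check described above, as an added example (not code from the original notes or from HTB): it lists every principal that holds replication rights on the domain naming context, including rights such as WriteDacl that would let a principal grant them to itself, and then tests whether a given user has them directly or through nested group membership. It assumes PowerView is dot-sourced; the domain name is taken from the session and adunn is the user from the page.

```powershell
# Added example, not code from the original notes. Requires PowerView dot-sourced.
. .\PowerView.ps1

# Every ACE on the domain object that grants DCSync-relevant rights
function Get-DcSyncPrincipals {
    param([string] $Domain = (Get-Domain).Name)
    $domainDn = 'DC=' + ($Domain -replace '\.', ',DC=')
    Get-DomainObjectAcl -Identity $domainDn -ResolveGUIDs |
        Where-Object {
            $_.AceType -match 'Allowed' -and (
                # the replication extended rights themselves
                $_.ObjectAceType -match '^DS-Replication-Get-Changes' -or
                # rights that allow granting them to yourself
                $_.ActiveDirectoryRights -match 'GenericAll|WriteDacl|WriteOwner' -or
                # AllExtendedRights: ExtendedRight with no specific ObjectAceType
                ($_.ActiveDirectoryRights -match 'ExtendedRight' -and -not $_.ObjectAceType)
            )
        } |
        Select-Object @{n = 'Principal'; e = { ConvertFrom-SID $_.SecurityIdentifier }},
                      @{n = 'SID'; e = { [string]$_.SecurityIdentifier }},
                      ActiveDirectoryRights, ObjectAceType
}

# Does this user hold the rights, directly or via the groups it is a member of?
# Note: PowerView's -MemberIdentity skips built-in groups such as BUILTIN\Administrators,
# so membership in those must be checked separately.
function Test-DcSyncRights {
    param([Parameter(Mandatory)] [string] $User, [string] $Domain = (Get-Domain).Name)
    $sids = @(Convert-NameToSid $User) +
            @(Get-DomainGroup -MemberIdentity $User | ForEach-Object { $_.objectsid })
    $held = Get-DcSyncPrincipals -Domain $Domain | Where-Object { $sids -contains $_.SID }
    $rights = @($held | ForEach-Object {
        if ($_.ObjectAceType) { [string]$_.ObjectAceType } else { [string]$_.ActiveDirectoryRights }
    } | Sort-Object -Unique)
    # DCSync needs both Get-Changes and Get-Changes-All, or a right that lets you grant them
    $both   = ($rights -contains 'DS-Replication-Get-Changes') -and
              ($rights -contains 'DS-Replication-Get-Changes-All')
    $grant  = @($rights -match 'GenericAll|WriteDacl|WriteOwner|ExtendedRight').Count -gt 0
    [pscustomobject]@{ User = $User; Rights = $rights; CanDcSync = ($both -or $grant) }
}

# Usage
Get-DcSyncPrincipals | Format-Table Principal, ActiveDirectoryRights, ObjectAceType -AutoSize
Test-DcSyncRights -User adunn
```

Any principal in the first listing that is not a domain controller or a member of the default administrative groups is a finding in its own right, whether or not it is currently on an attack path.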
An adversary can use many tools to perform a DCSync attack, from both Windows and Linux systems.
secretsdump.py or secretsdump.exe
For example, Impacket's secretsdump.py with the -just-dc flag performs a DCSync attack remotely from a Linux machine.
Other useful flags when dumping the NTDS.dit database:
- -just-dc-ntlm: only dump NTLM hashes;
- -just-dc-user <username>: only dump the hash of a specific user;
- -history: also dump the password history;
- -user-status: show whether each account is disabled.
secretsdump is also available as a compiled Windows binary (secretsdump.exe).
Note on Reversible Encryption
When dumping the NTDS.dit database, we might encounter clear-text passwords. These belong to accounts for which the "Store password using reversible encryption" option is set: the password is not hashed but stored RC4-encrypted with a key derived from the SYSKEY, which lives in the SYSTEM registry hive. When secretsdump.py dumps the database it decrypts these values automatically and lists them in a CLEARTEXT section.
Accounts with reversible encryption enabled have the ENCRYPTED_TEXT_PWD_ALLOWED flag set in their userAccountControl attribute; the setting can also be turned on for whole sets of accounts by the default domain password policy or a fine-grained password policy. Both can be queried from PowerView or the AD module.
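An added example (not code from the original notes) that enumerates reversible-encryption accounts both ways: by the per-account userAccountControl flag through PowerView, and by the password policies that enable it through the RSAT ActiveDirectory module. It assumes PowerView is dot-sourced and RSAT is installed.

```powershell
# Added example, not code from the original notes. Requires PowerView dot-sourced and
# the RSAT ActiveDirectory module.
. .\PowerView.ps1
Import-Module ActiveDirectory

function Get-ReversibleEncryptionAccounts {
    # ENCRYPTED_TEXT_PWD_ALLOWED is bit 0x80 (128) of userAccountControl; the
    # 1.2.840.113556.1.4.803 matching rule is a bitwise AND in an LDAP filter.
    Get-DomainUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=128)' `
                   -Properties samaccountname, useraccountcontrol, pwdlastset |
        Select-Object samaccountname, useraccountcontrol, pwdlastset,
                      @{n = 'Source'; e = { 'userAccountControl flag' }}
}

function Get-ReversibleEncryptionPolicies {
    # A policy with ReversibleEncryptionEnabled=True stores the password reversibly for
    # every account it covers, even when the per-account flag is not set.
    Get-ADDefaultDomainPasswordPolicy |
        Select-Object @{n = 'Policy'; e = { 'Default Domain Policy' }},
                      ReversibleEncryptionEnabled,
                      @{n = 'AppliesTo'; e = { 'all domain accounts' }}
    Get-ADFineGrainedPasswordPolicy -Filter * |
        Select-Object @{n = 'Policy'; e = { $_.Name }},
                      ReversibleEncryptionEnabled,
                      @{n = 'AppliesTo'; e = { $_.AppliesTo -join '; ' }}
}

# Usage: flagged accounts first, then any policy that enables it
Get-ReversibleEncryptionAccounts | Format-Table -AutoSize
Get-ReversibleEncryptionPolicies | Where-Object ReversibleEncryptionEnabled | Format-Table -AutoSize
```

The pwdlastset column matters: the value is only stored reversibly from the first password change after the setting was enabled, so an account flagged after its last change still holds only a hash.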
Mimikatz.exe
Mimikatz can perform a DCSync attack and retrieve the hashes of a specific account.