DACL Enumeration

To enumerate DACLs we can use a number of tools and methods; here are some of them.

DSACLS

To dump the full DACL of a domain user (here the account otter) we can run

dsacls.exe "cn=otter,cn=users,dc=domain,dc=com"

but if we need to know which principal holds which rights on the target user, we can filter the output with PowerShell

dsacls.exe "cn=otter,cn=users,dc=domain,dc=com" | Select-String "anotherUser" -Context 5,5

PowerShell

To retrieve and parse the DACL of the user otter we use

$directorySearcher = New-Object System.DirectoryServices.DirectorySearcher('(samaccountname=otter)')
$directorySearcher.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Dacl -bor [System.DirectoryServices.SecurityMasks]::Owner
$binarySecurityDescriptor = $directorySearcher.FindOne().Properties.ntsecuritydescriptor[0]
$parsedSecurityDescriptor = New-Object System.DirectoryServices.ActiveDirectorySecurity
$parsedSecurityDescriptor.SetSecurityDescriptorBinaryForm($binarySecurityDescriptor)
$parsedSecurityDescriptor.Access

and, as always, we can filter the ACEs for a specific principal

$parsedSecurityDescriptor.Access | Where-Object {$_.IdentityReference -like '*anotherUser*'}
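The snippet above leaves the parsing to System.DirectoryServices.ActiveDirectorySecurity. To show what that parsing actually does, here is an added Python example (not code from the original page): it decodes the same self-relative security descriptor blob that $binarySecurityDescriptor holds, lists every ACE in the DACL, applies the same "only this principal" filter, and marks the ACEs an auditor should review (GenericAll, GenericWrite, WriteDacl, WriteOwner, and unscoped or password-reset extended rights). The descriptor it parses is constructed inline from made-up SIDs so it runs offline; the build_* helpers and the SAMPLE_SD layout are assumptions for this example only.

```python
"""Offline parser for an AD ntSecurityDescriptor blob (added example, not from the page).
Decodes a self-relative security descriptor, lists the DACL's ACEs and flags the ones
worth reviewing. SAMPLE_SD is constructed inline; every SID in it is made up."""
import struct
import uuid

# Access-mask bits for AD objects (ADS_RIGHT_* values).
RIGHTS = {0x10000000: "GenericAll", 0x40000000: "GenericWrite",
          0x00080000: "WriteOwner", 0x00040000: "WriteDacl",
          0x00000100: "ExtendedRight",          # ADS_RIGHT_DS_CONTROL_ACCESS
          0x00000020: "WriteProperty", 0x00000010: "ReadProperty", 0x00000008: "Self",
          0x00000004: "ListChildren", 0x00000002: "DeleteChild", 0x00000001: "CreateChild",
          0x00010000: "Delete", 0x00020000: "ReadControl"}
HIGH_RISK = {"GenericAll", "GenericWrite", "WriteOwner", "WriteDacl"}
# Control-access rights (by rightsGuid) whose scoped grant is still worth flagging.
WATCHED_GUIDS = {"00299570-246d-11d0-a768-00aa006e0529": "User-Force-Change-Password"}
ACE_TYPES = {0: "ACCESS_ALLOWED", 1: "ACCESS_DENIED",
             5: "ACCESS_ALLOWED_OBJECT", 6: "ACCESS_DENIED_OBJECT"}

def parse_sid(buf, off):
    """Decode a binary SID at buf[off:] into S-1-... form; return (sid, end_offset)."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d%s" % (rev, authority, "".join("-%d" % s for s in subs)), off + 8 + 4 * count

def is_high_risk(ace):
    """Allowed ACE granting object takeover, or an extended right worth reviewing."""
    if not ace["type"].startswith("ACCESS_ALLOWED"):
        return False
    if HIGH_RISK & set(ace["rights"]):
        return True
    if "ExtendedRight" in ace["rights"]:     # unscoped = every control-access right
        return ace["object_type"] is None or ace["object_type"] in WATCHED_GUIDS
    return False

def parse_dacl(sd):
    """Return one dict per ACE in the DACL of a self-relative security descriptor."""
    rev, _, control, _own, _grp, _sacl, off_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if rev != 1 or not control & 0x0004 or off_dacl == 0:   # SE_DACL_PRESENT unset
        return []
    _, _, _size, ace_count, _ = struct.unpack_from("<BBHHH", sd, off_dacl)
    aces, pos = [], off_dacl + 8
    for _ in range(ace_count):
        ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", sd, pos)
        (mask,) = struct.unpack_from("<I", sd, pos + 4)
        cur, object_type = pos + 8, None
        if ace_type in (5, 6):          # object ACEs carry optional GUIDs before the SID
            (obj_flags,) = struct.unpack_from("<I", sd, cur)
            cur += 4
            if obj_flags & 0x1:         # ACE_OBJECT_TYPE_PRESENT
                object_type = str(uuid.UUID(bytes_le=sd[cur:cur + 16]))
                cur += 16
            if obj_flags & 0x2:         # ACE_INHERITED_OBJECT_TYPE_PRESENT (skipped)
                cur += 16
        trustee, _ = parse_sid(sd, cur)
        ace = {"type": ACE_TYPES.get(ace_type, str(ace_type)), "trustee": trustee,
               "inherited": bool(ace_flags & 0x10), "object_type": object_type,   # INHERITED_ACE
               "rights": [n for bit, n in RIGHTS.items() if mask & bit]}
        ace["high_risk"] = is_high_risk(ace)
        aces.append(ace)
        pos += ace_size
    return aces

def aces_for_trustee(aces, sid):
    """Same idea as the page's Where-Object filter: only ACEs held by one principal."""
    return [a for a in aces if a["trustee"] == sid]

# --- helpers that build a descriptor so the example is self-contained (assumed layout) ---
def build_sid(text):
    rev, auth, *subs = (int(p) for p in text.split("-")[1:])
    return bytes([rev, len(subs)]) + auth.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def build_ace(ace_type, flags, mask, sid, object_type=None):
    body = struct.pack("<I", mask)
    if ace_type in (5, 6):
        body += struct.pack("<I", 1 if object_type else 0)
        if object_type:
            body += uuid.UUID(object_type).bytes_le
    body += build_sid(sid)
    return struct.pack("<BBH", ace_type, flags, 4 + len(body)) + body

def build_sd(owner_sid, aces):
    owner, body = build_sid(owner_sid), b"".join(aces)
    acl = struct.pack("<BBHHH", 4, 0, 8 + len(body), len(aces), 0) + body
    header = struct.pack("<BBHIIII", 1, 0, 0x8000 | 0x0004, 20, 0, 0, 20 + len(owner))
    return header + owner + acl

DOMAIN = "S-1-5-21-1111-2222-3333"          # constructed domain SID
SAMPLE_SD = build_sd(DOMAIN + "-512", [
    build_ace(0, 0x00, 0x10000000, DOMAIN + "-512"),        # Domain Admins: GenericAll
    build_ace(0, 0x10, 0x10 | 0x4 | 0x20000, "S-1-1-0"),    # Everyone: read-only, inherited
    build_ace(0, 0x00, 0x00040000, DOMAIN + "-1105"),       # anotherUser: WriteDacl -> review
    build_ace(5, 0x00, 0x100, DOMAIN + "-1106",             # helpdesk: scoped password reset
              object_type="00299570-246d-11d0-a768-00aa006e0529"),
])

if __name__ == "__main__":
    for ace in parse_dacl(SAMPLE_SD):
        print("REVIEW" if ace["high_risk"] else "ok    ", ace["type"], ace["trustee"],
              ",".join(ace["rights"]), ace["object_type"] or "")
```

To run it against a real object, write the bytes the PowerShell snippet retrieves to disk (for example with [System.IO.File]::WriteAllBytes) and pass them to parse_dacl instead of SAMPLE_SD; the trustee SIDs can then be resolved to names with the usual tooling. Denied ACEs are never flagged, and inherited ACEs are reported with their flag so a reviewer can tell an explicit grant from one that came down from the OU.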

Impacket's dacledit

To read the DACL of a user (the account passed to -target) with the supplied credentials:

dacledit.py -target otter -dc-ip 10.10.10.10 domain.com/otter:'SomethingSecure123!'

BloodHound

BloodHound makes the whole process much easier and also lets us visualize the ACLs as edges in the graph.
