DACLs Enumeration

To enumerate DACLs we can use a number of tools and methods: here are some

DSACLS

To get all the DACLs for a domain user we can use the following

dsacls.exe "cn=otter,cn=users,dc=domain,dc=com"

but if we need to be more specific about what user has which DACLs on the target user we can filter it with powershell

dsacls.exe "cn=otter,cn=users,dc=domain,dc=com" | Select-String "anotherUser" -Context 5,5

Powershell

To get the DACLs that involve the user otter we use

$directorySearcher = New-Object System.DirectoryServices.DirectorySearcher('(samaccountname=otter)')
$directorySearcher.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Dacl -bor [System.DirectoryServices.SecurityMasks]::Owner
$binarySecurityDescriptor = $directorySearcher.FindOne().Properties.ntsecuritydescriptor[0]
$parsedSecurityDescriptor = New-Object System.DirectoryServices.ActiveDirectorySecurity
$parsedSecurityDescriptor.SetSecurityDescriptorBinaryForm($binarySecurityDescriptor)
$parsedSecurityDescriptor.Access

and, as always, we can filter for a specific user

$parsedSecurityDescriptor.Access | Where-Object {$_.IdentityReference -like '*anotherUser*'}

Impacket's `dacledit`

Read the DACL of a user

dacledit.py -target otter -dc-ip 10.10.10.10 domain.com/otter:'SomethingSecure123!'

BloodHound

Of course this makes the whole process much easier and allows us to easily visualize the ACLs as well.

PreviousDACL Overview NextAddMembers

Last updated 10 months ago

DSACLS

Powershell

Impacket's dacledit

BloodHound

Impacket's `dacledit`