DACLs Enumeration
To enumerate DACLs we can use a number of tools and methods; here are some of them.
DSACLS
To dump every ACE in a domain user's DACL we can use the following:
dsacls.exe "cn=otter,cn=users,dc=domain,dc=com"
If we need to know which rights a specific principal holds over the target user, we can filter the output with PowerShell:
dsacls.exe "cn=otter,cn=users,dc=domain,dc=com" | Select-String "anotherUser" -Context 5,5
Powershell
To get the DACL of the user otter we use:
# Search the current domain for the object whose sAMAccountName is otter
$directorySearcher = New-Object System.DirectoryServices.DirectorySearcher('(samaccountname=otter)')
# Ask the DC to return the DACL and owner portions of nTSecurityDescriptor (SACL needs extra privilege)
$directorySearcher.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Dacl -bor [System.DirectoryServices.SecurityMasks]::Owner
# The descriptor comes back as a raw byte array
$binarySecurityDescriptor = $directorySearcher.FindOne().Properties.ntsecuritydescriptor[0]
# Parse the bytes into an ActiveDirectorySecurity object so the ACEs can be inspected
$parsedSecurityDescriptor = New-Object System.DirectoryServices.ActiveDirectorySecurity
$parsedSecurityDescriptor.SetSecurityDescriptorBinaryForm($binarySecurityDescriptor)
# One ActiveDirectoryAccessRule per ACE: trustee, rights, allow/deny, object type GUID, inheritance
$parsedSecurityDescriptor.Access
and, as before, we can filter for a specific trustee:
$parsedSecurityDescriptor.Access | Where-Object {$_.IdentityReference -like '*anotherUser*'}
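The DSACLS and PowerShell snippets above list every ACE; in practice the ones worth a reviewer's time are the write-class rights (GenericAll, GenericWrite, WriteDacl, WriteOwner, WriteProperty, extended rights) held by principals that are not supposed to have them. The function below is an added example, not part of the original notes: it builds on the same DirectorySearcher approach and emits one record per such ACE, marking whether the trustee matches a list of expected high-privilege principals. The function name Get-RiskyAces, its parameters and the default ExpectedPrincipals list are my own assumptions; it assumes a domain-joined host and an account allowed to read the object's DACL.

```powershell
# Added example (not from the original notes): flag write-class ACEs on an AD object
# so they can be reviewed against the intended delegation model.
function Get-RiskyAces {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        # Principals expected to hold wide rights; tune this list for the environment (assumption)
        [string[]]$ExpectedPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                                          '*\Domain Admins', '*\Enterprise Admins')
    )

    # Rights that let the trustee change the object or its security descriptor
    $rightsOfInterest = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll -bor
                        [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite -bor
                        [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl -bor
                        [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner -bor
                        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
                        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

    # Same lookup as in the notes: fetch the object with its DACL and owner
    $searcher = New-Object System.DirectoryServices.DirectorySearcher("(samaccountname=$SamAccountName)")
    $searcher.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Dacl -bor [System.DirectoryServices.SecurityMasks]::Owner
    $result = $searcher.FindOne()
    if (-not $result) { throw "No object with sAMAccountName '$SamAccountName'" }

    $sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
    $sd.SetSecurityDescriptorBinaryForm($result.Properties.ntsecuritydescriptor[0])
    $owner = $sd.GetOwner([System.Security.Principal.NTAccount]).Value

    foreach ($ace in $sd.Access) {
        # Deny ACEs do not grant anything; skip them
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Keep only ACEs that include at least one write-class right
        if (($ace.ActiveDirectoryRights -band $rightsOfInterest) -eq 0) { continue }

        $who = $ace.IdentityReference.Value   # NTAccount name, or a SID string if unresolvable
        $expected = $false
        foreach ($pattern in $ExpectedPrincipals) {
            if ($who -like $pattern) { $expected = $true; break }
        }

        [pscustomobject]@{
            Object     = $result.Properties.distinguishedname[0]
            Owner      = $owner                 # the owner can always rewrite the DACL
            Trustee    = $who
            Rights     = $ace.ActiveDirectoryRights
            ObjectType = $ace.ObjectType        # attribute/extended-right GUID; all-zero GUID = whole object
            Inherited  = $ace.IsInherited       # inherited ACEs point at the parent OU, not this object
            Expected   = $expected
        }
    }
}

# Usage: anything with Expected = False deserves a closer look
Get-RiskyAces -SamAccountName otter | Where-Object { -not $_.Expected } | Format-Table -AutoSize
```

The Owner column is included because ownership implicitly carries WRITE_DAC, so an unexpected owner is as important as an unexpected ACE. Inherited entries usually trace back to a delegation on a parent OU, so fixing them means editing the OU, not the user object.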
Impacket's dacledit
To read the DACL of a user:
dacledit.py -target otter -dc-ip 10.10.10.10 domain.com/otter:'SomethingSecure123!'
BloodHound
BloodHound makes the whole process much easier and also lets us visualize the ACLs as edges between principals and objects.