Acltoolkit - ACL Abuse Swiss-Knife
acltoolkit is an ACL abuse swiss-army knife for Active Directory. It implements multiple ACL abuses as subcommands (reading object ACLs, changing object owners, granting GENERIC_ALL or DCSync rights, adding group members and setting logon scripts).
Installation
pip install acltoolkit-ad
or
git clone https://github.com/zblurx/acltoolkit.git
cd acltoolkit
make
Usage
usage: acltoolkit [-h] [-debug] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-dc-ip ip address] [-scheme ldap scheme]
                  target {get-objectacl,set-objectowner,give-genericall,give-dcsync,add-groupmember,set-logonscript} ...

ACL abuse swiss-army knife

positional arguments:
  target                [[domain/]username[:password]@]<target name or address>
  {get-objectacl,set-objectowner,give-genericall,give-dcsync,add-groupmember,set-logonscript}
                        Action
    get-objectacl       Get Object ACL
    set-objectowner     Modify Object Owner
    give-genericall     Grant an object GENERIC ALL on a targeted object
    give-dcsync         Grant an object DCSync capabilities on the domain
    add-groupmember     Add Member to Group
    set-logonscript     Change Logon Sript of User

options:
  -h, --help            show this help message and exit
  -debug                Turn DEBUG output ON
  -no-pass              don't ask for password (useful for -k)
  -k                    Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target
                        parameters. If valid credentials cannot be found, it will use the ones specified in the
                        command line
  -dc-ip ip address     IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified
                        in the target parameter
  -scheme ldap scheme

authentication:
  -hashes LMHASH:NTHASH NTLM hashes, format is LMHASH:NTHASH
Commands
get-objectacl
$ acltoolkit get-objectacl -h
usage: acltoolkit target get-objectacl [-h] [-object object] [-all]

options:
  -h, --help       show this help message and exit
  -object object   Dump ACL for <object>. Parameter can be a sAMAccountName, a name, a DN or an objectSid
  -all             List every ACE of the object, even the less-interesting ones
The get-objectacl command takes a sAMAccountName, a name, a DN or an objectSid as the -object argument and lists the object's Sid, Name, DN, Class, adminCount, configured logon script, primary group, owner and DACL. If -object is not supplied, it lists this information for the account used to authenticate.
$ acltoolkit waza.local/jsmith:Password#[email protected] get-objectacl
Sid         : S-1-5-21-267175082-2660600898-836655089-1103
Name        : waza\John Smith
DN          : CN=John Smith,CN=Users,DC=waza,DC=local
Class       : top, person, organizationalPerson, user
adminCount  : False
Logon Script
    scriptPath         : \\WAZZAAAAAA\OCD\test.bat
    msTSInitialProgram : \\WAZZAAAAAA\OCD\test.bat
PrimaryGroup
    Sid  : S-1-5-21-267175082-2660600898-836655089-513
    Name : waza\Domain Users
    DN   : CN=Domain Users,OU=Builtin Groups,DC=waza,DC=local
    [...]
OwnerGroup
    Sid  : S-1-5-21-267175082-2660600898-836655089-512
    Name : waza\Domain Admins
Dacl
    ObjectSid     : S-1-1-0
    Name          : Everyone
    AceType       : ACCESS_ALLOWED_OBJECT_ACE
    AccessMask    : 256
    ADRights      : EXTENDED_RIGHTS
    IsInherited   : False
    ObjectAceType : User-Change-Password
    [...]
    ObjectSid     : S-1-5-32-544
    Name          : BUILTIN\Administrator
    AceType       : ACCESS_ALLOWED_ACE
    AccessMask    : 983485
    ADRights      : WRITE_OWNER, WRITE_DACL, GENERIC_READ, DELETE, EXTENDED_RIGHTS, WRITE_PROPERTY, SELF, CREATE_CHILD
    IsInherited   : True
set-objectowner
$ acltoolkit set-objectowner -h
usage: acltoolkit target set-objectowner [-h] -target-sid target_sid [-owner-sid owner_sid]

options:
  -h, --help             show this help message and exit
  -target-sid target_sid Object Sid targeted
  -owner-sid owner_sid   New Owner Sid
The set-objectowner command takes a target SID (-target-sid) and an owner SID (-owner-sid) and changes the owner of the target object to the owner SID.
give-genericall
$ acltoolkit give-genericall -h
usage: acltoolkit target give-genericall [-h] -target-sid target_sid [-granted-sid owner_sid]

options:
  -h, --help             show this help message and exit
  -target-sid target_sid Object Sid targeted
  -granted-sid owner_sid Object Sid granted GENERIC_ALL
The give-genericall command takes a target SID (-target-sid) and a granted SID (-granted-sid) and adds a DACL entry on the target object that grants GENERIC_ALL to the granted SID.
give-dcsync
$ acltoolkit give-dcsync -h
usage: acltoolkit target give-dcsync [-h] [-granted-sid owner_sid]

options:
  -h, --help             show this help message and exit
  -granted-sid owner_sid Object Sid granted DCSync capabilities
The give-dcsync command takes a granted SID (-granted-sid) and modifies the domain object's DACL to grant DCSync capabilities to that SID.
add-groupmember
$ acltoolkit add-groupmember -h
usage: acltoolkit target add-groupmember [-h] [-user user] -group group

options:
  -h, --help    show this help message and exit
  -user user    User added to a group
  -group group  Group where the user will be added
The add-groupmember command takes a user sAMAccountName (-user) and a group sAMAccountName (-group) and adds the user to the group.
set-logonscript
$ acltoolkit set-logonscript -h
usage: acltoolkit target set-logonscript [-h] -target-sid target_sid -script-path script_path [-logonscript-type logonscript_type]

options:
  -h, --help                          show this help message and exit
  -target-sid target_sid              Object Sid of targeted user
  -script-path script_path            Script path to set for the targeted user
  -logonscript-type logonscript_type  Logon Script variable to change (default is scriptPath)
The set-logonscript command takes a target SID (-target-sid) and a script path (-script-path) and sets the logon script path of the targeted user to the specified path. The attribute written is scriptPath by default and can be changed with -logonscript-type.
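As an added example (not code from acltoolkit), the following Python decodes the numeric AccessMask printed by get-objectacl into the same ADRights names the tool shows, and then flags the modification rights that the set-objectowner, give-genericall, give-dcsync, add-groupmember and set-logonscript commands depend on, which is what a review of that DACL output should look for. The bit values are the Windows ADS_RIGHT_* constants; the mapping from right to command is my cross-reference, not something the tool emits.

```python
# Added example, not part of acltoolkit: decode an AccessMask as printed by
# get-objectacl and flag modification rights for DACL review.
# Bit values are the Windows ADS_RIGHT_* constants.
RIGHTS = {
    0x1: "CREATE_CHILD", 0x2: "DELETE_CHILD", 0x4: "LIST_CHILDREN",
    0x8: "SELF", 0x10: "READ_PROPERTY", 0x20: "WRITE_PROPERTY",
    0x40: "DELETE_TREE", 0x80: "LIST_OBJECT", 0x100: "EXTENDED_RIGHTS",
    0x10000: "DELETE", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DACL",
    0x80000: "WRITE_OWNER",
}
# AD generic mapping. Composites are matched first and their bits consumed, so
# READ_CONTROL|LIST_CHILDREN|READ_PROPERTY|LIST_OBJECT prints as GENERIC_READ
# (as in the 983485 ACE above) instead of four separate rights.
GENERIC = [(0xF01FF, "GENERIC_ALL"), (0x20094, "GENERIC_READ"),
           (0x20028, "GENERIC_WRITE"), (0x20004, "GENERIC_EXECUTE")]

# Rights that allow changing the object rather than reading it, with the
# acltoolkit command that relies on each (my cross-reference, not tool output).
RISKY = {"GENERIC_ALL": "give-genericall", "WRITE_OWNER": "set-objectowner",
         "WRITE_DACL": "give-genericall / give-dcsync",
         "WRITE_PROPERTY": "set-logonscript / add-groupmember",
         "GENERIC_WRITE": "set-logonscript / add-groupmember"}


def decode_access_mask(mask: int) -> list[str]:
    """Return ADRights names for a numeric AccessMask, highest bit first."""
    found = []
    for value, name in GENERIC:
        if mask & value == value:
            found.append((value, name))
            mask &= ~value          # consume the composite's bits
    for value, name in RIGHTS.items():
        if mask & value:
            found.append((value, name))
    return [name for _, name in sorted(found, reverse=True)]


def audit_ace(object_sid: str, access_mask: int, inherited: bool) -> list[str]:
    """Flag modification rights in one ACE. EXTENDED_RIGHTS alone is not
    flagged: its meaning depends on ObjectAceType (User-Change-Password for
    Everyone, as above, still requires the old password)."""
    where = "inherited" if inherited else "explicit"
    return [f"{object_sid}: {right} ({where}); exercised by {RISKY[right]}"
            for right in decode_access_mask(access_mask) if right in RISKY]


if __name__ == "__main__":
    # The two ACEs shown in the get-objectacl output above.
    print(decode_access_mask(256))     # ['EXTENDED_RIGHTS']
    print(decode_access_mask(983485))
    for line in audit_ace("S-1-5-32-544", 983485, True):
        print(line)
```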
Source: www.kitploit.com