Acltoolkit - ACL Abuse Swiss-Knife

acltoolkit is an ACL abuse swiss-army knife. It implements multiple ACL abuses.

Installation

pip install acltoolkit-ad

git clone https://github.com/zblurx/acltoolkit.gitcd acltoolkitmake

Usage

usage: acltoolkit [-h] [-debug] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-dc-ip ip address] [-scheme ldap scheme]                  target {get-objectacl,set-objectowner,give-genericall,give-dcsync,add-groupmember,set-logonscript} ...ACL abuse swiss-army knifepositional arguments:  target                [[domain/]username[:password]@]<target name or address>  {get-objectacl,set-objectowner,give-genericall,give-dcsync,add-groupmember,set-logonscript}                        Action    get-objectacl       Get Object ACL    set-objectowner     Modify Object Owner    give-genericall     Grant an object GENERIC ALL on a targeted object    give-dcsync         Grant an object DCSync capabilities on the domain    add-groupmember     Add Member to Group    set-logonscript     Change Logon Sript of Useroptions   :  -h, --help            show this help message and exit  -debug                Turn DEBUG output ON  -no-pass              don't ask for password (useful for -k)  -k                    Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the ones specified in the                        command line  -dc-ip ip address     IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter  -scheme ldap schemeauthentication:  -hashes LMHASH:NTHASH                        NTLM hashes, format is LMHASH:NTHAS   H

Commands

get-objectacl

$ acltoolkit get-objectacl -husage: acltoolkit target get-objectacl [-h] [-object object] [-all]options:  -h, --help      show this help message and exit  -object object  Dump ACL for <object>. Parameter can be a sAMAccountName, a name, a DN or an objectSid  -all            List every ACE of the object, even the less-interesting ones

The get-objectacl will take a sAMAccountName, a name, a DN or an objectSid as input with -object and will list Sid, Name, DN, Class, adminCount, LogonScript configured, Primary Group, Owner and DACL of it. If no parameter supplied, will list informations about the account used to authenticate.

$ acltoolkit waza.local/jsmith:Password#[email protected] get-objectaclSid                 : S-1-5-21-267175082-2660600898-836655089-1103Name                : waza\John SmithDN                  : CN=John Smith,CN=Users,DC=waza,DC=localClass               : top, person, organizationalPerson, useradminCount          : FalseLogon Script  scriptPath        : \\WAZZAAAAAA\OCD\test.bat  msTSInitialProgram: \\WAZZAAAAAA\OCD\test.batPrimaryGroup  Sid               : S-1-5-21-267175082-2660600898-836655089-513  Name              : waza\Domain Users  DN                : CN=Domain Users,OU=Builtin Groups,DC=waza,DC=local[...]OwnerGroup  Sid               : S-1-5-21-267175082-2660600898-836655089-512  Name              : waza\Domain AdminsDacl  ObjectSid         : S-1-1-0  Name              : Everyone  AceType           : ACCESS_ALLOWED_OBJECT_ACE  Ac   cessMask        : 256  ADRights          : EXTENDED_RIGHTS  IsInherited       : False  ObjectAceType     : User-Change-Password[...]  ObjectSid         : S-1-5-32-544  Name              : BUILTIN\Administrator  AceType           : ACCESS_ALLOWED_ACE  AccessMask        : 983485  ADRights          : WRITE_OWNER, WRITE_DACL, GENERIC_READ, DELETE, EXTENDED_RIGHTS, WRITE_PROPERTY, SELF, CREATE_CHILD  IsInherited       : True

set-objectowner

$ acltoolkit set-objectowner -husage: acltoolkit target set-objectowner [-h] -target-sid target_sid [-owner-sid owner_sid]options:  -h, --help            show this help message and exit  -target-sid target_sid                        Object Sid targeted  -owner-sid owner_sid  New Owner Sid

The set-objectowner will take as input a target sid and an owner sid, and will change the owner of the target object.

give-genericall

$ acltoolkit give-genericall -husage: acltoolkit target give-genericall [-h] -target-sid target_sid [-granted-sid owner_sid]options:  -h, --help            show this help message and exit  -target-sid target_sid                        Object Sid targeted  -granted-sid owner_sid                        Object Sid granted GENERIC_ALL

The give-genericall will take as input a target sid and a granted sid, and will change give GENERIC_ALL DACL to the granted SID to the target object.

give-dcsync

$ acltoolkit give-dcsync -husage: acltoolkit target give-dcsync [-h] [-granted-sid owner_sid]options:  -h, --help            show this help message and exit  -granted-sid owner_sid                        Object Sid granted DCSync capabilities

The give-dcsync will take as input a granted sid, and will change give DCSync capabilities to the granted SID.

add-groupmember

$ acltoolkit add-groupmember -husage: acltoolkit target add-groupmember [-h] [-user user] -group groupoptions:  -h, --help    show this help message and exit  -user user    User added to a group  -group group  Group where the user will be added

The add-groupmember will take as input a user sAMAccountName and a group sAMAccountName, and will add the user to the group

set-logonscript

$ acltoolkit set-logonscript -husage: acltoolkit target set-logonscript [-h] -target-sid target_sid -script-path script_path [-logonscript-type logonscript_type]options:  -h, --help            show this help message and exit  -target-sid target_sid                        Object Sid of targeted user  -script-path script_path                        Script path to set for the targeted user  -logonscript-type logonscript_type                        Logon Script variable to change (default is scriptPath)

The set-logonscript will take as input a target sid and a script path, and will the the Logon Script path of the targeted user to the script path specified.

Download Acltoolkit

Source: www.kitploit.com