Closed clementsbr closed 2 years ago
Hi @clementsbr,
I can only guess from your message that you would like to see the Invoke-ACLScanner
functionality implemented. If that's so, rejoice! I'm currently working on implementing the different PowerView ACL functionalities. You can see some of them in the get_objectacl branch.
If you use this branch for your tests and see any problems, we'd be grateful for your issues (hoping that they'll be more detailed than this one).
Cheers,
Y
Essentially, using the ACL scanner to identify GPOs which have overly permissive write rules. However since get-netgpo does not return a SID and we cannot query on the GPO name/GUID I cannot validate the permissions on GPOs effectively via your python script.
Hi @clementsbr,
Sorry I took so long to answer. You can check the ACL on a GPO using its name
attribute. Here's an example where I'm looking at the Default Domain Policy:
$ python3 pywerview.py get-objectacl -t srv-ad.contoso.com -u skywalker -p $PASSWORD --name '{31B2F340-016D-11D2-945F-00C04FB984F9}' --resolve-guids --resolve-sids
objectdn: CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=contoso,DC=com
objectsid:
acetype: ACCESS_ALLOWED_ACE
binarysize: 36
aceflags:
accessmask: 917693
activedirectoryrights: generic_read, create_child, list_children, self, read_property, write_property, list_object,
read_control, write_dacl, write_owner
isinherited: False
securityidentifier: CN=Admins du domaine,CN=Users,DC=contoso,DC=com
iscallbak: False
objectdn: CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=contoso,DC=com
objectsid:
acetype: ACCESS_ALLOWED_ACE
binarysize: 36
aceflags: container_inherit, inherit_only
accessmask: 983295
activedirectoryrights: generic_read, create_child, delete_child, list_children, self, read_property, write_property,
delete_tree, list_object, delete, read_control, write_dacl, write_owner
isinherited: False
securityidentifier: CN=Admins du domaine,CN=Users,DC=contoso,DC=com
iscallbak: False
[...]
Feel free to re-open the issue if this didn't answer your question.
Cheers,
Y
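The original question was how to spot GPOs whose ACL grants write rights too broadly, and the reply above shows the record layout that pywerview's get-objectacl prints. The following is an added example (not pywerview's own code, and not from either participant) that parses that layout and reports ACCESS_ALLOWED_ACE entries granting write-type rights to principals outside an allow-list. The first record in the sample is copied from the thread above; the second record, the "Helpdesk" group, and the TRUSTED_PRINCIPALS set are constructed assumptions for the demonstration.

```python
import re
from typing import Dict, List, Set

# Rights that let a principal modify a GPO, or take control of who can.
WRITE_RIGHTS = {"generic_all", "generic_write", "write_property", "write_dacl", "write_owner"}

# Principals expected to hold write rights on GPOs (assumption for this example).
TRUSTED_PRINCIPALS = {"CN=Admins du domaine,CN=Users,DC=contoso,DC=com"}

# CONSTRUCTED sample in the key/value layout shown in the thread. The first record is the
# one quoted above; the second (a "Helpdesk" group holding write_property) is invented here.
SAMPLE_OUTPUT = """\
objectdn: CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=contoso,DC=com
objectsid:
acetype: ACCESS_ALLOWED_ACE
binarysize: 36
aceflags:
accessmask: 917693
activedirectoryrights: generic_read, create_child, list_children, self, read_property, write_property, list_object,
read_control, write_dacl, write_owner
isinherited: False
securityidentifier: CN=Admins du domaine,CN=Users,DC=contoso,DC=com
iscallbak: False
objectdn: CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=contoso,DC=com
objectsid:
acetype: ACCESS_ALLOWED_ACE
binarysize: 36
aceflags:
accessmask: 32
activedirectoryrights: write_property
isinherited: False
securityidentifier: CN=Helpdesk,CN=Users,DC=contoso,DC=com
iscallbak: False
[...]
"""

KEY_RE = re.compile(r"^([a-z]+):\s*(.*)$")


def parse_records(text: str) -> List[Dict[str, str]]:
    """Split get-objectacl style output into one dict per ACE.

    A new record starts at each 'objectdn:' line. Lines without a 'key:' prefix are
    treated as wrapped continuations of the previous value (long rights lists).
    """
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    last_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "[...]":
            continue
        m = KEY_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2)
            if key == "objectdn":
                current = {}
                records.append(current)
            if not records:
                continue  # stray text before the first record
            current[key] = value
            last_key = key
        elif records and last_key is not None:
            current[last_key] = (current[last_key] + " " + line).strip()
    return records


def rights_of(record: Dict[str, str]) -> Set[str]:
    """Return the activedirectoryrights of one ACE as a set of tokens."""
    return {r.strip() for r in record.get("activedirectoryrights", "").split(",") if r.strip()}


def find_risky_write_aces(records: List[Dict[str, str]], trusted: Set[str]) -> List[Dict[str, object]]:
    """Report allow ACEs that grant write-type rights to principals outside the allow-list.

    Each finding records the object, the principal, the write rights granted and whether
    the ACE is inherit_only (i.e. it affects child objects rather than the GPO itself).
    """
    findings = []
    for rec in records:
        if rec.get("acetype") != "ACCESS_ALLOWED_ACE":
            continue
        principal = rec.get("securityidentifier", "")
        if principal in trusted:
            continue
        granted = rights_of(rec) & WRITE_RIGHTS
        if granted:
            findings.append({
                "objectdn": rec.get("objectdn", ""),
                "principal": principal,
                "rights": sorted(granted),
                "inherit_only": "inherit_only" in rec.get("aceflags", ""),
            })
    return findings


if __name__ == "__main__":
    for f in find_risky_write_aces(parse_records(SAMPLE_OUTPUT), TRUSTED_PRINCIPALS):
        print(f"{f['principal']} has {', '.join(f['rights'])} on {f['objectdn']}")
```

In practice the allow-list would come from your own naming policy, and the output to parse would be whatever get-objectacl returns for the GPOs in CN=Policies,CN=System; the inherit_only flag is kept in each finding because such ACEs do not grant rights on the GPO object itself, only on objects created beneath it.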
Conversion of the function Invoke-ACLScanner