trustedsec / CS-Situational-Awareness-BOF

Situational Awareness commands implemented using Beacon Object Files
GNU General Public License v2.0

ldapsearch nTSecurityDescriptor attribute can only be read by domain admins, need to add LDAP server control for low-priv users #86

Closed Firat-NVISO closed 1 year ago

Firat-NVISO commented 1 year ago

I made a pull request not too long ago to include the nTSecurityDescriptor attribute in base64 to include ACL resolving via bofhound. Now it turns out I didn't test it thoroughly enough, as low-privileged domain users can't read this attribute unless specified via security descriptor control (see https://github.com/the-useless-one/pywerview/blob/master/pywerview/functions/net.py - search for 0x07). I'll see if I can get it working.

freefirex commented 1 year ago

If you find a workaround please open a pull request. I don't consider this a standing issue since Windows appears to be respecting its own controls and specifying the value as a non-privileged user simply doesn't return it. There isn't any crashing condition present.

The linked control could break paging from how it reads, so I would be cautious on including it in a general search utility such as this. It may be better to break off into its own BOF where those restrictions can be noted if they are present in any workaround.

Firat-NVISO commented 1 year ago

Alright, thanks for acknowledging. The code to include the descriptor is there, but I am facing some issues. Hopefully it will be working soon!
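
The first comment points at a security descriptor control carrying the value 0x07. As an added example (not code from this thread, the BOF, or pywerview), the C below BER-encodes that control value and checks which parts a returned self-relative descriptor actually carries. The OID and flag bits are taken from Microsoft's documentation rather than the page; the function names and sample bytes are constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* OID and flag bits as documented by Microsoft (MS-ADTS), not quoted in the thread. */
#define LDAP_SERVER_SD_FLAGS_OID "1.2.840.113556.1.4.801"
enum { SD_OWNER = 0x1, SD_GROUP = 0x2, SD_DACL = 0x4, SD_SACL = 0x8 };

/* BER-encode SDFlagsRequestValue ::= SEQUENCE { Flags INTEGER }.
   Returns the number of bytes written, or 0 on unknown bits or a short buffer. */
size_t sd_flags_encode(unsigned flags, uint8_t *out, size_t cap) {
    if ((flags & ~0xFu) || cap < 5) return 0;
    out[0] = 0x30; out[1] = 0x03;            /* SEQUENCE, 3 content bytes */
    out[2] = 0x02; out[3] = 0x01;            /* INTEGER, 1 content byte   */
    out[4] = (uint8_t)flags;
    return 5;
}

/* Which parts does a self-relative security descriptor carry?
   Returns the same bitmask as the request flags, or -1 if malformed. */
int sd_parts_present(const uint8_t *sd, size_t len) {
    static const int part[4] = { SD_OWNER, SD_GROUP, SD_SACL, SD_DACL }; /* header order */
    if (len < 20 || sd[0] != 1 || !(sd[3] & 0x80)) return -1; /* rev 1, SE_SELF_RELATIVE */
    int present = 0;
    for (int i = 0; i < 4; i++) {
        const uint8_t *p = sd + 4 + 4 * i;   /* little-endian 32-bit offset */
        uint32_t off = p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24;
        if (off == 0) continue;              /* part not returned */
        if (off < 20 || off >= len) return -1;
        present |= part[i];
    }
    return present;
}

/* Constructed sample: owner and group S-1-5-18, empty DACL, no SACL. */
const uint8_t SAMPLE_SD[52] = {
    1, 0, 0x04, 0x80,  20,0,0,0,  32,0,0,0,  0,0,0,0,  44,0,0,0,
    1,1,0,0,0,0,0,5, 18,0,0,0,
    1,1,0,0,0,0,0,5, 18,0,0,0,
    2,0,8,0,0,0,0,0 };

int main(void) {
    uint8_t val[8];
    /* 0x07 = owner | group | DACL, i.e. every part except the SACL */
    size_t n = sd_flags_encode(SD_OWNER | SD_GROUP | SD_DACL, val, sizeof val);
    printf("%s value:", LDAP_SERVER_SD_FLAGS_OID);
    for (size_t i = 0; i < n; i++) printf(" %02x", val[i]);
    printf("\nparts present in sample: 0x%x\n",
           (unsigned)sd_parts_present(SAMPLE_SD, sizeof SAMPLE_SD));
    return 0;
}
```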