acl-enum

PowerView - tool

Get targeted user ACL list (access rights list)

Google the objectAceType

Import-module .\PowerView.ps1

$sid = Convert-NameToSid <username>

Get-DomainObjectACL -Identity * | ? {$_.SecurityIdentifier -eq $sid}

Reverse search & matching to GUID value

$guid = '00299570-246d-11d0-a768-00aa006e0529'

Get-ADObject -SearchBase "CN=Extended-Rights,$((Get-ADRootDSE).ConfigurationNamingContext)" -Filter {ObjectClass -like 'ControlAccessRight'} -Properties * |Select Name,DisplayName,DistinguishedName,rightsGuid| ?{$_.rightsGuid -eq $guid} | fl

Get targeted user ACL list (human-readable format)

Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $sid}

Show all ACLs

Find-InterestingDomainAcl

Using Built-in tools

Create a list of domain users

Get-ADUser -Filter * | Select-Object -ExpandProperty SamAccountName > ad_users.txt

Get ACL list

foreach($line in [System.IO.File]::ReadLines("C:\Users\htb-student\Desktop\ad_users.txt")) {get-acl  "AD:\$(Get-ADUser $line)" | Select-Object Path -ExpandProperty Access | Where-Object {$_.IdentityReference -match 'INLANEFREIGHT\\wley'}}

Further rights enumerations

Get a user ACL list (check group member rights)

$sid2 = Convert-NameToSid damundsen

Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $sid2} -Verbose

Check nested group information (investigate a group)

Get-DomainGroup -Identity "Help Desk Level 1" | select memberof

Investigating a group (look for interesting access)

$itgroupsid = Convert-NameToSid "Information Technology" (group name)

Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $itgroupsid} -Verbose

Check access rights of a user (objectAceType)

$adunnsid = Convert-NameToSid adunn

Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $adunnsid} -Verbose

---

---

Powerview - tool

Find-InterestingDomainAcl

---

---

AD powershell module (Extra)

List out available modules

Get-module

Load ActiveDirectory module

Import-module ActiveDirectory

Get domain info

Get-ADDomain

User list with ServicePrincipleName property populated

This gives us a listening of accounts that may be susceptible to a kerberoasting attack.

Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName

ACLs users & groups

Get-ObjectAcl Object-Name –ResolveGUIDs
Get-ObjectAcl -SAMAccountName Object-Name –ResolveGUIDs

ACLs - filter out specific permission

Get-ObjectAcl student223 |{$_.ActiveDirectoryRights -eq "GenericAll"}

Scan domain for all interesting abusable permissions

Invoke-ACLScanner -ResolveGUIDs

Check for domain trust relationships

Get-ADTrust -Filter *

Get group info

Get-ADGroup -Filter * | select name

Get specific group info

Get-ADGroup -Identity "back operators"

Get group member info

Get-ADGroupMember -Identity "backup operators"

Check which domain user is member of local administrator group

Get-localgroupmember -group 'administrators'

Get full information of user (AD)

Get-ADUser -identity user -properties *

---

User search

dsquery user

Computer search

dsquery computer

View all objects in OU

dsquery * "CN-Users,DC=INLANEFREIGHT,DC=LOCAL"

Users with specific attribute set (passwd_notreqd)

#passwordnotreq #passwdnotreq

dsquery * -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))" -attr distinguishedName userAccountControl

Searching for Domain Controller

dsquery * -filter "(userAccountControl:1.2.840.113556.1.4.803:=8192)" -limit 5 -attr sAMAccountName

-attr can be used for filter purpose

Search disabled accounts in AD

Get-ADUser -Properties * -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=2)"

UAC values - 1.2.840.113556.1.4.803, useful when searching for information in AD