aclpwn - Active Directory ACL exploitation with BloodHound

fox-it.com
Dirk-jan Mollema
@_dirkjan
Aclpwn.py – Active Directory ACL exploitation with BloodHound
- Lives in The Netherlands
- Hacker / Red Teamer / Researcher @ Fox-IT since 2016
- Previously freelance web developer
- Author of several Active Directory tools:
- mitm6
- ldapdomaindump
- BloodHound.py
- Co-author of ntlmrelayx
- Blogs on dirkjanm.io
- Tweets stuff on @_dirkjan
Whoami
• What are ACLs
• Common ACL abuse paths
• aclpwn.py concepts
• Using aclpwn.py
Contents
• https://github.com/ANSSI-FR/AD-control-paths
(Emmanuel Gras and Lucas Bouillot from ANSSI – 2014)
• “An ACE up the Sleeve” – BH USA 2017
(by @_wald0 and @harmj0y)
• BloodHound
(@_wald0, @harmj0y and @CptJesus)
Abusing ACLs – prior work
What are ACLs – the short version
• In Active Directory, an ACL defines who can do what on an object
• Objects:
• Users
• Groups
• Computers
• Domain(s)
What are ACLs – the short version
• Access Control List
• SACL – System ACL, used for auditing access
• DACL – Discretionary ACL, used for defining who has what access on an object
• A DACL consists of ACEs (Access Control Entries)
What are ACLs - Terminology
ACLs are hard (screenshot)
ACLs are hard (2) (screenshot)
ACLs are hard (3) (screenshot)
• Even some default ACLs are too complex for the UI to display
• We can’t realistically expect sysadmins to keep track of ACLs or to fully understand their impact
• Especially not if they are inherited or nested
• Tooling is needed!
ACLs are hard!
• BloodHound 1.3 introduced the ACL update
• Makes it easy to identify ACLs
• Identify them with SharpHound.exe -c ACL
• Not yet supported in BloodHound.py (but work in progress)
Mapping ACLs with BloodHound
Source: https://wald0.com/?p=112
ACL abuse – case studies
• By default the “Exchange Windows Permissions” group has wide-reaching privileges in the domain
• Including WriteDacl on the Domain object
• Every Exchange server’s machine account is a member, so any Exchange server can grant DCSync privileges to a principal of its choosing
• Effectively: local admin on an Exchange server = Domain Admin
Bad ACLs – Case study 1: Exchange
Sources:
- https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf
- https://github.com/gdedrouas/Exchange-AD-Privesc
- https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/
Bad ACLs – Case study 1: Exchange
• No need to run anything on the Exchange server itself
• Just dump the NTLM hash of the Exchange server’s machine account and feed it to aclpwn.py
• aclpwn.py authenticates with pass-the-hash and adds the DCSync privileges
• DCSync with secretsdump.py (impacket)
Bad ACLs – Case study 1: Exchange
• ADPREP in Server 2016 introduces an “Enterprise Key Admins” group
• This group has full control over the Domain object (before v1709)
• Account Operators can manage the membership of this group, so Account Operators can obtain DCSync privileges
Bad ACLs – Case study 2: Enterprise key admins
Sources:
- https://secureidentity.se/adprep-bug-in-windows-server-2016/
- My lab ☺
Bad ACLs – Case study 2: Enterprise key admins
WriteDacl on Domain object => DCSync privileges
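What “WriteDacl on the Domain object => DCSync” means at the byte level, as an added example that is not aclpwn.py’s own code: a principal with WriteDacl appends two ACCESS_ALLOWED_OBJECT_ACEs to the domain’s DACL, each granting the extended right (ADS_RIGHT_DS_CONTROL_ACCESS) for one of the replication rights DS-Replication-Get-Changes and DS-Replication-Get-Changes-All. The pure-Python encoder/decoder below builds those ACEs and checks a DACL for them, so it runs without a domain; the SIDs are constructed sample values, and group expansion, deny ACEs and inheritance are deliberately left out.

```python
"""Build, and check a DACL for, the two ACEs that make a principal DCSync-capable.
Added example (not aclpwn.py code). Binary layouts follow MS-DTYP; SIDs are made up."""
import struct
import uuid

# rightsGuid of the replication extended rights (controlAccessRight objects in the schema)
DS_REPLICATION_GET_CHANGES = uuid.UUID("1131f6aa-9c07-11d1-f79f-00c04fc2dcd2")
DS_REPLICATION_GET_CHANGES_ALL = uuid.UUID("1131f6ad-9c07-11d1-f79f-00c04fc2dcd2")
DCSYNC_RIGHTS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

RIGHT_DS_CONTROL_ACCESS = 0x00000100  # ADS_RIGHT_DS_CONTROL_ACCESS: "an extended right"
RIGHT_WRITE_DAC = 0x00040000          # ADS_RIGHT_WRITE_DAC: BloodHound's WriteDacl edge
GENERIC_ALL = 0x10000000
ACCESS_ALLOWED_ACE_TYPE, ACCESS_ALLOWED_OBJECT_ACE_TYPE = 0x00, 0x05
ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT = 0x1, 0x2
ACL_REVISION_DS = 0x04


def sid_to_bytes(sid):
    """'S-1-5-21-...-1105' -> revision, sub-auth count, 48-bit authority, sub-authorities."""
    parts = sid.split("-")
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", int(parts[1]), len(subs)) + int(parts[2]).to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(buf):
    rev, count = struct.unpack_from("<BB", buf, 0)
    subs = struct.unpack_from("<%dI" % count, buf, 8)
    return "S-%d-%d-%s" % (rev, int.from_bytes(buf[2:8], "big"), "-".join(map(str, subs)))


def build_ace(sid, mask):
    """ACCESS_ALLOWED_ACE: header (type, flags, size), access mask, SID."""
    body = struct.pack("<I", mask) + sid_to_bytes(sid)
    return struct.pack("<BBH", ACCESS_ALLOWED_ACE_TYPE, 0, 4 + len(body)) + body


def build_object_ace(sid, mask, object_type=None):
    """ACCESS_ALLOWED_OBJECT_ACE: header, mask, flags, [ObjectType GUID], SID."""
    flags = ACE_OBJECT_TYPE_PRESENT if object_type is not None else 0
    body = struct.pack("<II", mask, flags)
    if object_type is not None:
        body += object_type.bytes_le
    body += sid_to_bytes(sid)
    return struct.pack("<BBH", ACCESS_ALLOWED_OBJECT_ACE_TYPE, 0, 4 + len(body)) + body


def build_dcsync_aces(sid):
    """The two ACEs a WriteDacl holder appends to the domain DACL for `sid`."""
    return [build_object_ace(sid, RIGHT_DS_CONTROL_ACCESS, g)
            for g in (DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL)]


def build_acl(aces):
    """ACL header (revision, sbz1, size, ACE count, sbz2) followed by the ACEs."""
    body = b"".join(aces)
    return struct.pack("<BBHHH", ACL_REVISION_DS, 0, 8 + len(body), len(aces), 0) + body


def parse_acl(buf):
    """Yield (ace_type, trustee_sid, mask, object_type or None) for each allow ACE."""
    count = struct.unpack_from("<BBHHH", buf, 0)[3]
    off = 8
    for _ in range(count):
        ace_type, _, size = struct.unpack_from("<BBH", buf, off)
        if ace_type == ACCESS_ALLOWED_OBJECT_ACE_TYPE:
            mask, flags = struct.unpack_from("<II", buf, off + 4)
            pos, obj = off + 12, None
            if flags & ACE_OBJECT_TYPE_PRESENT:
                obj, pos = uuid.UUID(bytes_le=buf[pos:pos + 16]), pos + 16
            if flags & ACE_INHERITED_OBJECT_TYPE_PRESENT:
                pos += 16
            yield ace_type, bytes_to_sid(buf[pos:off + size]), mask, obj
        elif ace_type == ACCESS_ALLOWED_ACE_TYPE:
            mask = struct.unpack_from("<I", buf, off + 4)[0]
            yield ace_type, bytes_to_sid(buf[off + 8:off + size]), mask, None
        off += size  # deny and audit ACE types are skipped in this example


def replication_rights(acl, sid):
    """Replication extended rights `sid` holds directly in this DACL (no group expansion)."""
    got = set()
    for _, trustee, mask, obj in parse_acl(acl):
        if trustee != sid:
            continue
        if mask & GENERIC_ALL or (mask & RIGHT_DS_CONTROL_ACCESS and obj is None):
            return set(DCSYNC_RIGHTS)  # GenericAll / "all extended rights" cover both
        if mask & RIGHT_DS_CONTROL_ACCESS and obj in DCSYNC_RIGHTS:
            got.add(obj)
    return got


def can_dcsync(acl, sid):
    """A full secretsdump-style DCSync needs both replication rights, not just one."""
    return replication_rights(acl, sid) == DCSYNC_RIGHTS
```

Two things the check makes visible that the slide does not: a principal that has only DS-Replication-Get-Changes cannot pull secrets (Get-Changes-All is the one that carries them), and an un-typed ACE granting control access with no ObjectType, or GenericAll, already implies both, which is why auditing must look beyond the two GUIDs.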
Exploiting ACLs
• PowerSploit (https://github.com/PowerShellMafia/PowerSploit)
• Manual exploitation only
• Can be confusing if there are multiple steps in the chain
• Complex to use with machine accounts or pass-the-hash
• Invoke-AclPwn (https://github.com/fox-it/Invoke-ACLPwn)
• Automated pathfinding
• Parses SharpHound output on the host (slow)
• Limited scenarios
• Complex to use with machine accounts or pass-the-hash
Existing ACL exploitation tools and their limitations
• Direct integration with BloodHound and the Neo4j graph database
• Supports any reversible ACL based attack chain
• Advanced pathfinding to find the most efficient paths
• Support for exploitation with NTLM hashes (pass-the-hash)
• Saves restore state, easy rollback of changes
• Can be run via a SOCKS tunnel
• Written in Python (2.7 and 3.5+), so OS independent
aclpwn.py
• Find an exploitation path
• Start at a user/computer
• End at a group or domain
• aclpwn.py finds the most efficient path
• Objects are modified to obtain the required access
• After action on objectives is achieved, the path is walked in reverse and privileges are restored
aclpwn.py - the concept
Pathfinding difficulties
• The shortest path is not always the most efficient path
• Neo4j’s shortestPath counts path length by number of hops (relationships)
• If we have the following scenario:
• User “test” is a member of group A
• Group A is a member of group B
• Group B is a member of group C
• Group C is a member of Domain Admins
• AND user “test” has AddMember on Domain Admins
• Neo4j will see the path (test)-[AddMember]->(Domain Admins) as the shortest
• Even though user “test” is effectively already a Domain Admin through nested membership, without modifying anything
Pathfinding with Neo4j
Solution: weighted paths (diagram: edges labelled “Weight: 0” and “Weight: 1”)
• Either calculated manually (faster but less accurate, may miss paths)
• Or discovered using Dijkstra’s algorithm (slower, but more accurate)
• Different weights for different modification parameters
Weighted paths
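The two pathfinding methods side by side on the slide’s scenario, as an added example (not aclpwn.py’s code, which runs these queries against Neo4j; this is an in-memory stand-in). The weighting is an assumption that matches the diagram: MemberOf edges cost 0 because that access is already effective, while edges that require a modification (AddMember, WriteDacl, GenericAll) cost 1 because they must be performed and later rolled back. The graph is constructed for the example.

```python
"""Hop-count shortest path vs. weighted (Dijkstra) path on the slide's scenario.
Added example, not aclpwn.py code. Graph and weights are constructed/assumed."""
import heapq
from collections import deque

# Assumed weights: 0 = already effective, 1 = a change to AD that must be made and undone
EDGE_WEIGHT = {"MemberOf": 0, "AddMember": 1, "WriteDacl": 1, "GenericAll": 1}

# Constructed graph: node -> [(neighbour, edge_type), ...]
GRAPH = {
    "test": [("Group A", "MemberOf"), ("Domain Admins", "AddMember")],
    "Group A": [("Group B", "MemberOf")],
    "Group B": [("Group C", "MemberOf")],
    "Group C": [("Domain Admins", "MemberOf")],
    "Domain Admins": [],
}


def _rebuild(prev, goal):
    """Turn a predecessor map into an ordered list of (from, edge, to) steps."""
    path, node = [], goal
    while prev[node] is not None:
        parent, edge = prev[node]
        path.append((parent, edge, node))
        node = parent
    return path[::-1]


def shortest_by_hops(graph, start, goal):
    """BFS: fewest relationships, which is what Neo4j's shortestPath() optimises."""
    prev, queue = {start: None}, deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            return _rebuild(prev, goal)
        for nxt, edge in graph[node]:
            if nxt not in prev:
                prev[nxt] = (node, edge)
                queue.append(nxt)
    return None


def cheapest_by_weight(graph, start, goal, weights=EDGE_WEIGHT):
    """Dijkstra: fewest modifications. Returns (total_cost, path) or None."""
    dist, prev, heap = {start: 0}, {start: None}, [(0, start)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist[node]:
            continue  # stale heap entry
        if node == goal:
            return d, _rebuild(prev, goal)
        for nxt, edge in graph[node]:
            nd = d + weights[edge]
            if nd < dist.get(nxt, float("inf")):
                dist[nxt], prev[nxt] = nd, (node, edge)
                heapq.heappush(heap, (nd, nxt))
    return None


def modifications(path, weights=EDGE_WEIGHT):
    """The steps on a path that actually change AD (and so need a restore step later)."""
    return [step for step in path if weights[step[1]] > 0]
```

Running both on the same graph shows the point of the slide: the hop-count path is one AddMember edge (one modification, one restore), while the weighted path is four MemberOf edges at cost 0, so nothing has to be changed at all.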
• Shortest only:
• Dijkstra:
Pathfinding methods
Path is found and validated
Example: escalating from account operators
• ForceChangePassword:
• We have the right to change the user’s password
• Not easily possible to restore afterwards (only with DCShadow or SetNTLM)
• Not supported for now
• Solution: split the path, perform the password reset manually
• WriteOwner:
• Seems to be limited to setting the owner to your own user
• Not possible to restore right now
• Needs more investigation
Non-supported edges and limitations
• Aclpwn will remember state during exploitation
• Possible to restore all operations using --restore option
• Different restore strategies
Restore operation
Restore example
Defenses
• Audit your ACLs!
• Use BloodHound
• Remove dangerous ACLs (for example Exchange)
• Restrict permission delegation
• Admin on Exchange Server => Domain Admin
• Admin on Azure AD connect host => Domain Admin
• Resetting password of high privilege users => Domain Admin
• Managing groups with high privileges => Domain Admin
Defending against ACL attacks
• Monitor for ACL changes
• Use SACLs to generate events for important object modifications
• Use event logging to monitor DACL changes
• See: https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/
Defending against ACL attacks
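What “use event logging to monitor DACL changes” looks like in practice, as an added example that is not part of the talk or of aclpwn.py. With the “Audit Directory Service Changes” subcategory enabled and a SACL on the domain object auditing writes, a change to nTSecurityDescriptor produces Security event 5136 (“A directory service object was modified”), a pair of events per change: one with OperationType %%14675 carrying the old value and one with %%14674 carrying the new value, the value being the descriptor in SDDL. The detection below parses the new-value event and flags any allow ACE that hands out GenericAll, all extended rights, or one of the two replication rights to a principal outside the expected built-in administrators. The events, SIDs and the domain name are constructed sample data; the EventData field names are the real ones for 5136.

```python
"""Flag 5136 events whose new nTSecurityDescriptor on the domain object grants DCSync rights.
Added example, not from the talk or aclpwn.py. Sample events/SIDs are constructed."""
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
VALUE_ADDED = "%%14674"  # OperationType for the new value; %%14675 is the deleted old value
EXPECTED_TRUSTEES = {"DA", "EA", "BA", "SY", "ED"}  # SDDL aliases for admins/DCs: normal here
GA_MASK, CR_MASK = 0x10000000, 0x00000100
# SDDL ACE: (type;flags;rights;object_guid;inherit_guid;account_sid); conditional ACEs not handled
ACE_RE = re.compile(r"\((A|OA);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")


def rights_tokens(rights):
    """SDDL rights as two-letter tokens (never substring-match: 'RC'+'RP' contains 'CR')."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return {tok for tok, bit in (("GA", GA_MASK), ("CR", CR_MASK)) if mask & bit}
    return {rights[i:i + 2] for i in range(0, len(rights), 2)}


def dcsync_grants(sddl, ignore=EXPECTED_TRUSTEES):
    """(trustee, right) for each allow ACE granting GenericAll, all extended rights or a replication right."""
    out = []
    for typ, _flags, rights, guid, _inh, sid in ACE_RE.findall(sddl):
        if sid in ignore:
            continue
        toks = rights_tokens(rights)
        if "GA" in toks:
            out.append((sid, "GenericAll"))
        elif "CR" in toks:
            if typ == "A" or guid == "":
                out.append((sid, "all extended rights"))
            elif guid.lower() in REPL_RIGHTS:
                out.append((sid, REPL_RIGHTS[guid.lower()]))
    return out


def event_fields(xml_text):
    root = ET.fromstring(xml_text)
    return {d.get("Name"): (d.text or "") for d in root.iterfind(".//e:Data", NS)}


def check_5136(xml_text):
    """Alerts (actor, trustee, right) for a new DACL on a domainDNS object granting DCSync-capable rights."""
    f = event_fields(xml_text)
    if (f.get("AttributeLDAPDisplayName") != "nTSecurityDescriptor"
            or f.get("OperationType") != VALUE_ADDED
            or f.get("ObjectClass") != "domainDNS"):
        return []
    actor = "%s\\%s" % (f.get("SubjectDomainName"), f.get("SubjectUserName"))
    return [(actor, sid, right) for sid, right in dcsync_grants(f.get("AttributeValue", ""))]


def _event(obj_class, attr, value, op=VALUE_ADDED):
    """Constructed 5136 event body (sample data, not a real log)."""
    return """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5136</EventID></System>
  <EventData>
    <Data Name="SubjectUserName">EXCH01$</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="ObjectDN">DC=corp,DC=local</Data>
    <Data Name="ObjectClass">%s</Data>
    <Data Name="AttributeLDAPDisplayName">%s</Data>
    <Data Name="AttributeValue">%s</Data>
    <Data Name="OperationType">%s</Data>
  </EventData>
</Event>""" % (obj_class, attr, value, op)


# Constructed DACL: a normal Domain Admins ACE plus two new ACEs giving RID 1105 both replication rights
SUSPICIOUS_SDDL = ("O:DAG:DAD:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
                   "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1-2-3-1105)"
                   "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1-2-3-1105)")
SUSPICIOUS_EVENT = _event("domainDNS", "nTSecurityDescriptor", SUSPICIOUS_SDDL)
BENIGN_EVENT = _event("user", "nTSecurityDescriptor", "O:DAG:DAD:(A;;RPWP;;;S-1-5-21-1-2-3-1105)")
```

The actor field matters as much as the trustee: in the Exchange case study the SubjectUserName is a machine account (EXCH01$ in the sample), and a machine account rewriting the domain’s DACL is a strong signal on its own. In production, diff the %%14674 value against the paired %%14675 value so only newly added ACEs are reported, and expect the same DACL write to also appear as event 4662 if the SACL audits it.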
Conclusions
• ACL attacks are still relatively unknown
• But present in almost every Active Directory
• You don’t need a Domain Admin session to pwn the domain
• More tooling will (hopefully) raise awareness for this issue
Conclusions
• Online at https://github.com/fox-it/aclpwn.py
• Follow me on Twitter to keep up-to-date with my work (@_dirkjan)
• I’ll be demo-ing aclpwn.py this afternoon tomorrow morning
• Feel free to drop by for any questions! ☺
Get the tools