Friday, September 2, 2022

Tool to parse and log a single targeted Active Directory principal's DACL




Aced is a tool to parse and resolve a single targeted Active Directory principal's DACL. Aced will identify interesting inbound access-allowed privileges against the targeted account, resolve the SIDs of the inbound permissions, and present that data to the operator. Additionally, the logging features of pyldapsearch have been integrated with Aced to log the targeted principal's LDAP attributes locally, which can then be parsed by pyldapsearch's companion tool BOFHound to ingest the collected data into BloodHound.

I wrote Aced simply because I wanted a more targeted approach to query ACLs. BloodHound is fantastic; however, it is very noisy. BloodHound collects all the things while Aced collects a single thing, providing the operator more control over how and what data is collected. There's a phrase the Navy SEALs use: "slow is smooth and smooth is fast", and that's the approach I tried to take with Aced. The case for detection is reduced by only querying for what LDAP wants to tell you and by not performing an action known as "expensive LDAP queries". Aced has the option to forego SMB connections for hostname resolution. You have the option to prefer LDAPS over LDAP. With the additional integration with BloodHound, the collected data can be stored in a familiar format that can be shared with a team. Privilege escalation attack paths can be built by walking backwards from the targeted goal.
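To show what "parsing and resolving a DACL" involves underneath a tool like this, here is an added example that is not Aced's own code: a small Python parser for the self-relative security descriptor format that Active Directory returns in the nTSecurityDescriptor attribute. It walks the DACL, decodes each trustee SID, and names the inbound rights that BloodHound-style auditing treats as interesting (GenericAll, WriteDacl, WriteOwner, GenericWrite, and extended rights such as User-Force-Change-Password). Everything it runs on is constructed inline: the descriptor, the domain SID, and the name table; the `resolve` callback stands in for the LDAP SID-to-name lookup, and the builder functions, constants and names are assumptions of this example, not part of Aced.

```python
"""Parse a self-relative Windows security descriptor (the binary nTSecurityDescriptor form)
and list which trustees hold abusable rights. Hypothetical example code, not Aced's own."""
import struct
import uuid

# Access-mask bits for AD objects (ADS_RIGHT_* plus standard rights) and ACE/SD constants.
DS_SELF, DS_WRITE_PROP, DS_CONTROL_ACCESS = 0x8, 0x20, 0x100
READ_CONTROL, WRITE_DAC, WRITE_OWNER = 0x20000, 0x40000, 0x80000
GENERIC_ALL = 0xF01FF                              # full DS rights as stored on AD objects
GENERIC_WRITE = READ_CONTROL | DS_SELF | DS_WRITE_PROP
ACCESS_ALLOWED_ACE, ACCESS_ALLOWED_OBJECT_ACE = 0x00, 0x05
SE_DACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x8000
# Well-known extended-right GUIDs carried in the objectType field of an object ACE.
EXTENDED_RIGHTS = {
    uuid.UUID("00299570-246d-11d0-a768-00aa006e0529"): "User-Force-Change-Password",
    uuid.UUID("1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"): "DS-Replication-Get-Changes",
    uuid.UUID("1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"): "DS-Replication-Get-Changes-All",
}

def parse_sid(buf, off):
    """Decode a binary SID at buf[off:]; return ('S-1-5-21-...', bytes consumed)."""
    revision, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs)), 8 + 4 * count

def parse_dacl(sd):
    """Return [(ace_type, mask, object_type_guid_or_None, trustee_sid)] for every DACL ACE."""
    # SECURITY_DESCRIPTOR_RELATIVE header: Revision, Sbz1, Control, OffsetOwner/Group/Sacl/Dacl.
    revision, _, control, _, _, _, off_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if revision != 1 or not control & SE_DACL_PRESENT or off_dacl == 0:
        return []                                  # no/NULL DACL: nothing to enumerate
    ace_count = struct.unpack_from("<BBHHH", sd, off_dacl)[3]   # ACL header: ..., AceCount, Sbz2
    aces, off = [], off_dacl + 8
    for _ in range(ace_count):
        ace_type, _, ace_size = struct.unpack_from("<BBH", sd, off)
        mask, body, object_type = struct.unpack_from("<I", sd, off + 4)[0], off + 8, None
        if ace_type == ACCESS_ALLOWED_OBJECT_ACE:
            obj_flags, body = struct.unpack_from("<I", sd, body)[0], body + 4
            if obj_flags & 0x1:                    # ACE_OBJECT_TYPE_PRESENT
                object_type, body = uuid.UUID(bytes_le=sd[body:body + 16]), body + 16
            if obj_flags & 0x2:                    # ACE_INHERITED_OBJECT_TYPE_PRESENT (skipped)
                body += 16
        aces.append((ace_type, mask, object_type, parse_sid(sd, body)[0]))
        off += ace_size                            # AceSize is authoritative; unknown types are skipped
    return aces

def interesting_rights(ace_type, mask, object_type):
    """Name the abusable rights an allow ACE grants, in BloodHound's vocabulary."""
    if ace_type not in (ACCESS_ALLOWED_ACE, ACCESS_ALLOWED_OBJECT_ACE):
        return []
    if mask & GENERIC_ALL == GENERIC_ALL:
        return ["GenericAll"]
    rights = [n for bit, n in ((WRITE_DAC, "WriteDacl"), (WRITE_OWNER, "WriteOwner")) if mask & bit]
    if mask & GENERIC_WRITE == GENERIC_WRITE and object_type is None:
        rights.append("GenericWrite")
    if mask & DS_CONTROL_ACCESS and object_type is None:
        rights.append("AllExtendedRights")         # unscoped control access: every extended right
    elif mask & DS_CONTROL_ACCESS and object_type in EXTENDED_RIGHTS:
        rights.append(EXTENDED_RIGHTS[object_type])
    return rights

def audit(sd, resolve=lambda sid: sid):
    """Map each trustee (via `resolve`, standing in for the LDAP SID lookup) to its rights."""
    findings = {}
    for ace_type, mask, object_type, sid in parse_dacl(sd):
        for right in interesting_rights(ace_type, mask, object_type):
            findings.setdefault(resolve(sid), []).append(right)
    return findings

# Constructed sample: builders for a minimal descriptor; the SIDs and names are made up.
def build_sid(*subs, authority=5):
    return bytes([1, len(subs)]) + authority.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def build_ace(ace_type, mask, sid, object_type=None):
    body = struct.pack("<I", mask)
    if ace_type == ACCESS_ALLOWED_OBJECT_ACE:      # Flags then optional ObjectType GUID
        body += (struct.pack("<I", 1) + object_type.bytes_le) if object_type else struct.pack("<I", 0)
    body += sid
    return struct.pack("<BBH", ace_type, 0, 4 + len(body)) + body

def build_sd(aces):
    acl = struct.pack("<BBHHH", 4, 0, 8 + sum(map(len, aces)), len(aces), 0) + b"".join(aces)
    return struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT, 0, 0, 0, 20) + acl

DOMAIN = (21, 1111, 2222, 3333)                    # constructed domain SID S-1-5-21-1111-2222-3333
NAMES = {"S-1-5-21-1111-2222-3333-512": "CORP\\Domain Admins", "S-1-5-21-1111-2222-3333-1105": "CORP\\lowpriv",
         "S-1-5-21-1111-2222-3333-1106": "CORP\\helpdesk"}
SAMPLE_SD = build_sd([
    build_ace(ACCESS_ALLOWED_ACE, GENERIC_ALL, build_sid(*DOMAIN, 512)),
    build_ace(ACCESS_ALLOWED_OBJECT_ACE, DS_CONTROL_ACCESS, build_sid(*DOMAIN, 1106),
              uuid.UUID("00299570-246d-11d0-a768-00aa006e0529")),       # helpdesk may reset passwords
    build_ace(ACCESS_ALLOWED_ACE, WRITE_DAC | READ_CONTROL, build_sid(*DOMAIN, 1105)),
    build_ace(ACCESS_ALLOWED_ACE, READ_CONTROL, build_sid(0, authority=1)),  # Everyone: read only
])

if __name__ == "__main__":
    for trustee, rights in audit(SAMPLE_SD, lambda s: NAMES.get(s, s)).items():
        print("%-20s %s" % (trustee, ", ".join(rights)))
```

Run as a script it prints one line per trustee that holds something worth a second look (Domain Admins: GenericAll; helpdesk: User-Force-Change-Password; lowpriv: WriteDacl) and stays silent about Everyone's read-only ACE. Against a live directory the same parser would be fed the nTSecurityDescriptor value from a single-object LDAP search; asking for only the DACL part via the SD flags control (OID 1.2.840.113556.1.4.801) keeps the query cheap, which is the same "ask LDAP only for what you need" point the author makes above. For the defender the interesting output is the list of accounts that can reset the target's password or rewrite its DACL, since those are exactly the edges BloodHound will later draw.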

Thanks to the below for all the code I stole:

@_dirkjan

@fortaliceLLC

@eloygpz

@coffeegist

@tw1sm

Usage

└─# python3 aced.py -h                             

          _____
         |A .  | _____
         | /.\ ||A ^  | _____
         |(_._)|| / \ ||A _  | _____
         |  |  || \ / || ( ) ||A_ _ |
         |____V||  .  ||(_'_)||( v )|
                |____V||  |  || \ / |
                       |____V||  .  |
                              |____V|
                               v1.0

Parse and log a target principal's DACL.
@garrfoster

usage: aced.py [-h] [-ldaps] [-dc-ip DC_IP] [-k] [-no-pass] [-hashes LMHASH:NTHASH] [-aes hex key] [-debug] [-no-smb] target

Tool to enumerate a single target's DACL in Active Directory

optional arguments:
  -h, --help            show this help message and exit

Authentication:
  target                [[domain/username[:password]@]<address>
  -ldaps                Use LDAPS instead of LDAP

Optional Flags:
  -dc-ip DC_IP          IP address or FQDN of domain controller
  -k, --kerberos        Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid
                        credentials cannot be found, it will use the ones specified in the command line
  -no-pass              don't ask for password (useful for -k)
  -hashes LMHASH:NTHASH
                        LM and NT hashes, format is LMHASH:NTHASH
  -aes hex key          AES key to use for Kerberos Authentication (128 or 256 bits)
  -debug                Enable verbose logging.
  -no-smb               Don't resolve DC hostname through SMB. Requires a FQDN with -dc-ip.

In the below demo, we have the credentials for the corp.local\lowpriv account. By starting enumeration at Domain Admins, a potential path for privilege escalation is identified by walking backwards from the high-value target.

And here's how that data looks when transformed by bofhound and ingested into BloodHound.
