ACE parse

[s0i37]

Hello.
Thanks for it! I've been looking for a tool to access AD ACL so much time...
But may be is it possible to implement dereference rules in ACL with your library https://github.com/skelsec/winacl ?

[skelsec]

hello! can you please define "dereference rules" ?

[s0i37]

I mean replace identifiers by "WRITE_OWNER" or "GENERIC_READ" for example.
It will make more simple ACL audit.

[s0i37]

I implemented canonical view of ACE with SIDs resolving like this:

And also grepable output:

It may be very useful with combining power of GNU:

[s0i37]

#28
skelsec/winacl#8

[s0i37]

Merged and tested. Very good!
Thanks!

Tiny example how to grab the all ACL from CLI (in case Bloodhound is very noisy):

ldapsearch -o ldif-wrap=no -E pr=10000/noprompt -D username@domain -w password -x -H ldap://dc -b DC=company,DC=org '(&(objectClass=user)(!(objectClass=computer)))' sAMAccountName memberOf > dc-users.txt
ldapsearch -o ldif-wrap=no -E pr=10000/noprompt -D username@domain -w password -x -H ldap://dc -b DC=company,DC=org '(objectClass=computer)' dnshostname memberOf > dc-computers.txt
...

mkdir users computers groups gpo containers root
mkfifo stdin
mkfifo stdout
exec 3<> stdin
exec 4<> stdout
msldap "ldap+ntlm-password://company.com\username:s3cr3t@DC" < stdin > stdout &
cat dc-users.txt | grep ^dn: | perl -MMIME::Base64 -n -00 -e 's/\n +//g;s/(?<=:: )(\S+)/decode_base64($1)/eg;print' | while read _ dn
do echo "$dn"
  echo "getsd '$dn' g" >& 3
  timeout 1 cat <& 4 > users/$dn.txt
done
cat dc-computers.txt | ...
echo 'exit' >& 3

And analisys:

grep -r GENERIC_ALL
...