Skip to content

cogiceo/DACLSearch

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
daclsearch
daclsearch
 
 
filters
filters
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
daclsearch.py
daclsearch.py
 
 
setup.py
setup.py
 
 

Repository files navigation

DACLSearch

DACLSearch is a tool designed to exhaustively retrieve the Access Control Entries (ACEs) that principals have on any Active Directory objects.

demo.mp4

Installation

Install with pip

git clone "https://github.com/cogiceo/daclsearch"
cd daclsearch
pip install .

Install with pipx

pipx install "git+https://github.com/cogiceo/daclsearch"

Dump

Since the tool is exhaustive, the database size will increase, and query performance will decrease proportionally to the size of the Active Directory.

Quick dump

daclsearch dump "${DOMAIN}_aces.db" -d $DOMAIN --dc-ip $DC_IP -u $USER -p $PASS

Note

The LDAP query leverages the Phantom Root search flag, which instructs the server to enumerate all naming context (NC) replicas (except for application NCs) subordinate to the search base, even when the search base is not instantiated on the server. As a result, the query retrieves domain objects from all domains within the same forest.

Dumping with LDAP data to JSON

daclsearch dump -d $DOMAIN --dc-ip $DC_IP -u $USER -p $PASS --json "${DOMAIN}_ldap.json" "${DOMAIN}_aces.db"

Building the database from JSON

daclsearch dump -i "${DOMAIN}_ldap.json" "${DOMAIN}_aces.db"

CLI

Starting the CLI

daclsearch cli "${DOMAIN}_aces.db"

? Choose an action: 
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│❯ Search ACEs of principals                                                              │
│  Manage filters                                                                         │ 
│  Search ACEs on object                                                                  │
│  Exit                                                                                   │
└─────────────────────────────────────────────────────────────────────────────────────────┘

Search ACEs of principals

This search type retrieves all ACEs that principals have on Active Directory objects. To narrow results, you can apply filters. Two types of filters are supported:

  • Search filters: Run independently and return separate result sets. If you select multiple search filters, results from each are returned separately and are merged if you choose multiple results.
  • Merge filters: Combined with each search filter before querying. If you select multiple merge filters, each one is applied to every search filter.

Manage Filters

This menu allows you to:

  • Build your own filters based on inclusion or exclusion of:
    • Principal names
    • Principal object classes
    • Target object DNs
    • Target object classes
    • ACE types
    • ACE access masks
    • ACE object types
    • ACE inherited object types
    • ACE flags
    • Owners
    • Special filters
  • Save custom filters in YAML format for reuse.
  • Load groups of filters from folder or file.
  • Use built-in filters based common ACEs abuse, which are loaded automatically when the CLI starts.

Search ACEs on object

This search type directly returns the ACEs that principals have on a specific Active Directory object. You can target the object using the following identifiers:

  • SID
  • SAM Account Name
  • Distinguished Name

Improvements

  • Filtering out default ACEs based on the defaultSecurityDescriptor attribut
  • LDAP dump using ADWS

About

Exhaustive search and flexible filtering of Active Directory ACEs.

www.cogiceo.com/en/whitepaper_daclsearch/

Resources

Readme

License

GPL-3.0 license
Activity
Custom properties

Stars

71 stars

Watchers

1 watching

Forks

11 forks
Report repository

Languages