StandIn
Added Path parameter to specify search container
I added a path parameter to specify the search container. This is useful when looking up object properties or permissions, such as when checking Certificate Template access permissions.
Can you add some output please, see https://github.com/FuzzySecurity/StandIn#contributing
Sure:
```
StandIn.exe --object (&(objectCategory=*)(objectClass=pKICertificateTemplate)(cn=User)) --path LDAP://CN=Configuration,DC=test,DC=domain,DC=com --access

[?] Using DC : ca.test.domain.com
[?] Object   : CN=User
    Path     : LDAP://CN=User,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=test,DC=domain,DC=com

[+] Object properties
    |_ Owner : TEST\Enterprise Admins
    |_ Group : TEST\Enterprise Admins

[+] Object access rules

[+] Identity --> NT AUTHORITY\Authenticated Users
    |_ Type       : Allow
    |_ Permission : GenericRead
    |_ Object     : ANY

[+] Identity --> TEST\Domain Admins
    |_ Type       : Allow
    |_ Permission : CreateChild, DeleteChild, Self, WriteProperty, DeleteTree, Delete, GenericRead, WriteDacl, WriteOwner
    |_ Object     : ANY

[+] Identity --> TEST\Enterprise Admins
    |_ Type       : Allow
    |_ Permission : CreateChild, DeleteChild, Self, WriteProperty, DeleteTree, Delete, GenericRead, WriteDacl, WriteOwner
    |_ Object     : ANY

[+] Identity --> TEST\Domain Admins
    |_ Type       : Allow
    |_ Permission : ReadProperty, WriteProperty, ExtendedRight
    |_ Object     : Certificate-Enrollment

[+] Identity --> TEST\Domain Users
    |_ Type       : Allow
    |_ Permission : ReadProperty, WriteProperty, ExtendedRight
    |_ Object     : Certificate-Enrollment

[+] Identity --> TEST\Enterprise Admins
    |_ Type       : Allow
    |_ Permission : ReadProperty, WriteProperty, ExtendedRight
    |_ Object     : Certificate-Enrollment

[+] Identity --> TEST\PKI Template Administrators
    |_ Type       : Allow
    |_ Permission : GenericAll
    |_ Object     : ANY

[+] Identity --> TEST\PKI CA Administrators
    |_ Type       : Allow
    |_ Permission : GenericAll
    |_ Object     : ANY

[+] Identity --> BUILTIN\Administrators
    |_ Type       : Allow
    |_ Permission : GenericAll
    |_ Object     : ANY

[+] Identity --> TEST\Enterprise Admins
    |_ Type       : Allow
    |_ Permission : GenericAll
    |_ Object     : ANY

[+] Identity --> TEST\Domain Admins
    |_ Type       : Allow
    |_ Permission : CreateChild, Self, WriteProperty, ExtendedRight, Delete, GenericRead, WriteDacl, WriteOwner
    |_ Object     : ANY

[+] Identity --> BUILTIN\Administrators
    |_ Type       : Allow
    |_ Permission : CreateChild, ListChildren, ReadProperty, ExtendedRight, Delete, GenericWrite, WriteDacl, WriteOwner
    |_ Object     : ANY
```
I also updated the help to include details about this new parameter:
```
  __
 (_  _/_   _//   ~b33f
 __)/(//)(/(/)   v1.2

 >--~~--> Args? <--~~--<

--help          This help menu
--object        LDAP filter, e.g. samaccountname=HWest
--ldap          LDAP filter, can return result collection
--filter        Filter results, varies based on function
--limit         Limit results, varies based on function, defaults to 50
--computer      Machine name, e.g. Celephais-01
--group         samAccountName, e.g. "Necronomicon Admins"
--ntaccount     User name, e.g. "REDHOOK\UPickman"
--sid           Dependent on context
--grant         User name, e.g. "REDHOOK\KMason"
--guid          Rights GUID to add to object, e.g. 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2
--domain        Domain name, e.g. REDHOOK
--user          User name
--pass          Password
--path          LDAP path / container to search in
--newpass       New password to set for object
--gpo           List group policy objects
--acl           Show ACL's for returned GPO's
--localadmin    Add samAccountName to BUILTIN\Administrators for vulnerable GPO
--setuserrights samAccountName for which to add token rights in a vulnerable GPO
--tasktype      Immediate task type (user/computer)
--taskname      Immediate task name
--author        Immediate task author
--command       Immediate task command
--args          Immediate task command args
--target        Optional, filter for DNS name or NTAccount
--targetsid     Optional, provider user SID
--increase      Increment either the user or computer GPO version number for the AD object
--policy        Reads some account/kerberos properties from the "Default Domain Policy"
--dns           Performs ADIDNS enumeration, supports wildcard filters
--legacy        Boolean, sets DNS seach root to legacy (CN=System)
--forest        Boolean, sets DNS seach root to forest (DC=ForestDnsZones)
--passnotreq    Boolean, list accounts that have PASSWD_NOTREQD set
--type          Rights type: GenericAll, GenericWrite, ResetPassword, WriteMembers, DCSync
--spn           Boolean, list kerberoastable accounts
--setspn        samAccountName for which to add/remove an SPN
--principal     Principal name to add to samAccountName (e.g. MSSQL/VermisMysteriis)
--delegation    Boolean, list accounts with unconstrained / constrained delegation
--asrep         Boolean, list ASREP roastable accounts
--dc            Boolean, list all domain controllers
--add           Boolean, context dependent group/spn
--remove        Boolean, context dependent msDS-AllowedToActOnBehalfOfOtherIdentity/group
--make          Boolean, make machine; ms-DS-MachineAccountQuota applies
--disable       Boolean, disable machine; should be the same user that created the machine
--access        Boolean, list access permissions for object
--delete        Boolean, delete machine from AD; requires elevated AD access
```
And added an example:
```
# Grant object access permissions
StandIn.exe --object "distinguishedname=DC=redhook,DC=local" --grant "REDHOOK\MBWillett" --type DCSync
StandIn.exe --object "distinguishedname=DC=redhook,DC=local" --grant "REDHOOK\MBWillett" --guid 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2
StandIn.exe --object samaccountname=SomeTarget001$ --grant "REDHOOK\MBWillett" --type GenericWrite --domain redhook --user RFludd --pass Cl4vi$Alchemi4e
StandIn.exe --object (&(objectClass=pKICertificateTemplate)(cn=User)) --path LDAP://CN=Configuration,DC=redhook,DC=local --access
```
I'm not familiar enough with all of the other operations to know if it makes sense for all of them to support this parameter, but let me know if you want me to add support to any of the others in addition to --object and --access.
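The `--access` dump above lists every ACE on the template but leaves the reader to decide which entries matter. As an added example (not part of StandIn or this PR), the script below parses that output format and separates principals that can merely enroll (ExtendedRight scoped to `Certificate-Enrollment`, or GenericAll on the whole object) from principals that can modify the template itself (GenericAll, GenericWrite, WriteProperty, WriteDacl or WriteOwner on `ANY`), then flags any low-privileged group or owner in the latter set. The sample input is a trimmed copy of the PR's own output; the second, misconfigured sample and the rights-to-risk mapping are this example's assumptions, not the tool's.

```python
"""Triage StandIn '--access' output for a certificate template.
Added example, not StandIn's own code. It assumes the output layout shown in this PR
('[+] Identity --> <principal>' then '|_ Type' / '|_ Permission' / '|_ Object');
the rights-to-risk mapping below is this example's own, not the tool's."""
import re
from collections import namedtuple

# Rights on the whole object ("ANY") that let a principal rewrite the template.
CONTROL_RIGHTS = {"GenericAll", "GenericWrite", "WriteDacl", "WriteOwner", "WriteProperty"}
# Principals that effectively include every domain account.
LOW_PRIV_PRINCIPALS = {"NT AUTHORITY\\Authenticated Users", "Everyone"}
LOW_PRIV_SUFFIXES = ("\\Domain Users", "\\Domain Computers")

Ace = namedtuple("Ace", "identity ace_type permissions obj")

def parse_access_output(text):
    """Return (owner, [Ace, ...]) parsed from StandIn --access output."""
    owner, aces, cur = None, [], None

    def flush():  # emit the ACE collected so far, if any
        if cur is not None:
            perms = tuple(p.strip() for p in cur.get("Permission", "").split(",") if p.strip())
            aces.append(Ace(cur["identity"], cur.get("Type", ""), perms, cur.get("Object", "")))

    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"\[\+\] Identity --> (.+)$", line)
        if m:
            flush()
            cur = {"identity": m.group(1).strip()}
            continue
        m = re.match(r"\|_ (Owner|Type|Permission|Object) : (.+)$", line)
        if not m:
            continue
        key, val = m.group(1), m.group(2).strip()
        if key == "Owner":
            owner = val
        elif cur is not None:
            cur[key] = val
    flush()
    return owner, aces

def is_low_priv(identity):
    return identity in LOW_PRIV_PRINCIPALS or identity.endswith(LOW_PRIV_SUFFIXES)

def classify(owner, aces):
    """Split Allow ACEs into enroll vs. template-control; flag low-priv control."""
    enroll, control, findings = set(), set(), []
    if owner and is_low_priv(owner):
        findings.append(f"template owner {owner} is a low-privileged principal")
    for ace in aces:
        if ace.ace_type != "Allow":
            continue
        perms = set(ace.permissions)
        # Enroll is ExtendedRight scoped to Certificate-Enrollment; GenericAll on ANY implies it.
        if (ace.obj == "Certificate-Enrollment" and "ExtendedRight" in perms) or (
                ace.obj == "ANY" and "GenericAll" in perms):
            enroll.add(ace.identity)
        if ace.obj == "ANY" and perms & CONTROL_RIGHTS:
            control.add(ace.identity)
            if is_low_priv(ace.identity):
                findings.append(f"{ace.identity} can modify the template via "
                                + ", ".join(sorted(perms & CONTROL_RIGHTS)))
    return enroll, control, findings

# Trimmed copy of the User-template output shown in this PR.
SAMPLE_OUTPUT = r"""
[+] Object properties
    |_ Owner : TEST\Enterprise Admins
[+] Identity --> NT AUTHORITY\Authenticated Users
    |_ Type : Allow
    |_ Permission : GenericRead
    |_ Object : ANY
[+] Identity --> TEST\Domain Admins
    |_ Type : Allow
    |_ Permission : CreateChild, DeleteChild, Self, WriteProperty, DeleteTree, Delete, GenericRead, WriteDacl, WriteOwner
    |_ Object : ANY
[+] Identity --> TEST\Domain Users
    |_ Type : Allow
    |_ Permission : ReadProperty, WriteProperty, ExtendedRight
    |_ Object : Certificate-Enrollment
[+] Identity --> TEST\PKI Template Administrators
    |_ Type : Allow
    |_ Permission : GenericAll
    |_ Object : ANY
"""
# Constructed variant (not from the PR): one extra ACE giving Domain Users GenericAll.
MISCONFIGURED_OUTPUT = SAMPLE_OUTPUT + r"""[+] Identity --> TEST\Domain Users
    |_ Type : Allow
    |_ Permission : GenericAll
    |_ Object : ANY
"""

if __name__ == "__main__":
    for label, text in (("PR output", SAMPLE_OUTPUT), ("constructed", MISCONFIGURED_OUTPUT)):
        owner, aces = parse_access_output(text)
        print(label, classify(owner, aces))
```

On the PR's output the script reports enrollment for Domain Users and the PKI template administrators, control for Domain Admins and the PKI template administrators, and no findings; the constructed variant produces one finding because Domain Users would hold GenericAll on the template object rather than just the enrollment right.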