pyDescribeNTSecurityDescriptor
A python tool to parse and describe the contents of a raw ntSecurityDescriptor structure.
Features
- [x] Reads source value from a file or from LDAP
- [x] Outputs a human-readable summary of accesses with --summary
- [x] Parsing of Access Control Entries (ACE) of various types:
  - [x] ACE type ACCESS_ALLOWED_ACE
  - [x] ACE type ACCESS_ALLOWED_OBJECT_ACE
  - [x] ACE type ACCESS_DENIED_ACE
  - [x] ACE type ACCESS_DENIED_OBJECT_ACE
  - [x] ACE type ACCESS_ALLOWED_CALLBACK_ACE
  - [x] ACE type ACCESS_DENIED_CALLBACK_ACE
  - [x] ACE type ACCESS_ALLOWED_CALLBACK_OBJECT_ACE
  - [x] ACE type ACCESS_DENIED_CALLBACK_OBJECT_ACE
  - [x] ACE type SYSTEM_AUDIT_ACE
  - [x] ACE type SYSTEM_AUDIT_OBJECT_ACE
  - [x] ACE type SYSTEM_AUDIT_CALLBACK_ACE
  - [x] ACE type SYSTEM_MANDATORY_LABEL_ACE
  - [x] ACE type SYSTEM_AUDIT_CALLBACK_OBJECT_ACE
  - [x] ACE type SYSTEM_RESOURCE_ATTRIBUTE_ACE
  - [x] ACE type SYSTEM_SCOPED_POLICY_ID_ACE
  - [x] ACE type
- [x] Parsing of SID
  - [x] Connect to LDAP to resolve sAMAccountNames of SIDs that are not well known
  - [x] Resolve names of well known SIDs
- [ ] Parsing of Access Control Lists (ACL):
  - [ ] Print if ACL is in canonical form
Demonstration
Here is an example of the output of the tool when parsing the ntSecurityDescriptor contained in the file example_value.txt. This file contains a raw ntSecurityDescriptor structure in hex dump format:
0100148cc4090000e0090000140000008c0000000400780002000000075a38002000000003000000be3b0ef3f09fd111b6030000f80367c1a57a96bfe60dd011a28500aa003049e2010100000000000100000000075a380020000000030000
...
02000000000005200000002a02000000121800bd010f0001020000000000052000000020020000010500000000000515000000a3cd06bf0e0fe808c335b8e600020000010500000000000515000000a3cd06bf0e0fe808c335b8e600020000
Using DescribeNTSecurityDescriptor.py, we can open the file and parse its content precisely:
./DescribeNTSecurityDescriptor.py ./example_value.txt
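
To show what that parsing involves, the following Python is an added example (not code from pyDescribeNTSecurityDescriptor) that decodes the self-relative header, the SACL header and the first object ACE from the leading bytes of the hex dump above. It uses only the standard library; the function names and the partial control-flag table are assumptions of this example.

```python
import struct
import uuid

# Leading bytes of the hex dump shown above: header, SACL header, first ACE.
SAMPLE = bytes.fromhex(
    "0100148cc4090000e0090000140000008c000000"  # SECURITY_DESCRIPTOR header
    "0400780002000000"                          # ACL header (the SACL)
    "075a38002000000003000000"                  # ACE header, mask, object flags
    "be3b0ef3f09fd111b6030000f80367c1"          # ObjectType GUID
    "a57a96bfe60dd011a28500aa003049e2"          # InheritedObjectType GUID
    "010100000000000100000000"                  # trustee SID
)
# Subset of the winnt.h control bits, enough for this sample.
CONTROL = {0x0004: "SE_DACL_PRESENT", 0x0010: "SE_SACL_PRESENT",
           0x0400: "SE_DACL_AUTO_INHERITED", 0x0800: "SE_SACL_AUTO_INHERITED",
           0x1000: "SE_DACL_PROTECTED", 0x8000: "SE_SELF_RELATIVE"}

def parse_header(buf):
    """Decode the 20-byte self-relative header; offsets are from buffer start."""
    if len(buf) < 20:
        raise ValueError("truncated security descriptor header")
    rev, _, control, owner, group, sacl, dacl = struct.unpack_from("<BBHIIII", buf)
    return {"revision": rev, "control": control,
            "flags": [n for bit, n in CONTROL.items() if control & bit],
            "owner": owner, "group": group, "sacl": sacl, "dacl": dacl}

def parse_acl_header(buf, off):
    """Return (AclRevision, AclSize, AceCount) of the ACL starting at off."""
    rev, _, size, count, _ = struct.unpack_from("<BBHHH", buf, off)
    return rev, size, count

def parse_sid(buf, off):
    """Render the SID at off as S-R-A-S1-...; the authority is big-endian."""
    if off + 8 > len(buf) or off + 8 + 4 * buf[off + 1] > len(buf):
        raise ValueError("truncated SID")
    subs = struct.unpack_from(f"<{buf[off + 1]}I", buf, off + 8)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    return "-".join(["S", str(buf[off]), str(authority), *map(str, subs)])

def parse_object_ace(buf, off):
    """Decode an *_OBJECT_ACE: header, mask, optional GUIDs, trustee SID."""
    ace_type, ace_flags, size = struct.unpack_from("<BBH", buf, off)
    if off + size > len(buf):
        raise ValueError("truncated ACE")
    mask, obj_flags = struct.unpack_from("<II", buf, off + 4)
    ace, pos = {"type": ace_type, "flags": ace_flags, "mask": mask}, off + 12
    for bit, name in ((0x1, "ObjectType"), (0x2, "InheritedObjectType")):
        if obj_flags & bit:  # each GUID is present only when its flag is set
            ace[name] = str(uuid.UUID(bytes_le=buf[pos:pos + 16]))
            pos += 16
    ace["sid"] = parse_sid(buf, pos)
    return ace
```

In this sample the SACL offset plus its AclSize equals the DACL offset, which is a cheap consistency check to run before walking the ACEs.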

Usage
$ ./DescribeNTSecurityDescriptor.py
usage: DescribeNTSecurityDescriptor.py [-h] [-v] value
Parse and describe the contents of a raw ntSecurityDescriptor structure
positional arguments:
  value          The value to be described by the NTSecurityDescriptor
options:
  -h, --help     show this help message and exit
  -v, --verbose  Verbose mode. (default: False)
Example
./DescribeNTSecurityDescriptor.py -u Administrator -p 'Admin123!' -d LAB --dc-ip 10.0.0.101 -D "CN=user user,CN=Users,DC=LAB,DC=local" --summary --describe
Contributing
Pull requests are welcome. Feel free to open an issue if you want to add other features.