A cross-platform tool to parse and describe the contents of a raw ntSecurityDescriptor structure.

- Reads the source value from a file containing a raw ntSecurityDescriptor structure, in raw bytes, hex string or base64 string format.
- Reads the source value from LDAP.
- Outputs a human-readable summary of accesses with `--summary`
- Parsing of Access Control Entries (ACE) of various types:
  - ACE type `ACCESS_ALLOWED_ACE`
  - ACE type `ACCESS_ALLOWED_OBJECT_ACE`
  - ACE type `ACCESS_DENIED_ACE`
  - ACE type `ACCESS_DENIED_OBJECT_ACE`
  - ACE type `ACCESS_ALLOWED_CALLBACK_ACE`
  - ACE type `ACCESS_DENIED_CALLBACK_ACE`
  - ACE type `ACCESS_ALLOWED_CALLBACK_OBJECT_ACE`
  - ACE type `ACCESS_DENIED_CALLBACK_OBJECT_ACE`
  - ACE type `SYSTEM_AUDIT_ACE`
  - ACE type `SYSTEM_AUDIT_OBJECT_ACE`
  - ACE type `SYSTEM_AUDIT_CALLBACK_ACE`
  - ACE type `SYSTEM_MANDATORY_LABEL_ACE`
  - ACE type `SYSTEM_AUDIT_CALLBACK_OBJECT_ACE`
  - ACE type `SYSTEM_RESOURCE_ATTRIBUTE_ACE`
  - ACE type `SYSTEM_SCOPED_POLICY_ID_ACE`
- Parsing of SIDs:
  - Connects to LDAP to resolve the sAMAccountNames of SIDs that are not well known
  - Resolves the names of well-known SIDs
- Parsing of Access Control Lists (ACL):
  - Prints whether the ACL is in canonical form
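To show what the parser described above has to deal with, here is an added Go example (not code from the DescribeNTSecurityDescriptor project): it decodes a constructed self-relative ntSecurityDescriptor supplied as a hex string, walks its DACL with bounds checks on every offset and size, renders each ACE's type, access mask and SID, and reports whether the ACEs are in canonical order. The sample bytes, the function names `ParseDACL`/`sidToString`, the three non-object ACE types handled and the simplified canonical check (explicit deny before explicit allow, inheritance ignored) are all assumptions of this example.

```go
package main
import (
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

const SampleHex = "0100048000000000000000000000000014000000" + // constructed SD header: revision 1, control 0x8004 (SE_SELF_RELATIVE|SE_DACL_PRESENT), OffsetDacl 20
	"0200300002000000" + // ACL header: AclRevision 2, AclSize 48, AceCount 2
	"0100140002000000010100000000000100000000" + // ACCESS_DENIED_ACE, size 20, mask 0x2, SID S-1-1-0
	"00001400ff010f00010100000000000512000000" // ACCESS_ALLOWED_ACE, size 20, mask 0xF01FF, SID S-1-5-18
var aceTypeNames = map[byte]string{0: "ACCESS_ALLOWED_ACE", 1: "ACCESS_DENIED_ACE", 2: "SYSTEM_AUDIT_ACE"}

// sidToString decodes a binary SID (revision, sub-authority count, 48-bit big-endian authority, LE sub-authorities) or returns "" if malformed.
func sidToString(b []byte) string {
	if len(b) < 8 || b[0] != 1 || len(b) < 8+4*int(b[1]) {
		return ""
	}
	s := fmt.Sprintf("S-1-%d", binary.BigEndian.Uint64(append([]byte{0, 0}, b[2:8]...)))
	for i := 0; i < int(b[1]); i++ {
		s += fmt.Sprintf("-%d", binary.LittleEndian.Uint32(b[8+4*i:]))
	}
	return s
}

// ParseDACL walks a self-relative descriptor's DACL, validating every offset and size, and reports each ACE plus whether deny ACEs precede allow ACEs.
func ParseDACL(sd []byte) (aces []string, canonical bool, err error) {
	if len(sd) < 20 || sd[0] != 1 || sd[2]&0x04 == 0 || binary.LittleEndian.Uint32(sd[16:]) == 0 || int(binary.LittleEndian.Uint32(sd[16:]))+8 > len(sd) {
		return nil, false, fmt.Errorf("bad SD header, SE_DACL_PRESENT clear, or bad DACL offset")
	}
	off := int(binary.LittleEndian.Uint32(sd[16:])) // OffsetDacl; ACL header is 8 bytes, AceCount at +4
	count, p, seenAllow, canonical := int(binary.LittleEndian.Uint16(sd[off+4:])), off+8, false, true
	for i := 0; i < count; i++ {
		size := 0
		if p+8 <= len(sd) { // 8-byte ACE header: type, flags, size, mask
			size = int(binary.LittleEndian.Uint16(sd[p+2:]))
		}
		if size < 8 || p+size > len(sd) || aceTypeNames[sd[p]] == "" || sidToString(sd[p+8:p+size]) == "" {
			return nil, false, fmt.Errorf("truncated, unsupported or malformed ACE %d", i)
		}
		aces = append(aces, fmt.Sprintf("%s mask=0x%X sid=%s", aceTypeNames[sd[p]], binary.LittleEndian.Uint32(sd[p+4:]), sidToString(sd[p+8:p+size])))
		canonical, seenAllow = canonical && !(sd[p] == 1 && seenAllow), seenAllow || sd[p] == 0 // a deny after an allow breaks order
		p += size
	}
	return aces, canonical, nil
}

func main() {
	sd, _ := hex.DecodeString(SampleHex)
	fmt.Println(ParseDACL(sd))
}
```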
```
$ ./DescribeNTSecurityDescriptor -h
DescribeNTSecurityDescriptor - by Remi GASCOU (Podalirius) - v1.2

Usage: DescribeNTSecurityDescriptor [--debug] [--domain <string>] [--username <string>] [--password <string>] [--hashes <string>] [--dc-ip <string>] [--port <tcp port>] [--use-ldaps] [--distinguished-name <string>] [--file-hex <string>] [--file-base64 <string>] [--file-raw <string>] [--value-hex <string>] [--value-base64 <string>]

  -d, --debug Debug mode. (default: false)

Authentication:
  -d, --domain <string> Active Directory domain to authenticate to. (default: "")
  -u, --username <string> User to authenticate as. (default: "")
  -p, --password <string> Password to authenticate with. (default: "")
  -H, --hashes <string> NT/LM hashes, format is LMhash:NThash. (default: "")

LDAP Connection Settings:
  -dc, --dc-ip <string> IP Address of the domain controller or KDC (Key Distribution Center) for Kerberos. If omitted, it will use the domain part (FQDN) specified in the identity parameter. (default: "")
  -P, --port <tcp port> Port number to connect to LDAP server. (default: 389)
  -l, --use-ldaps Use LDAPS instead of LDAP. (default: false)

Source Values:
  -D, --distinguished-name <string> Distinguished Name. (default: "")
  -fh, --file-hex <string> Path to file containing the hexadecimal string value of NTSecurityDescriptor. (default: "")
  -fb, --file-base64 <string> Path to file containing the base64 encoded value of NTSecurityDescriptor. (default: "")
  -fr, --file-raw <string> Path to file containing the raw binary value of NTSecurityDescriptor. (default: "")
  -vh, --value-hex <string> Raw hexadecimal string value of NTSecurityDescriptor. (default: "")
  -vb, --value-base64 <string> Raw base64 encoded value of NTSecurityDescriptor. (default: "")
```
```bash
# Read and describe the ntSecurityDescriptor of an object fetched from LDAP
./DescribeNTSecurityDescriptor --debug --username "Administrator" --domain "LAB.local" --password "Admin123!" --dc-ip "10.0.0.201" --distinguished-name "CN=Administrator,CN=Users,DC=LAB,DC=local"

# Describe a descriptor given as a hex string; LDAP credentials are still used to resolve SIDs to names (value elided)
./DescribeNTSecurityDescriptor --username "Administrator" --domain "LAB.local" --password "Admin123!" --dc-ip "10.0.0.201" --debug --value-hex "<hex string>"
```
To build the project, use the following Docker command in this directory:

```bash
docker run -v $(pwd):/workspace/ podalirius/build-go-project
```

Or, if you want to build it manually, you can use the following commands (GOOS and GOARCH must be exported so that `go build` sees them):

```bash
export GOOS=linux GOARCH=amd64
mkdir -p "/workspace/bin/linux/${GOOS}/${GOARCH}/" && /usr/local/go/bin/go build -o "/workspace/bin/linux/${GOOS}/${GOARCH}/" -buildvcs=false
```
Pull requests are welcome. Feel free to open an issue if you want to add other features.