dacledit.py: -mask added + bugfix #1912

Open
wants to merge 2 commits into base: master

Conversation

shellinvictus

  • new parameter -mask to add more granularity on access masks. Useful with -rights Custom (new option) or --rights-guid where the mask is different from read+write.
  • bugfix: access masks were badly parsed

@shellinvictus shellinvictus changed the title dacledit.py improvements dacledit.py: -mask added + bugfix Mar 1, 2025
@anadrianmanrique anadrianmanrique self-assigned this Mar 6, 2025
@anadrianmanrique anadrianmanrique added the in review This issue or pull request is being analyzed label Mar 6, 2025
@shellinvictus (Author)

Some examples below:

FullControl vs Custom

FullControl

dacledit.py corp.local/admin:password -dc-ip 10.0.0.2 -principal alice -target bob -rights FullControl -action write

[*] Filtering results for SID (S-1-5-21-756988169-910435930-493999333-1163)
[*]   ACE[20] info
[*]     ACE Type                  : ACCESS_ALLOWED_ACE
[*]     ACE flags                 : None
[*]     Access mask               : FullControl (0xf01ff)
[*]     Trustee (SID)             : alice (S-1-5-21-756988169-910435930-493999333-1163)

Custom

dacledit.py corp.local/admin:password -dc-ip 10.0.0.2 -principal alice -target bob -rights Custom -action write -mask readwrite

[*]   ACE[19] info                
[*]     ACE Type                  : ACCESS_ALLOWED_ACE
[*]     ACE flags                 : None
[*]     Access mask               : WriteProperties, ReadProperties (0x30)
[*]     Trustee (SID)             : alice (S-1-5-21-756988169-910435930-493999333-1163)

Removing an ACE

The mask is necessary to remove an ACE (otherwise it uses the default values of dacledit). To remove the previous ACE, we can use 0x30 or, again, readwrite:

dacledit.py corp.local/admin:password -dc-ip 10.0.0.2 -principal alice -target bob -rights Custom -action remove -mask 0x30
dacledit.py corp.local/admin:password -dc-ip 10.0.0.2 -principal alice -target bob -rights Custom -action remove -mask readwrite

GUID objects

By default on guid objects, the mask is AllExtendedRights (original behavior):

dacledit.py corp.local/admin:password -dc-ip 10.0.0.2 -principal alice -target bob -rights-guid bf967a68-0de6-11d0-a285-00aa003049e2 -action write

[*]     ACE Type                  : ACCESS_ALLOWED_OBJECT_ACE
[*]     ACE flags                 : None
[*]     Access mask               : ControlAccess (0x100)
[*]     Flags                     : ACE_OBJECT_TYPE_PRESENT
[*]     Object type (GUID)        : User-Account-Control (bf967a68-0de6-11d0-a285-00aa003049e2)
[*]     Trustee (SID)             : alice (S-1-5-21-756988169-910435930-493999333-1163)

Example of giving only the write right on UserAccountControl:

dacledit.py corp.local/admin:password -dc-ip 10.0.0.2 -principal alice -target bob -rights-guid bf967a68-0de6-11d0-a285-00aa003049e2 -mask write -action write

[*]   ACE[5] info
[*]     ACE Type                  : ACCESS_ALLOWED_OBJECT_ACE
[*]     ACE flags                 : None
[*]     Access mask               : WriteProperty (0x20)
[*]     Flags                     : ACE_OBJECT_TYPE_PRESENT
[*]     Object type (GUID)        : User-Account-Control (bf967a68-0de6-11d0-a285-00aa003049e2)
[*]     Trustee (SID)             : alice (S-1-5-21-756988169-910435930-493999333-1163)

Masks

dacledit.py corp.local/admin:password -dc-ip 10.0.0.2 -principal alice -target bob -rights Custom -mask readwrite -action write
dacledit.py corp.local/admin:password -dc-ip 10.0.0.2 -principal alice -target bob -rights Custom -mask write -action write
dacledit.py corp.local/admin:password -dc-ip 10.0.0.2 -principal alice -target bob -rights Custom -mask self -action write
dacledit.py corp.local/admin:password -dc-ip 10.0.0.2 -principal alice -target bob -rights Custom -mask allext -action write

[*]   ACE[19] info
[*]     ACE Type                  : ACCESS_ALLOWED_ACE
[*]     ACE flags                 : None
[*]     Access mask               : AllExtendedRights (0x100)
[*]     Trustee (SID)             : alice (S-1-5-21-756988169-910435930-493999333-1163)
[*]   ACE[20] info
[*]     ACE Type                  : ACCESS_ALLOWED_ACE
[*]     ACE flags                 : None
[*]     Access mask               : Self (0x8)
[*]     Trustee (SID)             : alice (S-1-5-21-756988169-910435930-493999333-1163)
[*]   ACE[21] info
[*]     ACE Type                  : ACCESS_ALLOWED_ACE
[*]     ACE flags                 : None
[*]     Access mask               : WriteProperties (0x20)
[*]     Trustee (SID)             : alice (S-1-5-21-756988169-910435930-493999333-1163)
[*]   ACE[22] info
[*]     ACE Type                  : ACCESS_ALLOWED_ACE
[*]     ACE flags                 : None
[*]     Access mask               : WriteProperties, ReadProperties (0x30)
[*]     Trustee (SID)             : alice (S-1-5-21-756988169-910435930-493999333-1163)
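
The mask handling discussed in this thread (named masks, raw hex values, and the fact that a removal only matches an ACE carrying the same mask it was written with) in a stand-alone form, as an added example that is not part of the PR or of dacledit.py. The bit values are the ADS_RIGHT_* and standard-rights constants from MS-ADTS / winnt.h; the short names (readwrite, write, self, allext, fullcontrol), the function names and the sample ACE list are assumptions modelled on the output shown above.

```python
"""Parse, describe and match Active Directory DS access masks.

Added example, not dacledit.py's own code. The bit constants are the
ADS_RIGHT_* / standard-rights values from MS-ADTS and winnt.h; the short
names, function names and the sample ACE list below are assumptions
chosen to mirror the -mask values and output shown in this PR thread.
"""

# Object-specific (DS) rights: the low 9 bits of the mask.
DS_RIGHTS = {
    "CreateChild":   0x00000001,
    "DeleteChild":   0x00000002,
    "ListChildren":  0x00000004,
    "Self":          0x00000008,   # validated write
    "ReadProperty":  0x00000010,
    "WriteProperty": 0x00000020,
    "DeleteTree":    0x00000040,
    "ListObject":    0x00000080,
    "ControlAccess": 0x00000100,   # extended rights
}
# Standard rights: bits 16-19.
STANDARD_RIGHTS = {
    "Delete":      0x00010000,
    "ReadControl": 0x00020000,
    "WriteDacl":   0x00040000,
    "WriteOwner":  0x00080000,
}
ALL_RIGHTS = {**DS_RIGHTS, **STANDARD_RIGHTS}
KNOWN_BITS = 0
for _bit in ALL_RIGHTS.values():
    KNOWN_BITS |= _bit

FULL_CONTROL = 0x000F01FF  # every DS right plus the four standard rights

# Short names modelled on the PR's -mask values (assumed spelling).
SHORT_NAMES = {
    "fullcontrol": FULL_CONTROL,
    "readwrite": DS_RIGHTS["ReadProperty"] | DS_RIGHTS["WriteProperty"],  # 0x30
    "write": DS_RIGHTS["WriteProperty"],                                  # 0x20
    "read": DS_RIGHTS["ReadProperty"],                                    # 0x10
    "self": DS_RIGHTS["Self"],                                            # 0x8
    "allext": DS_RIGHTS["ControlAccess"],                                 # 0x100
}


def parse_mask(value):
    """Turn a user-supplied mask into an int.

    Accepts a short name (case-insensitive), a '0x' hex string, a decimal
    string, or an int. Unknown names and bits outside the known right set
    raise ValueError, so a typo cannot silently fall back to a default mask.
    """
    if isinstance(value, int):
        mask = value
    else:
        text = value.strip().lower()
        if text in SHORT_NAMES:
            mask = SHORT_NAMES[text]
        else:
            try:
                mask = int(text, 0)  # base 0 understands 0x.. and plain decimal
            except ValueError:
                raise ValueError(f"unknown mask name or number: {value!r}") from None
    if mask < 0 or mask > 0xFFFFFFFF:
        raise ValueError(f"mask out of 32-bit range: {mask:#x}")
    unknown = mask & ~KNOWN_BITS
    if unknown:
        raise ValueError(f"mask {mask:#x} sets bits outside the known rights: {unknown:#x}")
    return mask


def describe_mask(mask):
    """Render a mask as 'Name1, Name2 (0x..)', the shape dacledit prints."""
    if mask == FULL_CONTROL:
        return f"FullControl ({mask:#x})"
    names = [name for name, bit in ALL_RIGHTS.items() if mask & bit]
    return f"{', '.join(names) or 'None'} ({mask:#x})"


# Constructed sample DACL mirroring the ACEs shown in the thread.
ALICE_SID = "S-1-5-21-756988169-910435930-493999333-1163"
SAMPLE_ACES = [
    {"index": 19, "type": "ACCESS_ALLOWED_ACE", "sid": ALICE_SID, "mask": 0x30},
    {"index": 20, "type": "ACCESS_ALLOWED_ACE", "sid": ALICE_SID, "mask": FULL_CONTROL},
    {"index": 21, "type": "ACCESS_ALLOWED_ACE", "sid": ALICE_SID, "mask": 0x20},
]


def find_matching_aces(aces, trustee_sid, mask, ace_type="ACCESS_ALLOWED_ACE"):
    """Return the indexes of ACEs a removal would hit: trustee, ACE type and
    the exact mask must all match. Removing with a different mask than the
    one the ACE was written with matches nothing, which is why -mask has to
    be repeated on remove."""
    return [ace["index"] for ace in aces
            if ace["sid"] == trustee_sid and ace["type"] == ace_type and ace["mask"] == mask]


if __name__ == "__main__":
    for spec in ("readwrite", "0x30", "write", "self", "allext", "FullControl"):
        mask = parse_mask(spec)
        print(f"{spec:>12} -> {describe_mask(mask)}; removes ACE(s) "
              f"{find_matching_aces(SAMPLE_ACES, ALICE_SID, mask)}")
```

The strict rejection of unknown bits is a deliberate choice for user input: an ACE written with a mask the operator did not intend is the kind of mistake the original parsing bug could produce, and it is cheaper to fail on the command line than to find the stray ACE later. When decoding masks read back from a real DACL, relax that check, since GENERIC_* and other standard bits not listed here can legitimately appear.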
