
Added Path parameter to specify search container #6

Open - wants to merge 3 commits into base: main

Conversation

TheWover

I added a path parameter to specify the search container. This is useful when looking up object properties or permissions, such as when checking Certificate Template access permissions.

@FuzzySecurity (Owner)

Can you add some output please, see https://github.com/FuzzySecurity/StandIn#contributing

@TheWover (Author)

Sure:

```
StandIn.exe --object (&(objectCategory=*)(objectClass=pKICertificateTemplate)(cn=User)) --path LDAP://CN=Configuration,DC=test,DC=domain,DC=com --access

[?] Using DC : ca.test.domain.com
[?] Object   : CN=User
    Path     : LDAP://CN=User,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=test,DC=domain,DC=com

[+] Object properties
    |_ Owner : TEST\Enterprise Admins
    |_ Group : TEST\Enterprise Admins

[+] Object access rules

[+] Identity --> NT AUTHORITY\Authenticated Users
    |_ Type       : Allow
    |_ Permission : GenericRead
    |_ Object     : ANY

[+] Identity --> TEST\Domain Admins
    |_ Type       : Allow
    |_ Permission : CreateChild, DeleteChild, Self, WriteProperty, DeleteTree, Delete, GenericRead, WriteDacl, WriteOwner
    |_ Object     : ANY

[+] Identity --> TEST\Enterprise Admins
    |_ Type       : Allow
    |_ Permission : CreateChild, DeleteChild, Self, WriteProperty, DeleteTree, Delete, GenericRead, WriteDacl, WriteOwner
    |_ Object     : ANY

[+] Identity --> TEST\Domain Admins
    |_ Type       : Allow
    |_ Permission : ReadProperty, WriteProperty, ExtendedRight
    |_ Object     : Certificate-Enrollment

[+] Identity --> TEST\Domain Users
    |_ Type       : Allow
    |_ Permission : ReadProperty, WriteProperty, ExtendedRight
    |_ Object     : Certificate-Enrollment

[+] Identity --> TEST\Enterprise Admins
    |_ Type       : Allow
    |_ Permission : ReadProperty, WriteProperty, ExtendedRight
    |_ Object     : Certificate-Enrollment

[+] Identity --> TEST\PKI Template Administrators
    |_ Type       : Allow
    |_ Permission : GenericAll
    |_ Object     : ANY

[+] Identity --> TEST\PKI CA Administrators
    |_ Type       : Allow
    |_ Permission : GenericAll
    |_ Object     : ANY

[+] Identity --> BUILTIN\Administrators
    |_ Type       : Allow
    |_ Permission : GenericAll
    |_ Object     : ANY

[+] Identity --> TEST\Enterprise Admins
    |_ Type       : Allow
    |_ Permission : GenericAll
    |_ Object     : ANY

[+] Identity --> TEST\Domain Admins
    |_ Type       : Allow
    |_ Permission : CreateChild, Self, WriteProperty, ExtendedRight, Delete, GenericRead, WriteDacl, WriteOwner
    |_ Object     : ANY

[+] Identity --> BUILTIN\Administrators
    |_ Type       : Allow
    |_ Permission : CreateChild, ListChildren, ReadProperty, ExtendedRight, Delete, GenericWrite, WriteDacl, WriteOwner
    |_ Object     : ANY
```

I also updated the help to include details about this new parameter:

```
  __
 ( _/_   _//   ~b33f
__)/(//)(/(/)  v1.2


 >--~~--> Args? <--~~--<

--help          This help menu
--object        LDAP filter, e.g. samaccountname=HWest
--ldap          LDAP filter, can return result collection
--filter        Filter results, varies based on function
--limit         Limit results, varies based on function, defaults to 50
--computer      Machine name, e.g. Celephais-01
--group         samAccountName, e.g. "Necronomicon Admins"
--ntaccount     User name, e.g. "REDHOOK\UPickman"
--sid           Dependent on context
--grant         User name, e.g. "REDHOOK\KMason"
--guid          Rights GUID to add to object, e.g. 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2
--domain        Domain name, e.g. REDHOOK
--user          User name
--pass          Password
--path          LDAP path / container to search in
--newpass       New password to set for object
--gpo           List group policy objects
--acl           Show ACL's for returned GPO's
--localadmin    Add samAccountName to BUILTIN\Administrators for vulnerable GPO
--setuserrights samAccountName for which to add token rights in a vulnerable GPO
--tasktype      Immediate task type (user/computer)
--taskname      Immediate task name
--author        Immediate task author
--command       Immediate task command
--args          Immediate task command args
--target        Optional, filter for DNS name or NTAccount
--targetsid     Optional, provider user SID
--increase      Increment either the user or computer GPO version number for the AD object
--policy        Reads some account/kerberos properties from the "Default Domain Policy"
--dns           Performs ADIDNS enumeration, supports wildcard filters
--legacy        Boolean, sets DNS search root to legacy (CN=System)
--forest        Boolean, sets DNS search root to forest (DC=ForestDnsZones)
--passnotreq    Boolean, list accounts that have PASSWD_NOTREQD set
--type          Rights type: GenericAll, GenericWrite, ResetPassword, WriteMembers, DCSync
--spn           Boolean, list kerberoastable accounts
--setspn        samAccountName for which to add/remove an SPN
--principal     Principal name to add to samAccountName (e.g. MSSQL/VermisMysteriis)
--delegation    Boolean, list accounts with unconstrained / constrained delegation
--asrep         Boolean, list ASREP roastable accounts
--dc            Boolean, list all domain controllers
--add           Boolean, context dependent group/spn
--remove        Boolean, context dependent msDS-AllowedToActOnBehalfOfOtherIdentity/group
--make          Boolean, make machine; ms-DS-MachineAccountQuota applies
--disable       Boolean, disable machine; should be the same user that created the machine
--access        Boolean, list access permissions for object
--delete        Boolean, delete machine from AD; requires elevated AD access
```

And added an example:

```
# Grant object access permissions
StandIn.exe --object "distinguishedname=DC=redhook,DC=local" --grant "REDHOOK\MBWillett" --type DCSync
StandIn.exe --object "distinguishedname=DC=redhook,DC=local" --grant "REDHOOK\MBWillett" --guid 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2
StandIn.exe --object samaccountname=SomeTarget001$ --grant "REDHOOK\MBWillett" --type GenericWrite --domain redhook --user RFludd --pass Cl4vi$Alchemi4e
StandIn.exe --object (&(objectClass=pKICertificateTemplate)(cn=User)) --path LDAP://CN=Configuration,DC=redhook,DC=local --access
```
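
The `--access` output above lists one block per ACE, but what a practitioner wants from a template's DACL is the answer to two questions: who can enroll, and who can change the template. The script below is an added example, not code from StandIn or from the PR author: it parses the `[+] Identity --> ...` blocks of the output format shown above and sorts principals into those two buckets, then flags any broad group (Authenticated Users, Domain Users, Domain Computers, Everyone) that lands in either. The embedded sample is an abridged, constructed copy of the output posted in this thread, the `BROAD_GROUPS` list and the enroll/modify rules are this example's own heuristics, and it is a first-pass triage over Allow entries only, not a full DACL evaluation (deny precedence and inheritance are not modelled).

```python
"""Triage the access rules StandIn prints for `--object ... --access`.

Added example, not part of the StandIn project. Parses the text output
format and reports enrollment and write-control rights on a certificate
template, flagging broad groups for review.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: an abridged copy of the output posted above.
SAMPLE = """\
[?] Using DC : ca.test.domain.com
[?] Object   : CN=User
    Path     : LDAP://CN=User,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=test,DC=domain,DC=com

[+] Object properties
    |_ Owner : TEST\\Enterprise Admins
    |_ Group : TEST\\Enterprise Admins

[+] Object access rules

[+] Identity --> NT AUTHORITY\\Authenticated Users
    |_ Type       : Allow
    |_ Permission : GenericRead
    |_ Object     : ANY

[+] Identity --> TEST\\Domain Users
    |_ Type       : Allow
    |_ Permission : ReadProperty, WriteProperty, ExtendedRight
    |_ Object     : Certificate-Enrollment

[+] Identity --> TEST\\PKI Template Administrators
    |_ Type       : Allow
    |_ Permission : GenericAll
    |_ Object     : ANY

[+] Identity --> TEST\\Domain Admins
    |_ Type       : Allow
    |_ Permission : CreateChild, DeleteChild, Self, WriteProperty, DeleteTree, Delete, GenericRead, WriteDacl, WriteOwner
    |_ Object     : ANY
"""

# Rights that let a principal change the template object itself.
WRITE_CONTROL = {"GenericAll", "GenericWrite", "WriteProperty", "WriteDacl", "WriteOwner"}
# Example's own list of groups whose membership is effectively "everyone".
BROAD_GROUPS = {"Authenticated Users", "Domain Users", "Domain Computers", "Everyone"}

IDENTITY_RE = re.compile(r"^\[\+\] Identity --> (.+?)\s*$")
FIELD_RE = re.compile(r"^\s*\|_ (\w+)\s*: (.*?)\s*$")


@dataclass(frozen=True)
class AccessRule:
    identity: str            # e.g. "TEST\\Domain Users"
    ace_type: str            # "Allow" or "Deny"
    permissions: frozenset   # e.g. {"ReadProperty", "ExtendedRight"}
    scope: str               # "ANY" or the named right/property the ACE is scoped to


def parse_access_rules(text: str) -> list[AccessRule]:
    """Turn each '[+] Identity --> ...' block into an AccessRule.

    The '|_ Owner'/'|_ Group' lines of the properties block are ignored
    because they appear before the first Identity header.
    """
    blocks: list[dict] = []
    current = None
    for line in text.splitlines():
        m = IDENTITY_RE.match(line)
        if m:
            current = {"identity": m.group(1)}
            blocks.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2)
    return [
        AccessRule(
            identity=b["identity"],
            ace_type=b.get("type", ""),
            permissions=frozenset(p.strip() for p in b.get("permission", "").split(",") if p.strip()),
            scope=b.get("object", "ANY"),
        )
        for b in blocks
    ]


def can_enroll(rule: AccessRule) -> bool:
    """Enrollment: GenericAll on the whole object, or ExtendedRight either
    unscoped (ANY) or scoped to the Certificate-Enrollment right."""
    if rule.ace_type != "Allow":
        return False
    if "GenericAll" in rule.permissions and rule.scope == "ANY":
        return True
    return "ExtendedRight" in rule.permissions and rule.scope in ("ANY", "Certificate-Enrollment")


def can_modify_template(rule: AccessRule) -> bool:
    """Write control over the template. Only unscoped (ANY) entries count:
    the Object column scopes the ACE, so a WriteProperty bit attached to the
    Certificate-Enrollment right is not treated as write access to the
    template's attributes."""
    return rule.ace_type == "Allow" and rule.scope == "ANY" and bool(rule.permissions & WRITE_CONTROL)


def is_broad(identity: str) -> bool:
    return identity.split("\\")[-1] in BROAD_GROUPS


def triage(text: str) -> dict[str, list[str]]:
    rules = parse_access_rules(text)
    enroll = sorted({r.identity for r in rules if can_enroll(r)})
    modify = sorted({r.identity for r in rules if can_modify_template(r)})
    return {
        "enroll": enroll,
        "modify": modify,
        "broad_enroll": [i for i in enroll if is_broad(i)],
        "broad_modify": [i for i in modify if is_broad(i)],
    }


if __name__ == "__main__":
    for key, names in triage(SAMPLE).items():
        print(f"{key:13}: {', '.join(names) or '-'}")
```

Pipe real StandIn output into `triage()` instead of `SAMPLE` to get the same summary for any template; on the sample, Domain Users shows up under `broad_enroll` (which is the default for the built-in User template) while only the admin groups land in `modify`.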

@TheWover (Author)

I'm not familiar enough with all of the other operations to know if it makes sense for all of them to support this parameter, but let me know if you want me to add support to any of the others in addition to --object and --access.
